Reinsurance News

Cyber-related fines reveal widening gap between regulatory risk & insurable protection: Aon

4th February 2026 - Author: Beth Musselwhite

Businesses located or operating across EMEA face increasing exposure to cyber-related fines and penalties as enforcement becomes more assertive, while the insurability of these fines remains uncertain and varies by jurisdiction, according to a joint report by global broker Aon and law firm A&O Shearman.

The report highlighted that as cyber incidents rise across industry sectors and countries, new regulations aimed at promoting greater cyber resilience are emerging, bringing additional fines and penalties for companies, executives, and board members who fail to ensure compliance.

The regulatory perimeter for cyber fines has expanded sharply. The EU, for example, has introduced major frameworks such as DORA (the Digital Operational Resilience Act) and the NIS2 Directive (Network and Information Security), while the UK recently published the Cyber Security and Resilience Bill. As a result of these new rules, enforcement has become more assertive, technical, and multi-layered, making the insurability of fines and penalties uncertain.

The report found that many jurisdictions restrict or prohibit insurance for criminal or punitive administrative fines on public policy grounds. Many penalties are only insurable to the extent permitted by law, leaving organisations potentially liable for regulatory fines even if they hold cyber insurance.

Meanwhile, defence, investigation, breach notification, business interruption, and remediation costs are more consistently covered, highlighting a growing gap between regulatory risk and insurable protection.

Findings show that non-monetary penalties can be as disruptive as fines. These measures can include orders to cease processing, undergo audits, suspend operations, or revoke licences.

In addition, boards and senior management face heightened accountability, with new regulatory regimes raising expectations around proper oversight, investment, and preparedness in risk mitigation.

Pablo Constenla, head of coverage and claims for cyber and financial lines at Aon in EMEA, said, “The regulatory landscape for cyber is evolving rapidly, with regulators taking a much more hands-on approach to enforcement, from testing technical controls to imposing penalties – which could also boost third party liability. Businesses need to understand how fines and penalties are treated across jurisdictions and ensure that their governance, reporting and compliance frameworks are robust enough to withstand scrutiny.”

David Molony, head of cyber solutions EMEA at Aon, added, “Cyber risk is not just about the likelihood of an attack or data breach; businesses should also consider the financial and reputational impact of regulatory consequences. Organisations that integrate incident response planning with risk oversight and cross-functional coordination are better positioned to absorb shocks and to maintain operational resilience amid an increasingly complex environment.”