A&O Shearman and Aon publish comprehensive review of the insurability of cyber fines across multiple jurisdictions

Published Date
Feb 5 2026

A&O Shearman and Aon have today published a report examining the insurability of regulatory fines arising from cyber incidents across multiple global jurisdictions. The insurability of cyber fines report provides essential guidance for risk managers, in-house counsel, and insurance professionals navigating an increasingly complex regulatory landscape.

Key findings

  • Overlapping regulatory regimes: Organisations are facing potential fines under multiple frameworks including GDPR (up to EUR20 million/4% turnover), NIS2 (up to EUR10m/2% turnover), DORA, and the Cyber Resilience Act (up to EUR15m/2.5% turnover).
  • Insurability varies by jurisdiction: In some countries, such as Finland and Portugal, cyber fines are explicitly uninsurable as a matter of public policy. In others, including England and Wales, Ireland, and the Netherlands, the legal position remains uncertain and untested by courts, providing a challenging landscape for organisations operating across multiple jurisdictions.
  • Significant enforcement activity: Regulators are growing increasingly assertive in their pursuit of enforcement, with recent cases including Meta (EUR251m), Capita (GBP14m), Enel Energia (EUR79.1m), and Advanced Computer Software (GBP3.07m) serving as examples.
  • Increasing personal liability for boards: NIS2 and DORA have introduced direct liability for senior management, including potential management bans.
  • EU AI Act adds new exposure: With strict cybersecurity requirements for providers and deployers of high-risk AI systems, non-compliance could see fines of up to EUR35m or 7% of turnover levelled at businesses.

Practical action for organisations

The report identifies a number of actions businesses can take to mitigate their risks in this complex space, including:

  • jurisdictional risk mapping
  • preparation for non-monetary sanctions
  • compliance audits
  • strengthening policies and reporting frameworks.

About the report

The report covers regulatory developments across multiple jurisdictions including the UK, EU member states, Switzerland, Saudi Arabia, South Africa, Turkey, and the UAE.

Stay ahead of regulatory developments—request a copy of the Insurability of cyber fines report today.
