‘Businesses need to understand how fines and penalties are treated across jurisdictions and ensure that their governance, reporting and compliance frameworks are robust,’ says head
While EMEA-based businesses are the most likely in the world to face cyber-related regulatory fines, the regionally diverse set of laws that govern cyber compliance is making it hard for insurers to protect against such risks.

This is according to a joint report from professional services firm Aon and global law firm A&O Shearman, titled The Insurability of Cyber Fines, which was released yesterday (4 February 2026).
Indeed, the report found that firms may be governed by rulesets including GDPR, NIS2, DORA, the Cyber Resilience Act, the EU AI Act and other sector-specific frameworks, with UK firms additionally obligated by the UK Cyber Security and Resilience Bill.
A serious breach of the EU AI Act alone can result in fines of up to 7% of global turnover, with other penalties potentially stacking.
However, the report highlighted that “many penalties are only insurable to the extent permitted by law”, leaving organisations “liable for regulatory fines even if they hold cyber insurance”.
The authors therefore called for alignment with other areas of cyber cover – such as breach notification, investigation, business interruption, remediation and defence – which are more insurable, thereby narrowing the gap between regulatory risk and insurable protection.
Evolving landscape
David Molony, head of cyber solutions EMEA at Aon, said: “Cyber risk is not just about the likelihood of an attack or data breach; businesses should also consider the financial and reputational impact of regulatory consequences.
“Organisations that integrate incident response planning with risk oversight and cross-functional coordination are better positioned to absorb shocks and to maintain operational resilience amid an increasingly complex environment.”
Pablo Constenla, head of coverage and claims for cyber and financial lines at Aon in EMEA, added: “The regulatory landscape for cyber is evolving rapidly, with regulators taking a much more hands-on approach to enforcement, from testing technical controls to imposing penalties, which could also boost third-party liability.
“Businesses need to understand how fines and penalties are treated across jurisdictions and ensure that their governance, reporting and compliance frameworks are robust enough to withstand scrutiny.”
