By Ingo Trede, European head of technical underwriting, and Audrey Louche, cyber underwriter, Alta Signa.
A surge in AI-driven threats, a rapidly evolving regulatory landscape, and persistently soft market conditions are combining to stoke robust debates in the European cyber insurance sector.
Amid rising demand and increasing awareness, insurers are under pressure to deliver both protection and proactivity - balancing competitive pricing with the need for underwriting discipline, exposure and aggregation management, as well as innovation.
Cyber insurance across Europe is currently experiencing a soft market. Premiums are declining, capacity is abundant, and competition is intense—particularly in mature markets such as France, where clients benefit from greater choice and stronger negotiating power.
While this is advantageous for buyers in the short term, the long-term sustainability of such pricing is uncertain. Some coverage elements being included go beyond typical “extensions” and resemble coverage from entirely different lines of business—often inadequately priced. For example, the inclusion of property damage or crime-related risks could significantly affect loss development and overall portfolio performance over the medium term.
The growing pressure to weaken or remove exclusions for systemic or widespread events further complicates the landscape. Just a few years ago, such exclusions were considered essential to make cyber risks insurable. Today, many underwriters warn that a market correction is likely inevitable, whether triggered by tightening capital conditions or a major loss event.
Insurers are being urged to maintain underwriting discipline amid the temptation to grow volume at the expense of risk management. Bespoke offerings and “active insurance” services - such as vulnerability assessments and ongoing risk mitigation support - are becoming key differentiators, allowing carriers to provide value beyond simple indemnity. However, with rates under pressure and losses mounting, some fear that the market is not pricing risk appropriately, particularly as the threat landscape continues to evolve at speed.
AI and the Escalating Threat Landscape
Artificial intelligence is reshaping both the tools of cyber defence and the methods of attack. On one hand, AI enables faster detection and response to anomalies; on the other, it is empowering cybercriminals to launch more convincing and scalable attacks. Deepfakes, autonomous phishing, and AI-powered ransomware are already pushing the boundaries of traditional risk models.
Insurers are grappling with how to quantify these risks, and how to price them appropriately. The European Commission’s AI Act, which came into force in August 2024, is the world’s first comprehensive framework regulating AI. It imposes obligations on firms deploying AI systems in the EU, including risk assessments, technical documentation, and AI literacy requirements. While many of its provisions will only be enforceable from 2026, some - like employee training requirements - began as early as February 2025.
The implications for cyber underwriting are profound. Insurers will need to assess not just the AI risk of the insured’s operations, but also their regulatory preparedness. This is particularly pressing for companies with customer-facing AI tools or those using AI for decision-making in financial services or healthcare.
Regulatory Overhaul: DORA and the Drive for Resilience
At the regulatory level, 2025 also marked the beginning of enforcement for the EU’s Digital Operational Resilience Act (DORA). Applicable from January 17, 2025, DORA imposes sweeping requirements on financial entities, including insurance firms, to build operational and cybersecurity resilience. It mandates the classification of ICT incidents, the implementation of third-party risk frameworks, and direct oversight of critical ICT service providers.
Insurers must therefore consider not only their clients’ cyber hygiene but also their broader compliance posture. Failure to meet these standards could increase exposure to regulatory action - particularly in the event of a breach involving outsourced service providers or poorly governed AI systems.
Security Spending Soars, But So Do Expectations
According to IDC, security spending in Europe is set to grow by 11.8% year-on-year in 2025, reaching nearly $97 billion by 2028. This uptick is driven by heightened cybercrime, geopolitical instability, and a tightening regulatory environment. The EU has also committed €1.3 billion under its DIGITAL programme (2025–2027) to boost cybersecurity and digital resilience.
These investments highlight growing awareness among firms, but they also raise the bar for insurers. Clients expect more than just a financial backstop - they want guidance, proactive protection, and specialist insight. In this context, the line between insurer, risk advisor, and tech partner is blurring.
Looking Ahead: Correction or Continuation?
The cyber insurance market in Europe is rich with opportunity, but equally fraught with complexity. Capacity remains strong, and demand is rising, but so too are the risks. AI will test traditional models, regulation will raise compliance stakes, and without a catalyst - like a systemic loss event - pricing discipline may remain elusive. High-quality underwriting on a case-by-case basis is therefore critical.
Whether 2026 becomes a turning point or a continuation of the current trend will depend on how quickly insurers can adapt, differentiate, and guide clients through the storm.
In the US market, which usually serves as a decent frontrunner to base expectations on, significant rate reductions at least appear to be slowing and the market is stabilising. In the long run, the winners will be those who embrace innovation while staying anchored in proactive cyber risk understanding, exposure management and underwriting fundamentals.