NEWSLETTER #6

From Cyber Incidents to Systemic Risk

Europe is entering a decisive phase in its approach to cybersecurity, one in which cyber threats are no longer viewed as isolated technical incidents but as systemic risks with direct implications for economic stability, market confidence and insurability. For the insurance sector in particular, the escalation of ransomware, the growing geopolitical dimension of cyber operations and the increasing dependence on complex digital supply chains have exposed the limits of traditional cyber risk modelling. Correlated losses, opaque dependencies, and uneven cybersecurity maturity across sectors have made predictability more difficult precisely at a time when demand for cyber insurance is growing.

CSA2 as Europe’s Strategic Reset

The Cybersecurity Act 2 (CSA2) represents a strategic response to this challenge. Instead of adding fragmented obligations, CSA2 seeks to modernise Europe’s cybersecurity architecture by strengthening governance, reforming certification and addressing ICT supply chain risk at the Union level. Its significance for insurers lies not only in its individual provisions, but also in how it complements and reinforces the broader regulatory ecosystem shaped by DORA and NIS2. Together, these frameworks reshape the environment in which cyber risk is assessed, priced, and transferred. CSA2 emerges against a backdrop of mounting pressure. In recent years, cyber incidents

Read More »