Cyber fines piling up in EMEA, but insurance may not cover them

New report exposes a widening gap between regulatory risk and the protections most policies actually provide

By Kenneth Araullo

Businesses operating in EMEA face increasing exposure to regulatory penalties that may not be covered by existing cyber insurance policies – a gap that has widened as enforcement activity intensifies across the bloc and new frameworks come into force.

A report produced jointly by Aon and global law firm A&O Shearman found that while exposure to cyber fines is expanding, the insurability of those penalties remains uncertain and varies by jurisdiction.

Many fines are only insurable to the extent permitted by local law, leaving organisations potentially liable even if they hold cyber insurance.

Defence, investigation, breach notification, business interruption, and remediation costs are more consistently covered under cyber policies. The report identifies this as a widening gap between regulatory risk and insurable protection.

The warning comes as European data protection authorities continue to levy significant penalties. According to industry data, regulators issued roughly €1.2 billion in GDPR fines during 2025, bringing total penalties since the regulation came into force in 2018 to approximately €7.1 billion.

Ireland's Data Protection Commission fined TikTok €530 million for transferring European users' personal data to servers in China without adequate protections. Meta was hit with a €479 million fine by a Madrid court for unlawfully processing user data, while France's CNIL fined Google €200 million for placing advertisements disguised as emails into Gmail inboxes without valid consent.

The coverage gap exists despite projections that the worldwide cyber insurance sector will surpass $30 billion by the end of the decade. Allianz Commercial has noted that overall adoption rates remain modest, with many companies unaware of the breadth of coverage offered.

Regulatory timelines

Organisations now face compliance requirements under multiple frameworks beyond GDPR. The Digital Operational Resilience Act has been in force since January 17, 2025, while the NIS2 Directive required member states to transpose its provisions into national law by October 2024 – though as of June 2025, only 14 EU member states had fully done so.

The EU AI Act follows a phased implementation, with prohibited AI systems banned from February 2025 and full compliance required by August 2027.

Breaches can trigger fines of up to 3% of global turnover, or 7% for prohibited practices – penalties that may apply on top of fines under GDPR, NIS2, and DORA.

Comparable regimes are also developing in the UK, South Africa, and Saudi Arabia.

Governance and mitigation

The report noted that enforcement has become more assertive, with authorities now testing technical and governance controls. Non-monetary sanctions such as operational suspensions, management bans, and public enforcement decisions can disrupt business operations and are generally not insurable.

Pablo Constenla (pictured above), head of coverage and claims for cyber and financial lines at Aon in EMEA, said regulators are taking a more hands-on approach.

"Businesses need to understand how fines and penalties are treated across jurisdictions and ensure that their governance, reporting and compliance frameworks are robust enough to withstand scrutiny," he added.

David Molony, head of cyber solutions EMEA at Aon, said organisations that integrate incident response planning with risk oversight and cross-functional coordination are better positioned to maintain operational resilience.
