
Who Pays When the Dam Opens

An assessment of the convergence failure between security governance, cyber insurance, and property insurance across Europe's critical infrastructure.

Slow-motion ice fracture, 1000 fps. Credit: Crustoff / iStock

Key Assessments

Cyber operations against European critical infrastructure increasingly produce physical consequences through operational technology: water discharge, power disruption, industrial process manipulation. The threat ranges from opportunistic hacktivist intrusions to state-directed campaigns. It falls into a governance dead ground where three systems fail simultaneously: security governance does not model it, cyber insurance excludes it, and property insurance excludes it.

The only coverage available for malicious cyber-physical damage sits in the terrorism and political violence insurance market, a product most critical infrastructure operators do not carry. The market has built a product for the gap and placed it behind a door that the governance framework does not know exists.

Lloyd’s 2023 war exclusion clauses (LMA5567A/B) have shifted coverage disputes from a binary “is this war?” determination to a threshold-based analysis of whether an attack causes “major detrimental impact” to a state’s essential services. For critical infrastructure operators, the class of incidents most likely to produce physical consequences is also the class most likely to trigger the exclusion.

NIS2 holds management bodies personally liable for cybersecurity resilience failures, including for a threat category that neither the governance framework nor the financial backstop is designed to address. This assessment proposes a convergence audit: three questions that reveal whether an organization’s most consequential risk category is governed, insured, both, or neither.


On 7 April 2025, hackers gained unauthorized access to the control systems of a dam facility at Lake Risevatnet in Bremanger, Norway, and manipulated its water discharge. Water flowed undetected for four hours. The Norwegian Police Security Service formally attributed the attack to pro-Russian actors. Norway’s support for Ukraine made its critical infrastructure a target in a hybrid conflict that does not distinguish between military and civilian systems.[1]

The physical consequence at Risevatnet was limited: no flooding, no casualties, no evacuations have been publicly reported. The incident demonstrates that the convergence seam exists. The Polish energy infrastructure attacks of December 2025, where a state-linked threat cluster came close to causing a sustained blackout, demonstrate that the seam is consequential.

The preceding assessment in this series diagnosed the Risevatnet failure as a governance problem: an ISMS calibrated to a threat environment that no longer exists.[2] That diagnosis was correct but incomplete. The Risevatnet incident sits at the intersection of three systems (security governance, cyber insurance, and property insurance), each designed to address part of the risk, none of which covers the whole. A cyber operation that manipulates a dam’s water discharge belongs to none of the categories the current architecture was built to handle. It produces a physical consequence through digital means, crossing the boundary between what the cybersecurity governance framework governs and what the physical safety framework governs, between what the cyber insurance policy covers and what the property insurance policy covers. In practice, no single system claims it.

I. Three Systems, One Void

The governance architecture around European critical infrastructure was built in layers, each addressing a domain that was, at the time of design, reasonably separable from the others. Convergence was never part of the blueprint.

The ISMS does not model it. The preceding assessment established that ISO 27001’s risk assessment methodology is structurally blind to geopolitical targeting logic; clause 4.1’s requirement to identify external issues relevant to the ISMS produces, in most implementations, a list of regulatory changes and technology shifts rather than an assessment of where the organization sits relative to active conflicts and alliance structures.[3] The cyber-physical dimension adds a second layer to that diagnosis. Even where an organization recognizes that it may be geopolitically targeted, the ISMS risk taxonomy does not naturally produce a risk entry that bridges cyber means and physical consequences. Information security and operational technology safety belong to different risk owners, governed through separate management reviews, tracked in separate risk registers. Even where a domain-specific OT standard exists (IEC 62443, designed for industrial automation and control system security), it operates in its own governance lane with its own risk owners and its own assessment cycle. IEC 62443 governs the security of industrial automation within its scope. It does not bridge to the ISMS management review, and it does not bridge to the insurance architecture. The convergence void survives even where 62443 is fully implemented, because the standard was not designed to close it. A threat that moves between these two domains crosses a seam that neither governance system monitors.

The BSI’s own data quantifies the exposure at that seam: 52% of German critical infrastructure operators had not reached minimum maturity requirements for attack detection systems.[4] The convergence failure is the current operating condition for the majority of the regulated market.

Cyber insurance was designed for a different domain. Standalone cyber insurance policies cover losses arising from cyber incidents: business interruption from system outages, data breach response costs, ransomware payments, forensic investigation, legal liability. Physical loss or damage to tangible property caused by a cyber act generally falls outside their scope.

The exclusion architecture described here is drawn primarily from the Lloyd’s market and LMA model clauses, which set the structural template for much of the global specialty insurance market. Continental European insurers operating outside Lloyd’s syndicates may use different policy wording, and the exclusion boundaries in German, Nordic, or French cyber and property markets have not been independently mapped in this assessment. The structural incentive that produces the exclusion (cyber insurers excluding physical damage, property insurers excluding cyber causes) operates independently of policy wording. The triple failure may present differently in specific jurisdictions. The logic that produces it does not.

The exclusion is deliberate, an architectural boundary in the insurance market. Cyber insurance was developed to cover a class of losses that property insurance did not address: the intangible, digital, information-layer consequences of cyber incidents. Property insurance covers physical damage to tangible assets. The two products were designed for different domains, and each excludes the other’s territory. A cyber operation that crosses the boundary, producing physical damage through digital means, falls between both products.

Lloyd’s of London has been explicit about this. A 2021 report on the emerging cyber threat to industrial control systems stated that it is “essential” that the market develops products to address the risk of cyber-physical losses.[5] A subsequent 2022 assessment of physical cyber risk in a changing geopolitical landscape detailed hypothetical scenarios in which geopolitical tensions lead to state-directed cyber-physical sabotage, concluding that such scenarios were “plausible.”[6] Lloyd’s own assessment is that the existing market for cyber-physical insurance remains “small and specialised.”[7] Most standalone cyber policies specifically exclude cover for physical damage.[8]

The exposure remains open. Lloyd’s has published no further assessment of the cyber-physical coverage boundary since 2022. Four years of silence after naming the problem is itself a market signal.

After NotPetya, property insurers drew the line. Property insurance (the “all risks” policies that cover physical loss or damage to insured assets) typically contains cyber exclusions. The NotPetya incident in 2017 caused an estimated $10 billion in damage globally and triggered years of litigation over whether cyber-caused losses fell within or outside property policy coverage. The insurance market moved to clarify the boundary.[9] The trend has been to exclude cyber-caused losses from property policies, either through specific cyber exclusions or through the absence of affirmative cyber coverage.

Some write-backs of cyber coverage are available in the international property market, but these typically cover physical damage caused by non-malicious cyber events: accidental system failures, software errors, operational mistakes. Damage caused by malicious cyber acts, the category that includes state-directed attacks on operational technology, generally remains excluded.[10]

The result is a protection boundary that Lloyd’s itself has mapped. Property insurance with appropriate endorsements may cover physical damage from non-malicious cyber events; standalone cyber insurance covers digital losses from cyber events. Physical damage from malicious cyber acts, whether caused by a hacktivist exploiting a default credential or a state actor deploying custom malware, falls between both products. The Risevatnet intrusion demonstrated the governance seam. The state-directed Polish energy infrastructure attacks of December 2025 demonstrated the consequence. Both produce the same category of uninsured loss.

II. The Only Coverage Is in the Wrong Market

The Lloyd’s Market Association responded to this boundary with two model endorsements: LMA5478A and LMA5479A, designed for use in the terrorism and political violence insurance market. LMA5478A covers physical damage arising from the use of any computer system to perpetrate an act of terrorism or sabotage. LMA5479A extends this to include resulting business interruption.[11]

The insurance market’s own solution to the cyber-physical protection failure sits in neither the cyber market nor the property market. It sits in the terrorism and political violence market, a specialized line that most critical infrastructure operators have never purchased and have no rational basis for purchasing without first concluding that their facility is a plausible target for state-directed sabotage. The market has no public track record of performance under these endorsements for a cyber-physical incident. Insurance settlements are routinely confidential, and the absence of public reporting is not proof of absence. But a board purchasing these endorsements is purchasing a product with no demonstrated claims history in the scenario class it is designed to cover.

That conclusion is precisely the one the ISMS cannot produce. Geopolitical targeting does not appear in the governance framework. No risk register entry models the scenario; no management review has assessed the organization’s position relative to adversary operational priorities. Without that assessment, the board has no basis for purchasing terrorism and political violence coverage, and without that coverage, the organization has no financial backstop for malicious cyber-physical damage. The market built a product for the gap and placed it behind a door that the governance framework does not know exists.

The word “gap” understates the problem. What exists here is a circular failure. The insurance product requires a risk assessment the ISMS does not perform, because the standard does not require it, because geopolitical targeting was never part of the design. The result is a convergence failure in which every system’s exclusion is justified by the existence of the others, and the risk itself has no institutional owner.

Marsh’s global survey data illustrates how few organizations have found their way through it. The average take-up rate for property terrorism insurance across all sectors fell to 38% in 2025. Among energy and mining companies, the sector that includes the dam operators, wind farms, and power plants actually targeted by cyber operations in the past year, the figure was 17%. That is the base product. The cyber-physical endorsement (LMA5478A/5479A) is a specialized extension within that already-thin market.[12] The Marsh figures are global; European-specific take-up data for terrorism and political violence coverage is not publicly reported. The structural disincentives against purchase are self-reinforcing: a governance framework that does not surface the need ensures the risk does not appear in the register. These dynamics apply regardless of jurisdiction. The percentage of energy operators carrying terrorism and political violence coverage with a cyber-physical damage endorsement is likely a fraction of an already-thin market.

The Risevatnet incident illustrates the lower bound. The attack was not a state-directed operation. It was a pro-Russian hacktivist group exploiting a weak password on an exposed human-machine interface. The sophistication was low. The physical consequence was limited but real: four hours of uncontrolled water discharge at a dam facility. If a low-sophistication actor using default credentials can cross the boundary between cyber means and physical consequence, then the convergence failure is not a tail risk specific to state-directed operations. It is a structural condition that exists across the entire threat spectrum. The Polish energy infrastructure attacks of December 2025, attributed to state-linked actors deploying significantly greater capability, demonstrate the upper bound.[13] The architecture fails at both ends.

Low take-up is not purely a visibility problem. Pricing, risk appetite, and the probability-weighted calculation that the premium may not justify the expected loss all play a role. The governance failure is nonetheless the primary bottleneck: even where an organization is aware of the risk in general terms, the ISMS does not produce the documented assessment that would justify the specific purchase to the board. A risk that does not appear in the risk register does not appear in the budget.

For the operator of a dam in Norway, a wind farm in Poland, a combined heat and power plant serving nearly half a million customers (the facilities that have actually been targeted in the past year, across the full spectrum from hacktivist to state-directed), the architecture offers no path from where they are to where the coverage is. Purchasing the right insurance requires reaching a conclusion their governance framework was never designed to produce. The organizations most likely to need the product are the least likely to know it exists.

III. The War Exclusion Compounds the Exposure

The protection failure for cyber-physical damage exists independently of the war exclusion question. But the war exclusion makes it worse.

Following the Merck v. ACE American litigation, in which the pharmaceutical company successfully argued that its insurers could not deny coverage for $1.4 billion in NotPetya losses under a traditional war exclusion, the insurance market moved to clarify the treatment of state-backed cyber operations.[14] Lloyd’s Market Bulletin Y5381, issued in 2022, required that from March 2023, all standalone cyber-attack policies must contain an exclusion for state-backed cyber operations that significantly impair a state’s ability to function or its security capabilities.[15]

The LMA5567A/B model exclusion clauses operationalize this requirement. They shift the coverage determination from the old binary question (is this war, or is it not?) to a threshold-based analysis. The exclusion applies where a cyber operation, attributable to a state, causes “major detrimental impact” on the essential services or security of an “impacted state.” Coverage disputes now turn on temporal proximity, functional consequence, and the geographic mapping of impact: whether the attack was immediately preparatory to a conflict, whether the state’s functioning was significantly impaired, and which state’s essential services were affected.[16]

For European critical infrastructure operators, this creates a compounding problem. The class of cyber operations most likely to produce physical consequences (state-directed attacks on operational technology in energy, water, and transport infrastructure) is also the class most likely to trigger the state-backed exclusion. The Norwegian dam attack was formally attributed to pro-Russian actors by the Norwegian Police Security Service. The Polish energy infrastructure attacks of December 2025 were attributed by CERT Polska to a Russian state-linked threat cluster, independently linked to Sandworm by multiple vendors, and described by Poland’s Digital Affairs Minister as coming “very close to a blackout,” though electricity generation at affected sites continued.[13] The operational pattern extends back a decade: Sandworm conducted cyber-physical attacks against the Ukrainian power grid in 2015 and 2016, causing blackouts affecting hundreds of thousands of civilians.[17] The governance and insurance architecture has had ten years to adapt to this threat category and has not. These are exactly the incidents that the LMA5567A/B exclusion was designed to address.

An organization that suffers a state-directed cyber-physical attack may find that its cyber policy excludes the physical damage, its property policy excludes the cyber cause, and even if the cyber policy would otherwise cover some portion of the loss, the state-backed exclusion removes it. The financial backstop for the most consequential threat category facing European critical infrastructure may, under current policy architecture, be zero.

IV. Personal Liability Without a Path to Coverage

NIS2 enters this picture as an accelerant.

Under the directive, management bodies of essential and important entities are directly accountable for cybersecurity measures. Members of the management body may be held personally liable for damages caused by culpable conduct. Fines reach €10 million or two percent of annual turnover. National competent authorities may conduct security audits and, in certain member states, temporarily bar individuals from exercising managerial responsibilities until the entity remediates identified deficiencies.[18][19] No NIS2 enforcement actions targeting governance adequacy have been publicly reported. The liability chain is legally sound but practically untested.

The directive requires risk management measures that follow an all-hazards approach, incident reporting within twenty-four hours, supply chain security, business continuity management, and management oversight of implementation.[20] These are process requirements. They tell the management body what to do, and they are silent on what to do when the governance framework cannot model the risk and the insurance framework cannot cover it.

A board member at a European critical infrastructure operator now faces the following position. The organization is required by law to manage cybersecurity risk, and the board member is personally liable for its failure to do so. The most consequential cyber risk the organization faces is a state-directed operation targeting its operational technology to produce physical consequences. The ISMS risk assessment methodology does not naturally model it. The cyber insurance policy may exclude the physical damage; the property insurance policy may exclude the cyber cause. The war exclusion may remove whatever residual coverage remains. Each system has a structural reason to exclude the same risk. The board member carries personal liability for the resilience outcome without a governance tool that identifies the exposure or a financial instrument that transfers it.

The Allianz D&O Insurance Insights 2026 report notes that NIS2 increases the personal accountability for directors and officers, who are now directly responsible for overseeing cybersecurity and risk management.[21] Seventy-two percent of security leaders surveyed in the United States and the United Kingdom had taken out personal indemnity insurance to protect themselves from potential litigation arising from cyber incidents broadly, not only from the convergence failure mapped here.[22] No equivalent survey of European security leaders has been published. The behavioral signal (individual actors purchasing personal protection against structural failures they cannot remediate from within the system) is not jurisdiction-dependent, though the liability regime under NIS2 differs materially from the US and UK frameworks that produced these figures.

The pattern is diagnostic of a specific structural failure: a director facing personal liability for a risk the ISMS cannot model and insurance cannot cover has exactly three options. Accept the residual risk and document the decision. Transfer it, if a product exists that the governance framework can identify. Or lobby for structural change to the architecture that produced the exposure.

V. A Convergence Audit

The circular failure diagnosed in Section II (where the insurance product requires a risk assessment the governance framework cannot produce) has no internal correction mechanism. The convergence audit is an external one. What follows is a set of questions that, if a management body asked them today, would reveal whether their organization sits in that dead ground, and how deep.

Where does the cyber-physical boundary run? Every critical infrastructure operator has operational technology systems whose compromise could produce a physical consequence (water discharge, power interruption, chemical process alteration). In most organizations, these systems have a safety owner and a security owner, different people in different reporting lines with different risk registers. The question for each system is the same: does any one person or governance body own the combined risk of a cyber operation producing a physical outcome through it? Where the answer is no (and in most implementations it will be no), that is the first finding. At Risevatnet, water flowed undetected for four hours, evidence that no effective governance body owned that boundary before the incident or during the exploitation.

Where does the insurance boundary run? For each cyber-physical scenario the first question surfaces, existing coverage must be tested against the specific scenario, not against “cyber risk” in the abstract. A state-attributed attack on a SCADA system that causes a four-hour uncontrolled water discharge. A ransomware incident that locks out safety systems in a chemical plant during active production. The relevant question is whether the specific policy, with its specific exclusions, covers the specific scenario. Where the answer is no (and in most critical infrastructure policies it will be no), that is the second finding.

Does the war exclusion close the last door? For organizations in sectors that have been the subject of state-directed targeting (energy, water, transport, telecommunications), the question is whether a plausible incident would trigger the state-backed exclusion under the organization’s actual policy wording. The clause in the contract the organization signed, not the model clause. If a plausible scenario falls within the exclusion parameters, the organization cannot rely on the cyber policy as a financial backstop for that scenario. That is the third finding.

Taken together, three questions and three findings tell the management body whether the organization’s most consequential risk category is governed, insured, both, or neither. The answers will often be ambiguous; policy wording is contested, thresholds are undefined, and coverage determinations depend on facts that do not yet exist. The third question in particular requires insurance-law expertise that most organizations do not hold internally; this is something a board commissions, not something a CISO runs alone. The value is in forcing these questions onto the management agenda, where the current architecture places none of them.

Under NIS2, that knowledge is not optional. The management body must approve and oversee cybersecurity measures. These three questions give the board the documented basis for a decision it is legally required to make, one that the current architecture provides no other mechanism to inform.


Three forces could break the equilibrium. A major cyber-physical coverage dispute reaching litigation could force the insurance market to absorb the risk through case law, the same way Merck v. ACE American forced the redesign of the war exclusion. A member state competent authority could interpret NIS2’s all-hazards requirement to explicitly include cyber-physical scenarios, breaking the equilibrium from the governance side. A cyber-physical incident large enough to produce political consequences (a sustained blackout, a contaminated water supply, casualties) could generate the regulatory pressure that voluntary market adaptation has not. None has yet materialized.

There is a counterargument. The insurance market may have correctly identified cyber-physical damage from state-linked operations as an uninsurable tail risk, the same category as nuclear incidents or pandemics, where commercial insurance was never going to be the solution and the backstop properly belongs to the state. The precedents exist: Pool Re for terrorism in the United Kingdom, the Terrorism Risk Insurance Act in the United States, government-backed reinsurance for natural catastrophe in several European jurisdictions. If the risk is genuinely uninsurable at commercial scale, the exposure is not a market failure but a correct pricing signal that the backstop must come from the sovereign. This assessment does not resolve that question. But even if the answer is sovereign rather than commercial, the governance failure remains: a board cannot decide whether to lobby for a backstop, purchase the existing terrorism and political violence product, or formally accept the residual risk if the ISMS does not identify the exposure in the first place. The insurance question is open. The governance bottleneck is not.

Whether the answer is commercial or sovereign, neither path opens without the governance bottleneck breaking first. The convergence audit is the prerequisite for both.

The equilibrium holds because every actor in it has a rational reason not to move. The standard-setter would need to absorb a threat category it was not designed to govern. Insurers spent a decade building the exclusion architecture that produces the void; reversing it means pricing a risk they deliberately shed. No regulator has yet defined the requirement that would force convergence. The cost of breaking this equilibrium falls on whoever moves first, while the cost of maintaining it falls on the operator and the director who carries personal liability for the outcome. That allocation is the architecture’s final product.


[1] PST (Norwegian Police Security Service) Chief Beate Gangås, public attribution at Arendalsuka national policy forum, August 2025. Investigation by Kripos and NSM. Incident date: 7 April 2025, Lake Risevatnet dam, Bremanger municipality. Reported in VG, Aftenposten, Associated Press, Politico. Referenced in World Economic Forum, Global Cybersecurity Outlook 2026, Section 3.2.

[2] Leonard Gráf, “Peacetime Architecture: Why the ISMS Fails in a Geopolitical Threat Environment,” April 2026.

[3] Gráf, “Peacetime Architecture,” Section II: The Geopolitical Blind Spot. ISO 27001 clause 4.1 and clause 6.1 analysis.

[4] BSI, “Die Lage der IT-Sicherheit in Deutschland 2025” (Lagebericht 2025). 48% of critical infrastructure operators had reached maturity level 3 (the minimum standard) for attack detection systems. The figure measures detection capability across critical infrastructure operators, including at the OT layer where cyber-physical attacks originate.

[5] Lloyd’s of London, “The Emerging Cyber Threat to Industrial Control Systems,” 2021.

[6] Lloyd’s of London, “Shifting Powers: Physical Cyber Risk in a Changing Geopolitical Landscape,” June 2022. The report concluded that ransomware attacks by state-backed proxies and state-on-state cyber-physical sabotage were both “plausible” scenarios.

[7] Lloyd’s of London, “Shifting Powers: Physical Cyber Risk in a Changing Geopolitical Landscape,” June 2022: “the existing market for cyber physical cover is small and specialised.”

[8] ICLG, Insurance & Reinsurance Laws and Regulations Report 2025, Chapter 1, confirms that most standalone cyber policies “specifically exclude cover for physical damage and related Business Interruption stemming from digital interference.”

[9] The NotPetya attack of June 2017 caused an estimated $10 billion in damage globally. Merck & Co. estimated its losses at $1.4 billion. Mondelēz estimated losses exceeding $100 million. Both companies litigated coverage under property insurance policies. Merck v. ACE American Insurance Co., New Jersey Superior Court.

[10] ICLG, Insurance & Reinsurance Laws and Regulations Report 2025, Chapter 1. ICLG characterizes prevailing market practice as follows: write-backs of cyber coverage in the property market “typically only cover physical damage caused by non-malicious cyber risks (e.g. accidental system failure), leaving assets uninsured in respect of loss or damage caused by [malicious] cyber acts.” This is ICLG’s summary of market terms, not a direct quotation from LMA model clause language.

[11] Lloyd’s Market Association model endorsements LMA5478A and LMA5479A. LMA5478A covers physical damage “arising from the use of any computer, computer system, software or programme or any other electronic system to perpetrate an act of terrorism or sabotage.” LMA5479A extends coverage to include resulting business interruption.

[12] Marsh, Global Terrorism Risk Insurance Report 2026. Global survey. Property terrorism insurance take-up rates declined from 56% in 2021 to 38% in 2025. Energy and mining sector take-up was 17%, the second lowest of all sectors surveyed. Reported in Business Insurance, “Terrorism insurance take-up rates fall in five years: Marsh,” March 2026.

[13] CERT Polska, Energy Sector Incident Report, 29 December 2025, published 30 January 2026. Attribution to Static Tundra (FSB Center 16). Independent attribution to Sandworm/ELECTRUM (GRU Unit 74455) by ESET and Dragos with medium confidence. These attributions point to different Russian intelligence services; the discrepancy is unresolved in the open-source record. Polish Digital Affairs Minister Krzysztof Gawkowski stated the attack came “very close to a blackout.” CISA amplified CERT Polska’s findings in a February 2026 advisory to US critical infrastructure operators.

[14] Merck & Co. v. ACE American Insurance Co. New Jersey Superior Court ruled January 2022 that the war exclusion did not apply to the NotPetya attack. Affirmed by state appellate court, May 2023. Settlement reached January 2024 prior to New Jersey Supreme Court review. Terms undisclosed. Reported in Bloomberg Law, Cybersecurity Dive, Recorded Future News.

[15] Lloyd’s Market Bulletin Y5381, 2022. Effective from 31 March 2023 for all standalone cyber-attack policies.

[16] LMA, “War, Cyber War and Limited Cyber Operation Exclusion No. 4” (LMA5567A/B), published 20 January 2023. The clause defines an “Impacted State” as a sovereign state in which a cyber operation has had a “major detrimental impact” on the ability of that state to provide essential services or on its security or defence capabilities. The LMA deliberately left “major detrimental impact” undefined, referencing UK Critical National Infrastructure guidelines as the intended threshold. See also: Cyber Insurance Academy, “LMA5567A/B: A 2026 Market Update,” February 2026, for analysis of the shift from “war” framing to “threshold” framing. Lloyd’s Market Bulletin Y5433, May 2024, refined expectations as the market implemented the model clauses.

[17] Sandworm (GRU Unit 74455) conducted the first confirmed cyber-physical attack on a power grid on 23 December 2015, causing a blackout affecting approximately 230,000 customers in western Ukraine. A second attack on 17 December 2016 targeted a transmission substation in northern Kyiv. Both attacks produced physical consequences (power outages) through cyber means (malware-enabled manipulation of SCADA systems). ESET, Dragos, and the US Department of Energy attributed both incidents to Sandworm.

[18] NIS2 Directive, Articles 20 and 32. German NIS2 Implementation Act (NIS2UmsuCG), penalty provisions, effective 6 December 2025.

[19] NIS2 Directive, Article 32(5)(b). Competent authorities may temporarily prohibit any natural person responsible for discharging managerial responsibilities at chief executive officer or legal representative level from exercising managerial functions in that entity until it remediates identified deficiencies. See also ICLG, Cybersecurity Laws and Regulations Report 2026, Chapter on NIS2, for member state implementation analysis.

[20] NIS2 Directive, Article 21. Ten minimum cybersecurity risk-management measures including risk analysis, incident handling, business continuity, supply chain security, and management body oversight.

[21] Allianz Commercial, Directors and Officers Insurance Insights 2026, December 2025. NIS2 increases the personal accountability for directors and officers, who are directly responsible for overseeing cybersecurity and risk management.

[22] Panaseer, “2025 Security Leaders Report,” November 2024. Survey of 400 CISOs in US and UK organizations. 72% reported taking out personal indemnity insurance. Reported in Infosecurity Magazine, “CISOs Turn to Indemnity Insurance as Breach Pressure Mounts.”

This post is licensed under CC BY 4.0 by the author.