Cyber Insurance for SMEs: legal obligations and best practices to protect your data

CyberSME Insurance: Legal Obligations and Best Practices to Protect Your Data

GDPR and NIS 2 impose strict cybersecurity requirements on SMEs; cyber insurance that covers crisis costs and third-party liability complements these obligations but does not replace them.

For an SME, a cyber attack can mean business interruption, data loss, GDPR fines, and reputational damage. Recent regulatory changes (GDPR, NIS 2, the 2024 LPM law) strengthen incident prevention and reporting obligations. Cyber insurance is therefore the last safety net: it finances incident response, forensic expertise, system restoration, and compensation of third parties. This guide covers the French and European legal framework, the key guarantees of an SME cyber contract, and the best practices recommended by ANSSI and CNIL to limit claims and optimize your premium.


Why cyber insurance is essential for SMEs

Ransomware attacks have doubled in France since 2022, according to the CNIL and ANSSI, and GDPR penalties can reach €20 million or 4% of global annual turnover, whichever is higher. At the same time, the European NIS 2 directive widens the scope of regulated "essential" and "important" entities and sets fines of up to €10 million or 2% of turnover for essential entities. Faced with these financial risks, 63% of French SMEs are considering taking out cyber insurance in 2025.

The legal framework to know

GDPR and security obligations

Any data controller must implement "appropriate technical and organizational measures" (Art. 32) and notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (Art. 33). The CNIL regularly sanctions companies for insufficient security (a €40,000 fine in December 2024, for example).

NIS 2 Directive (transposition 2024-2025)

The new directive imposes on SMEs operating in the listed sectors (transport, health, digital, etc.), as "important" or "essential" entities:

  • a documented, regularly reviewed risk analysis,
  • a vulnerability management and disclosure policy,
  • an early warning of significant incidents within 24 hours, followed by a fuller notification within 72 hours.

Other texts

  • LPM 2024 Law: cybersecurity obligations for providers of critical digital services.

  • Insurance Code: obligation to offer cyber coverage in certain multi-risk contracts (law of March 3, 2022).


What does SME cyber insurance cover?

A sound contract has two components:

"First-party expenses" section (the insured's own costs):

  • forensic investigation and crisis management (ransomware, DDoS),
  • IT restoration and business interruption,
  • ransom payments (subject to applicable legislation).

"Liability" section (costs owed to others):

  • damage to third parties (data leak, GDPR claims),
  • defense costs and fines, where insurable*,
  • e-reputation damage.

*Administrative sanctions remain uninsurable, but defense costs are covered. Note also that under the French Insurance Code (Art. L.12-10-1, introduced by the LOPMI law of January 24, 2023), indemnification of losses caused by an attack on an information system is conditional on the victim filing a criminal complaint within 72 hours of becoming aware of the attack.

Best practices to reduce risk and premium

Governance & awareness

Train employees every year to recognize phishing and fraudulent e-mails.

ANSSI IT Hygiene

Apply ANSSI's 12 essential rules (strong passwords, timely updates, tested backups, secured Wi-Fi, and so on).

Continuity/recovery plan

Document a business continuity plan (PCA) and a disaster recovery plan (PRA) to limit business interruption; insurers frequently make this a contractual requirement.

Regular testing and audits

An annual vulnerability audit can reduce the premium by up to 15% with several specialist insurers.


Subscribe with KT Assur&Bank: 3-step process

  1. Cyber diagnosis for SMEs: maturity questionnaire and estimate of potential losses.
  2. Program setup: choice of cover limits (€500k to €10M) and options (BCR, fraud, e-reputation).
  3. 24/7 incident support: access to a team of IT and legal experts in under 2 hours.

Conclusion

Between GDPR, NIS 2, and the rise of ransomware, cyber insurance has become a pillar of risk management for SMEs. By combining a tailored contract with ANSSI/CNIL best practices, managers reduce their financial exposure and demonstrate their compliance to regulators and customers.
