LONDON, 4 February 2026 – Aon plc (NYSE: AON), a leading global professional services firm, has released ‘The Insurability of Cyber Fines’, a joint report with global law firm A&O Shearman, that found businesses located in or with operations in EMEA are facing greater exposure to cyber-related fines. With the rise of cyber incidents across sectors and jurisdictions, new regulations are increasing the likelihood of significant fines and penalties for both organisations and senior executives who fail to ensure compliance.
The report found that while exposure to cyber fines is expanding rapidly, the insurability of those fines remains uncertain and highly specific to differing jurisdictions. Many penalties are only insurable to the extent permitted by law, leaving organisations potentially liable for regulatory fines even if they hold cyber insurance. By contrast, defence, investigation, breach notification, business interruption and remediation costs are more consistently covered, highlighting a widening gap between regulatory risk and insurable protection.
The report’s findings follow Aon’s 2025 Global Risk Management Survey which ranked cyber-attacks and data breaches as the top emerging risk for EMEA-based businesses.
Regulatory scope is expanding
While GDPR remains the cornerstone of cyber enforcement, organisations now face obligations under NIS2, DORA, the Cyber Resilience Act, sector-specific regimes and the EU AI Act. Comparable frameworks are also developing globally, including the UK Cyber Security and Resilience Bill, South Africa’s POPIA and Cybercrimes Act, and Saudi Arabia’s PDPL, ACCL, and TITA regulations. Breaches under the EU AI Act can trigger fines of up to 3 percent, or 7 percent of global turnover for prohibited practices, on top of penalties under GDPR, NIS2 and DORA.
Enforcement is increasingly assertive, technical and multi-layered
Authorities are now testing technical and governance controls, from access management and incident logging to breach notification and incident response readiness. Non-monetary sanctions, such as operational suspensions, management bans, or public enforcement decisions, can be as disruptive to businesses as monetary fines and are generally not insurable.
The need for practical action is urgent
Boards and senior management now face heightened accountability for governance, oversight and preparedness. Activities such as jurisdictional risk-mapping, compliance audits, ‘tabletop’ exercises, regulator engagement, policy and coverage optimisation, as well as robust governance of suppliers are all central to mitigating cumulative regulatory and litigation exposure to cyber fines.
Pablo Constenla, head of coverage and claims for cyber and financial lines at Aon in EMEA, said:
“The regulatory landscape for cyber is evolving rapidly, with regulators taking a much more hands-on approach to enforcement, from testing technical controls to imposing penalties - which could also boost third party liability. Businesses need to understand how fines and penalties are treated across jurisdictions and ensure that their governance, reporting and compliance frameworks are robust enough to withstand scrutiny.”
David Molony, head of cyber solutions EMEA at Aon, said:
“Cyber risk is not just about the likelihood of an attack or data breach, businesses should also consider the financial and reputational impact of regulatory consequences. Organisations that integrate incident response planning with risk oversight and cross-functional coordination are better positioned to absorb shocks and to maintain operational resilience amid an increasingly complex environment.”
‘The Insurability of Cyber Fines’ is available here.
About Aon
Aon plc (NYSE: AON) exists to shape decisions for the better — to protect and enrich the lives of people around the world. Through actionable analytic insight, globally integrated Risk Capital and Human Capital expertise, and locally relevant solutions, our colleagues provide clients in over 120 countries with the clarity and confidence to make better risk and people decisions that protect and grow their businesses.