Cyber insurance covers the financial damage of cyber incidents, such as repair costs, loss of turnover and liability to third parties. For a Belgian SME with 50 to 250 employees, annual premiums range from €2,500 to €35,000, depending on size and security level. But a policy without proper security is worthless: insurers deny claims for negligence, and the stronger your security, the lower your premium.
As a business owner, should you invest in security, buy cyber insurance, or both? The short answer: both, but in the right order. Security first, then insurance. The Belgian insurance market for cyber insurance in 2026 is more stringent than ever. Insurers set concrete security requirements before offering you a policy, and reject claims for demonstrable negligence. At the same time, the VLAIO Cybersecurity Barometer shows that 45.8% of Flemish companies were victims of a cyber-attack. This article will help you make an informed choice from the perspective of cybersecurity experts, not an insurer.
What is cyber insurance and what does it cover?
Cyber insurance (also called cyber policy or cyber risk insurance) compensates for the financial consequences of a cyber incident. Unlike traditional business insurance, which covers physical damage, cyber insurance focuses specifically on digital risks. Coverage is typically made up of five sections.
Own damage (incident response) includes the costs of forensic investigation, legal assistance and restoration of systems and data. If your company is affected by ransomware, for example, this module reimburses the hiring of specialists to find the cause and repair the damage.
Business interruption offsets lost revenue during downtime. For a manufacturing company, each day of downtime can cost tens of thousands of euros. According to Belgian market data, 81% of cyber incidents are limited to less than €20,000 in damage, but in 3% of cases the bill exceeds €1,000,000.
Third-party liability covers claims for damages from customers, suppliers or other parties when their data is leaked. If your customer database ends up on the street, affected individuals can hold you liable. Also read our guide on what to do in the event of a data breach.
Cyber extortion is an optional module in many policies that reimburses costs around ransomware negotiations. Note that reimbursement for the ransom itself is increasingly limited or excluded in 2026. Insurers don’t want to feed the criminal economy.
Notification and PR costs cover mandatory notification to data subjects and communication to the press and public. In the event of a serious data breach, professional crisis management can make the difference between reputational damage and a controlled resolution.
What cyber insurance doesn’t cover
This is the information you won’t find on an insurer’s product page, but is crucial to your decision. Exclusions are more sharply defined than ever in 2026.
Known, unpatched vulnerabilities are a standard exclusion. If your systems are affected via a security vulnerability for which an update has been available for weeks, the insurer may deny your claim. The time between publication of a software vulnerability and active exploitation has dropped to an average of five days. Insurers expect critical patches to be installed within 48 to 72 hours.
Negligence is the biggest risk of claim rejection. No multi-factor authentication (MFA), no working backups, no security awareness training for employees: these are all reasons why an insurer may decide not to pay out. The standard is the diligence of a “good family man.”
Government fines are unlikely to be insurable. Despite commercial claims by some providers, the legal reality in Belgium remains that both GDPR fines (up to 4% of global turnover) and NIS2 fines (up to €10 million) are generally not covered. The Belgian insurance contract law prohibits coverage of criminal fines, and administrative fines of a repressive nature are generally equated with these. You can insure against the costs of investigation and legal defense, but you will pay the fine itself out of your own resources.
State-sponsored attacks (war exclusions) and failure of public infrastructure (Internet, electricity) are also excluded by default. And scams without technical hacks, such as CEO fraud, often require separate fraud insurance.
What does cyber insurance cost for a Belgian SME?
In 2026, the premium for cyber insurance will no longer be a fixed amount, but a direct reflection of your security level. Companies with strong security will pay significantly less than those that do not have the basics in order. Specialist Vanbreda Risk & Benefits reported a stable cyber portfolio volume of €17.1 million in 2025, but analysts at S&P Global Ratings estimate that high-risk companies can expect premium increases of 15% to 20% in 2026.
For a Belgian SME with 50 to 250 employees and an average security level, the following indicative annual premiums apply:
| Company size | Insured capital | Annual premium (indication 2026) | Deductible (own risk) |
|---|---|---|---|
| 50 to 100 employees | €1,000,000 | €2,500 to €5,500 | €5,000 to €10,000 |
| 100 to 175 employees | €2,500,000 | €6,000 to €12,000 | €15,000 to €25,000 |
| 175 to 250 employees | €5,000,000 | €15,000 to €35,000 | €25,000 to €50,000 |
Companies in the manufacturing industry often pay a surcharge of 20% to 40% because of the higher risk of business interruption when a production line shuts down. The average claim for a small business in Belgium is about €27,800, while the average value of a ransomware claim is $631,000.
Also keep in mind the deductible (excess). With most policies, you carry the first €5,000 to €50,000 yourself. This means that smaller incidents are entirely at your own expense.
What security measures lower your premium?
Here’s where it gets concrete. Insurers have effectively become the strictest “auditors” by 2026. Companies that do not meet their minimum requirements will be denied or pay three to four times the market average. This checklist determines whether you are insurable, and on what terms.
Multi-factor authentication (MFA) on all remote access. This is the absolute baseline requirement. MFA must be active on VPN access, all cloud applications, administrator accounts and email. Breaches via stolen login credentials cost an average of $4.67 million per incident, which explains why insurers do not accept compromises here.
Immutable backups following the 3-2-1-1 rule. Three copies of your data, on two different media, one off-site and one immutable or physically disconnected from the network. Modern ransomware actively looks for backup servers to encrypt before the main attack begins.
Endpoint Detection & Response (EDR). Traditional antivirus software is considered inadequate by insurers. EDR solutions with behavioral analytics detect threats in real time. Organizations using AI-driven monitoring reduce their detection time by an average of 80 days.
Patch management and vulnerability management. A documented policy for installing security updates is a hard requirement. Critical patches must be installed within 48 to 72 hours.
Security awareness training and phishing simulations. Human error is at the root of 26% to 30% of all data breaches. Insurers demand regular training, including simulated phishing attacks. By 2026, they also expect executives to take cybersecurity training themselves.
A cybersecurity audit as proof. For many insurers, an external audit report is the ultimate proof that your security is in order. It not only shows where you stand, but also provides the roadmap to close the remaining gaps.
An incident response plan. Does your team know what to do in the first hours after an attack? A documented plan with contacts, responsibilities and communication procedures is a standard requirement.
Each of these measures not only lowers your premium, but more importantly reduces the likelihood that you will ever have to file a claim.
Cyber insurance vs. prevention: where do you invest best?
This is the key question every business owner asks. Let’s make it concrete with a calculation example for a Belgian SME with 75 employees.
Prevention investment (first year): A cybersecurity audit (about €4,700), security awareness training with phishing simulations (about €3,000), and an infrastructure pen test (about €5,000) together cost about €12,700. Through the VLAIO cybersecurity improvement program, you will receive 50% subsidy on a guided path, and through the SME portfolio up to 45% subsidy on cybersecurity advice. After subsidy, you will effectively pay €6,350 to €8,250 for the prevention trajectory.
Cyber insurance premium: for the same SME about €3,500 to €5,500 per year, depending on your security level. But without the preventive measures mentioned above, you will soon pay double that, or simply be denied.
The conclusion is clear: prevention is the foundation, insurance is the safety net. If you invest in security first, not only will your premium go down, but you will also reduce the likelihood of an incident. The combination of both is the wisest. VLAIO advises SMEs to spend at least 10% of their total IT budget on cybersecurity. The insurance premium is part of that, but it should never be the only item.
Cyber insurance and NIS2: what you need to know
The NIS2 legislation does not mandate cyber insurance, but it does increase the need for it. If your company has more than 50 employees or more than €10 million in turnover, you are likely to be covered by NIS2, either directly or as a supplier in the chain.
NIS2 compliance significantly improves your insurability. The measures required by law (risk assessment, incident reporting, business continuity, supply chain security) largely overlap with what insurers require. For insurers, a CyFun label or ISO 27001 certification is the ultimate proof of a low risk profile.
But beware: NIS2 fines (up to €10 million or 2% of global turnover) are probably not insurable. And the personal director liability introduced by NIS2 is not automatically covered by a standard cyber policy. For this, you may need a separate Directors & Officers (D&O) policy. By 2026, it will be virtually impossible to obtain full D&O coverage without demonstrating that directors are trained in cyber risk management.
Frequently asked questions about cyber insurance
What exactly is cyber insurance?
Cyber insurance is a policy that covers the financial consequences of cyber incidents, such as the cost of restoring systems, lost revenue due to business interruption, data breach liability and forensic investigation costs. It complements your existing business insurance policies, which typically do not cover digital risks.
What does cyber insurance cost for a Belgian SME?
For an SME with 50 to 100 employees, annual premiums in 2026 are between €2,500 and €5,500 at an average security level. The premium increases with company size, insured capital and the risk profile of your sector. Companies without basic security (no MFA, no EDR) pay three to four times more.
Does cyber insurance cover ransomware ransom payments?
Many policies offer coverage for cyber extortion as an optional module, but compensation for the ransom itself is increasingly limited or excluded in 2026. The focus is shifting to coverage for the recovery costs and business interruption that follow a ransomware attack.
Are GDPR or NIS2 fines insurable in Belgium?
No, not in practice. Belgian insurance contract law prohibits coverage of criminal fines. Administrative fines of a punitive nature, such as GDPR and NIS2 fines, are generally equated with this. However, you can insure against the costs of legal defense and the investigation process.
Why do I need cyber insurance if I already have good security?
No security is foolproof. Cyber insurance catches the residual risks you can’t eliminate: a zero-day vulnerability that can’t yet be patched, a sophisticated attack that breaches all layers, or the damage that occurs before an incident is discovered. It’s similar to fire insurance: you install fire alarms and sprinklers, but still take out a policy.
What minimum security measures do insurers require?
By 2026, virtually all insurers require at a minimum: MFA on all remote access, immutable backups, EDR software, a documented patch policy, regular security awareness training, and an incident response plan. Without these basic measures, you will be denied or pay a significantly higher premium.
Want to lower your cyber insurance premium, or get assurance that your claim won’t be denied in the event of an incident? Cyberplan helps you with a cybersecurity audit that proves your security is in order, and delivers the report insurers want to see. Schedule a no-obligation consultation and find out where you stand.