New reporting requirements for insurers and IT service providers – Part 2

by Alexandra Helmert, Stefan Nörtemann / 12 September 2025

Emerging obligations for software vendors, managed service providers, and cloud service providers

In the first part of this series, we examined reporting requirements in the financial sector, focusing on a comparison between the Digital Operational Resilience Act (DORA) and FINMA’s rules on reporting cyberattacks. Our attention was particularly on insurers and their IT service providers.

In this second part, we turn to other European regulations that will become increasingly relevant in the coming years: the Cyber Resilience Act (CRA), the NIS 2 Directive (NIS 2), and the Artificial Intelligence Act (AI Act). These frameworks introduce new reporting obligations for software vendors, managed service providers (MSPs), and cloud providers. We will also look at regulatory developments in Switzerland, which are not directly based on EU law but pursue similar objectives.

Reporting obligations for product manufacturers under the CRA

The Cyber Resilience Act (CRA) establishes binding cybersecurity requirements for products with digital elements — i.e., products that can connect to a device or network and are placed on the EU market. This also includes inventory management software for insurers, provided it is marketed as a standalone product and operated by the insurer.

Typically, such software falls within the CRA’s scope but is not classified as important (Annex III) or critical (Annex IV), since it does not play a key role in securing other products and has limited impact on their cybersecurity. Accordingly, it is subject to the CRA’s general security requirements and simplified control and testing procedures.

From 11 September 2026, the following applies to all product categories: if an actively exploited vulnerability is discovered or a serious security incident occurs, the manufacturer must report it within 24 hours to both the competent national Computer Security Incident Response Team (CSIRT) and the European Union Agency for Cybersecurity (ENISA) (CRA Art. 14(1), (3)). Within 72 hours, the manufacturer must provide a detailed analysis of the vulnerability and a description of planned countermeasures. These deadlines apply regardless of weekends or public holidays.

The purpose of such strict timelines is to enable rapid response and effective damage limitation. Reports will be submitted via a central EU-wide platform, expected to be operational in 2026. Non-compliance carries significant penalties: fines of up to EUR 15 million or 2.5% of global annual turnover.

Reporting obligations for MSPs and SaaS providers under NIS 2

If inventory management software is not operated as a standalone product but delivered as Software-as-a-Service (SaaS) or by a managed service provider (MSP), it does not fall under the CRA. Instead, the NIS 2 Directive applies.

NIS 2 establishes an EU-wide framework to strengthen the cybersecurity and resilience of critical infrastructure and digital services. MSPs and cloud providers serving insurers are frequently designated as essential or important entities and are therefore subject to the directive's requirements. The obligations are particularly relevant for providers that perform critical or important functions for clients such as insurers, and that are therefore regarded as significant players in sensitive sectors. In the scenario described, a SaaS provider or MSP operating inventory management software on behalf of an insurer will fall within the scope of NIS 2.

Although national implementation laws — such as in Germany and Austria — are still in draft form, companies should act now. Early analysis and implementation of NIS 2 requirements are critical, as national application is expected to begin during 2025.

Once implementation laws enter into force, the following applies: within 24 hours of becoming aware of a security incident with significant impact on service delivery (NIS 2 Art. 23(1)), an early warning must be submitted to the competent authority, typically the national CSIRT. This strict deadline — irrespective of weekends or holidays — requires affected companies to maintain 24/7 reporting capabilities and processes for promptly assessing and escalating incidents.

Reporting obligations for AI-based products and services under the AI Act

The regulatory picture becomes more complex when inventory management software incorporates AI components, thus bringing it within the scope of the Artificial Intelligence Act (AI Act). In such cases, the CRA (for on-premise products) and NIS 2 (for SaaS or MSP models) both apply, alongside the AI Act.

The AI Act imposes reporting requirements on providers of high-risk AI systems marketed in the EU. From 2 August 2026, providers must report serious incidents to the competent market surveillance authority in the relevant Member State (AI Act, Art. 73). Reporting deadlines vary: 15 days for most incidents, 2 days for particularly serious or widespread disruptions (Art. 3(49)(b)), 10 days in cases where a death is attributable to the AI system. Failure to comply may result in severe penalties — up to GBP 13 million or 3% of global annual turnover.

The combination of software products, SaaS services performing critical functions for insurers and financial firms, and AI technology creates a demanding regulatory environment. Vendors and providers must not only comply with the CRA or NIS 2 but also fulfil the AI Act’s specific reporting obligations — with respect to deadlines, content, and competent authorities.

Reporting obligations for operators of critical infrastructure in Switzerland

Switzerland currently has no direct equivalent to the CRA or AI Act specifically regulating product safety or AI systems. However, the Information Security Act (ISG) and the related Cybersecurity Ordinance (CSV) introduce a national obligation to report cyberattacks on operators of critical infrastructure. This framework took effect on 1 April 2025.

For SaaS or managed service providers, the obligation only applies if they themselves are classified as operators of critical infrastructure. In such cases, they must report cyberattacks that impair system functionality or compromise sensitive data to the Federal Office for Cyber Security (BACS) within 24 hours of discovery.

The obligation covers incidents such as malware infections, ransomware, unauthorised access, or targeted manipulation of IT systems. A transition period runs until 1 October 2025, during which non-reporting will not be penalised. After that, violations may result in fines of up to CHF 100,000.

Efficient coordination and compliance in the digital insurance ecosystem

The evolving regulatory landscape demands holistic, forward-looking security and compliance management that integrates technical, organisational, and legal requirements — especially concerning incident reporting obligations.

Close cooperation among all parties is essential: software vendors, MSPs, and cloud providers must coordinate reporting processes to avoid duplicate submissions and ensure efficient communication with authorities. Companies that prepare early not only strengthen the resilience of the entire value chain but also build long-term trust in their products and services.
