Cyber insurance for businesses in France
Cyber insurance, explained and quoted in English. DigiCare is an independent broker that compares the French market for English-speaking businesses, so you get the right cover at a clear EUR price.

Independent broker · ACPR oversight · English quotes
What is cyber insurance for a business?
Cyber insurance is financial and service protection for a business after a cyberattack. It pays for incident response, business interruption, ransomware and data-breach costs, and your civil liability to third parties. It covers three loss types: financial, operational and reputational. It is built for companies, not individuals.
- ~€317M: total French cyber premiums (2024) (AMRAE LUCY 2025)
- ~17%: claims-to-premiums loss ratio (AMRAE LUCY 2025)
- +200%: rise in SME breach declarations (AMRAE LUCY 2025)
Source: AMRAE LUCY 2025; Cybermalveillance.gouv.fr
What does cyber insurance cover?
Cyber insurance has four pillars: 24/7 incident-response assistance; financial damages and losses (business interruption, ransomware, breach-notification costs); investigations and regulatory sanctions; and cyber civil liability to third parties. Most policies also cover cyber-fraud, such as CEO-fraud (fraude au président) payment diversion. Cover limits reach up to ~€10M in market practice.
| Covered | Not covered / conditions |
|---|---|
| 24/7 incident response: contains and investigates the attack | Unpatched systems / no MFA: a minimum security posture is required |
| Business interruption (perte d'exploitation): lost revenue while you cannot trade | Non-compliant backups: regular, independent backups are a condition |
| Ransomware (cyber rançon): conditional on the LOPMI 72-hour complaint | Prior known incidents: issues you already knew about |
| Breach-notification costs: the RGPD/CNIL notification costs | Intentional acts, war, sanctions: standard market exclusions |
| Regulatory fines & sanctions: where legally insurable | |
| Cyber civil liability (RC cyber): claims from clients whose data leaked | |
| Cyber-fraud (fraude au président): payment diversion and social-engineering loss | |
Coverage based on market practice; RGPD obligations: CNIL
How much does cyber insurance cost in France?
Updated: May 2026
In France in 2026, cyber insurance for a well-secured micro-business starts from about €29/month. A small business or SME under 50 staff typically pays €1 000–€5 000 a year, and a mid-sized SME €5 000–€9 000. Your exact price depends on turnover, sector and security posture, so we quote in euros.
- Turnover: higher revenue, higher premium
- Sector: data-heavy and IT sectors pay more
- Headcount: more staff widens the attack surface
- Security maturity: good hygiene can cut the premium by up to 20%
- Cover limit: higher limits and lower excess cost more
Ranges: aggregated French broker data; market context: AMRAE LUCY 2025
Is cyber insurance mandatory in France?
No. In 2026, cyber insurance is not mandatory for businesses in France: it is voluntary but strongly recommended, and service-public.fr does not list it among compulsory business insurances. Two separate 72-hour deadlines still apply after an attack.
- LOPMI criminal complaint (within 72 hours of becoming aware): File a complaint (dépôt de plainte) to preserve your insurer's indemnity for losses and damage. Code des assurances art. L.12-10-1, from the LOPMI (loi n° 2023-22 of 24 January 2023, in force 24 April 2023). Source: legifrance.gouv.fr.
- RGPD/CNIL breach notification (within 72 hours of awareness): Notify the CNIL of a personal-data breach. Separate obligation under RGPD art. 33. Source: cnil.fr; eur-lex.europa.eu.
RGPD fines reach up to €10M or 2% of global turnover for lesser breaches, and €20M or 4% for the most serious (art. 83). Source: cnil.fr.
NIS 2
The NIS2 directive, Directive (EU) 2022/2555, is not yet transposed in France as of May 2026; the future loi Résilience would add cybersecurity duties for essential and important entities, but will not require buying cyber insurance. Source: cyber.gouv.fr (ANSSI).
Sources: Legifrance, CNIL, ANSSI/cyber.gouv.fr; service-public.fr. Verified 2026-05-31.
Who needs cyber insurance in France?
Any business that handles client data, takes payments or relies on IT systems should consider cyber insurance, whether it is a TPE, PME or ETI. Exposure, not size, drives the need.
- E-commerce: card payments and customer data
- IT / SaaS: hosts client systems; often needs RC Pro and cyber combined
- Professional services: holds sensitive client files under RGPD
- Any data holder: personal data raises liability and obligations
Written for English-speaking founders, expat SMEs and international subsidiaries in France, including SAS, SARL, EURL and SCI structures. As an independent broker, DigiCare compares the French market for you, in English.
RC Pro vs cyber insurance: do you already have cover?
Many founders assume professional liability insurance (RC Pro) already handles cyberattacks. It usually does not. RC Pro covers damage you cause clients or third parties; it generally excludes both cyber-attack damage and the losses your own business suffers. Cyber insurance fills that gap.
| | RC Pro | Cyber insurance |
|---|---|---|
| What it covers | damage you cause third parties | your own losses + third parties |
| Cyber-attack damage | usually excluded | core cover |
| Your own losses | not covered | covered (interruption, recovery) |
| Incident response | none | 24/7 incident response |
How does a cyber insurance claim work?
A cyber claim in France follows five steps. Two legal deadlines fall on the same clock but are separate obligations.
1. Call the 24/7 hotline. One call reaches the incident-response team.
2. Contain and investigate. Experts stop the spread and run forensics.
3. Meet both 72-hour deadlines. File a criminal complaint within 72 hours to preserve your insurer's indemnity (LOPMI art. L.12-10-1). Separately, if personal data is affected, notify the CNIL within 72 hours (RGPD art. 33).
4. Recover and communicate. Data recovery, crisis comms and client notification.
5. Indemnify. Business-interruption losses and costs are reimbursed.
How to get covered and lower your premium
Insurers require a minimum security posture to quote or renew. Strong hygiene can cut your premium by up to 20%. DigiCare runs a free diagnostic, then quotes in English across the French market.
- MFA on sensitive accounts and remote access
- Regular, independent backups
- Up-to-date patching, no expired licences
- Staff phishing training
DigiCare is an independent broker under ACPR (Banque de France) oversight, serving English-speaking businesses in France.
DigiCare France, an insurance broker registered with ORIAS (verifiable on orias.fr), under ACPR supervision (Code des assurances art. L. 511-1).
Cyber insurance FAQ (France)
- Is cyber insurance mandatory for businesses in France?
- No. Cyber insurance is not legally mandatory in France, but it is strongly advised. RGPD fines reach up to €20M or 4% of global turnover, and the LOPMI requires a 72-hour criminal complaint to preserve your insurer's indemnity. DigiCare can quote in English.
- What is not covered by cyber insurance?
- Common exclusions are poor security hygiene such as unpatched systems or no MFA, non-compliant backups, prior known incidents, and intentional acts. War, sanctions, and bodily injury or property damage are excluded too; those need separate policies. To compare, [see full coverage details](/en-FR/cyber-insurance/#whatItCovers).
- How much does cyber insurance cost for a small business in France?
- There is no fixed price. A well-secured micro-business can start from about €29/month, while a small business or SME under 50 staff typically pays €1 000–€5 000 a year. Turnover, sector and security posture set the figure.
- Does my RC Pro already cover cyberattacks?
- Usually not. RC Pro (professional liability) covers damage you cause clients and third parties; it generally excludes cyber-attack damage and your own losses. Cyber insurance covers your own losses plus 24/7 incident response. IT firms often combine both.
- What should I do in the first 72 hours of a cyberattack?
- Call your 24/7 hotline first. Then file a criminal complaint within 72 hours to preserve your insurer's indemnity (LOPMI art. L.12-10-1). Separately, if personal data is breached, notify the CNIL within 72 hours (RGPD art. 33). These are two distinct deadlines.
- Does cyber insurance cover RGPD fines and breach-notification costs?
- Breach-notification costs are a standard part of data-breach cover. Cover for RGPD fines applies only where the fine is legally insurable. The cover offsets the cost of meeting the CNIL 72-hour notification under RGPD art. 33.
- Can I buy cyber insurance in English in France?
- Yes. DigiCare is an independent broker serving English-speaking businesses in France. We compare the French market, explain French terms such as RC Pro and franchise (the excess you keep), and quote in English and euros. Prefer French? [FAQ en français](/fr-FR/assurance-cyber/).
- Can I cancel my contract after signing (cooling-off period)?
- A 14-day right of withdrawal applies to insurance contracts sold at a distance (Code des assurances art. L. 112-2-1). It attaches to distance selling, not to every B2B subscription, so depending on how you sign it may not apply.