Cyber Insurance for SMEs in Germany: 2026 Comparison

Note: This page contains affiliate links. If you take out a policy, we receive a commission at no extra cost to you.
Key points at a glance
- Around 80% of cyber attacks in Germany target SMEs (BSI Lagebericht 2024)
- Average loss per SME incident: 45,370 EUR (GDV 2024)
- Premiums start at roughly 250 EUR per year for solo self-employed professionals
- NIS-2 has been German law since 6 December 2025 and covers about 29,500 companies
Cyber insurance for SMEs in Germany covers small and medium-sized businesses against the financial impact of hacking, ransomware (encryption malware) and data breaches. According to the BSI Lagebericht 2024, around 80 percent of cyber attacks target SMEs, and the average loss per incident reaches 45,370 EUR (GDV 2024). Premiums start at about 250 EUR per year for solo professionals and usually run between 1,000 and 5,000 EUR for mid-sized firms.
Why SMEs are the prime target
The threat picture has shifted in the past few years. The Bitkom Wirtschaftsschutz 2025 study found that 87 percent of German companies were hit by data theft, espionage or sabotage, with total damages of 289.2 billion EUR. About 202.4 billion EUR of that total came from cyber attacks alone.
Small and mid-sized firms attract attackers because they usually run thinner security budgets than corporates. But SMEs still hold valuable data: customer databases, order history, bank details, sometimes patient or legal records. The BSI registers around 309,000 new malware variants every day (BSI Lagebericht 2024). At that volume, the question is not whether something gets through, but when.
Facts and figures
- 80% of cyber attacks target SMEs (BSI Lagebericht 2024)
- 45,370 EUR average cyber loss per SME incident (GDV 2024)
- Roughly 23 days of business downtime after a ransomware attack (Coveware 2024)
- 309,000 new malware variants per day (BSI 2024)
Some sectors carry more risk than others. Firms that process sensitive data or depend heavily on digital workflows feel attacks first. That includes IT service providers, medical practices, tradespeople with networked equipment, and online retailers.
What cyber insurance for SMEs actually covers
SME cyber policies in Germany break down into three layers: first-party (own) losses, third-party (liability) losses and service benefits. The exact scope varies by tariff and carrier. Our cyber insurance hub walks through how to read a German policy in detail.
| Feature | Type | What to watch |
|---|---|---|
| IT forensics and restoration | First-party | Check scope and hourly rates |
| Business interruption | First-party | Look at waiting period and maximum duration |
| Ransom payments | First-party | Check sublimits and security duties |
| Data recovery | First-party | Backup requirements matter |
| GDPR liability claims | Third-party | Include notification costs |
| Third-party damages | Third-party | Pick a limit high enough for your client size |
| 24/7 emergency hotline | Service | Check response times |
| Crisis management and PR | Service | Not in every tariff |
| Legal advice | Service | IT-law specialisation helps |
What cyber insurance for SMEs costs in 2026
The cyber premium depends on company size, industry, revenue and your existing security baseline. The table below shows market guidance. Actual quotes vary with the individual risk profile.
| Company size | Recommended cover | Typical annual premium |
|---|---|---|
| Solo self-employed (up to 100,000 EUR revenue) | 50,000 to 100,000 EUR | from 250 EUR |
| Micro firm (up to 500,000 EUR revenue) | 100,000 to 250,000 EUR | 300 to 800 EUR |
| Small business (500,000 to 2 million EUR) | 250,000 to 500,000 EUR | 800 to 2,000 EUR |
| Medium-sized (2 to 10 million EUR) | 500,000 to 2 million EUR | 2,000 to 5,000 EUR |
| Larger Mittelstand (10 to 50 million EUR) | 2 to 5 million EUR | 5,000 to 15,000 EUR |
As of March 2026. Indicative figures based on current market tariffs. Individual premiums can differ.
NIS-2 for SMEs: duties, fines and where insurance fits
The NIS-2 directive took effect as German law (NIS2UmsuCG) on 6 December 2025. It covers about 29,500 companies, including many SMEs from sectors such as food production, waste management, postal services and courier logistics that were not in scope before. Four points changed in a way SMEs will feel:
- Wider scope: many SME sectors are caught for the first time. The BSI publishes a checklist with sectors and thresholds.
- Personal liability of management: directors are personally liable for IT security failures. A D&O policy can absorb this risk separately.
- Reporting duties: incidents have to be reported to the BSI within 24 hours, followed by a detailed report within 72 hours.
- Fines: up to 10 million EUR or 2 percent of worldwide annual revenue for essential entities, up to 7 million EUR or 1.4 percent of revenue for important entities (source: BSI press release on the NIS-2 Implementation Act, December 2025).
Cyber insurance does not replace the legal duty to implement IT security. It absorbs the financial fallout of incidents and gives you access to specialists, such as forensic teams or crisis PR, that most SMEs do not have on call.
How NIS-2 duties map to typical policy benefits
The table below pairs the main NIS-2 duties with the policy benefits that usually support them. It is a planning aid, not legal advice.
| NIS-2 duty | Typical insurance benefit |
|---|---|
| Risk management and security concepts | No direct replacement, but premium discounts for ISO 27001 or equivalent certifications |
| 24-hour reporting requirement | 24/7 hotline plus the insurer's forensic partners help you meet the deadline |
| Crisis communication with customers and authorities | Crisis management and PR cost cover as a service module |
| Restoring normal operations | Data recovery and business interruption cover |
| Personal liability of management | D&O policy, complementary to the cyber policy |
NIS-2 quick check: are you in scope?
Whether NIS-2 applies to your company depends on sector, size and your position in the supply chain. The check below gives a rough indication in five questions. For a binding assessment, talk to a specialist lawyer.
Guidance only, not legal advice
NIS-2 quick check: are you in scope?
Five questions, a first assessment. Have the final check confirmed by a qualified professional.
1. Do you employ at least 50 people? (Employees in full-time equivalents, including subsidiaries.)
2. Is your annual revenue or balance sheet total at least 10 million euros?
3. Do you operate in a NIS-2 sector (e.g. energy, drinking water, health, food production, postal services, IT services, digital infrastructure)?
4. Would an outage of your IT systems directly endanger the supply of other companies or of citizens?
5. Do you supply KRITIS operators (hospitals, energy utilities, public administration)?
Source: BSI, NIS-2 Implementation Act (in force since 6 December 2025). This preliminary check does not replace individual legal or insurance advice within the meaning of the VVG.
SME cyber insurance providers in Germany compared
Several insurers run dedicated SME tariffs in the German market. The table below summarises publicly available product information. Real premiums depend on the individual risk and only become firm in a quote.
| Provider | Target group | Notable feature | Premium indication |
|---|---|---|---|
| Hiscox | Freelancers, IT service firms, small businesses | Discount for certified email security (provider data, around 10%) | from approx. 300 EUR/year |
| HDI | Mittelstand up to 100 employees | Discount for ISO 27001 certification (provider data, up to 7.5%) | from approx. 500 EUR/year |
| Allianz | SMEs and larger Mittelstand | Sector-specific claim examples, own risk analysis tools | on request |
| AXA | Small to mid-sized companies | Modular tariff structure, crisis management included | on request |
| Gothaer | SMEs in trades, retail and services | Configurable cyber policy with optional modules | on request |
As of March 2026, based on publicly available provider information. This table is not a full market scan.
Solo self-employed and small Mittelstand: where to start
Solo professionals often get overlooked in the SME conversation, even though they face the same threat patterns as larger firms. If you work as a consultant, IT freelancer or alternative practitioner, your client data is sensitive and a breach gets expensive fast. The good news: tariffs for solo workers start at around 250 EUR per year. Cover of 50,000 to 100,000 EUR is a realistic baseline at that price point.
In the 50 to 250 employee bracket, both risk and insurer expectations rise sharply. GDV 2024 data shows average losses of around 103,000 EUR in this size band. Policies with at least 1 million EUR in cover make sense, paired with clearly defined sublimits for ransom and crisis management. From this size onwards, insurers usually require concrete security measures: multi-factor authentication, patch management and tested backups.
What happens after an attack: a six-step playbook
When the worst happens, the first few hours matter the most. The six steps below describe the typical incident response insurers and the BSI recommend. Most points are covered as service benefits in a good SME cyber policy.
- Detect and isolate. Pull suspicious systems off the network immediately, but do not switch them off. Powering down destroys volatile memory, while isolating keeps disks, memory and logs forensically usable.
- Call the insurer's emergency hotline. A 24/7 line spins up IT forensics, legal counsel and crisis communication, usually in a single conference call.
- Check reporting duties. GDPR breaches go to the supervisory authority within 72 hours. NIS-2 incidents need a first report to the BSI within 24 hours.
- Forensics and evidence preservation. Specialist providers secure traces, analyse the attack path and help contain the damage.
- Restore and communicate. Bring systems back from verified backups and brief staff and customers honestly about the situation.
- File the claim and take notes. Submit full documentation to the insurer, then close the loop with security improvements. Many carriers offer free awareness training after an incident.
SME claim examples from the German market
The three scenarios below show how cyber attacks hit SMEs in practice and what the numbers look like.
Trades business: ransomware via email attachment
A painting and decorating firm with eight employees opens a spoofed email attachment. Ransomware encrypts all job records and customer data. The business stops working for three weeks. The cyber policy pays for IT forensics (4,200 EUR), data recovery (8,500 EUR) and the lost income during the downtime (18,000 EUR). Total settled claim: about 30,700 EUR.
Medical practice: phishing and patient data leak
A medical practice falls for a phishing email (fake message designed to harvest credentials). Attackers reach the practice management system and copy 1,200 patient records. On top of IT forensics, costs cover GDPR notifications to every affected patient, legal advice and crisis communication. The insurer settles roughly 52,000 EUR.
IT service provider: social engineering and downstream damage
An IT service provider with 15 staff gets compromised through social engineering (psychological manipulation). Attackers pivot from the provider into a client's systems. The third-party damage covered by the cyber policy reaches 85,000 EUR. On top of that, the provider pays its own forensics bill and absorbs a business interruption loss.
Coverage gaps and exclusions you should know
Not every loss is covered. Read the terms before you sign. The most common limitations:
- Willful misconduct: intentional acts by the insured are not covered.
- Known unpatched vulnerabilities: if a flagged vulnerability is not fixed, the insurer can reduce or refuse benefits.
- Missing baseline security: many tariffs require regular backups, current antivirus and access controls.
- Sublimits: single benefits such as ransom payments or PR costs can be capped well below the headline sum.
- War and state-sponsored attacks: war-exclusion clauses commonly rule out state-directed incidents.
- Retroactive cover: losses caused before the policy starts are normally excluded.
Improve IT security, lower the premium
Insurers reward documented IT security with discounts. Hiscox publishes around 10 percent off for certified email security; HDI offers up to 7.5 percent for ISO 27001 certification. These are provider statements as of March 2026 and can vary by contract.
Measures that usually move the premium:
- Multi-factor authentication on all privileged accounts
- Regular, tested backups (offline or geographically separated cloud)
- Phishing and social engineering training for staff
- Current patch management for operating systems and applications
- Network segmentation and role-based access control
- Penetration tests by external providers
For practical steps against encryption malware, see our ransomware protection guide.
Six checks before you sign
SMEs picking a cyber policy should walk through six criteria. Our methodology page goes deeper.
- Coverage limit and sublimits: does the cover hold up under a worst-case scenario? Are sublimits for ransom, PR and legal high enough?
- Deductible: a higher deductible cuts the premium but raises your exposure. For SMEs, 500 to 2,500 EUR is common.
- Security duties: which IT security measures does the insurer require? Can your business meet them long term, not just at signing?
- Service benefits: is there a 24/7 hotline staffed by IT security experts? How fast does help actually arrive?
- Third-party cover: does the policy include liability for GDPR breaches and customer damages?
- Sector experience: has the insurer dealt with your industry? Carriers with experience in your sector tend to understand its risks better.
Sector pages for SME cyber insurance
Cyber risk profiles differ sharply by sector. Our deep-dives by industry:
- Cyber insurance for IT service providers: liability through client access, high data protection bar.
- Cyber insurance for tradespeople: networked machines, job management, customer data.
- Cyber insurance for freelancers: cover for solo professionals with digital infrastructure.
Tips for signing the policy
- Map your risks: what data do you handle, and how dependent is your business on IT? Our guide on cyber risks for SMEs helps you size the exposure.
- Compare quotes: get at least three offers and compare cover, not only price.
- Check duties carefully: make sure your business can meet the insurer's security requirements over the policy term.
- Complementary cover: depending on what you do, a professional liability policy can be a sensible add-on, especially for advisory work or IT freelancing.
Who is SME cyber insurance suitable for?
Suitable for
- SMEs with digital workflows and customer data
- Companies with 1 to 250 employees
- Businesses in NIS-2 regulated sectors
- Tradespeople, medical practices and IT service providers with online tools
- Solo self-employed professionals handling sensitive client or patient data
Less suitable for
- Companies without IT systems or digital records
- Pure cash businesses with no customer data on file
Bottom line
SME cyber insurance is not a luxury, it is a measurable answer to a measurable risk. Most attacks land on businesses with 10 to 250 employees, because that is where IT security tends to be thinnest.
When you pick a policy, look at the coverage limit, the business interruption module and a reachable crisis hotline first. Comparing two or three providers usually pays off, since pricing and benefits vary widely in the German market. Solo professionals and Mittelstand firms working digitally should run the NIS-2 quick check and read the provider table above before signing anything. If you work across borders or prefer the German source, the German sibling page at Cyberversicherung KMU covers the same material with the original German terminology.