Cyber insurance for French SMEs in 2026: accounting, tax and risk framing

Cyber insurance is not a substitute for cybersecurity. For a French SME, it is a partial risk transfer contract that must align with internal controls, backups, continuity planning, customer contractual obligations and the ability to produce accounting evidence of losses. Three texts shape the 2026 landscape: Directive (EU) 2022/2555 (NIS2), whose French transposition (the Resilience law) is expected mid-2026; Article 5 of the LOPMI law n. 2023-22, which conditions any cyber indemnity on filing a criminal complaint within 72 hours; and Article 33 of GDPR, which requires CNIL notification within the same 72 hours when personal data is breached. The cabinet observes that less than 5 percent of French SMEs hold a cyber policy, while 43 percent of attack victims reported by ANSSI in 2024 were SMEs. Cyber insurance is no longer a security expert's topic; it has become a board, CFO and chartered accountant issue.

A cyber insurance premium is in principle deductible from the taxable result as an operating expense incurred in the company's interest, under the general principles of article 39 of the French Tax Code and BOFiP commentary BOI-BIC-CHG-40-20-20. It is booked in PCG account 6161 (Multi-risk) with a deferred-expense adjustment via account 486 when coverage spans two accounting periods. Insurance proceeds received after a claim are booked in account 791 or 7711 depending on their nature, restoring the result accordingly. But the real issue is not accounting: it is the quality of the underwriting and claims file. Indemnity is won through the insurer questionnaire, negotiated exclusions, deductible, annual and per-guarantee caps, waiting period, evidence of effectively deployed security, incident timeline and ability to quantify business interruption. Without method, the insurer reduces or rejects the indemnity, or invokes misrepresentation. The 2026 observed premium range for SMEs sits between EUR 800 and EUR 8,000 per year depending on revenue, sector and cybersecurity score.

• Policy: scope, global and per-guarantee deductible, annual and per-claim caps, exclusions (digital warfare, backup failure, ransom), waiting period (typically 8 to 72 hours).
• Accounting: premium in account 6161, deferred-expense adjustment via 486, indemnities in 791 or 7711, impairment of destroyed fixed assets (6816), provisions for likely losses where applicable.
• Tax: match expense and income to the period of legal entitlement, VAT on IT remediation services, ransom treatment (frequently excluded or capped).
• Evidence of security actually deployed: enforced MFA, tested immutable offline backups, centralised logging, EDR/XDR, patch management, yearly phishing training.
• Governance: who notifies the insurer, who files the LOPMI complaint within 72 hours, who notifies CNIL within 72 hours under GDPR article 33, who leads client and employee communication.
• Continuity: business continuity plan (BCP), disaster recovery plan (DRP), documented restoration tests, pre-negotiated incident response retainers.

Recent quantified illustration. An Ile-de-France industrial SME (38 employees, EUR 7.2m revenue, outside direct NIS2 scope but subcontractor to an essential entity) pays a EUR 4,800 annual premium for EUR 500,000 of cover with a EUR 10,000 deductible. In February 2026, ransomware spreads through an attachment opened by a salesperson. Outcome: EUR 18,000 of IT vendors (forensics, restoration, AD rebuild), EUR 12,000 of lost gross margin over four production days, EUR 3,500 of legal and CNIL costs, EUR 2,000 of client communication. Total: EUR 35,500. Management files the criminal complaint on D+2 (LOPMI compliant), notifies CNIL on D+3 (GDPR compliant), produces a timestamped action log, vendor quotes and invoices, immutable backup evidence and an accounting export of lost sales. Indemnity reaches EUR 24,200 (net of deductible and business interruption cap). Without the file, the loss adjuster could have capped at EUR 8,000. The difference plays out in traceability, not in the contract wording.

A French industrial SME leader recently asked us to frame the cyber insurance renewal after a near-incident. The Hayot Expertise method connects insurance, accounting and risk steering through three concrete levers. First, we systematically push back on three clauses in 2026: the NIS2 non-compliance exclusion (added by several insurers since 2024, which can void cover for a NIS2 important entity in case of ANSSI ReCyF gaps), the ransomware sub-limit (often undersized at EUR 50,000 for SMEs that may face EUR 200,000 of restoration costs) and the business interruption duration (the 30-day standard does not cover complex incidents; we request a 90-day minimum for SaaS and e-commerce activities). Second, we formalise the claims accounting file from the underwriting phase: incident log template, emergency spending approval workflow, loss quantification method (lost gross margin, redeployed internal costs, vendors, communication). Third, we tie cyber insurance to CNIL and LOPMI obligations so a 24-hour delay on the complaint does not gut the cover. The policy is a financial asset; it must be steered as one.

The most underestimated risk in 2026 is misrepresentation in the underwriting questionnaire. Ticking 'enforced MFA', 'quarterly tested offline backups' or 'operational continuity plan' when controls are partial or theoretical constitutes, under articles L.113-8 and L.113-9 of the French Insurance Code, an intentional or unintentional false statement. The consequence is either contract nullity or proportional indemnity reduction. Two other pitfalls are growing. First, the confusion between standard professional liability and cyber insurance: standard liability hardly ever indemnifies remediation costs, cyber business interruption or CNIL fines. Second, missing the LOPMI 72-hour criminal complaint: an SME that negotiates with the attacker first or waits to understand the attack loses the cover even if all other conditions are met. The clock starts at awareness of the attack, not at quantification of damages.

• Appoint a CEO + CFO duo as owner of the cyber insurance file and broker relationship.
• Run a cybersecurity diagnostic (ANSSI MonAideCyber self-assessment or ExpertCyber provider) before each renewal.
• Document every control declared in the questionnaire (audit evidence, screenshots, vendor attestations).
• Prepare a claims accounting playbook: log template, emergency spending workflow, loss quantification method.
• Explicitly connect cyber insurance, continuity plan, GDPR, customer contracts and IT budget in the risk map.
• Run a yearly end-to-end cyber claim drill (alert, 72-hour complaint, CNIL notification, communication, indemnity).

• French Resilience Law (NIS2 transposition) expected mid-2026: essential entities from 250 employees or EUR 50m revenue, important entities from 50 employees or EUR 10m, sanctions up to EUR 10m or 2 percent of worldwide turnover.
• ANSSI Referentiel Cyber France (ReCyF) released on 17 March 2026: becomes the assessment standard for reinforced underwriting questionnaires.
• NIS2 cascading effect: even outside direct scope, a SME subcontracting to essential entities must document its security measures or risk losing contracts.
• LOPMI article 5: criminal complaint within 72 hours is mandatory for any cyber indemnity, no exception.
• GDPR article 33: CNIL notification within 72 hours when personal data is breached, separate from the LOPMI complaint.
• 2026 common exclusions: cyber-warfare acts, untested backups, unpaid premium, ransom in some contracts, GDPR administrative fines (generally not insurable).

• NIS2 and French SME cybersecurity in 2026
• wire fraud prevention protocol
• the four pillars of business digitalisation
• 12 supplier IBAN fraud controls
• French 2026 e-invoicing SME guide
• corporate crypto-assets PCG/ANC accounting
• digital finance transformation
• outsourced CFO and risk management
• French SME accounting support in Paris 8
• e-commerce accounting
• Power BI dashboards for risk steering

• ANSSI – Directive NIS 2 et Référentiel Cyber France (ReCyF)
• CNIL – Notifier une violation de données personnelles (article 33 RGPD)
• Légifrance – Loi LOPMI n° 2023-22, article 5 (indemnisation cyber et plainte 72 h)
• BOFiP – BIC, primes d’assurance (BOI-BIC-CHG-40-20-20)
• Légifrance – Article 39 du Code général des impôts
• Direction générale du Trésor – Développement de l’assurance du risque cyber
• Cybermalveillance.gouv.fr – Guide PME et TPE
• France Num – Améliorer la cybersécurité de sa TPE PME

Freshness note: Current as of 3 May 2026.