Federation of European Risk Management Associations

FERMA

FERMA’s vision is of “a world where risk management is embedded in the business model and culture of organisations”.

Lobbying Activity

Meeting with Piotr Müller (Member of the European Parliament)

10 Nov 2025 · Key aspects of public procurement reform

Meeting with Pascal Canfin (Member of the European Parliament, Shadow rapporteur)

4 Nov 2025 · Omnibus I

Meeting with Hans Ulrich Goessl (Head of Unit European Civil Protection and Humanitarian Aid Operations)

2 Sept 2025 · Discussion on public-private cooperation and risk management

Response to The EU Cybersecurity Act

20 Jun 2025

1. ON THE SIMPLIFICATION OF CYBER REPORTING

European companies face an increasingly challenging environment, marked by the rising volume, complexity, and sophistication of cyber threats: since 2018, cyberattacks have been considered the most critical risk by Risk Managers worldwide (see: FERMA's Global Risk Manager survey, 2024). However, EU companies are experiencing substantial administrative burdens due to disparate and often duplicated reporting obligations, particularly those operating across multiple EU Member States or sectors (see: FERMA's white paper Cyber Reporting Stack: Navigating EU Requirements, 2024). Compliance with varying notification timelines and procedures across different legislations significantly diverts resources away from actual cybersecurity risk management.

The complexity stems primarily from a multilayered landscape of EU cyber legislation (i.e., GDPR, NIS 2, DORA, Cyber Resilience Act etc.), each requiring businesses to report ICT-related incidents to different authorities (data protection authorities, ENISA, CSIRTs etc.) according to different, tight timelines. This is especially problematic, since it can lead to (i) confusion in determining the applicability of, and interpreting, reporting requirements, (ii) resource misallocation when efforts would be best spent responding to the crisis, and (iii) substantial penalties in case of non-compliance.

To address this challenge, FERMA advocates for the establishment of a single-point-of-entry system for cyber incident reporting, allowing companies to report the incident once on a centralized EU-wide platform, which would then share the information with all relevant authorities. We also call for the harmonisation of timelines and definitions to ensure the consistent interpretation of EU legislation and reporting standards across member states.

2. ON ENISA'S MANDATE

In FERMA's view, ENISA has an important role to play in enhancing the cyber resilience of the EU economy. We support any action by ENISA aiming to (i) build cybersecurity capacity, (ii) raise awareness and educate on cybersecurity, (iii) develop cybersecurity certifications and standards to elevate the cyber risk maturity of the EU market, and (iv) share knowledge and data about the cyber risk landscape. We call for ENISA to support industry stakeholders in the form of best practices and guidance to address both technical and non-technical cyber risks, in line with a multi-risk approach compatible with an Enterprise-wide Risk Management (ERM) methodology.

Moreover, we think that ENISA should contribute to building a shared EU situational awareness of cyber risks. In today's volatile cyber risk landscape, it is critical that all relevant entities share a clear vision of the EU exposure to cyber risks of all kinds. A shared EU situational awareness of cyber risks is therefore essential for an integrated, whole-of-government approach to cyber risk management and cyber incident response, itself the foundation for a cyber resilient EU which benefits citizens and businesses.

3. ON THE ECCF

FERMA calls for cyber risk management processes to be the topic of a dedicated European cybersecurity certification. Effective cyber risk management processes are an essential aspect of cybersecurity as they provide a system for an organisation to identify, assess, prevent and mitigate cyber risks, taking into account all the technologies, products and/or services produced, used and/or deployed by said organisation. A cyber risk management certification would be a clear indicator for relevant stakeholders, such as business partners or insurance providers, that the certified organisation has robust cyber risk management practices in place, which will contribute to fostering trust in the market. Such a measure would also contribute to improving the insurability of cyber risks, as risk and insurance managers are increasingly concerned that cyberattacks may become uninsurable in the future.

Meeting with Christian Weise (Head of Unit Economic and Financial Affairs)

11 Jun 2025 · Request for meeting on climate resilience capacity building and insurance protection gap

Meeting with Sven Gentner (Head of Unit Financial Stability, Financial Services and Capital Markets Union)

15 May 2025 · CSRD/ESRS Omnibus.

Meeting with Piotr Müller (Member of the European Parliament, Rapporteur)

3 Apr 2025 · Public Procurement

Meeting with Jessika Roswall (Commissioner) and

28 Mar 2025 · Roundtable “Investing in Water Resilience”

Response to Evaluation of the Public Procurement Directives

7 Mar 2025

The Federation of European Risk Management Associations brings together 23 risk management associations in 22 European countries, representing over 5600 risk managers active in a wide range of organisations. FERMA provides the means of co-ordinating risk management and optimising the impact of these associations outside their national boundaries on a European level.

Risk and insurance managers working in the public sector must comply with the EU public procurement directives (PPD) when purchasing insurance policies for their organisation. However, the existing EU rules for public tenders are not adapted to the purchasing of insurance by public sector companies. FERMA's position is that the PPD are too cumbersome and inflexible for the volatile and cyclical nature of the insurance market, which disincentivizes the participation of insurers in public tenders. This reduced competition leads public sector companies to struggle to find enough insurance capacity to cover their risks and causes them to pay higher premiums than private sector businesses.

First, the procurement process is burdensome for both public sector corporate clients and (re)insurers. This is problematic as the insurance market is seasonal, with activity concentrated in the renewals period (Q4 of a given year). (Re)insurers therefore prioritize allocating their capacity to private companies, which is less time- and resource-intensive than EU public tenders. For this reason, public sector companies frequently receive few or no offers for their tenders.

Second, the PPD are not flexible enough to accommodate the complexities of insurance programmes, and public sector corporate buyers could obtain better coverage through direct negotiation. For example, the PPD do not accommodate multilayered or quota-share insurance programmes, which require the participation of multiple (re)insurance providers.

Third, the price of insurance capacity is volatile, and public sector companies are often at a disadvantage when negotiating with (re)insurers due to the PPD's requirements. This leads them to pay higher premiums than their private counterparts and exposes them to the risk of not finding coverage at all.

In an increasingly complex and fast-changing environment, the resilience of public sector companies is essential, since (i) they are more exposed to certain risks and (ii) disruptions of their activities will be felt directly by citizens, who rely on the public services they provide. Public sector companies' access to sufficient insurance coverage is critical to their resilience and is in the best interests of all citizens, who are the ones to ultimately shoulder the losses sustained by the public sector if the risks are not transferred to the market.

We advocate for the PPD to be amended to allow for more flexibility when public sector companies purchase insurance policies. We call on the European Commission to consider the following policy options:

1. Adapting the PPD to introduce lighter requirements for insurance contracts. We have identified several areas of possible regulatory improvement (see attached document), although this option wouldn't solve the fundamental issues of the directive concerning the purchase of insurance.

2. Excluding insurance policies from the scope of the PPD. Such an exclusion would align with the existing exclusions of loans and other financial products and would be compatible with the overall objectives of the PPD.

3. Allowing ex post reporting on the purchase of insurance policies. This option would provide a greater degree of transparency while giving public sector companies the flexibility they require. However, this option would nonetheless represent an additional administrative burden compared to a simple exclusion.

Please find attached a position paper presenting our perspective and recommendations in more detail.

We look forward to working with the Commission on this important issue and stand ready to discuss pos

Meeting with Tilman Lueder (Head of Unit Financial Stability, Financial Services and Capital Markets Union)

15 Jan 2025 · Insurance and pensions

Response to Open finance framework

31 Oct 2023

The Federation of European Risk Management Associations (FERMA) is a European professional association, which represents, through its 22 Member Associations in 21 countries, nearly 5,000 risk professionals. FERMA speaks on behalf of professional risk managers. Within our membership network, there are individuals who are responsible for the insurance programs of their enterprise. FERMA's membership also covers risk managers who make use of captive (re)insurance undertakings. FERMA is therefore a body that represents customers of the insurance industry.

Our first, and more general, point is that FERMA is supportive of any policy intervention that leads to innovation in the (re)insurance sector. There has simply not been enough innovation in the business-to-business (B2B) (re)insurance market and this is exacerbated by overall hard insurance market conditions. At this stage of our analysis of FIDA, however, we cannot pre-judge whether this specific intervention will lead to the innovation we sorely need.

Second, while FERMA recognises that FIDA is primarily targeted to improve outcomes for consumers, our impression is that it will lead to only (a) limited benefit(s) for corporate customers unless corporate insurance data are leveraged to foster the development of value-adding insurance products or to enhance existing insurance solutions.

Third, the costs and benefits from aggregating corporate insurance data should be commensurate to the objective of improving insurance offers to corporate clients. Special attention should be paid to developing a corporate-specific data consent and information dashboard, which should reflect the difference between this segment and that of the business-to-consumer (B2C).

You will find a fuller elaboration of our position in the attached paper. FERMA is happy to discuss any element of our response with you at your earliest convenience.

Response to European Critical Raw Materials Act

30 Jun 2023

The Federation of European Risk Management Associations (FERMA) shares the European Commission's aim to better equip the EU with the tools to ensure our access to a secure and sustainable supply of critical raw materials. We are therefore supportive of the European Commission's policy intervention in the form of the proposed Critical Raw Materials Act (the CRMA) on the premise it will help to fulfil that aim. We do, however, foresee some risks that need to be considered when progressing the proposal through political negotiations.

We focus on three main issues pertaining to the supply chain of critical raw materials:

- Risk monitoring and mitigation
- Circularity and cyber risks
- Implications for insurance coverage for businesses

In these areas we provide four recommendations, which are:

- Consider having a risk management representative on the European Critical Raw Materials Board (ref. Article 35 (6))
- Integrate traceability into the text (ref. Article 25)
- Integrate cybersecurity risk assessments as part of the process for strategic projects, for example as part of the considerations of the One stop shop (ref. Article 8)
- The co-legislators to consider the insurance implications of the CRMA, which can be facilitated by risk management representation on the Critical Raw Materials Board.

Please find more in the attached document.

Response to 2023 Strategic Foresight Report

13 Mar 2023

FERMA, as the representative body of the risk profession at EU-level, is happy to contribute its thoughts for consideration in the European Commission's Strategic Foresight Report 2023.

First, on the theme chosen for the 2023 report, "the future of the EU's social and economic sustainability", FERMA believes it is an important one for policymaking: the EU's ambition to become the first climate-neutral continent by 2050 certainly requires foresight to get there. FERMA is of the view that, while the climate and environmental challenges we face are both global and systemic, the EU can take the lead in some key areas, such as on narrowing the climate protection gap, through initiatives like the EU climate resilience dialogue, which also shows value in joint DG initiatives (in this case CLIMA and FISMA). These initiatives rely on the interaction between public and private sectors in finding common paths forward.

Second, we take the view that overall, EU policymaking is increasingly putting a risk-based approach at its core (from the AI Act, to NIS2, and to corporate sustainability due diligence). We therefore believe that the EU Commissioner in charge of strategic foresight should also have risk management expressly in their title as well. Risk management is about drawing lessons from the past, present and the future to help organisations deliver on their strategic goals. In other words, it is a discipline about hindsight, insight and foresight.

Third, the organisations best prepared for the transition are those that understand the internal and external risks to them and their stakeholders. These organisations are also the ones who can adapt to new realities the quickest. It is FERMA's strong belief that on a macro-level, solid cooperation between public and private sector is essential to realizing the aspiration of becoming climate-neutral by 2050.

Lastly, FERMA stands ready to contribute to the Commission's work on strategic foresight in various different forms, from the work on the EU Climate Resilience Dialogue and the Critical Raw Materials Act, as well as in future initiatives. Moreover, we look forward to a continued cooperation with VP Šefčovič and his team in this burgeoning field of policy.

It is with the above in mind that FERMA makes its following high-level recommendations for the 2023 Strategic Foresight Report:

1) FERMA recommends that the strategic foresight report for 2023 proposes for all EU policymaking to take a holistic risk management approach, i.e. one based on identifying, assessing, prioritising and mitigating risks, while also detailing the opportunities. This is especially important in the context of the EU approach to systemic risks, such as those related to the climate and sustainability. This would be facilitated by the Commissioner for Strategic Foresight also expressly having risk management in their title and responsibilities.

2) Building on point 1, FERMA also recommends that part of the planned actions stemming from the 2023 Strategic Foresight Report should be to launch an EU-wide public-private Foresight cooperation, which would complement the Ministers for the Future's work and the work of the EU-wide Foresight Network. It would do so by acting as a launchpad for gathering evidence from stakeholders on their key threats and opportunities, fostering a structured dialogue between public and private sector with a view to committing to joint actions. FERMA stands ready to contribute to this with its thought-leadership and calls on its network of almost 5,000 risk professionals.

Meeting with Axel Voss (Member of the European Parliament, Shadow rapporteur) and BUSINESSEUROPE and

8 Mar 2023 · Corporate Sustainability Due Diligence

Response to Cyber Resilience Act

23 Jan 2023

FERMA is pleased to provide feedback to the European Commission on the proposed Cyber Resilience Act on behalf of the risk management community. While FERMA is, on the whole, supportive of the intention behind the CRA, namely to raise the level of cybersecurity of digital products in the EU (and beyond), we have some practical concerns, which we hope will be addressed by the time the text is finalised.

First, on the obligations of manufacturers, importers and distributors, FERMA underlines the importance of ensuring both the proportionality of the requirements and the feasibility of complying with all requirements, considering the high utilisation of open-source software.

Second, on the penalties, FERMA is concerned that the introduction of fines in the context of cybersecurity will lead to a complex landscape of fines according to different pieces of legislation and could also open up (or widen existing) gaps in insurance coverage of companies.

FERMA rests at the European Commission's disposal to discuss further the insurance implications of the proposed CRA, as well as the more practical elements related to cybersecurity risks and cybersecurity risk assessments. Please find our full commentary attached.

Response to Sustainable corporate governance

20 May 2022

FERMA is a supporter of the European Commission’s ambitions to succeed in the transition to a climate-neutral and green economy and in delivering on the UN Sustainable Development Goals. From our perspective, it is overall positive to observe that the CSDD proposal borrows so much from a risk management approach. Please also find attached our position paper.

We are an active voice at EU-level promoting the crucial and strategic role that risk management plays for organisations on their sustainability journey. We believe a corporate culture that embraces Enterprise Risk Management (ERM) is a fundamental factor for sustainability. We are a firm believer in captives as an enabler for more sustainable organisations and a more resilient EU economy.

Nonetheless, as the representative voice of professional risk managers, FERMA has identified two main challenges for companies in meeting the CSDD objectives:

• There would be practical difficulties in implementing the due diligence process, especially considering the notion of value chain; and,
• There are uncertain implications related to the civil liability dimension of the proposal.

Value chain, the due diligence process and practical implementation: a trilemma

First, there are likely to be high business consequences in implementing the due diligence process (Articles 5 to 11) to the letter:

- How are companies with, for example, tier II suppliers working in countries with weak records on human rights expected to mitigate or bring to an end the full range of potential and actual adverse impacts?
- How is it possible for businesses to deal with a monopoly supplier of a specific commodity or good being located in a country with environmental standards not in line with those in the EU?
- How to ensure that requirements do not put at risk the security of supply of urgently needed goods?

Second, there is an information problem in terms of availability, access and processing. Based on the experience of some FERMA members with existing legislation in this field, we know the ability of EU enterprises to access the appropriate information about suppliers, as well as to identify the appropriate sources of information, could be challenging.

Third, there is an evidence problem. If an adverse impact cannot be brought to an end, there will be challenges for companies to demonstrate that best efforts have been made, or that the appropriate actions have been taken.

Furthermore, as risk managers we take an enterprise-wide view and foresee problems emerging between an exhaustive approach – as implied by practically implementing value chains – and the more practical need for prioritisation, which calls for a more risk-based approach.

Recommendation: FERMA suggests that the focus of the due diligence process obligations should be on direct suppliers (tier I) through a cascade process: each company would oblige (by contractual agreement, for example) their direct suppliers (tier I) to apply the same due diligence process on the suppliers of their suppliers (tier II), and so on.

Civil liability and CSDD: the need to avoid liability “à la carte”

FERMA has identified the following challenges regarding liability as presented in CSDD:

• FERMA is concerned that gaps in civil liability regimes may arise across Member States, or even be reinforced. This could lead to an unlevel playing field.
• FERMA regrets there is no clear definition of damages in the CSDD proposal, which is a central notion regarding liability. This creates an uncertainty that has (un)clear implications on the scope and perimeter of liability for companies.

Recommendations:

• FERMA calls on the European Commission to elaborate a minimum harmonized framework for liability as it concerns the CSDD at EU-level in order to minimise gaps across EU Member States.
• FERMA seeks clarity from the European Commission on the notion of damages in CSDD.

Response to Review of measures on taking up and pursuit of the insurance and reinsurance business (Solvency II)

12 Jan 2022

FERMA, the Federation of European Risk Management Associations, is happy to provide feedback on the European Commission's proposed amendments to Solvency II, specifically concerning proportionality. As the representative body for almost 5,000 risk and insurance managers at European level, we take great interest in the prudential rules governing insurance undertakings. Furthermore, since many of our Members currently use captives, and several more would like to either set up a captive or make more use of their captive, FERMA is especially interested in the proposed changes to proportionality. FERMA has consistently advocated a more risk-proportionate regulation of captives in the context of European prudential rules and supervision.

At a very high level, FERMA acknowledges the important strides made in the proposed amendments, where there is a new classification of low-risk profile undertaking, which would be able to apply a more proportionate version of the prudential rules. It is our strong belief that it makes sense to have a risk-based set of rules. However, it is also our contention that there is still room to improve Solvency II as it concerns proportionality.

FERMA calls for captives to be treated automatically as low-risk profile undertakings. At the same time we understand that discretion may need to be applied to a minority of captives. That is why we would also propose an exception to that rule if the captive is assessed by the NCA to pose a systemic risk or has been in breach of its solvency requirements.

Captives provide European businesses with an alternative form of risk transfer. This is crucial in the current hard market conditions but also going forward as risks become more systemic, frequent and impactful. The appetite for using captives is clear. In the 2020 FERMA Risk Manager Survey, 27% said they would use an existing captive for hard to place risks, compared to only 1% in 2018, and 16% were considering the creation of a new captive.

Captives are a crucial part of a vibrant and competitive European insurance market. Having them as an option is crucial, though clearly not viable for all businesses. By making the prudential regime more proportionate we have the firm belief that the EU would strengthen the overall competitiveness of its insurance market. Please find our full position paper attached. FERMA looks forward to the discussions on this point.

Response to Revision of Non-Financial Reporting Directive

24 Jun 2021

FERMA is pleased to have the opportunity to provide the European Commission with feedback from the risk and insurance management community on its proposal for a Corporate Sustainability Reporting Directive [CSRD] (‘the proposal’). As the EU-level representative of the risk management profession, FERMA has an important voice on the topic of sustainability. The Task Force on Climate-related Financial Disclosures (TCFD) recommends focusing on four thematic areas of how organisations operate: governance, strategy, metrics and targets, and risk management. How organisations identify, assess and manage climate risks (i.e. risk management) is a key part of their strategies, and essential for ensuring both sustainability and resilience. Furthermore, risk and insurance managers regularly both produce and use sustainability information on behalf of their enterprises. This therefore means that a revision of the requirements for reporting on sustainability information directly impacts both our profession and the way that information is produced.

Bearing the above in mind, FERMA wishes to express its support for the Commission’s ambitious CSRD proposal but makes the following comments, summarised below and expanded upon in the attached:

- While we wholeheartedly agree that companies should do ‘double materiality’ sustainability reporting, we are concerned by the quantity-quality tradeoff, especially when problems currently exist with the application of double materiality.
- FERMA supports an expansion of the scope; however, we have two concerns with this: i) timing, and ii) knowledge gaps.
- FERMA welcomes the proposal for a common standard on sustainability reporting to be developed but urges that this work is led by industry.
- 'Going digital' is welcome but those reporting will likely need some guidance on the process.
- Quality assurance is indeed desirable; however, we hope the ‘standard’ will mirror the reporting standard.

Response to Revision of the NIS Directive

18 Mar 2021

The Federation of European Risk Management Associations (FERMA) is pleased to have the opportunity to provide the Commission with its comments on the proposal for NISD 2.0. Broadly speaking, we see it as a step forward that could benefit from some clarification and additional guidance in some places. We very much welcome the increased prominence given to risk management within the Directive, testament to the growing importance of risk management as a profession in the domain of cybersecurity. We provide more comments in the attached document.

Meeting with Andrea Beltramello (Cabinet of Executive Vice-President Valdis Dombrovskis)

16 Sept 2020 · Insurance against pandemic risk

Response to Requirements for Artificial Intelligence

10 Sept 2020

The Federation of European Risk Management Associations (FERMA) welcomes the opportunity to comment on the Commission’s Inception Impact Assessment, specifically on the relevant policy options and policy instruments in the area of Artificial Intelligence. Our input here is complemented by our attached position paper.

FERMA brings together 22 risk management associations in 21 countries. They represent nearly 5000 professional risk managers active in a wide range of business sectors. Risk managers utilise a number of tools and methodologies for measuring risk, particularly Enterprise Risk Management (ERM) and the ‘Three Lines of Defense’ model. ERM and the ‘Three Lines of Defense’ have already been applied effectively in the digital context, such as GDPR and cybersecurity, and have proven to build organisations’ capacity to mitigate and assess risk.

We are therefore encouraged to see that the Commission has incorporated a risk-based approach to AI. The promotion and utilisation of risk management methodologies such as ERM and the ‘Three Lines of Defence’ can help organisations support such a risk-based approach. On this note, FERMA is committed to proactively contributing its risk management expertise to the work of the European Commission to ensure a robust ‘risk-based approach’ is enshrined in AI legislation moving forward.

FERMA believes it is important to balance any future legislation against the clear need for innovation and market development. At the current stage of market maturity, FERMA is in favour of applying broad, market-based principles. With specific reference to the policy options presented in the Inception Impact Assessment document, FERMA supports Options 2 and 3, and therefore believes that Option 4, which would see a combination of policy tools being used that take into account the different levels of risk of particular AI applications, is ultimately the most sensible approach.

In addition to the comments above, FERMA takes the view that AI raises a number of concerns related to liability. This is why FERMA believes that the existing European legislative framework in this area, the Product Liability Directive, needs to be re-examined before creating a new liability regime specific to AI. To that end, FERMA believes the primary goal of action in this area should be to ensure legal certainty, since this will allow risk managers and the insurance industry to adjust their solutions to market needs.

Even with legal certainty, AI will always pose risks. To mitigate AI-related risk, FERMA recommends that the Commission create a mix of ex-ante incentives to encourage regulatory compliance based on good-faith disclosures and reasonable transparency requirements, combined with a light-touch ex-post enforcement mechanism. FERMA remains committed to working with the European Commission to build a holistic AI legislative framework that accounts for risk inherent to AI without stifling innovation.

Response to Report on the application of the General Data Protection Regulation

28 Apr 2020

You will find here attached the position of FERMA (Federation of Risk Management Associations) as well as its report “GDPR and Corporate Governance: The Role of Internal Audit and Risk Management One Year After Implementation”.

Meeting with John Berrigan (Director-General Financial Stability, Financial Services and Capital Markets Union)

29 Jan 2020 · Risk Management, Solvency II