Major cyber incidents such as the Maersk case have demonstrated that the lack of cyber security can induce huge operational losses in the maritime sector. Cyber-insurance is an instrument of risk transfer, enabling organisations to insure themselves against financial losses caused by cyber incidents and get access to incident management services. This paper provides an empirical study of the use of cyber-insurance in the Norwegian maritime sector, with a particular emphasis on the effects of the General Data Protection Regulation and the Directive on Security of Network and Information Systems. Norway constitutes a significant case as a country having a highly mature IT infrastructure and well-developed maritime industry. Interviews were conducted with supplier- and demand-side maritime actors. Findings point to a widespread lack of knowledge about cyber-insurance. Furthermore, neither GDPR nor NIS were found to be significant drivers of cyber-insurance uptake among maritime organisations.