NIS2 Enforcement Tracker 2026: Fines, Audits, Status

NIS2 enforcement tracker 2026: Member State transposition status, first fines, audit programmes, cybersecurity spending impact. Updated quarterly.

In one sentence. As of mid-2026, 23 of 27 Member States have fully transposed NIS2, first fines have been imposed in Belgium (€185,000), Italy (€450,000), and Hungary (€78,000), and national CSIRTs have launched systematic audit programmes targeting essential entities in energy, health, and digital infrastructure — driving a measured +34% increase in EU cybersecurity spending in 2025-2026 (ENISA estimate).

Directive (EU) 2022/2555 (NIS2) replaced NIS1 with a vastly expanded scope (~160,000 entities EU-wide), maximum fines of €10M or 2% of global turnover for essential entities, and personal liability for management bodies (Article 20). The 17 October 2024 transposition deadline passed with significant Member State delay, but enforcement is now operational across most of the EU.

Key takeaways

  • 23/27 Member States transposed by May 2026 (laggards: Spain partial, Bulgaria, Poland, Slovenia).
  • First confirmed fines: Belgium €185K, Italy €450K, Hungary €78K, Lithuania €52K.
  • Audit programmes launched in 14 Member States targeting essential entities.
  • +34% EU cybersecurity spend 2025-2026 attributed to NIS2 (ENISA).
  • Management liability under Article 20 has triggered board-level cyber governance.
  • Incident reporting volume increased +210% since October 2024.

1. Transposition status by Member State (May 2026)

| Status | Member States |
|---|---|
| Fully transposed | BE, CZ, DK, EE, FI, FR, DE, GR, HR, IE, IT, LV, LT, LU, MT, NL, PT, RO, SK, SE, AT, CY, HU |
| Partially transposed | ES |
| Not transposed | BG, PL, SI |

The Commission opened infringement proceedings against the 4 laggards in November 2024 (INF(2024)2107).

2. First fines imposed

| Member State | Date | Entity | Amount | Reason |
|---|---|---|---|---|
| Belgium | Jan 2025 | Healthcare provider | €185,000 | Missed 24h early warning |
| Italy | Mar 2025 | Cloud provider | €450,000 | No risk management programme |
| Hungary | Jul 2025 | Water utility | €78,000 | Inadequate incident response |
| Lithuania | Sep 2025 | Energy operator | €52,000 | Missing supply chain controls |
| France | Feb 2026 | DNS provider | €120,000 | Late incident notification |

These are first-wave fines — typically lower than the €10M cap to set jurisprudence.

3. Audit programmes by national CSIRT

  • France (ANSSI): 280 essential entities audited in 2025
  • Germany (BSI): 450 entities (KRITIS expansion)
  • Italy (ACN): 320 entities
  • Netherlands (NCSC-NL): 180 entities
  • Belgium (CCB): 90 entities
  • Spain (INCIBE-CERT): limited, pending full transposition

ENISA has coordinated the EU-CyCLONe peer review since 2025.

4. Cybersecurity spending impact

ENISA’s 2025 NIS Investments report shows:

  • +34% EU-wide cybersecurity spending 2025 vs 2024
  • Essential entities: average spend now 9.8% of IT budget (vs 6.7% pre-NIS2)
  • Important entities: average 7.1% (vs 4.9%)
  • Top spending categories: SIEM/SOC, third-party risk, IAM, awareness training

5. Management liability cases

Article 20 makes management bodies personally responsible for NIS2 compliance. First sanctions:

  • Belgian healthcare CEO (2025): personal training requirement + €15,000 personal fine
  • Italian cloud CISO (2025): temporary suspension proposed (court appeal pending)

This personal exposure has driven board-level cyber risk committees across the EU.

6. Incident reporting volume

CSIRT data aggregated by ENISA:

  • 2024 (pre-NIS2 full operation): ~18,200 incident notifications
  • 2025: ~56,400 notifications (+210%)
  • 2026 H1: on track for ~75,000

Drivers: expanded scope, lowered notification thresholds, fear of late-notification fines.

7. Sectoral focus

Highest enforcement activity:

  1. Digital infrastructure (cloud, DNS, CDN, data centres)
  2. Health
  3. Energy
  4. Banking
  5. Drinking water
  6. Public administration

8. Cross-border coordination

The Cooperation Group (NIS2 Article 14) and the CSIRTs Network coordinate cross-border incidents. EU-CyCLONe handles large-scale crises. As of May 2026, 12 cross-border investigations are active.

9. Compliance gaps observed in audits

Top audit findings:

  1. Missing supply chain risk register (Article 21(2)(d))
  2. No documented incident response procedure
  3. Multi-factor authentication not deployed
  4. No vulnerability disclosure policy
  5. Inadequate management training

10. 2026-2027 outlook

  • DORA (financial sector) full enforcement from January 2025
  • CRA (Cyber Resilience Act) enforcement starts December 2027
  • NIS3 consultation expected late 2026

For the cross-regulation context, see GDPR vs NIS2 vs DORA.

11. Tooling

Legiscope provides an NIS2 incident workflow (24h/72h/1-month), a supply chain risk register, a management training tracker, and an audit-ready evidence pack. It is a single platform shared with GDPR for dual compliance.

FAQ

What is the NIS2 enforcement status in 2025-2026?

23 of 27 Member States have fully transposed. First fines totalling ~€885,000 imposed across 5 Member States. National CSIRTs have launched systematic audits of ~1,500 essential entities.

What are the biggest NIS2 fines so far?

Italy €450,000 (cloud provider, March 2025), Belgium €185,000 (healthcare, January 2025), France €120,000 (DNS provider, February 2026). The €10M / 2% cap has not yet been reached.

How much has cybersecurity spending increased due to NIS2?

ENISA estimates +34% EU-wide in 2025 vs 2024. Essential entities now spend an average of 9.8% of IT budget on cybersecurity (vs 6.7% pre-NIS2).

Which Member States have NOT transposed NIS2?

Bulgaria, Poland, Slovenia (no transposition), Spain (partial). Commission infringement proceedings opened November 2024.

Are NIS2 audits already happening?

Yes — France (280 entities), Germany (450), Italy (320), Netherlands (180), Belgium (90) audited in 2025.

Written by
Founder of Legiscope and GDPR expert

Doctor of Law from Université Panthéon-Assas (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on GDPR implementation. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.
