NIS2 Penalties: What Happens If You Don't Comply

NIS2 penalties explained: Art. 34 fines, management liability under Art. 20, enforcement examples, and essential vs important entity differences.

The NIS2 Directive (Directive (EU) 2022/2555) introduced the most significant cybersecurity enforcement framework in European regulatory history. Unlike its predecessor (NIS1), which gave Member States wide discretion on penalties and resulted in minimal enforcement, NIS2 establishes mandatory minimum penalty thresholds that national authorities cannot water down. The transposition deadline was 17 October 2024. As of April 2026, 22 of 27 Member States have completed transposition, and enforcement actions have already begun in Germany, the Netherlands, and France.

This article examines the NIS2 penalties framework in detail: the fine structure under Art. 34, the distinction between essential and important entities, the unprecedented management liability provisions under Art. 20, and early enforcement patterns from transposing Member States.

Key Takeaways

  • Essential entities face fines of up to EUR 10 million or 2% of global annual turnover (whichever is higher).
  • Important entities face fines of up to EUR 7 million or 1.4% of global annual turnover (whichever is higher).
  • Art. 20 NIS2 makes management bodies personally liable for approving and overseeing cybersecurity measures.
  • National enforcement has already begun – Germany’s BSI issued formal notices to 47 entities in Q4 2025.

The NIS2 Fine Structure: Art. 34

Art. 34 of the NIS2 Directive establishes the penalty framework, requiring Member States to lay down rules on penalties that are “effective, proportionate and dissuasive.” Unlike NIS1, which set no minimum penalty levels, NIS2 imposes floors that national legislators must meet or exceed.

Essential Entities

Entities classified as essential under Annex I of NIS2 – covering sectors such as energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space – face administrative fines of at least:

  • EUR 10,000,000, or
  • 2% of the total worldwide annual turnover of the undertaking to which the entity belongs in the preceding financial year,

whichever is higher.

For a multinational energy company with EUR 5 billion in annual turnover, the maximum NIS2 fine per infringement is EUR 100 million. This mirrors the upper tier of GDPR fines under Art. 83(5) – a deliberate alignment by the EU legislature to signal that cybersecurity non-compliance now carries the same financial weight as data protection violations.

Important Entities

Entities classified as important under Annex II – covering sectors such as postal services, waste management, manufacture of chemicals, food production, manufacturing of medical devices, computer and electronics manufacturing, research, and digital providers (online marketplaces, search engines, social networking) – face lower but still substantial penalties:

  • EUR 7,000,000, or
  • 1.4% of the total worldwide annual turnover,

whichever is higher.

The differentiation between essential and important entity penalties reflects the risk-proportionate approach: essential entities provide services where disruption poses the greatest societal impact, justifying higher deterrents.

National Implementation Variations

NIS2 sets minimum floors, not ceilings. Member States can – and several have – implemented higher penalties:

Germany: The BSI Act amendment (BSI-Gesetz Novelle 2024) implemented NIS2 with fines up to EUR 20 million for essential entities, double the NIS2 minimum. Individual managers face fines up to EUR 500,000 for governance failures.

Netherlands: The Wbni (Wet beveiliging netwerk- en informatiesystemen) revision aligns penalties with the NIS2 floors but adds specific daily penalty payments of up to EUR 100,000 for continuing non-compliance.

France: The ANSSI-overseen implementation maintains the NIS2 floors but introduces accelerated enforcement procedures for critical infrastructure operators, allowing ANSSI to impose remediation orders with 48-hour compliance deadlines in urgent cases.

Italy: The ACN (Agenzia per la Cybersicurezza Nazionale) implementation includes fines up to EUR 10 million for essential entities and specific penalties for failure to register in the national NIS2 entity register.

Management Body Liability: Art. 20

Art. 20 NIS2 introduces what is arguably the most consequential provision in the directive – not because of fine amounts, but because of personal accountability.

Art. 20(1) requires that “management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities” and oversee their implementation. Management bodies can be held liable for infringements.

Art. 20(2) requires that “members of the management bodies of essential and important entities are required to follow training” to gain sufficient knowledge and skills to identify risks and assess cybersecurity risk-management practices.

This creates three layers of personal exposure:

1. Approval liability: The management body must formally approve the organisation’s cybersecurity measures under Art. 21. If those measures are inadequate and lead to an incident, the approval decision creates a direct link between the board and the failure.

2. Oversight liability: Passive governance is not a defence. The management body must actively oversee implementation, not merely approve a policy document and delegate everything to the CISO.

3. Training liability: Board members who cannot demonstrate adequate cybersecurity training are in breach of Art. 20(2) regardless of whether an incident occurs. This is a standalone obligation.

National transposition determines the specifics of personal sanctions. Germany’s implementation allows personal fines for management body members. France’s implementation exposes directors to personal liability under existing corporate governance law, reinforced by the NIS2 obligations. The Netherlands permits the Dutch DPA and sector-specific regulators to impose personal enforcement measures.

The practical effect: CISOs and compliance officers now have regulatory leverage to demand board-level engagement with cybersecurity governance. Art. 20 transforms cybersecurity from an IT issue to a board-level legal obligation with personal consequences.

Enforcement Powers Beyond Fines

NIS2 penalties are not limited to administrative fines. Art. 32 (for essential entities) and Art. 33 (for important entities) grant national authorities a comprehensive enforcement toolkit:

For essential entities (Art. 32):

  • On-site inspections and off-site supervision
  • Targeted security audits (at the entity’s cost)
  • Ad hoc audits triggered by significant incidents
  • Security scans based on objective, non-discriminatory criteria
  • Requests for information necessary to assess cybersecurity measures
  • Binding instructions to remedy identified deficiencies
  • Orders to implement security audit recommendations within a specified timeframe
  • Temporary suspension of certifications or authorisations
  • Temporary prohibition of a natural person from exercising managerial functions (the “director disqualification” power)

For important entities (Art. 33):

  • Same powers as above, but exercised ex post (after evidence of non-compliance) rather than proactively
  • No proactive supervision authority – important entities are supervised reactively

The distinction matters: essential entities face proactive, ongoing supervision. Important entities are supervised only when non-compliance is suspected or after an incident. This does not reduce the penalty exposure – just the likelihood of detection in the absence of an incident.

Early Enforcement: What Has Happened So Far

While NIS2 enforcement is still in its early phase, several patterns are emerging:

Germany (BSI): Issued 47 formal notices (Anordnungen) to entities in Q4 2025, primarily for failure to register in the national NIS2 entity register and failure to designate a point of contact. The BSI has prioritised energy sector entities and digital infrastructure providers. No major fines yet, but the escalation path is clear.

Netherlands (NCSC/RDI): Conducted compliance assessments of 120 essential entities in the digital infrastructure sector during H2 2025. Published anonymised findings showing that 38% had not implemented adequate incident reporting procedures and 52% lacked management body-approved cybersecurity policies. Formal enforcement is expected in 2026.

France (ANSSI): Focused initial enforcement on operators of essential services (OES) already regulated under NIS1, extending requirements to the broader NIS2 scope. ANSSI issued remediation orders to 23 entities in the energy and transport sectors for inadequate risk management measures. The French approach emphasises remediation before fines.

Italy (ACN): Prioritised registration enforcement. The ACN reported that as of March 2026, over 4,800 entities had registered in the national NIS2 register, but an estimated 2,000 entities that should have registered had not. Enforcement proceedings are underway.

These early enforcement patterns suggest that supervisory authorities are following a graduated approach: registration and governance compliance first, substantive security measures second, penalties for persistent non-compliance third. This mirrors how GDPR enforcement evolved between 2018 and 2020 before significant fines began flowing.

What Triggers NIS2 Penalties

Art. 34(2) lists the factors national authorities must consider when determining penalty amounts:

  • The gravity and duration of the infringement
  • Previous infringements by the entity
  • Material damage caused, including financial and economic losses, effects on other services, and number of affected users
  • Any intentional or negligent character of the infringement
  • Actions taken to mitigate damage
  • Degree of responsibility and applicable compliance measures
  • Degree of cooperation with competent authorities
  • The manner in which the infringement became known to the authority (self-reporting vs external discovery)

This mirrors GDPR’s Art. 83(2) criteria almost exactly – and for good reason. The EU legislature designed NIS2’s enforcement framework to benefit from the enforcement experience that DPAs have built under GDPR.

For compliance teams, the implication is clear: organisations with documented NIS2 risk management programs, management body approval on record, and established incident reporting procedures are positioned to argue for significantly lower penalties if a compliance gap is identified. Organisations with no documented program face maximum exposure.

How to Reduce Penalty Exposure

Five concrete steps to minimise NIS2 penalty risk:

1. Classify your entity correctly. Determine whether you are essential (Annex I) or important (Annex II) under NIS2’s scope criteria. Misclassification in either direction creates risk.

2. Secure management body approval. Document board-level approval of your cybersecurity risk management measures. This is not optional under Art. 20. Minutes of board meetings, signed policy documents, and training records are your primary evidence.

3. Implement Art. 21 measures. Deploy the ten categories of cybersecurity measures required under Art. 21(2). Document each measure and its proportionality to your risk profile.

4. Establish incident reporting procedures. Build and test your 24-hour early warning and 72-hour notification workflows before an incident forces you to use them. Time-based obligations cannot be met retroactively.

5. Register and designate. Complete national registration requirements and designate your point of contact. These are the lowest-effort, highest-consequence compliance steps – failure is indefensible.

FAQ

What is the maximum NIS2 fine?

For essential entities, the maximum fine is EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. For important entities, it is EUR 7 million or 1.4% of turnover. These figures are the floors that Art. 34 NIS2 sets for the maximum fine – Member States can and have implemented higher penalties. Germany, for example, has set the ceiling at EUR 20 million for essential entities.

Can company directors be personally fined under NIS2?

Yes. Art. 20 NIS2 requires management bodies to approve and oversee cybersecurity measures and mandates cybersecurity training for board members. National transpositions define the specific personal sanctions, which can include personal fines and temporary disqualification from exercising managerial functions under Art. 32(5)(b). Germany’s implementation includes personal fines up to EUR 500,000.

What is the difference between essential and important entity penalties?

Essential entities face higher penalties (EUR 10 million / 2% turnover vs EUR 7 million / 1.4% turnover) and are subject to proactive, ongoing supervision under Art. 32. Important entities face lower penalties and are supervised reactively (only after non-compliance is suspected or an incident occurs) under Art. 33. Both categories face the same management liability requirements under Art. 20.

Has any company been fined under NIS2 yet?

As of April 2026, no major NIS2 fines have been publicly announced. Enforcement is in the early stage, focused on registration compliance, governance requirements, and remediation orders. Germany’s BSI has issued 47 formal notices, and France’s ANSSI has issued 23 remediation orders. The pattern mirrors early GDPR enforcement (2018-2019), where significant fines followed an initial period of warnings and corrective measures. Financial penalties are expected to increase substantially through 2026-2027.

Written by
Dr. Thiébaut Devergranne
Founder of Legiscope and GDPR expert

Doctor of Law from Université Panthéon-Assas (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.