NISDESK

NIS2 Fines & Penalties

NIS2 Article 34 establishes a two-tier fine structure based on whether an organisation is an Essential Entity or an Important Entity. Fines apply to security failures, missed incident notifications and supervisory non-compliance.

Essential Entities

€10M or 2% of global annual turnover (whichever is higher)

Applies to: Annex I sectors (energy, transport, banking, health, digital infrastructure, etc.) — large organisations.

Important Entities

€7M or 1.4% of global annual turnover (whichever is higher)

Applies to: Annex II sectors + medium-sized Annex I entities (manufacturing, food, chemicals, digital providers, research, etc.).

What can trigger a NIS2 fine?

Management liability (NIS2 Article 20): Management bodies must approve security measures and oversee implementation. They can face personal liability for infringements, including temporary bans from management roles in Essential Entities.

Frequently asked questions

What are the maximum NIS2 fines?

Under NIS2 Article 34, Essential Entities face fines up to €10 million or 2% of global annual turnover (whichever is higher). Important Entities face fines up to €7 million or 1.4% of global annual turnover. Actual fines depend on national enforcement and the severity of the breach.

What triggers a NIS2 fine?

Fines can be imposed for: failure to implement appropriate security measures (Article 21), failure to notify significant incidents within the 72-hour deadline (Article 23), failure to register with the national authority, or failure to cooperate with supervision. Supervisory authorities have broad discretion.

Who imposes NIS2 fines?

National competent authorities in each EU member state are responsible for imposing NIS2 fines. The specific authority varies by country — for example BSI in Germany, ANSSI in France, ACN in Italy. Each authority may have different enforcement priorities.

Can management be held personally liable under NIS2?

Yes. NIS2 Article 20 requires management bodies to approve and oversee security measures. Member states must ensure that management bodies can be held liable for NIS2 infringements, including potential temporary bans from management roles.


Figures based on NIS2 Article 34. Actual enforcement varies by national authority.