Blend
Compliance Training 29 March 2026

NIS2 Penalties: Up to EUR 10 Million for Non-Compliance

NIS2 penalties reach EUR 10M or 2% of turnover. Here's the full penalty framework, what triggers enforcement, and how national approaches differ.

By Tom Payani

The NIS2 Directive introduced the most significant penalty framework for cybersecurity non-compliance in EU history. For essential entities, the maximum fine is EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. For important entities, it is EUR 7 million or 1.4% of turnover.

These numbers are designed to get attention. They are modelled on the GDPR penalty framework, which demonstrated that large fines drive compliance behaviour in a way that voluntary guidance never could. But the headline figures are only part of the picture. NIS2's enforcement regime also includes personal liability for management, operational compliance orders, temporary management bans, and public naming — measures that collectively create pressure across the entire leadership structure of an organisation.

This article covers the full penalty framework, what triggers enforcement, how different member states are approaching implementation, and what proportionality factors supervisory authorities will consider.


The Penalty Framework

Article 34 of the NIS2 Directive sets the ceiling for administrative fines. The structure distinguishes between the two categories of entity.

Essential entities — organisations in sectors such as energy, transport, banking, health, digital infrastructure, and public administration — face maximum fines of at least EUR 10 million or at least 2% of total worldwide annual turnover in the preceding financial year, whichever is higher.

Important entities — covering sectors such as postal services, waste management, chemicals, food production, certain manufacturing, and digital providers — face maximum fines of at least EUR 7 million or at least 1.4% of total worldwide annual turnover, whichever is higher.

The phrase "at least" is significant. These are minimum maximums — member states may set higher ceilings in their national transposition. The directive establishes a floor, not a ceiling. Some member states have transposed the penalty provisions at these exact thresholds; others have opted for higher maximums or additional penalty categories.

It is also worth noting that these penalties apply to the legal entity, not to individual employees. However, the directive contains separate provisions for individual accountability that operate alongside the financial penalties.


Personal Liability Under Article 20

The penalty provisions cannot be understood in isolation from Article 20, which establishes personal accountability for the management body.

Article 20(1) states that members of the management body can be held liable for infringements by the entity. This is not vicarious liability — it is a direct obligation placed on directors and senior executives to approve, oversee, and be accountable for the organisation's cybersecurity risk-management measures.

Recital 53 of the directive goes further, noting that member states should be able to provide for "the temporary prohibition of the exercise of managerial functions by individuals who are held responsible" for serious or repeated infringements.

In practice, this means that a director of an essential entity that suffers a significant cyber incident could face both financial consequences for the organisation and personal consequences for themselves — including temporary bans from holding managerial positions.

This dual structure is deliberate. The financial penalties create organisational incentive. The personal liability provisions create individual incentive. Together, they are designed to ensure that cybersecurity governance receives genuine attention at the board level, not just delegation to the IT department.

We covered the full scope of management body obligations in our Article 20 board training guide. The training format comparison explains why the type of training you provide to management matters for audit purposes.


What Triggers Enforcement

The NIS2 Directive does not impose penalties automatically. Enforcement is triggered by specific failures, and supervisory authorities have discretion in how they respond. Understanding what triggers enforcement — and what escalates it — is essential for calibrating your compliance programme.

Failure to implement risk-management measures (Article 21). Article 21 sets out ten categories of cybersecurity risk-management measure that essential and important entities must implement. These include incident handling, business continuity, supply chain security, encryption, access control policies, and — critically — basic cyber hygiene practices and cybersecurity training. Failure to implement any of these measures in a proportionate manner can trigger supervisory action.

Incident reporting failures (Article 23). Organisations must submit an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month of becoming aware of a significant incident. Missing these deadlines — or failing to report at all — is a standalone enforcement trigger, regardless of whether the underlying incident was preventable.

Failure to provide management body training (Article 20). If the management body has not completed documented cybersecurity training sufficient to meet the Article 20(2) standard, this is a direct compliance failure. Supervisory authorities can request evidence of training at any time, and the absence of that evidence is itself an infringement.

Failure to cooperate with supervisory authorities. Articles 32 and 33 grant supervisory authorities wide-ranging powers, including on-site inspections, security audits, and requests for evidence of compliance. Refusing to cooperate, providing incomplete information, or obstructing an inspection can escalate enforcement action and increase the severity of any resulting penalties.

Repeated infringements. A first infringement met with a warning or a corrective order creates a documented baseline. A second or subsequent failure to address the same issue will be treated more seriously. Supervisory authorities are explicitly empowered to escalate their response if corrective measures are not implemented.

The common thread is that enforcement typically follows a pattern: supervisory action first (audit, inspection, or information request), followed by corrective orders if deficiencies are found, followed by financial penalties if corrective orders are not implemented. Penalties as a first response are reserved for the most serious failures — significant incidents where the organisation's negligence is clear, or deliberate non-cooperation with supervisory authorities.


National Variation in Enforcement

NIS2 is a directive, not a regulation. It sets the framework, but each member state transposes it into national law with its own legislative choices. This creates variation across three dimensions.

Penalty thresholds. Most member states have adopted the EUR 10M/2% and EUR 7M/1.4% thresholds directly. Some have opted for higher maximums. A small number have introduced intermediate penalty bands for less severe infringements, creating a graduated scale rather than a binary compliant/non-compliant assessment.

Supervisory authority structure. Some member states have designated a single national competent authority for NIS2 enforcement. Others have allocated responsibility across multiple authorities — one for each sector, or separate authorities for essential and important entities. The practical consequence is that the supervisory culture, enforcement style, and audit frequency will vary depending on which authority oversees your sector in your jurisdiction.

Enforcement philosophy. Some member states — particularly those with mature cybersecurity governance frameworks — are taking a supervision-first approach, prioritising audits, guidance, and corrective orders before reaching for financial penalties. Others, particularly those that transposed NIS2 late and are now working through a backlog, are likely to use penalties more readily to establish deterrence. If your organisation operates across multiple member states, you may face different enforcement cultures simultaneously.

Personal liability implementation. The directive gives member states discretion in how they implement management body liability. Some have transposed this as civil liability. Others have introduced administrative penalties that can be imposed directly on individuals. The temporary management ban provision has been adopted by several member states, though the threshold for triggering it varies.

For organisations operating across the EU, the practical implication is that compliance cannot be calibrated to the most lenient jurisdiction. The risk-management framework must satisfy the most demanding requirements you face, and the training programme must meet the highest standard applicable across your operational footprint.


Proportionality Factors

Supervisory authorities do not apply maximum penalties in every case. Article 34(3) requires that penalties be "effective, proportionate and dissuasive," and it lists several factors that authorities must consider when setting penalty levels.

The gravity and duration of the infringement. A systemic failure to implement any cybersecurity training programme over several years will be treated more severely than a minor procedural gap identified during a routine audit.

Previous infringements. A first-time failure typically results in corrective action rather than financial penalties. Repeated failures demonstrate a pattern that justifies escalation.

Damage caused. If a security incident results in significant harm — data breaches affecting large numbers of individuals, disruption to essential services, financial losses for third parties — the penalty will reflect the actual impact, not just the theoretical risk.

Intentionality or negligence. Deliberate non-compliance — knowingly failing to implement required measures or actively obstructing supervisory action — is treated more severely than negligent failures. An organisation that made a genuine effort to comply but fell short in specific areas will generally receive more favourable treatment than one that ignored its obligations entirely.

Measures taken to mitigate damage. How the organisation responded to the incident matters. Prompt notification, transparent cooperation with authorities, and rapid remediation all operate as mitigating factors.

Cooperation with the competent authority. Full and timely cooperation during an investigation or audit consistently reduces penalty severity. Obstruction or delay has the opposite effect.

The nature and size of the entity. A multinational with substantial resources faces different expectations than an organisation that has just crossed the size threshold into NIS2's scope. Proportionality means that the penalty should fit both the infringement and the entity.

These factors collectively mean that organisations which invest in genuine compliance — even if their programmes are not yet perfect — face significantly lower penalty risk than those that have done nothing. Progress matters. Documentation matters. Good faith matters. The penalty framework is designed to drive compliance, not to punish organisations that are genuinely working to improve their cybersecurity posture.


Practical Implications

The penalty framework creates clear incentives, but the most important takeaway is not the size of the fines. It is the structure of the obligations.

NIS2 penalties are highest when organisations fail at the basics: no risk-management framework, no incident reporting process, no management training, no evidence of cybersecurity measures. These are not sophisticated technical failures. They are governance failures — and they are entirely preventable.

The organisations that face the lowest penalty risk are those that have implemented the Article 21 measures proportionately, documented their compliance posture, trained their management body, extended training to their workforce, and established clear incident reporting procedures. None of this requires perfection. It requires systematic effort and good documentation.

If you are building or strengthening your NIS2 compliance programme, training is one of the most cost-effective risk-mitigation measures available. It satisfies multiple obligations simultaneously — Article 20 (management training), Article 21(2)(g) (cyber hygiene and training), and the proportionality standard that runs through the entire directive.

Our NIS2 course is designed to produce the evidence trail that satisfies auditors and reduces penalty risk — from board-level governance scenarios to general workforce cyber hygiene training.

Not sure where your gaps are? Our free diagnostic gives you a clear picture of your NIS2 compliance posture in two minutes.

