
NIS2 Penalties: Fines, Sanctions, and Management Liability Explained


Last verified: March 2026. Penalty provisions are set in NIS2 Articles 32–36. Management liability is established in Article 20. National transposition laws may impose additional or stricter measures.

Non-compliance with the NIS2 Directive is not a technicality. It carries financial penalties that rival GDPR in scale, supervisory powers that extend to on-site raids and forced audits — and a provision that makes directors and senior managers personally liable for cybersecurity failures. That last point is what separates NIS2 from every cybersecurity regulation that came before it.

This guide explains how NIS2 penalties work, who faces them, how fines are calculated, and — critically — what Article 20 means for the people sitting on your board or in your executive team.


1. The NIS2 Penalty Framework: Two Tiers, Escalating Consequences

NIS2 penalties operate within a tiered structure that directly mirrors the two-tier entity classification established in Articles 3 and 4. Your maximum penalty exposure depends on whether your organisation is classified as an essential entity (Annex I sector, generally large organisations) or an important entity (Annex II sector, or medium-sized entities in Annex I sectors) [1].

This classification matters because:

  • Essential entities face higher maximum penalties — reflecting their greater impact on societal and economic continuity if disrupted.
  • Essential entities are subject to proactive supervision — authorities can audit and inspect before an incident occurs, not just after one.
  • Important entities are supervised reactively — enforcement is typically triggered by evidence of non-compliance or a significant incident.

Both tiers are subject to management liability under Article 20. There is no “important entity discount” on personal accountability.

If you haven’t confirmed your entity classification yet, the NIS2 scope guide walks through the full assessment process.

2. Financial Penalties for Essential Entities

Article 34 of NIS2 sets the following maximum administrative fine for essential entities:

€10,000,000 or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher.

The critical phrase is whichever is higher. This is not a cap — it is a floor with an upward scale for large corporations. Here is what it means in practice:

Global Annual Turnover        | 2% of Turnover | Which Is Higher? | Maximum Fine
------------------------------|----------------|------------------|-------------
€20 million (mid-market)      | €400,000       | €10 million      | €10 million
€50 million (upper mid-market)| €1 million     | €10 million      | €10 million
€100 million                  | €2 million     | €10 million      | €10 million
€500 million                  | €10 million    | Equal            | €10 million
€1 billion                    | €20 million    | 2% of turnover   | €20 million
€5 billion                    | €100 million   | 2% of turnover   | €100 million

The practical implication for essential entities: the €10 million floor applies to every company below €500 million in global turnover. A healthcare provider with €30 million turnover and a major energy company with €400 million turnover both face the same maximum penalty exposure of €10 million — 33% of the smaller company’s entire annual revenue.

This is deliberate. The regulation’s drafters wanted penalties that are genuinely dissuasive at all company sizes, not fines that a mid-market entity can absorb as a cost of doing business.

On turnover calculation: “Total worldwide annual turnover” means consolidated group revenue, not just the entity being penalised. If your organisation is a subsidiary of a larger corporate group, the group’s global turnover is used to calculate the 2% ceiling. A €50 million subsidiary belonging to a €10 billion group could, in theory, face a maximum fine of €200 million — 2% of €10 billion.

3. Financial Penalties for Important Entities

Article 34 sets a lower but still significant penalty ceiling for important entities:

€7,000,000 or 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher.

The same “whichever is higher” logic applies. For most important entities (mid-market companies with under €500 million turnover), the effective maximum is €7 million. Above €500 million, the 1.4% scale applies.

Aspect                           | Essential Entities (Annex I)                                                          | Important Entities (Annex II)
---------------------------------|---------------------------------------------------------------------------------------|------------------------------------------------------------------------
Maximum fine                     | €10M or 2% of global turnover                                                         | €7M or 1.4% of global turnover
Floor applies below turnover of  | €500 million                                                                          | €500 million
Supervision mode                 | Proactive — audits and inspections before incidents                                   | Reactive — triggered by incident or evidence
Management liability             | Yes — Article 20                                                                      | Yes — Article 20
Temporary management ban         | Yes — Article 32(5)(g)                                                                | Yes — Article 33(5)
Typical sectors                  | Energy, health, transport, digital infrastructure, banking, water, public admin, space | Postal, waste, chemicals, food, manufacturing, digital providers, research

These are the minimum maximums established by the directive — Member States are free to set higher ceilings in their national transposition laws, and some have done so [2].

4. Management Liability Under Article 20 — The Rule That Changes Everything

If the financial penalties get your board’s attention, Article 20 should keep it. This provision — unique in EU cybersecurity law — makes NIS2 non-compliance a matter of personal legal exposure for senior leaders, not just a corporate compliance problem.

What Article 20 Requires

Management bodies — defined as boards of directors, executive committees, and equivalent governing structures — are required to [3]:

  1. Approve the cybersecurity risk-management measures your organisation takes under Article 21.
  2. Oversee their implementation on an ongoing basis.
  3. Undergo training on cybersecurity topics sufficient to identify risks and assess risk-management practices and their impact on the services provided.

These are not aspirational requirements. They are legal obligations attached to the management body as a governing entity.

Personal Liability for Management Body Members

Article 20(2) states that management body members “may be held liable” for infringements of Article 21 obligations attributable to them. In practice, this means:

  • If your organisation suffers a significant cyber incident due to inadequate security measures, investigators will ask not just what failed technically, but who approved the security programme and what oversight was exercised.
  • A director who rubber-stamped a budget that knowingly underfunded cybersecurity, or who delegated all oversight to the IT department without seeking regular reporting, is potentially personally exposed.
  • National authorities can seek to temporarily ban individuals from exercising management functions in cases of serious or repeated non-compliance (Article 32(5)(g) for essential entities).

For board members and C-suite: NIS2 transforms cybersecurity from an IT department operational concern into a fiduciary duty. The question is no longer “has the CISO handled it?” — it is “has the board approved the measures, received regular reporting, and demonstrated through training that it understands the risk?” The days of plausible deniability on cybersecurity are over.

The Mandatory Training Obligation

Article 20(2) explicitly requires management bodies to acquire “sufficient knowledge and skills” to identify cybersecurity risks and evaluate management practices. This training obligation is not optional, and “we were busy” is not a defence.

The training requirement creates a documentation trail: organisations should maintain records of what training management received, when, and what topics were covered. This evidence becomes critical during supervisory reviews and investigations.

For the full breakdown of NIS2 training requirements at all levels — including what staff training is required — see the NIS2 training requirements guide.

5. Supervisory Measures: What Authorities Can Do Before the Fine

Financial penalties are the end of the enforcement process, not the beginning. Articles 32–36 give national competent authorities an extensive toolkit of supervisory and investigative measures that can be used before any fine is imposed — and some of which are more immediately disruptive than a financial penalty [4].

Supervisory Powers for Essential Entities (Article 32)

For essential entities, supervision is proactive and ex-ante — authorities do not need to wait for an incident. Available measures include:

  • Regular audits conducted by qualified, independent bodies
  • On-site inspections and off-site supervisory reviews
  • Security scans based on objective, non-discriminatory criteria
  • Requests for information and access to relevant data and documents
  • Requests for evidence demonstrating implementation of security policies

Enforcement Measures for Both Tiers (Articles 32 and 33)

When supervisory activity identifies non-compliance, authorities can escalate to enforcement measures including:

  • Binding instructions requiring specific actions to remedy identified deficiencies
  • Compliance orders with defined remediation deadlines
  • Temporary suspension of certifications or authorisations for specific services
  • Temporary prohibition on serving as CEO or legal representative — this is the management ban provision, applicable in cases of serious or repeated non-compliance
  • Administrative fines as described in Sections 2–3 above

The management ban is particularly significant: it is not tied to a conviction or criminal proceeding. A national competent authority can apply for a temporary ban as an administrative enforcement measure while an investigation is ongoing.

Supervision of Important Entities (Article 33)

Important entities are subject to reactive, ex-post supervision — triggered by evidence of non-compliance or a significant incident. However, once triggered, the same enforcement toolkit applies. The difference is that important entities are unlikely to face routine proactive audits; they are more likely to come to authorities’ attention through incident reports, third-party complaints, or sector-wide reviews.

6. Differences Between Member States

NIS2 sets minimum-maximum penalty levels — Member States can and do impose stricter regimes in their national transposition laws. As of early 2026, several countries have gone beyond the directive’s baseline [5]:

  • Germany (NIS2UmsuCG, July 2024): Introduced specific provisions for critical infrastructure operators (KRITIS) with enhanced supervisory powers for the BSI (Federal Office for Information Security). The German law requires critical facility operators to conduct regular certifications and provides for individual fines against responsible management personnel in cases of negligent or deliberate non-compliance.
  • Netherlands (Cyberbeveiligingswet, expected 2025): The Dutch implementation extends supervisory powers to the NCSC and sector-specific authorities, with particular focus on healthcare and energy entities. Cross-border supervision cooperation is emphasised.
  • Belgium (NIS2 Act, April 2024): One of the first complete transpositions. Belgium established the CCB (Centre for Cybersecurity Belgium) as the primary competent authority, with enforcement powers that include temporary operating restrictions for non-compliant entities in critical sectors.
  • Ireland (NIS2 Regulations): The NIS2 Regulations enacted the directive’s penalty framework with the Department of the Environment, Climate and Communications serving as competent authority for energy, and sector-specific authorities handling other covered areas.
  • Czech Republic (ZoKB, Act No. 264/2025, November 2025): One of the most granular EU transpositions — NUKIB requires 27 security measures of essential-tier entities, 2.7 times the EU minimum of 10. Mandatory two-year audit cycles apply to higher obligations providers. Fines reach CZK 250M or 2% of global turnover for essential entities; management bans carry a minimum floor of six months with no fixed ceiling. See the Czech Republic NIS2 penalties and enforcement guide.

If your organisation operates across multiple Member States, you may face higher penalty exposure in some jurisdictions than others. The NIS2 directive is the floor; national law is the ceiling — and that ceiling varies. Check the NIS2 Directive overview for the current transposition status across all EU Member States.

7. Recent Enforcement Actions and Precedents

NIS2 became enforceable in October 2024, and the first full cycle of enforcement actions is still developing as of early 2026. However, enforcement patterns from NIS1 and early NIS2 activity provide important signals:

NIS1 Enforcement Precedents

Under the original NIS Directive (NIS1), enforcement was inconsistent but provided notable precedents:

  • UK (NCSC/ICO): British Airways was fined £20 million and Marriott International £18.4 million under GDPR (which shares supervisory structures with NIS in the UK) for cybersecurity failures that exposed personal data. While technically GDPR penalties, these cases established the template for how regulators treat inadequate cybersecurity investment as an aggravating factor.
  • Germany (BSI): The BSI conducted formal supervisory proceedings against multiple energy and healthcare operators following security incidents, resulting in binding remediation orders and, in several cases, publication of the findings — reputational consequences that organisations in those sectors found more damaging than financial penalties.
  • France (ANSSI): ANSSI conducted several formal investigations under NIS1 in the energy and digital infrastructure sectors, with findings that informed France’s approach to the more prescriptive NIS2 transposition.

Early NIS2 Enforcement Signals (2025–2026)

  • Multiple national competent authorities issued formal requests for documentation and self-declaration of compliance to essential entities in the energy and healthcare sectors throughout Q4 2024 and Q1 2025 — the first exercise of NIS2’s proactive supervisory powers.
  • The European Commission launched infringement proceedings against 19 Member States for failure to transpose NIS2 by the October 2024 deadline, demonstrating that enforcement pressure operates at multiple levels simultaneously.
  • Several Member States have publicly announced formal investigations into essential entities in the energy and public administration sectors — details are limited pending formal proceedings, but the investigations confirm that the proactive supervision model is being activated.
  • For a national example of criminal enforcement and management liability, see the guide NIS2 Denmark Penalties: Criminal Enforcement, CFCS Powers, and Management Liability.

Key takeaway: Enforcement is not hypothetical — it is active. The 12–18 month window post-October 2024 is precisely when national authorities are establishing their enforcement precedents, and early cases typically target high-profile sectors where incidents have occurred or where documentation requests revealed significant gaps.

8. How to Protect Your Organisation and Yourself

The penalty framework is designed to motivate action, and the most effective protection against NIS2 penalties is documented, evidenced compliance. Here is where to focus:

For Your Organisation

  1. Determine your entity classification — essential or important. Your penalty exposure and supervisory regime depend on this. Use the NIS2 scope guide if you haven’t already confirmed your status.
  2. Implement and document all 10 Article 21 measures — and maintain the evidence trail. Auditors and inspectors look for documented policies, implementation records, and testing results, not just verbal assurances. The NIS2 compliance checklist maps every required action to the corresponding documentation.
  3. Establish incident reporting procedures — missing the 24-hour early warning deadline is a standalone compliance breach that triggers enforcement independently of the underlying incident. See the NIS2 requirements guide for the full incident notification framework.
  4. Build your document library — the 52 NIS2 compliance templates cover every policy, procedure, and record required under the directive and CIR 2024/2690, ready to customise for your organisation.

For Directors and Senior Management

  1. Attend the required cybersecurity training — and document it. Failure to complete training is itself a breach of Article 20, separate from any underlying security failure.
  2. Formally approve your organisation’s cybersecurity programme — at board level, with minutes that record the approval. If your CISO or IT team presents a security programme and management neither approves nor challenges it, that ambiguity creates liability.
  3. Require regular reporting on cybersecurity status — establish a cadence (quarterly minimum) for the CISO or equivalent to report to the board on risk posture, incidents, and compliance status. This creates the documented oversight trail Article 20 requires.
  4. Ensure cybersecurity is on the board agenda before incidents — authorities will scrutinise board minutes in the event of an investigation. A board that only discussed cybersecurity after a breach is in a materially different position to one that has quarterly records of oversight.

Frequently Asked Questions

Can I be personally fined as a director under NIS2?

Yes. Article 20(2) states that management body members “may be held liable” for infringements of Article 21 attributable to them. The specific form of personal consequence varies by Member State: some have introduced individual fines for responsible management personnel; others have focused on temporary bans from exercising management functions. Both are provided for in the directive. Consult your national transposition law for the specifics that apply in your jurisdiction.

Are NIS2 penalties cumulative with GDPR fines?

In principle, yes. A cyber incident involving personal data can trigger both NIS2 enforcement (inadequate security under Article 21) and GDPR enforcement (failure to protect personal data under Article 32 GDPR). Authorities are encouraged to coordinate to avoid disproportionate double-penalisation, but the legal exposure under both frameworks is real. Article 35 of NIS2 provides that when a penalty has been imposed for the same infringement in another Member State, it must be taken into account — but there is no such rule preventing simultaneous NIS2 and GDPR penalties for different aspects of the same incident.

What triggers a NIS2 investigation?

For essential entities: anything. Authorities can open investigations proactively without an incident — routine audits, sector-wide documentation reviews, inadequate responses to information requests. For important entities: typically a significant incident, a failure to meet reporting deadlines, or evidence of non-compliance emerging from another channel. In both cases, the failure to respond to or cooperate with a competent authority’s information request is itself an enforcement trigger.

How are fines calculated — is the maximum always imposed?

The maximum is rarely imposed. Authorities assess each case individually, weighing: seriousness and duration of the infringement, intent vs. negligence, mitigation steps taken, cooperation with investigators, prior infringements, and financial capacity. An organisation with documented security measures, a prompt incident report, and full investigator cooperation will receive a substantially lower penalty than one that had no policies, concealed the incident, and obstructed the process. The maximum figures represent the ceiling for the worst-case, most egregious violations.

Does NIS2 apply to non-EU companies?

Yes, if you provide covered services within the EU. Non-EU organisations providing cloud computing, managed IT services, online marketplace services, search engine services, or social network services to EU customers must designate an EU representative under Article 26 and are then subject to the full NIS2 enforcement regime, including financial penalties and management liability provisions. See the NIS2 scope guide for full applicability rules.

This article provides general information only and does not constitute legal or regulatory advice. Penalty exposure and enforcement practices vary by Member State and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.


Sources

  1. “Directive (EU) 2022/2555, Articles 3–4” — EUR-Lex, Full text [Entity classification: essential vs important]
  2. “Directive (EU) 2022/2555, Article 34” — EUR-Lex [Administrative fines for NIS2 infringements]
  3. “Directive (EU) 2022/2555, Article 20” — EUR-Lex; see also nis-2-directive.com commentary [Management body obligations and personal liability]
  4. “Directive (EU) 2022/2555, Articles 32–33” — EUR-Lex [Supervisory and enforcement measures for essential and important entities]
  5. “NIS2 Directive Transposition Tracker” — European Cyber Security Organisation (ECSO), Tracker [National transposition status and variations]
  6. “NIS2 directive explained: Management bodies rules” — DLA Piper, Analysis (November 2025)