High Sanctions

NIS2 Sanctions and Penalties

What are the consequences of non-compliance?

The NIS2 directive introduces strict penalties for non-compliance, aiming to ensure organizations take cybersecurity seriously. Sanctions can be financial, administrative, and even criminal for top management.

Financial Penalties

Essential Entities

Fixed maximum: €10 000 000
Global turnover: 2%

The higher of the two amounts applies.

Important Entities

Fixed maximum: €7 000 000
Global turnover: 1.4%

Example: For an Essential entity with €600M turnover, 2% is €12M, which exceeds the fixed €10M cap, so the fine could be up to €12M.

Comparison with GDPR

GDPR: €20M / 4%
NIS2 (Essential entities): €10M / 2%
NIS2 (Important entities): €7M / 1.4%

While the caps are lower than under GDPR, NIS2 imposes precisely defined requirements and strict reporting deadlines.

Personal Liability

NIS2 holds management bodies personally responsible for cybersecurity governance.

Key Responsibilities

  • Approve cybersecurity risk-management measures
  • Oversee implementation of measures
  • Follow regular training
  • Address and approve incident handling

Consequences for Management

  • Temporary Ban

    Regulators can ban executives from exercising managerial functions in Essential entities.

  • Liability for Damages

    Direct personal liability for damages caused to the company by negligence.

  • Public Naming

    Public disclosure of the individual responsible for the breach.

In practice, C-level executives can no longer claim 'IT handles security'. They must be involved.

Other Supervisory Powers

Administrative Orders

  • Order to cease and desist from the infringing conduct
  • Order to bring security measures into compliance
  • Order to inform customers of a threat

Operational Restrictions

  • Suspension of certification or authorization
  • Designation of a monitoring officer
  • Public warning about the entity

Reputational damage from a publicized breach often exceeds the cost of fines.

Real World Scenarios

Unreported Incident

A company suffered a breach but failed to report it within 24 hours to the CSIRT.

Sanction: Fine for failure to report, independent of the breach itself.

Neglected Updates

A critical vulnerability was known but the company delayed patching for months, leading to data loss.

Sanction: Fine for negligence in duty of care.

Management Ignorance

A CEO refused to allocate budget for MFA despite repeated warnings from the CISO.

Sanction: CEO temporarily suspended from function; company fined.

Assessment Factors

Aggravating Factors

  • Duration of the infringement
  • Repetition/History of breaches
  • Intent or gross negligence
  • Impact on services and users
  • Lack of cooperation with authorities

Mitigating Factors

  • Immediate action to mitigate damage
  • Effective cooperation with CSIRT
  • Timely reporting
  • Self-reporting of the issue
  • Minor nature of the infringement

How to Avoid Sanctions

Short Term (Now)

  1. Start NIS2 assessment
  2. Inform management about liability
  3. Map critical assets
  4. Review insurance coverage

Medium Term (6 months)

  5. Implement ISO 27001 / NIS2 measures
  6. Train employees and management
  7. Test incident response plan

Sanctions Summary

Who is liable? Entity + Management
Essential fine: €10M / 2%
Important fine: €7M / 1.4%
Enforcement: Active / Ex-post
Personal liability: Yes (Essential)

Compliance is an investment, not a cost. The cost of non-compliance is far higher.
