Sanctions (NIS2)

Non-compliance with NIS2 can lead to significant administrative sanctions. For essential entities, fines can reach up to EUR 10 million or 2% of global annual turnover. For important entities, the maximum is EUR 7 million or 1.4% of global turnover.

Fine levels under NIS2

NIS2 Article 34 establishes the minimum fine levels that national authorities must be able to impose. The amounts depend on the category to which the organisation belongs:

Essential entities:

• Fine ceiling: EUR 10,000,000 or 2% of total global annual turnover, whichever is higher

Important entities:

• Fine ceiling: EUR 7,000,000 or 1.4% of total global annual turnover, whichever is higher

These are minimum levels for Member States. The directive sets the minimum fine ceilings; Member States may choose to set higher fines in their national implementing legislation.

Other types of sanctions

Beyond fines, authorities under NIS2 may apply a broader range of sanctions and enforcement measures:

• Warnings and orders: Requirements to bring the infringement to an end within a specified deadline.
• Binding instructions: Authorities may issue instructions specifying particular measures the organisation must implement.
• Security audits: Requirements to undergo an independent security audit at the organisation's expense.
• Public disclosure: Public notification of the infringement, sometimes referred to as naming and shaming.
• Temporary management ban: In serious cases, management members may be temporarily prohibited from exercising management functions.

What can trigger sanctions?

Sanctions may be imposed for non-compliance with NIS2 requirements, including:

• Failure to implement adequate security measures
• Failure to report incidents, or late incident reporting
• Failure to register with the competent authority
• Failure to cooperate with supervisory authorities
• Failure to ensure management engagement and training

Personal liability for management

NIS2 introduces provisions for holding management bodies personally accountable for non-compliance with cybersecurity risk management obligations. This represents a significant shift from earlier legislation, where sanctions were typically directed solely at the organisation.

Frequently Asked Questions about Sanctions (NIS2)

What is the maximum fine under NIS2?

For essential entities, fines can reach EUR 10 million or 2% of global annual turnover, whichever is higher. For important entities, the maximum is EUR 7 million or 1.4% of global turnover, whichever is higher.

Can individuals be sanctioned under NIS2?

Yes. NIS2 allows management members to be temporarily banned from exercising management functions in serious cases. This is a new provision that did not exist under the earlier NIS Directive.

What triggers NIS2 sanctions?

Sanctions can be triggered by failure to implement adequate security measures, failure to report incidents within the prescribed timeframes, failure to register with authorities, failure to cooperate with supervisory authorities, and failure to ensure management engagement.

Are NIS2 fines the same across all EU Member States?

No. NIS2 sets minimum fine ceilings. Member States may implement higher fines in their national legislation. The actual fine level in a specific case depends on national law and the severity of the infringement.

How do NIS2 fines compare to GDPR fines?

NIS2 fines for essential entities (EUR 10 million or 2% of turnover) are lower than the maximum GDPR fines (EUR 20 million or 4% of turnover). However, NIS2 introduces additional enforcement tools, such as management bans, that GDPR does not include.
