Legal · ~10 min read

NIS2 Fines and Penalties: The Complete 2025 Guide

NIS2 fines can reach €10 million or 2% of global turnover. Understand how penalties are calculated, what triggers enforcement, and how to avoid them with a solid compliance programme.

TL;DR

NIS2 fines can reach the higher of €10 million or 2% of global annual turnover for Essential Entities, and the higher of €7 million or 1.4% of global annual turnover for Important Entities. Members of management bodies can also be held personally liable. Belgium was among the first Member States with an active enforcement regime; Germany, the Netherlands and France transposed the Directive late, so enforcement there starts with the entry into force of the national laws.

The NIS2 Directive introduces the toughest cybersecurity sanctions in EU history. For compliance officers and executives, understanding the penalty framework precisely is important, not least because managers can now face personal liability.

This guide explains the fine structure, the factors authorities consider when calculating penalties, real enforcement examples, and concrete steps to avoid sanctions.

NIS2 Fine Structure at a Glance

Essential Entities
€10M
or 2% of global annual turnover (whichever is higher)
  • Proactive authority supervision (ex-ante)
  • Regular audits, including unannounced
  • Annex I sectors: energy, health, water, transport, banking, digital infrastructure
Important Entities
€7M
or 1.4% of global annual turnover (whichever is higher)
  • Reactive authority supervision (ex-post)
  • Inspection based on specific cause
  • Annex II sectors: postal, waste, chemicals, food, manufacturing, digital services, research

An important point many organisations miss: the cap is not just €10 million, but €10 million OR 2% of global annual turnover, whichever is higher. A company with €2 billion in global annual turnover could theoretically face up to €40 million.

Personal Liability of Management

This is NIS2's most significant departure from its predecessor: Article 20 requires management bodies to approve the Article 21 risk-management measures, to oversee their implementation, and allows them to be held liable for infringements of those obligations by the entity. The form that liability takes is defined by national transposition.

👤
Who is affected?
Board members, managing directors, CEOs, and equivalent management bodies of all NIS2-affected entities. Depending on the national transposition, senior employees to whom specific cybersecurity responsibilities have been delegated may also be affected.
📚
Training obligation
Article 20 requires members of management bodies to follow cybersecurity training so that they can identify risks and assess risk-management practices, and encourages entities to offer similar training to employees. The Directive does not prescribe a format, so attendance should be documented in a form an auditor can verify.
⚖️
Suspension possible
For Essential Entities, where ordered enforcement measures have not been complied with by the deadline set, authorities can ask the competent bodies or courts to temporarily prohibit persons with managerial responsibility at CEO or legal-representative level from exercising those functions (Art. 32(5)). This measure is temporary, does not apply to public administration entities, and the underlying infringement can be made public.

What Triggers NIS2 Enforcement?

Authorities can impose fines for various violations. The most common triggers are:

Violation | Legal basis | Severity
No registration with the competent authority | Art. 3 | High
Failure to notify within 24h/72h | Art. 23 | Very high
Inadequate risk-management measures | Art. 21 | High
No management training | Art. 20 | Medium
Missing supply chain risk management | Art. 21(2)(d) | High
Obstruction of authority audits | Art. 32/33 | Very high
No cryptography or encryption policy | Art. 21(2)(h) | Medium
No MFA for critical systems | Art. 21(2)(j) | High

How Are Fines Calculated?

NIS2 gives authorities significant discretion in calculating fines. Articles 32(7) and 33(5) list the factors they must take into account:

Seriousness of the infringement and importance of the provisions breached (repeated violations, failure to notify or remedy incidents, obstruction of audits and false or inaccurate information all count as serious)
Duration of the violation
Previous violations by the same entity
Material or non-material damage caused, including financial loss, effects on other services and the number of users affected
Whether the violation was intentional or due to negligence
Measures taken to prevent or mitigate the damage
Adherence to approved codes of conduct or certification schemes
Degree of cooperation with the authority

Enforcement in Practice: What Has Happened So Far

The NIS2 Directive had to be transposed by 17 October 2024, and national rules apply from 18 October 2024. Only a minority of Member States met that deadline; in the others, enforcement starts when the national law enters into force. Here are the key developments:

🇩🇪 Germany: transposition delayed

BSI has activated its notification platform. The NIS2UmsuCG (NIS2 Implementation and Cybersecurity Strengthening Act) missed the October 2024 deadline: the first draft lapsed with the end of the legislative term in late 2024, and the Act was adopted in late 2025. Registration and notification obligations apply from its entry into force. BSI emphasised in 2024 that companies failing to register face consequences.

🇧🇪 Belgium: active

The CCB (Centre for Cybersecurity Belgium) completed one of the earliest NIS2 transpositions in the EU; the Belgian law of 26 April 2024 applies from 18 October 2024. The CyberFundamentals Framework is recognised as evidence of compliance. The CCB has announced sector audits and built a register of affected entities.

🇳🇱 Netherlands: transposition delayed

The Dutch transposition, the Cyberbeveiligingswet (Cbw), missed the October 2024 deadline. Supervision is split across sector-specific regulators (energy, water, health), with NCSC-NL coordinating; these regulators enforce once the law applies.

🇫🇷 France: transposition in progress

France transposes NIS2 through a dedicated bill on the resilience of critical infrastructure and cybersecurity rather than through the 'loi de programmation militaire', which governed the NIS1 regime. ANSSI is the competent authority, already supervised operators of essential services under NIS1, and is known for strict supervision.

Fine Calculation: A Concrete Example

Imagine a mid-sized German pharmaceutical company (Essential Entity, health sector) with €500 million in global annual turnover. The company suffered a ransomware attack and missed the 72h notification deadline by 3 days.

Fine framework
Fixed amount (cap): €10,000,000
Turnover percentage (2%): €10,000,000
(€500M × 2% = €10M, so both are equal and the maximum is €10M)
Mitigating (+) and aggravating (-) factors
  • + Cooperation with BSI after the delay
  • + No prior violations
  • - Multiple-day delay (3 days)
  • - Patients were affected

There is no published NIS2 fining practice yet to calibrate against. By analogy to GDPR cases, which use similar calculation factors, notification deadline violations have typically been penalised at 10-30% of the maximum fine where the entity cooperated; here that would correspond to roughly €1-3 million. Where there is deliberate disregard or concealment, authorities can go significantly higher.

How to Avoid NIS2 Fines

  1. Check whether NIS2 applies: consider sector, size thresholds, and the special rules under which some entities are in scope regardless of size
  2. Register with the national competent authority before the deadline
  3. Implement all ten Article 21(2) measures, (a) to (j), with written documentation
  4. Establish the Article 23 notification process (24h early warning, 72h incident notification, final report within one month) and test it regularly with tabletop exercises
  5. Train your management board and document attendance, for example with certificates
  6. Conduct annual supply chain risk assessments and record them in writing
  7. Actively prepare for authority inspections: documentation and the ability to demonstrate compliance are decisive
  8. Cooperate with authorities during inspections and incidents; the level of cooperation is a factor authorities must weigh when setting fines (Art. 32(7), 33(5))


FAQ

Can NIS2 fines exceed €10 million?
Yes. The cap is €10 million OR 2% of global annual turnover, whichever is higher. For large multinationals, the turnover percentage can be far above €10 million.
When does NIS2 enforcement start?
The transposition deadline was 17 October 2024, and national rules apply from 18 October 2024. Enforcement begins in each Member State once its transposing law is in force: Belgium applied NIS2 from October 2024, while Germany, the Netherlands and France transposed later.
Can fines be reduced if we cooperate?
Yes. NIS2 requires authorities to consider the degree of cooperation when calculating fines. Early voluntary disclosure of incidents and proactive collaboration can lead to significant reductions.
Can GDPR fines and NIS2 fines be imposed at the same time?
Only partly. If an incident is both a NIS2 violation and a GDPR personal data breach, both authorities are involved, and Article 35 requires the NIS2 competent authority to inform the data protection authority. However, where the data protection authority imposes a GDPR administrative fine for the conduct, Article 35(2) bars the NIS2 authority from imposing an Article 34 fine for the same conduct. Other NIS2 enforcement measures (orders, audits, publication) remain available.
Does management liability also apply to supervisory board members?
This depends on national transposition. In many EU countries, supervisory board members fall under Article 20 where they have active oversight functions and are involved in cybersecurity decisions. Have your specific governance structure reviewed legally.