NIS2 Fines

Get an overview of the potential penalties for NIS2 non-compliance.

Penalties for NIS2 Violations

The NIS2 Directive sets out specific penalties for non-compliance. These include:

  • Non-monetary remedies
  • Administrative fines
  • Criminal sanctions

These penalties can be imposed on essential entities and important entities for infractions such as failure to meet security requirements and failure to report incidents.

The specific fines will vary depending on the Member State, but the Directive establishes a minimum list of administrative sanctions for breach of the cybersecurity risk management and reporting obligations.

Non-monetary Penalties

NIS2 gives national supervisory authorities the authority to enforce non-monetary remedies, including:

  • compliance orders
  • binding instructions
  • security audit implementation orders
  • threat notification orders to entities’ customers

Administrative Fines

With regard to administrative fines, the NIS2 directive carefully distinguishes between essential and important entities.

For essential entities, it requires Member States to provide a maximum fine level of at least €10,000,000 or 2% of the global annual revenue, whichever is higher.

For important entities, NIS2 requires Member States to provide a maximum fine level of at least €7,000,000 or 1.4% of the global annual revenue, whichever is higher.

Essential Entities (EE)

  • Includes public and private companies in sectors such as transport, finance, energy, water, space, health, public administration, and digital infrastructure
  • Fine level: €10 million or 2% of global annual revenue, whichever is higher.

Important Entities (IE)

  • Includes public and private companies in sectors such as food, digital providers, chemicals, postal services, waste management, research, and manufacturing.
  • Fine level: €7 million or 1.4% of global annual revenue, whichever is higher.

Fines and penalties on NIS2

Criminal Sanctions For Management

To reduce the pressure on IT departments to single-handedly ensure the security of the organization, and to change the perception of whose responsibility cybersecurity is, NIS2 includes new measures that hold top management personally liable for gross negligence in the event of a security incident.

Specifically, NIS2 allows Member State authorities to hold organization managers personally liable if gross negligence is proven after a cyber incident. These measures include:

  • Ordering organizations to make compliance violations public.
  • Making public statements identifying the natural and legal person(s) responsible for the violation and its nature.
  • If the organisation is an essential entity, temporarily banning an individual from holding management positions in case of repeated violations.

These measures are designed to hold C-level management accountable and to prevent gross negligence in the management of cyber risks.
