Get an overview of the potential penalties for NIS2 non-compliance.
Penalties for NIS2 Violations
The NIS2 Directive sets out specific penalties for non-compliance. These include:
- Non-monetary remedies
- Administrative fines
- Criminal sanctions
These penalties can be imposed on essential entities and important entities for infractions such as failure to meet security requirements and failure to report incidents.
The specific fines will vary depending on the Member State, but the Directive establishes a minimum list of administrative sanctions for breach of the cybersecurity risk management and reporting obligations.
NIS2 gives national supervisory authorities the authority to enforce non-monetary remedies, including:
- compliance orders
- binding instructions
- security audit implementation orders
- threat notification orders to entities’ customers.
With regard to administrative fines, the NIS2 directive carefully distinguishes between essential and important entities.
For essential entities, it requires Member States to provide a maximum fine level of at least €10,000,000 or 2% of the global annual revenue, whichever is higher.
For important entities, NIS2 requires Member States to provide a maximum fine level of at least €7,000,000 or 1.4% of the global annual revenue, whichever is higher.
Criminal Sanctions For Management
In an attempt to lower the pressure on IT departments to single-handedly ensure the security of the organization, and to change the perception of who is responsible for cybersecurity, NIS2 includes new measures to hold top management personally liable and responsible for gross negligence in the event of a security incident.
Specifically, NIS2 allows Member State authorities to hold organization managers personally liable if gross negligence is proven after a cyber incident. This includes:
- Ordering organizations to make compliance violations public.
- Making public statements identifying the natural and legal person(s) responsible for the violation and its nature.
- If the organisation is an essential entity, temporarily banning an individual from holding management positions in case of repeated violations.
These measures are designed to hold C-level management accountable and to prevent gross negligence in the management of cyber risks.