The NIS2 Directive (Directive (EU) 2022/2555) introduces substantial financial and professional consequences for organisations that fail to meet cybersecurity obligations.
For executive management and boards, cyber risk is no longer only an operational issue. Under NIS2, it is a regulatory, financial, and governance exposure that can be measured – and sanctioned.
2. What types of failures trigger NIS2 fines?
3. Are risk management measures insufficient? (Article 21)
4. Is there a failure to report significant incidents? (Article 23)
5. Does leadership lack documented oversight? (Article 20)
6. Is third-party risk insufficiently controlled?
7. What are the personal consequences for management?
8. How much can an organisation be fined?
9. How are turnover-based fines calculated?
10. How do authorities determine the final fine?
11. How can organisations reduce the risk of NIS2 penalties?
12. FAQ: Frequently asked questions about NIS2 fines
Essential entities may face fines of up to €10 million or 2% of global annual turnover. Important entities may face fines of up to €7 million or 1.4%. Beyond financial penalties, NIS2 introduces management accountability, potential temporary suspension of executives, and public disclosure of infringements. Structured governance and traceable documentation significantly reduce enforcement risk.
NIS2 enforcement is rarely caused by isolated technical weaknesses. It typically stems from structural governance deficiencies where cybersecurity is not embedded in management systems.
Supervisory authorities assess whether cybersecurity measures are systematic, documented, and integrated into daily operations. Four categories of failure commonly lead to sanctions.
Article 21 requires organisations to implement “appropriate and proportionate” technical and organisational measures.
Common triggers for fines include:
Authorities evaluate whether risk management is repeatable, updated, and anchored in governance structures.
Fragmented spreadsheets, static documents, or undocumented decisions often indicate weak control environments rather than effective risk management.
Article 23 establishes strict reporting obligations:
Enforcement risk increases when an organisation cannot demonstrate:
Under NIS2, incident reporting is not only about speed. It is about traceability and procedural maturity.
Article 20 places direct accountability on management bodies. Authorities may intervene where:
Cybersecurity under NIS2 is a leadership responsibility. Informal delegation without structured reporting increases enforcement exposure.
NIS2 requires organisations to manage dependencies across their value chain. Fines may be triggered by:
Authorities assess whether third-party risk is legally anchored, operationally monitored, and continuously evaluated. Without structured visibility into contracts and dependencies, organisations may struggle to demonstrate proportional control.
The cost of non-compliance extends beyond corporate fines.
Member States must ensure that management bodies can be held liable for failing to fulfil their cybersecurity obligations. This reinforces that cybersecurity cannot be treated as a secondary IT matter. It is a governance responsibility.
For essential entities, supervisory authorities may temporarily prohibit individuals from exercising managerial functions until compliance is restored. This may include CEOs or other senior executives, subject to national implementation.
Authorities may publicly disclose:
For organisations operating in regulated or trust-based markets, reputational consequences may exceed the financial penalty.
The classification of an entity determines the maximum administrative penalty.
| Entity category | Maximum fixed fine | Maximum % of global turnover | Supervision type |
|---|---|---|---|
| Essential Entity | €10,000,000 | 2% | Proactive |
| Important Entity | €7,000,000 | 1.4% | Reactive |
The higher of the fixed amount or the turnover percentage applies.
Fines are calculated using total worldwide annual turnover from the previous financial year.
Example essential entity:
Example important entity:
Actual fines are determined by national authorities based on proportionality.
While the Directive defines maximum thresholds, authorities assess proportionality based on:
In practice, enforcement intensity often reflects the maturity of the organisation’s governance structure. Organisations with structured oversight, clear documentation, and traceable decision-making are significantly better positioned to demonstrate proportional compliance.
Under NIS2, implicit security is viewed as non-existent security. Control must be demonstrable. Practical measures include:
The difference between maximum exposure and reduced sanctions often lies in demonstrable governance maturity.
Essential entities operate in sectors critical to societal stability (such as energy, healthcare, and banking) and are subject to proactive supervision. Important entities operate in other high-impact sectors and are generally subject to reactive supervision.
Yes. Under Article 32, authorities may temporarily suspend individuals from managerial functions in essential entities until compliance is restored, subject to national implementation.
They are based on total worldwide annual turnover from the previous financial year. For example, a €1 billion turnover could result in a €20 million fine for an essential entity.
No. Documentation does not replace security measures. However, without structured, traceable documentation, an organisation cannot demonstrate that it has implemented “appropriate and proportionate” measures as required under Article 21.
Disclaimer: House of Control is a software company. We do not offer NIS2 compliance consulting services. Thus, following this guidance does not guarantee compliance with all NIS2 legal requirements. The content of this article is based on our own research of the NIS2 requirements and our experience with regulatory compliance, and includes inspiration from various actors offering compliance services. We do not assume any responsibility or liability for any failure to comply with NIS2 requirements or resulting from the use of this guidance.