NIS-2 Penalties and Enforcement: What Happens If You're Not Compliant
The penalty regime is the part of NIS-2 that most boards remember after the first briefing. €10 million. 2% of global turnover. Personal liability for directors. Temporary bans from management functions. The numbers are dramatic, and they are not theoretical: the first administrative penalties under NIS-2 were issued in Q1 2026, and Member States are scaling up supervisory capacity throughout the year.
This article walks through the enforcement framework calmly. What the fines actually look like, how they are calculated, what supervisory powers regulators have beyond fines, what personal liability means in practice for management bodies, and what the early enforcement pattern across Europe is starting to reveal. The goal is to help compliance managers, CISOs, and management bodies calibrate their response — neither under-reacting nor over-reacting to the regulatory pressure.
For the broader context of NIS-2 obligations, see the pillar guide on NIS-2 compliance; this article focuses specifically on what happens when those obligations are not met.
The two-tier fine structure
Article 34 of the Directive sets the harmonised maximum fines for infringements of Article 21 (risk-management measures) and Article 23 (reporting obligations). These figures are floors on the maximum: Member States must make at least these amounts available and may set higher ceilings in national law. The structure differentiates by entity classification.
Essential entities face administrative fines of up to €10 million or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher.
Important entities face administrative fines of up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher.
The “whichever is higher” mechanism is structurally important. For a small essential entity with €50 million turnover, the cap is €10 million: 2% of €50 million would be only €1 million, so the fixed amount applies. For a multinational with €5 billion turnover, the cap is €100 million: 2% of turnover far exceeds the €10 million fixed amount. The percentage ensures that very large organisations cannot treat the fixed figure as a manageable cost of non-compliance; the deterrent scales with revenue.
Member States transposing NIS-2 must ensure that fines are “effective, proportionate and dissuasive”. Most have adopted the Directive’s maxima unchanged; some have layered additional provisions on top.
How the fine ceilings translate at national level
Italy’s transposition (D.Lgs. 138/2024, Article 38) replicates the EU maxima: up to €10M or 2% of global turnover for essential entities, €7M or 1.4% for important entities. It also introduces a specific fine for late or missed registration on the ACN platform, up to 0.1% of global turnover for essential entities and 0.07% for important entities, together with an aggravating mechanism under which fines for concurrent violations can be increased up to threefold when registration was missed.
Germany’s NIS-2 Implementation Act (§65 BSIG) applies the same EU ceilings at organisational level, but additionally targets individual managers personally — up to €500,000 in personal fines for governance failures, separate from any organisational penalty. KPMG Law’s April 2026 analysis confirms this provision is operational, not theoretical.
France’s transposition through ANSSI applies the EU ceilings and gives the agency expanded inspection and enforcement budget — ANSSI conducted over 200 security audits between 2020 and 2024 under NIS-1 and is scaling that capacity significantly under NIS-2.
Belgium and the Netherlands have been particularly active on enforcement timing. Belgium set the first hard NIS-2 conformity assessment deadline (18 April 2026) and accepts ISO/IEC 27001 certification as one of three recognised compliance pathways. The Netherlands fined a telecommunications provider €525,000 under NIS-1 for failing to report a significant incident in a timely manner, among the first NIS-related financial penalties in Europe, and the Dutch supervisory posture has carried over into NIS-2 without a visible break.
The pattern is consistent: enforcement starts as soon as the national regulatory infrastructure is operational, and Member States that transposed late have the additional incentive of demonstrating seriousness to the European Commission.
Beyond fines: the full supervisory toolkit
Financial penalties are the headline, but they are not the only — or even the most operationally disruptive — enforcement tools available to national authorities.
Article 32 (essential entities) and Article 33 (important entities) equip competent authorities with a broad supervisory toolkit, including:
- Warnings for non-compliance, formal but not yet sanctioned
- Binding instructions that the entity must follow within defined deadlines
- Orders to implement specific corrective measures including those identified by inspections
- Orders to disclose the infringement publicly, naming the entity and the nature of the violation
- Designation of a monitoring officer with specified tasks and reporting obligations to the authority
- Temporary suspension of a certification or authorisation concerning the relevant services or activities (essential entities only, and only where the earlier enforcement measures have proved ineffective and a deadline set by the authority has passed)
- Temporary ban on a natural person with managerial responsibility at chief executive or legal-representative level from exercising managerial functions in the entity (essential entities only, under the same escalation conditions, and requested from the competent courts or bodies under national law)
The monitoring officer mechanism deserves attention. When an authority designates a monitoring officer, that person, chosen by the regulator and given defined tasks for a specified period, oversees the entity’s compliance with Articles 21 and 23 from the inside and reports back on remediation progress. Operationally, this is more disruptive than a fine. It is also a strong reputational signal to customers, partners and investors that the regulator has lost confidence in management.
Public disclosure orders are similarly impactful. A fine paid quietly is one thing; a regulator-mandated public statement naming the organisation and the failure is another. Customer and partner reactions to the latter routinely exceed the financial penalty in business cost.
For essential entities, the suspension of certifications or authorisations can be existentially serious. An energy operator stripped of its operating authorisation cannot operate. A trust service provider whose qualified status is suspended loses the legal effect of its services overnight. These are not theoretical levers — they are why “essential entity” supervision is markedly more proactive than “important entity” supervision.
Management body accountability and personal liability
NIS-2 introduces something that NIS-1 lacked: explicit, personal accountability for the management body.
Article 20 requires that management bodies (boards of directors, C-suite, equivalent governing bodies in public administration) approve the cybersecurity risk-management measures, oversee their implementation, and complete training to acquire the knowledge needed to identify and assess risks. The training requirement is non-delegable: a CEO cannot send a deputy to be trained in their place.
Article 32(5) makes this accountability operational for essential entities. Where the ordinary enforcement measures have proved ineffective and a deadline set by the authority has passed, regulators can:
- Impose administrative fines on individual managers, where national law provides for this (Germany’s €500,000 personal cap is one of the strictest examples); the Directive itself, in Article 20(1), requires only that management bodies can be held liable for the entity’s infringements
- Issue public statements identifying the natural person responsible for the violation and the nature of the infringement
- Request the competent courts or bodies to temporarily prohibit a natural person with managerial responsibility at chief executive or legal-representative level from exercising managerial functions in that entity. The prohibition lasts only until the entity takes the required corrective action, and it does not apply to public administration entities
The temporary ban provision is the one that has shifted boardroom attention most visibly. A fine, even a large one, is a corporate cost. A ban is personal. CEOs and directors who treated cybersecurity as IT’s problem under NIS-1 are now explicitly inside the regulatory perimeter. Gartner’s widely cited 2020 prediction that 75% of CEOs would be personally liable for cyber-physical security incidents by 2024 was not about NIS-2 specifically, but Article 20 and Article 32(5) are among the legal mechanisms that now make that kind of liability concrete.
The practical implication is that management body involvement must be evidenced, not assumed. Board minutes that record approval of the cybersecurity programme, training completion records for each board member, and documented oversight reviews are the minimum file an auditor will look for. “The board was generally aware” is not a defence under Article 20.
For the detailed walk-through of management body responsibilities and the documentation required to evidence them, see NIS-2 top management responsibilities.
What triggers enforcement: how authorities actually find non-compliance
Enforcement is not random. National authorities prioritise their limited supervisory capacity using a combination of risk-based triggers.
Reactive triggers — events that pull the regulator’s attention to a specific entity:
- A reported significant incident, especially one with cross-border impact or media attention
- A complaint from another entity, customer, or competitor
- Information shared by other authorities (data protection, sector regulators, foreign counterparts)
- Public reporting of a security failure (press, social media, breach disclosure obligations)
Proactive triggers — systematic supervisory activity:
- Risk-based audit programmes targeting sectors or entity types deemed higher risk
- Thematic reviews on specific Article 21 measures (supply chain security has been a 2026 priority across multiple Member States)
- Random or rotating inspections within the population of essential entities
- Verification of registration completeness and accuracy on the national platform
For essential entities, the supervisory model is ex ante (Article 32): the authority can audit, inspect and request documentation at any time, without a triggering event. For important entities, it is ex post (Article 33): supervision activates when there is evidence of non-compliance. Once activated it carries most of the same instruments, with two differences: the fine maxima are lower, and the suspension of authorisations and the management ban are reserved for essential entities.
The first wave of NIS-2 enforcement actions in Q1 and Q2 2026 has shown a consistent prioritisation pattern. Regulators are starting with late or incomplete registrations (the easiest violation to identify), incident reporting failures (where the 24-hour early warning, 72-hour notification and one-month final report clocks produce unambiguous evidence of a missed deadline), and entities flagged by data protection authorities for incidents with overlapping GDPR implications.
The GDPR overlap: avoiding double punishment
Many incidents that fall under NIS-2 also fall under GDPR: a personal data breach that meets the Article 23 significance threshold is a reportable incident under NIS-2 and, at the same time, a breach notifiable to the data protection authority within 72 hours under GDPR Article 33. Two regulators, two reporting clocks, two potential fines.
Article 35 of the NIS-2 Directive (transposed into Italian law as Article 35 of D.Lgs. 138/2024) addresses this. Where a NIS-2 competent authority becomes aware of an infringement that involves a personal data breach, it must inform the data protection authority without undue delay. And where the data protection authority imposes a fine under GDPR Article 58(2)(i) for that conduct, the NIS-2 authority may not impose an Article 34 administrative fine for the same conduct. The mechanism does not eliminate parallel proceedings; both authorities can investigate, and both can find violations. What it prevents is a second financial penalty for the identical conduct.
This is narrower than it sounds. Article 35 bars only the duplicate fine: the non-monetary measures under NIS-2 (binding instructions, monitoring officer, suspension of authorisations, public disclosure) remain available alongside a GDPR fine for the same incident. And distinct violations, for example a personal data breach handled improperly under GDPR and an underlying security control failure under NIS-2 Article 21, are separate facts and are penalised separately.
In practice, organisations facing an incident with both NIS-2 and GDPR implications need to coordinate response across both reporting tracks from minute one. The teams that fail this — typically because the legal/privacy function and the cybersecurity function operate in silos — end up with worse outcomes on both sides.
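As an added example (not from the article and not Docply code), the Python below turns the two reporting clocks discussed above into a deadline tracker: given the moment the entity became aware of the incident, it computes the NIS-2 early warning (24 h), incident notification (72 h) and final report (one month after the notification is submitted) deadlines alongside the GDPR Article 33 72-hour deadline, and lists which have already lapsed. The clock semantics in the comments are my reading of Directive 2022/2555 Article 23(4) and GDPR Article 33(1), not something the page states; the function and field names are my own, and the timestamps are constructed.

```python
"""Deadline tracker for an incident that falls under both NIS-2 Article 23 and GDPR Article 33.

Assumed clock semantics (editor's reading of the legal texts, not taken from the article):
- NIS-2 Art. 23(4)(a): early warning within 24 hours of becoming aware of a significant incident.
- NIS-2 Art. 23(4)(b): incident notification within 72 hours of becoming aware.
- NIS-2 Art. 23(4)(d): final report no later than one month after the notification was submitted.
- GDPR Art. 33(1): notification to the supervisory authority within 72 hours of becoming aware,
  where the incident is also a personal data breach.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Small constructor for timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def _require_aware(t: datetime, name: str) -> None:
    # A naive timestamp silently shifts every deadline by the local UTC offset; refuse it.
    if t.tzinfo is None or t.tzinfo.utcoffset(t) is None:
        raise ValueError(f"{name} must be timezone-aware")


def add_one_month(t: datetime) -> datetime:
    """Calendar-month arithmetic with day clamping (31 March + 1 month -> 30 April)."""
    year = t.year + t.month // 12
    month = t.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return t.replace(year=year, month=month, day=min(t.day, last_day))


@dataclass(frozen=True)
class ReportingDeadlines:
    nis2_early_warning: datetime
    nis2_notification: datetime
    nis2_final_report: datetime
    gdpr_breach_notification: Optional[datetime]  # None when no personal data is affected


def compute_deadlines(aware_at: datetime, personal_data_affected: bool,
                      notification_submitted_at: Optional[datetime] = None) -> ReportingDeadlines:
    """Derive every reporting deadline from the moment of awareness (hypothetical helper)."""
    _require_aware(aware_at, "aware_at")
    early_warning = aware_at + timedelta(hours=24)
    notification = aware_at + timedelta(hours=72)
    if notification_submitted_at is not None:
        _require_aware(notification_submitted_at, "notification_submitted_at")
        final_clock_start = notification_submitted_at
    else:
        # Not yet submitted: the latest the final report can fall due is one month after the 72 h limit.
        final_clock_start = notification
    gdpr = aware_at + timedelta(hours=72) if personal_data_affected else None
    return ReportingDeadlines(early_warning, notification, add_one_month(final_clock_start), gdpr)


def overdue(deadlines: ReportingDeadlines, now: datetime) -> List[str]:
    """Names of the deadlines that have already passed at `now`, in clock order."""
    _require_aware(now, "now")
    return [name for name, due in vars(deadlines).items() if due is not None and due < now]


if __name__ == "__main__":
    # Constructed scenario: awareness on 30 March 2026 at 09:00 UTC, personal data involved,
    # 72-hour notification not yet filed.
    deadlines = compute_deadlines(utc(2026, 3, 30, 9), personal_data_affected=True)
    for name, due in vars(deadlines).items():
        print(f"{name:26s} {due.isoformat() if due else 'n/a'}")
    print("overdue at 2026-04-01T10:00Z:", overdue(deadlines, utc(2026, 4, 1, 10)))
```

The point of the tracker is the coordination the paragraph above asks for: both 72-hour clocks start from the same awareness timestamp, so the privacy and security functions are working against one date, not two, and the final-report clock is re-anchored to the actual submission time once the 72-hour notification goes out.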
Aggravating and mitigating factors
When competent authorities calibrate the actual fine within the legal maximum, the Directive (Article 32, applied to fines through Article 34) lists the circumstances they must take into account. The list is worth knowing because it tells you what regulators weigh when deciding between the maximum and a reduced fine.
Aggravating factors that push the fine upward:
- Duration of the infringement
- Scale of the damage caused (number of users affected, effects on other services, financial loss to other entities)
- Whether the conduct was intentional or negligent
- Relevant previous infringements
- Circumstances the Directive treats as serious in any case: repeated violations, failure to notify or remedy significant incidents, failure to remedy deficiencies after binding instructions, obstruction of audits or monitoring ordered by the authority, and provision of false or grossly inaccurate information on risk-management measures or reporting
- Lack of cooperation with the authority during the investigation
Mitigating factors that pull the fine downward:
- Self-reporting and proactive disclosure
- Cooperation with the authority during investigation
- Effective remediation actions
- Adherence to approved codes of conduct or approved certification mechanisms (ISO/IEC 27001 certification in particular; Belgium, for example, accepts it as one of its recognised compliance pathways)
- Demonstrable management body engagement before the violation occurred
- Technical and organisational measures already in place
The mitigation list is, in effect, a description of a mature compliance programme. Organisations that can show ISO 27001 certification, evidenced board engagement, documented training, and a tested incident response plan land in a markedly different position than organisations that started thinking about NIS-2 the morning the regulator arrived.
What the early enforcement pattern reveals
It is too early in 2026 for a confident statistical picture, but two patterns are already visible across Member States.
First, paperwork failures lead. The first wave of administrative actions has heavily concentrated on registration failures and incident reporting failures rather than substantive Article 21 control failures. This makes regulatory sense: paperwork violations are unambiguous, easy to evidence, and politically uncontroversial. Article 21 control failures are harder to prove and require deeper inspection. Expect the substantive enforcement wave to follow once authorities have built the inspection capacity.
Second, public disclosure is being used aggressively. Several Member States have made early use of the public disclosure power — sometimes as the primary sanction, sometimes alongside a financial penalty. The reputational impact has consistently exceeded the direct cost.
The implication for compliance programmes is straightforward: the obligations regulators check first are the ones least defensible to fail. Registration on the national platform, incident reporting capability built around the 24-hour / 72-hour / one-month cascade, and management body approval evidence are the artefacts to have ready first, not last.
What “audit-ready” actually means
A compliance programme is audit-ready when it can produce the documentation a regulator asks for, in the order they ask for it, without scrambling. The minimum file looks like this:
- Registration confirmation on the national platform, with current contact details
- Self-classification analysis as essential, important, or out of scope, with supporting evidence
- Risk assessment methodology and current risk register, with management body approval recorded
- Information security policy approved and dated
- Incident response plan with mapping to Article 23 reporting thresholds, plus tabletop exercise records
- Incident register showing classification, timeline, and post-incident review
- Internal audit programme and at least one completed audit cycle
- Management body training records for each member
- Supply chain security evidence: supplier inventory, risk classification, contractual clauses
- Evidence of MFA, access control, and basic cyber hygiene controls in operation
Organisations that have these artefacts ready, current, and consistent are in defensible shape regardless of whether the regulator arrives tomorrow or in eighteen months.
For the comprehensive checklist of audit-ready documentation, see NIS-2 audit readiness.
How Docply fits in
The Docply NIS-2 Total Kit is designed specifically around the documentation set regulators look for first. Each of the 77 documents is mapped to the relevant Article 21 measure or Article 23 obligation, written in the language regulators expect, and includes the evidence templates needed to demonstrate operation — incident register, training records, management review minutes, audit reports.
Three sample documents are downloadable from the NIS-2 Total Kit page, including a project launch decision template that records management body approval — the first piece of evidence in any defensible NIS-2 file.
Get audit-ready documentation now. 77 audit-ready NIS-2 documents covering all eight bundles, written to the language regulators expect, with evidence templates included. Lifetime updates included. See the NIS-2 Total Kit →
Sources and further reading
- Directive (EU) 2022/2555, Articles 20, 32, 34, 35 — full text on EUR-Lex: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555
- D.Lgs. 138/2024, Articles 35 and 38 (Italian transposition) — Agenzia per la Cybersicurezza Nazionale: https://www.acn.gov.it/portale/en/nis/la-normativa
- BSI Act (BSIG) §65 — German NIS-2 Implementation Act
- ANSSI — French national cybersecurity authority NIS-2 enforcement guidance: https://www.ssi.gouv.fr
- ENISA — NIS-2 supervision and enforcement reports: https://www.enisa.europa.eu/topics/nis-directive
Last updated: 1 June 2026.