NIS2 fines and penalties: how much, who is liable, and how to avoid them
NIS2 gives regulators real teeth: turnover-based fines, binding orders, and, for essential entities, the power to temporarily suspend a certification or ban a senior manager from their role. This guide explains what the penalties are, who is personally on the hook, how supervision differs for essential and important entities, and the practical way to stay out of trouble: implement the Article 21(2) measures and keep continuous, dated evidence that you do.
Key takeaways
- Maximum fines are turnover-based: up to €10M or 2% of total worldwide annual turnover for essential entities, and €7M or 1.4% for important entities, whichever is higher.
- The management body must approve and oversee the security measures (Art. 20) and can be held personally liable; for essential entities, regulators can temporarily ban a senior manager from their function (Art. 32(5)).
- Fines are a last resort: the day-to-day exposure is binding orders, audits and the cost of proving diligence. Continuous, evidenced supply-chain monitoring is the cheapest insurance.
What NIS2 penalties cover
NIS2 (Directive (EU) 2022/2555) is transposed into national law by each member state, so the exact figures and procedures are set nationally, but the Directive fixes the floors for maximum administrative fines and the enforcement toolbox. Penalties attach to an entity's failure to meet its obligations: the Article 21(2) risk-management measures, the Article 23 incident-reporting duties, registration, and cooperation with the authorities.
Crucially, NIS2 is not only about money. Article 32 (essential entities) and Article 33 (important entities) give competent authorities a graduated set of powers, from warnings to binding instructions to, for essential entities, suspension and management bans. The fine is the headline; the operational measures are what most entities will actually encounter.
The maximum fines
Essential entities
Up to €10,000,000 or 2% of total worldwide annual turnover (preceding financial year), whichever is higher.
Larger operators in high-criticality sectors: energy, transport, banking, financial market infrastructure, health, drinking and waste water, digital infrastructure, ICT service management, public administration, space.
Important entities
Up to €7,000,000 or 1.4% of total worldwide annual turnover (preceding financial year), whichever is higher.
Other medium and large entities in the covered sectors, including postal and courier services, waste management, chemicals, food, manufacturing, digital providers and research.
These are maximum caps set by the Directive (Art. 34). Actual fines are decided nationally and must be effective, proportionate and dissuasive, taking into account the gravity, the duration and your cooperation. Confirm the exact rules in your country's transposition with qualified advice.
Personal and management liability
NIS2 deliberately puts cybersecurity on the board's desk. Under Article 20, the management body must approve the cyber risk-management measures, oversee their implementation, and can be held liable for failures. Members of management bodies must also follow training and are expected to offer similar training to their staff.
For essential entities, Article 32(5) goes further: where other enforcement has failed, competent authorities may temporarily suspend a certification or authorisation, and temporarily prohibit a person at CEO or legal-representative level from exercising managerial functions. That personal exposure is why NIS2 governance now reaches the top of the organisation.
The enforcement toolbox (beyond fines)
Before or alongside a fine, authorities can apply a range of binding measures (Art. 32 and 33). In practice, these are what you are most likely to face:
- Warnings and binding instructions to remedy specific shortcomings within a deadline.
- Orders to comply, to inform affected customers of a significant threat, or to implement audit recommendations.
- Mandatory security audits and on-site inspections, at your own cost.
- Designation of a monitoring officer to oversee your compliance for a set period.
- Public disclosure of the infringement, and orders to make aspects of the breach public.
- For essential entities only: temporary suspension of certification or authorisation, and a temporary management ban (Art. 32(5)).
Supervision differs by tier
Essential entities face proactive (ex-ante) and reactive (ex-post) supervision under Article 32: regular and targeted audits, on-site inspections, security scans and requests for information can happen whether or not there is any suspicion of a problem.
Important entities are supervised only ex-post under Article 33: authorities act when there is evidence or an indication of non-compliance, typically after an incident or a complaint. Either way, the burden is on you to demonstrate that appropriate measures were in place, which is far easier with continuous records than a once-a-year snapshot.
Sources: Directive (EU) 2022/2555 (NIS2), Articles 20, 32, 33 and 34. Maximum fine figures are set by the Directive; national transpositions set the exact rules and procedures. This guide is general information, not legal advice.
How norppa.io reduces your exposure
Most penalties trace back to two failures: inadequate Article 21(2) measures (especially supply-chain security), and an inability to prove diligence when asked. norppa.io addresses both by monitoring every supplier domain continuously and mapping each finding to the NIS2 article it informs.
Because every monitoring cycle is logged, you hold a continuous, dated audit trail, the evidence that supervision under Articles 32 and 33 asks for, rather than a point-in-time snapshot. That is what turns “we intended to” into “here is the record”, and it is the cheapest insurance against the fines and orders above.