Free tool

NIS2 Fine Calculator

Estimate your maximum NIS2 penalty exposure based on your turnover, entity classification, and country. Updated for 2026 enforcement.

Disclaimer: This is an indicative estimate of the legal maximum. Actual fines depend on the severity of the breach and national authority discretion. Not legal advice.

Turnover input: global annual turnover. For groups, use consolidated turnover.

How NIS2 fines work

The NIS2 Directive (EU 2022/2555) sets maximum fines that EU member states must apply for non-compliance. The structure is:

  • Essential Entities: Up to EUR 10 million OR 2% of global annual turnover — whichever is higher.
  • Important Entities: Up to EUR 7 million OR 1.4% of global annual turnover — whichever is higher.

Because the formula uses "whichever is higher", large multinationals face maximum fines that scale with their revenue. A company with EUR 1 billion in turnover faces a maximum fine of EUR 20 million as an Essential Entity (2% of EUR 1B), not EUR 10M.

Personal liability: Under Article 20, management can be held personally liable and temporarily banned from management positions. This applies to Essential Entities and is enforced separately from organizational fines.

For the full picture — recent enforcement, the country-by-country authorities and how to avoid penalties — read our guide to NIS2 fines and penalties.

How the maximum is calculated — three worked examples

The "whichever is higher" rule means the turnover percentage only beats the flat ceiling once a company is large enough. For an Essential Entity (10M / 2%):

  • EUR 8M turnover: 2% = EUR 160,000, well below the EUR 10M flat cap → maximum is EUR 10 million.
  • EUR 500M turnover: 2% = EUR 10 million, exactly the flat cap → maximum is EUR 10 million.
  • EUR 1 billion turnover: 2% = EUR 20 million, above the flat cap → maximum is EUR 20 million.

The crossover point is EUR 500M turnover for both Essential Entities (2% of EUR 500M = EUR 10M) and Important Entities (1.4% of EUR 500M = EUR 7M). Below it, almost every SME's maximum is the flat ceiling, not a percentage, which is why the headline 10M / 7M figures matter most for small and medium organisations.

What makes a real fine bigger or smaller

The calculator shows the legal maximum. Actual fines are set by national authorities under Article 34, which lists the factors they must weigh:

  • The seriousness, scale and duration of the breach, and the number of affected users.
  • Whether the breach was intentional or negligent, and whether it was a first offence or a repeat.
  • The degree of cooperation with the authority and any action taken to mitigate the damage.
  • Whether relevant technical and organisational measures were in place — a documented, audited compliance programme is the single strongest mitigating factor.
  • Financial benefits gained or losses avoided through the non-compliance.

The practical takeaway: maximum exposure is rarely reached, but a demonstrable compliance posture — policies, an incident process, and evidence you acted promptly — is what moves a fine from six figures toward zero.

Who sets and collects the fine

Each EU member state enforces NIS2 through its own authority, within the directive's maximum limits:

  • Germany: the BSI, under the NIS2UmsuCG / BSIG 2025. The fine schedule (§ 65) sets out seven severity tiers, from EUR 100,000 up to the 10M / 2% ceiling. See NIS2 in Germany.
  • Italy: the ACN, under D.Lgs 138/2024. Italy can also impose individual administrative fines on directors. See NIS2 in Italy.
  • France: a dedicated commission des sanctions (not ANSSI directly) imposes the fine, after ANSSI's graduated warnings and orders.

For recent enforcement cases and the full country-by-country breakdown, read our guide to NIS2 fines and penalties.

Recent enforcement reality

February 2026 — Germany issues first NIS2 fine

The German BSI fined a mid-sized cloud service provider EUR 850,000 for late incident reporting and inadequate detection measures. This was the first significant NIS2 fine in Europe and signals that active enforcement has begun. Multiple countries are now investigating cases.

The lesson: even "small" violations can result in six-figure fines. Maximum exposure is rarely reached, but real fines are now happening.

Avoid fines — start compliant

Reglyze helps SMEs become NIS2 compliant in weeks, not months. Scoping, gap assessment, AI-generated policies, and incident reporting — free to start, Pro from EUR 499/year, far less than a single fine.