NIS2 Fines & Penalties 2026

NIS2 introduces some of the highest cybersecurity fines in EU history — up to 10 million EUR or 2% of global annual turnover, plus personal liability for management. Here's everything you need to know.

Fine structure at a glance

  • Essential Entities: EUR 10M or 2% of global annual turnover — whichever is higher
  • Important Entities: EUR 7M or 1.4% of global annual turnover — whichever is higher

How NIS2 fines are calculated

The headline numbers are maximums, not flat fees. For each band the authority applies the figure that is higher — the fixed euro ceiling or the percentage of turnover. The percentage is calculated on total worldwide annual turnover of the preceding financial year, and for a company that belongs to a group it is the group's turnover that counts — which is why the ceiling bites hardest on subsidiaries of large parents.

Within those limits, NIS2 Article 34 tells supervisory authorities to set each fine as effective, proportionate and dissuasive, weighing factors such as:

  • Nature, gravity and duration of the infringement
  • Whether it was intentional or merely negligent
  • Actual damage caused and number of users affected
  • Steps taken to prevent or mitigate the harm
  • Degree of cooperation with the authority
  • Any previous infringements by the entity

Crucially, administrative fines can be imposed in addition to other enforcement measures — binding instructions, security audits at the entity's expense, public disclosure of the breach, and, for essential entities, temporary management bans.

Recent enforcement cases

February 2026
Germany — EUR 850,000 fine against cloud provider

The German Federal Office for Information Security (BSI) issued the first significant NIS2 fine in Europe — EUR 850,000 against a mid-sized cloud service provider for failing to implement adequate incident detection measures and for late reporting of a security incident. This case sets a precedent for active enforcement across the EU.

NIS2 fines by country: who enforces them

The directive sets the ceilings; each EU member state transposes NIS2 into national law and names its own competent authority. The maximum amounts are harmonised, but the enforcement regime and procedure differ by country.

Germany — NIS2-Umsetzungsgesetz (NIS2UmsuCG)

Germany's transposition law (the NIS2UmsuCG, in force since December 2025) re-enacts the BSIG and is administered by the BSI (Bundesamt für Sicherheit in der Informationstechnik). German fines (Bußgelder) mirror the directive ceilings — up to EUR 10M or 2% of turnover for essential entities and EUR 7M or 1.4% for important entities — and there is no transitional grace period: obligations apply from entry into force, with an estimated 29,500 entities now in scope.

Italy — Decreto Legislativo 138/2024

Italy transposed NIS2 with D.Lgs. 138/2024, enforced by the ACN (Agenzia per la Cybersicurezza Nazionale). The fine ceilings match the EU minimums (EUR 10M/2% for soggetti essenziali, EUR 7M/1.4% for soggetti importanti), with technical measures and notification timelines set progressively through ACN determinazioni.

France — Loi Résilience (in progress)

France's transposition is being finalised through the “Loi Résilience” bill, with ANSSI as the competent authority. The fine framework follows the same NIS2 ceilings; entities should track the final text and ANSSI guidance via MesServicesCyber.

Reglyze ships country-specific NIS2 transposition data and authority-formatted incident reports for Germany, France, Italy, Portugal, Belgium and more — so the fine framework you see matches your jurisdiction.

Full country guides: NIS2 in Germany, NIS2 in Italy and NIS2 in the Netherlands.

Personal liability for directors

NIS2 Article 20 holds management personally accountable.

Directors and senior management must approve cybersecurity risk management measures and oversee implementation. If they fail to do so, they can be:

  • Temporarily banned from holding management positions (Essential Entities)
  • Held personally liable for damages resulting from non-compliance
  • Fined individually in addition to organizational penalties

What triggers fines?

  • Failure to implement the 10 minimum security measures (NIS2 Article 21)
  • Missing the 24-hour early warning deadline for significant incidents
  • Missing the 72-hour incident notification deadline
  • Missing the 1-month final report deadline
  • Failure to register with the competent authority
  • Failure to report incidents affecting supply chain partners
  • Failure to train management on cybersecurity risks
  • Failure to conduct regular risk assessments
  • Failure to maintain business continuity and incident response plans

NIS2 fines — frequently asked questions

How much are NIS2 fines?

NIS2 sets maximum fines of up to EUR 10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and up to EUR 7 million or 1.4% of turnover for important entities. The exact amount in your country depends on national transposition — member states set their fine framework within these EU minimums.

Can company directors be personally fined under NIS2?

Yes. NIS2 Article 20 makes management bodies personally responsible for approving and overseeing cybersecurity risk-management measures. Supervisory authorities can hold directors personally liable for damages, and for essential entities they can temporarily ban an individual from holding a management role until the breach is remedied.

What is the difference between essential and important entity fines?

Essential entities face the higher ceiling — up to EUR 10M or 2% of global turnover — and proactive, ex-ante supervision (authorities can audit without prior suspicion). Important entities face up to EUR 7M or 1.4% and reactive, ex-post supervision (authorities act on evidence of a breach). Your category depends on your sector and company size.

Has anyone been fined under NIS2 yet?

Enforcement is ramping up as member states finalise transposition. Germany transposed NIS2 through the NIS2UmsuCG (in force since December 2025), administered by the BSI, and competent authorities across the EU have started audits and first penalties. Because fines scale with turnover and with reporting failures, even a single missed 24-hour or 72-hour deadline can be expensive.

How can I avoid NIS2 fines?

Most penalties come from three failures: not implementing the 10 minimum security measures in NIS2 Article 21, missing the incident-reporting deadlines (24-hour early warning, 72-hour notification, one-month final report), and failing to register with your national authority. Run a scoping check, close your Article 21 gaps, and put an incident-reporting process in place before an incident — not after.

Want to estimate your own exposure? Try the NIS2 fine calculator.

Avoid fines — start compliant

Reglyze helps SMEs become NIS2 compliant in weeks, not months. Scoping, gap assessment, AI-generated policies, and incident reporting — start free, paid plans from EUR 499/year.