Estimate your maximum NIS2 penalty exposure based on your turnover, entity classification, and country. Updated for 2026 enforcement.
Disclaimer: This is an indicative estimate of the legal maximum. Actual fines depend on the severity of the breach and national authority discretion. Not legal advice.
Global annual turnover. For groups, use consolidated turnover.
The NIS2 Directive (EU 2022/2555) sets maximum fines that EU member states must apply for non-compliance. The structure is:
Because the formula uses "whichever is higher", large multinationals face fines that scale with their revenue. A EUR 1 billion company faces a maximum fine of EUR 20 million as an Essential Entity (2% of EUR 1B), not EUR 10M.
Personal liability: Under Article 20, management can be held personally liable and temporarily banned from management positions. This applies to Essential Entities and is enforced separately from organizational fines.
February 2026 — Germany issues first NIS2 fine
The German BSI fined a mid-sized cloud service provider EUR 850,000 for late incident reporting and inadequate detection measures. This was the first significant NIS2 fine in Europe and signals that active enforcement has begun. Multiple countries are now investigating cases.
The lesson: even "small" violations can result in six-figure fines. Maximum exposure is rarely reached, but real fines are now being issued.