NIS2 introduces some of the highest cybersecurity fines in EU history — up to 10 million EUR or 2% of global annual turnover, plus personal liability for management. Here's everything you need to know.
- EUR 10M or 2% of global annual turnover, whichever is higher
- EUR 7M or 1.4% of global annual turnover, whichever is higher
The German Federal Office for Information Security (BSI) issued the first significant NIS2 fine in Europe — EUR 850,000 against a mid-sized cloud service provider for failing to implement adequate incident detection measures and for late reporting of a security incident. This case sets a precedent for active enforcement across the EU.
NIS2 Article 20 holds management personally accountable.
Directors and senior management must approve cybersecurity risk management measures and oversee implementation. If they fail to do so, they can be:
- Failure to implement the 10 minimum security measures (NIS2 Article 21)
- Missing the 24-hour early warning deadline for significant incidents
- Missing the 72-hour incident notification deadline
- Missing the 1-month final report deadline
- Failure to register with the competent authority
- Failure to report incidents affecting supply chain partners
- Failure to train management on cybersecurity risks
- Failure to conduct regular risk assessments
- Failure to maintain business continuity and incident response plans