High Sanctions

Sanctions for NIS2 Non-compliance

What you risk if you don't meet requirements

NIS2 introduces some of the toughest sanctions in the history of European cyber legislation. Personal liability of management is a novelty that changes the rules of the game.

Financial Sanctions

Essential Entities

Fixed Amount: €10,000,000
% of Turnover: 2% of global annual turnover

The higher value applies.

Important Entities

Fixed Amount: €7,000,000
% of Turnover: 1.4% of global annual turnover

Example: a company with €100 million turnover can get a fine of up to €2 million.

Comparison with GDPR

GDPR: €20 mil / 4% turnover
NIS2 (essential): €10 mil / 2% turnover
NIS2 (important): €7 mil / 1.4% turnover

NIS2 has lower maximums than GDPR, but in practice fines will be comparable - a cyber incident often affects the personal data of thousands of people, so both regimes can apply to the same event.

Personal Management Liability

This is the biggest change compared to previous legislation. NIS2 explicitly states that members of management bodies are personally liable.

Management Duties

  • Approving security measures
  • Supervising their implementation
  • Completing cybersecurity training
  • Ensuring resources for security measures

Sanctions for Management

  • Personal fine

    Member states can impose a fine directly on the person

  • Temporary ban

    Ban on exercising management functions

  • Public announcement

    Publication of the name of the person responsible for the breach

The executive cannot say: 'The IT department takes care of IT, I didn't know.' NIS2 requires active management involvement.

Other Sanctions

Regulator Orders

  • Order to remedy - implement measures within a set deadline
  • Order to inform - inform affected persons about the incident
  • Order of public announcement - publication of the breach

Activity Restrictions

  • Suspension of certifications or permits
  • Temporary ban on providing services
  • Exclusion from public tenders

Reputational damage can be worse than a fine. Imagine the headline: '[Your Company] fined for neglecting cybersecurity.'

Violation Examples

Ransomware attack without a plan

A manufacturing company is hit by ransomware. There is no incident response plan, and production stops for 5 days. The incident is not reported in time (the deadline is 24 hours).

Sanctions: Fine for missing plan, fine for failure to report, order to remedy.

Unsecured supplier

An IT supplier has a data breach affecting your customers. You have no contract with the supplier that sets out security requirements.

Sanctions: Fine for insufficient supply chain management, order to assess suppliers.

Missing management training

An audit finds that members of management have not completed any cybersecurity training.

Sanctions: Warning, order to complete training, fine upon repetition.

What influences the fine amount

Aggravating Circumstances

  • Intentional violation or gross negligence
  • Repeated violation (recidivism)
  • Failure to report incident or concealment
  • Non-cooperation with regulator
  • Large scope of impact

Mitigating Circumstances

  • First violation without prior history
  • Active cooperation with regulator
  • Quick remedy after detection
  • Voluntary reporting of problems
  • Investments in security

How to avoid sanctions

Now

  1. Do an assessment - find out where you stand
  2. Document efforts - even incomplete compliance is better than none
  3. Set up incident response - at least a basic plan
  4. Train management - so they know their responsibilities

3-6 months

  5. Implement basic measures by priority
  6. Create documentation - policies, plans
  7. Evaluate suppliers - at least critical ones

Risk Summary

Fine (Essential Entities): €10M / 2% turnover
Fine (Important Entities): €7M / 1.4% turnover
Personal Liability: Yes, including ban on functions
Reputational Damage: Public announcement
Operational Restrictions: Suspension of activity

Sanctions are high, but the main reason for NIS2 compliance should not be the fine. A cyber incident without preparation can cost you much more.

Find out your risk

Take our free assessment and find out in which areas you have the highest risk.