NIS2: Enforcement and Penalties
Enforcement and Penalties [Art 32-37]
Rule: Member States must give competent authorities effective supervisory and enforcement powers, backed by administrative fines whose national maximum must be at least €10M or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and at least €7M or 1.4% for important entities. These figures are floors for the national maximum, not caps.
Supervisory Powers [Art 32-33]
| Power | Essential Entities | Important Entities |
|---|---|---|
| On-site inspections | Yes (ex ante and ex post) | Yes, ex post only, once there is evidence, indication or information of alleged non-compliance |
| Remote (off-site) supervision | Yes | Yes, ex post only |
| Security audits | Regular and targeted audits by an independent body or the authority, plus ad hoc audits (e.g. after a significant incident or infringement) | Targeted audits by an independent body or the authority |
| Security scans | Yes | Yes |
| Information requests | Yes | Yes |
| Access to data/documents | Yes | Yes |
| Evidence of policies | Yes | Yes |
Proactive vs Reactive Supervision
| Approach | Essential Entities | Important Entities |
|---|---|---|
| Ex ante (proactive) | Yes, regular supervision without any trigger | No |
| Ex post (reactive) | Yes | Yes, only on evidence, indication or information that the entity allegedly does not comply (Art 33(1)) |
Enforcement Actions [Art 32(4); Art 33(4) gives the same list for important entities, minus the monitoring officer]
Competent authorities can, at least:
| Action | Description |
|---|---|
| Warnings | Issue warnings about infringements of the Directive |
| Binding instructions | Adopt binding instructions, including measures to prevent or remedy an incident, with deadlines for implementation and for reporting on it, or order the entity to remedy identified deficiencies |
| Order cessation | Order the entity to cease conduct infringing the Directive and not to repeat it |
| Order compliance | Order the entity to bring its risk-management measures into line with Art 21 or to fulfil the Art 23 reporting obligations, in a specified manner and within a specified period |
| Order notification of affected persons | Order the entity to inform the natural or legal persons it serves of a significant cyber threat and of protective or remedial steps they can take |
| Order implementation of audit findings | Order the entity to implement security-audit recommendations within a reasonable deadline |
| Monitoring officer | Designate a monitoring officer with defined tasks for a set period to oversee compliance with Art 21 and 23 (essential entities only) |
| Public disclosure | Order the entity to make aspects of the infringement public in a specified manner |
| Administrative fines | Impose, or request a court or other body to impose, an administrative fine under Art 34, in addition to any of the measures above |
Maximum Fines [Art 34(4)-(5)]
| Entity Type | Maximum Fine (floor that national law must at least reach) |
|---|---|
| Essential entities | At least €10,000,000 or 2% of total worldwide annual turnover of the undertaking in the preceding financial year, whichever is higher (Art 34(4)) |
| Important entities | At least €7,000,000 or 1.4% of total worldwide annual turnover of the undertaking in the preceding financial year, whichever is higher (Art 34(5)) |
Liability of Management [Art 20(1), Art 32(6)]
Management bodies must approve and oversee the implementation of the Art 21 risk-management measures, and Member States must ensure they can be held liable for the entity's infringements of Art 21 (Art 20(1)). Separately, any natural person who represents, takes decisions for or controls an essential entity must have the power to ensure its compliance and can be held liable for breaching that duty (Art 32(6); Art 33 applies the same rule to important entities). How that liability is given effect (fines on individuals, civil liability or otherwise) is for national law.
Factors for Fine Calculation [Art 34(3), referring to Art 32(7)]
Art 34(3) requires at least the following, taken from Art 32(7), to be weighed when deciding whether to fine and how much:
| Factor | Consideration |
|---|---|
| Seriousness | Gravity of the infringement and importance of the provisions breached |
| Duration | How long the non-compliance lasted |
| Previous infringements | Any relevant earlier infringements |
| Damage caused | Material or non-material damage, including financial loss, knock-on effects on other services and the number of users affected |
| Intent or negligence | Whether the infringement was deliberate or careless |
| Mitigation | Measures taken to prevent or mitigate the damage |
| Codes of conduct and certification | Adherence to approved codes of conduct or approved certification mechanisms |
| Cooperation | Level of cooperation of the persons held responsible with the authorities |
Art 32(7)(a) lists infringements that count as serious in any event: repeated infringements; failure to notify or remedy significant incidents; failure to remedy deficiencies after binding instructions; obstruction of audits or monitoring; and providing false or grossly inaccurate information on risk-management measures or reporting obligations.
Certification and Management Suspension [Art 32(5)]
For essential entities only, where the Art 32(4) measures have proved ineffective, the competent authority sets a deadline for the entity to remedy the deficiencies or comply. If the deadline is missed, the authority can:
- temporarily suspend, or ask the relevant certification or authorisation body or court to suspend, a certification or authorisation covering the relevant services or activities
- ask a court or other body to temporarily prohibit any natural person with managerial responsibility at chief executive officer or legal representative level from exercising managerial functions in that entity
Both measures last only until the entity remedies the deficiencies or complies with the authority's requirements. They do not apply to public administration entities, and Art 33 contains no equivalent for important entities.
Penalties for Non-Reporting
Failure to notify (or to remedy) a significant incident under Art 23 is a serious infringement in any event under Art 32(7)(a), which weighs directly on any fine. Exposure includes:
- Administrative fines under Art 34
- An order to fulfil the Art 23 reporting obligations in a specified manner and period
- Liability of the management body and responsible natural persons
- An order to make aspects of the infringement public
Comparison with Other Regimes
| Regime | Maximum Fine |
|---|---|
| NIS2 (essential) | At least €10M or 2% of worldwide annual turnover, whichever is higher |
| NIS2 (important) | At least €7M or 1.4% of worldwide annual turnover, whichever is higher |
| GDPR | €20M or 4% of worldwide annual turnover, whichever is higher (upper tier, Art 83(5)) |
| DORA | Set in national law by each Member State; periodic penalty payments of up to 1% of average daily worldwide turnover for critical ICT third-party providers under the Lead Overseer |
Overlap with GDPR is handled by Art 35: where the same conduct is also a personal data breach and a data protection authority has already fined it under GDPR Art 83, NIS2 competent authorities may not impose a NIS2 administrative fine for that conduct, although the other enforcement measures in Art 32(4) and 33(4) remain available.
Member State Variation
Each Member State transposes NIS2 into national law (transposition deadline 17 October 2024) and, under Art 36, must lay down penalties that are effective, proportionate and dissuasive:
- National maximum fines may exceed the Art 34 floors
- Additional enforcement powers are possible; Art 32(4) and 33(4) are minimum lists
- Sector-specific competent authorities may be designated, so the supervising authority can differ by sector
- Check the local transposition act for the specific amounts, powers and procedures that apply
Cooperation Between Authorities
| Mechanism | Purpose |
|---|---|
| Cooperation Group (Art 14) | Strategic coordination and exchange between Member States, the Commission and ENISA |
| CSIRTs Network (Art 15) | Operational and technical cooperation between national CSIRTs |
| EU-CyCLONe (Art 16) | Coordinated management of large-scale cybersecurity incidents and crises |
| Mutual assistance (Art 37) | Cross-border information exchange, requests to take supervisory or enforcement measures, and joint supervisory actions where an entity operates in several Member States |
Compliance Incentives
Factors that map onto the Art 32(7) criteria and may reduce penalties:
- Robust Art 21 risk-management programme in place, with evidence of it
- Prompt measures to prevent or mitigate damage once an incident occurs
- Full cooperation with the competent authority
- Timely and accurate notification, since failure to notify is a serious infringement in any event
- Adherence to approved codes of conduct or certification mechanisms (certifications such as ISO 27001 help show diligence, but only approved mechanisms are named in Art 32(7))
- No previous infringements
Practical Risk Mitigation
- Implement Art 21 measures — Full compliance with the cybersecurity risk-management requirements
- Report on time — Meet the Art 23 deadlines: early warning within 24 hours, incident notification within 72 hours, final report within one month
- Train management — Fulfil the Art 20 duties to approve and oversee the measures and to follow cybersecurity training
- Document everything — Keep evidence of policies and of their implementation, which the authorities may request under Art 32(2) and 33(2)
- Engage early — Cooperate with supervisory activity and act on binding instructions before deadlines expire
- Insurance — Consider cyber insurance coverage, noting that it does not remove management liability