Who should read this: C-Suite, In-house Counsel, Compliance Officers, Risk Leaders
The NIS2 Directive, like its predecessor NIS1, establishes administrative sanctions for non-compliance. However, the stakes have increased substantially. Articles 34 and 35 set out a tiered penalty structure that can impose fines of up to EUR 10 million for serious violations and EUR 7 million for other breaches of the directive’s core obligations.
For senior leaders and compliance teams, these penalties create a direct financial incentive to ensure NIS2 compliance is genuine, timely, and documented. A EUR 10 million fine is material: it rivals a significant cybersecurity breach in financial impact, yet it is entirely avoidable through proper compliance.
This post unpacks the NIS2 fine framework: which violations trigger which penalties, how Member States enforce these provisions, what mitigating factors may apply, and how organisations can demonstrate good faith compliance to regulators. Understanding the penalties in detail clarifies the regulatory priorities and helps shape compliance investment decisions.
The Two-Tier Penalty Structure
NIS2 establishes two tiers of administrative fines, corresponding to two categories of breach:
Tier 1 (EUR 10 million): Infringements of the core operational obligations defined in Articles 20-26. These articles require entities to implement technical and organisational measures, report incidents, undergo audits, and cooperate with competent authorities. A violation of these provisions—for example, failing to implement proportionate cybersecurity controls, failing to report a significant incident, or refusing to cooperate with a regulatory investigation—can trigger fines up to EUR 10 million.
Tier 2 (EUR 7 million): Infringements of other provisions of the directive, such as obligations for Member States, designations of competent authorities, or implementation timelines. These are typically less directly related to an entity’s operational cybersecurity posture and more related to administrative compliance.
Importantly, Articles 34 and 35 also authorise “proportionate” fines below these caps. Regulators must calibrate penalties based on the severity of the breach, the organisation’s size and resources, the duration of non-compliance, the degree of culpability, and the effectiveness of remediation.
Which Violations Trigger Tier 1 Fines (EUR 10 Million)
Article 34 specifies that the following breaches of operational obligations may trigger fines up to EUR 10 million:
Failure to implement proportionate technical and organisational measures (Article 21): This is the core obligation. An entity required to implement “appropriate” cybersecurity controls proportionate to its risk profile must actually implement them. An entity that conducts a risk assessment, identifies the need for network segmentation, and then fails to segment its networks would violate this obligation. Similarly, an entity that acknowledges the necessity for incident response procedures but operates without a documented procedure could face enforcement.
Failure to report significant incidents (Article 23): NIS2 requires essential service providers to notify competent authorities and CSIRTs without undue delay and in any case within 24 hours of detecting a significant incident. An entity that detects a breach meeting the significance threshold and fails to notify authorities is in clear violation. The 24-hour clock is binding; a delayed notification, depending on the circumstances, could trigger enforcement.
Failure to undergo security audits or provide audit results (Article 26): Essential service providers must allow authorities to conduct security audits to verify compliance. An entity that refuses an audit request, fails to cooperate during an audit, or withholds audit results from authorities violates this obligation.
Failure to cooperate with competent authorities or CSIRTs (Article 23 and general cooperation obligations): Authorities have investigative powers. An entity that ignores regulatory requests, delays responses, or provides incomplete information may face fines.
Failure to manage third-party risk (Article 22): Entities must ensure that third-party suppliers and service providers implement proportionate cybersecurity measures. An entity that contracts with a managed service provider, cloud vendor, or IT support company without establishing clear cybersecurity requirements, monitoring compliance, or requiring incident notification falls short of this obligation.
These are not mere technicalities; they go to the heart of NIS2’s objective of ensuring that entities managing critical infrastructure implement and maintain genuinely proportionate cybersecurity programmes.
The Role of Proportionality and Member State Discretion
A critical feature of the NIS2 fine framework is that penalties must be “proportionate.” Articles 34 and 35 set maximum fines, but Member State regulators must calibrate actual penalties based on factors such as:
Severity of the infringement: Did the breach create genuine risk to public security, health, or the functioning of essential services? A failure to implement access controls exposes systems to unauthorised use; a failure to patch known vulnerabilities exposes systems to known exploits. These are severe. A failure to update an incident response procedure is less severe.
Duration of non-compliance: Was the violation a one-time oversight, quickly remedied, or a persistent pattern spanning months or years? A failure to report a single incident might result in a lower fine than a systematic pattern of under-reporting.
Degree of culpability: Did the entity knowingly ignore NIS2 requirements, or did it make a good-faith effort to comply but fall short? Wilful non-compliance is treated more severely than negligent non-compliance.
Size and resources of the entity: A EUR 10 million fine represents a catastrophic penalty for a small healthcare clinic; for a large telecommunications operator, it is material but manageable. Regulators must adjust penalties to ensure they are proportionate to the entity’s financial capacity.
Effectiveness of remediation: Did the entity, upon discovering a violation, immediately take corrective action? An entity that self-reports a breach, implements remediation, and provides evidence of corrective action may receive a reduced penalty.
Prior history of compliance: An entity with a history of non-compliance faces higher fines than a first-time offender.
Because proportionality is required, the maximum fine (EUR 10 million) is unlikely to be imposed except in cases of egregious, wilful, or persistent non-compliance. However, proportionate fines in the range of EUR 1-5 million are certainly possible for significant breaches.
Illustrative Scenarios
To ground this discussion, consider several scenarios:
Scenario 1: Ransomware incident not reported. A hospital experiences a ransomware attack that encrypts its EHR system, forcing a shift to paper records. The hospital’s IT team detects the attack after 36 hours but does not notify the competent authority until five days later. This is a clear violation of Article 23 (the 24-hour reporting window). The hospital’s failure directly contravened a core NIS2 requirement. If the competent authority determines that the hospital should have had adequate threat detection to notice the attack more quickly, the violation is even more severe (implying inadequate controls under Article 21). A fine of EUR 3-7 million would be proportionate.
Scenario 2: No incident response procedure. A financial system operator maintains a comprehensive cybersecurity programme with network segmentation, threat detection, and access controls, but has no documented incident response procedure. An incident occurs, and the operator’s response is ad hoc and delayed. The operator is in violation of Article 21 (which implicitly requires incident response planning) and Article 23 (which requires timely reporting). However, the breach of operational controls is indirect (the absence of a procedure, not the absence of controls themselves). A fine of EUR 1-3 million would be proportionate.
Scenario 3: Repeated non-cooperation with audits. A cloud service provider subject to NIS2 receives audit requests from multiple Member States. It delays responding, provides incomplete information, and eventually refuses to cooperate with a particular audit, claiming commercial sensitivity. This is a persistent pattern of non-cooperation under Article 26. The provider has not directly violated core operational requirements (its controls may be adequate), but it has systematically obstructed regulatory oversight. A fine of EUR 2-5 million would be proportionate.
Scenario 4: Third-party risk management failure. A health data processor contracts with a smaller cloud vendor to store patient records. The processor does not conduct due diligence on the vendor’s cybersecurity practices, does not include cybersecurity requirements in the contract, and does not monitor the vendor’s compliance. The vendor experiences a breach, exposing patient data. The processor is in violation of Article 22 (failure to ensure third-party risk management). The violation is serious—it allowed a preventable breach—but the processor’s own controls may be adequate. A fine of EUR 500,000 to EUR 2 million would be proportionate, depending on the scale of the breach and the processor’s size.
Enforcement Mechanisms and Investigation Powers
Article 34 establishes that Member States designate competent authorities responsible for enforcing NIS2. These authorities have investigative powers, including the ability to request information from entities, conduct audits, and access facilities (subject to legal constraints).
An enforcement action typically begins with an authority notifying an entity of suspected non-compliance, requesting information or documentation, and providing an opportunity for the entity to respond. If the entity’s response is inadequate or if the authority finds evidence of violations, it may issue an enforcement order (requiring specific remedial action) and/or impose a fine.
Importantly, Member States must afford entities due process rights. An entity against which a fine is proposed typically has the right to a hearing, the opportunity to present evidence in mitigation, and the right to appeal the decision to a court.
For organisations, this means that alleged violations do not automatically result in fines. Cooperation with authorities, prompt remediation of identified shortcomings, and a credible explanation for any non-compliance can significantly influence the outcome. An entity that, upon notification of a violation, immediately implements corrective action and provides evidence of remediation may have the fine reduced or eliminated (if the authority determines that the violation was not serious or was quickly cured).
Mitigation Strategies and Good Faith Compliance
Several strategies can mitigate the risk and impact of fines:
Timely compliance: The most obvious strategy is to ensure NIS2 compliance is implemented on schedule. Member States began designating essential service providers in 2024, with full implementation expected by October 2024 (for essential service providers) and October 2025 (for important digital service providers). Entities that have achieved compliance by these deadlines demonstrate good faith and reduce the likelihood of enforcement.
Comprehensive documentation: Maintain detailed documentation of cybersecurity policies, risk assessments, controls, audits, and incident response. This documentation demonstrates to regulators that the entity has given genuine thought to NIS2 compliance, has tailored controls to its specific risk profile, and has implemented controls rather than merely planning them.
Incident reporting discipline: If an incident occurs, report it promptly. The 24-hour reporting deadline is binding; attempting to complete an investigation before reporting, hoping to avoid disclosure, or delaying in order to manage the narrative are not viable strategies. Authorities view prompt, transparent reporting as a mitigating factor.
Cooperation with regulators: Respond promptly to information requests, provide complete and accurate information, and schedule audits cooperatively. An entity that obstructs oversight or stonewalls regulators will face higher fines.
Third-party contracts: Establish clear cybersecurity requirements in contracts with vendors, service providers, and partners. Require attestations of compliance, specify incident notification requirements, and reserve audit rights. This demonstrates that the entity has taken third-party risk management seriously.
Self-assessment and remediation: Conduct internal reviews of NIS2 compliance, identify gaps, and implement corrective action. If you discover and remediate a violation before a regulator does, you demonstrate good faith and are likely to receive leniency.
Key Takeaways
- NIS2 establishes a two-tier fine structure: up to EUR 10 million for violations of core operational requirements (Articles 20-26), and up to EUR 7 million for other breaches.
- Tier 1 violations include failure to implement proportionate controls, failure to report significant incidents within 24 hours, failure to cooperate with audits, and failure to manage third-party cybersecurity risk.
- Proportionality is mandatory: actual fines must be calibrated based on violation severity, duration, culpability, entity size, effectiveness of remediation, and prior compliance history. The maximum fine is unlikely except in egregious cases.
- Regulatory enforcement begins with notification and the opportunity to respond; entities have due process rights, including the ability to appeal fines to courts. Cooperation and prompt remediation are powerful mitigating factors.
- Good faith compliance, comprehensive documentation, timely incident reporting, and transparent cooperation with regulators significantly reduce the likelihood of fines and can result in reduced penalties if violations are discovered.
- Third-party risk management is explicitly enforceable; contracts should establish clear cybersecurity expectations and include audit and monitoring rights.