EuroComply

How much can my company be fined under NIS2?

NIS2 provides for administrative fines of up to €10 million or 2% of worldwide annual turnover for essential entities, and €7 million or 1.4% for important entities, whichever is higher in each case. This page breaks down the fine tiers by article, explains which organisations fall into each tier, and shows how NIS2 exposure interacts with GDPR and DORA.

NIS2 (Directive (EU) 2022/2555) imposes cybersecurity risk-management (Art. 21) and incident-reporting (Art. 23) obligations on essential and important entities across the sectors listed in its Annexes I and II. Fines are imposed under national transposition law and therefore vary by Member State, but the Directive requires that the national maximum for essential entities be at least €10 million or 2% of worldwide annual turnover.

Directive: Directive (EU) 2022/2555 (NIS2)
Key dates: in force 16 January 2023; transposition deadline 17 October 2024 (Article 41); national measures apply from 18 October 2024, the date on which the original NIS Directive was repealed
Maximum fine: at least €10 million or 2% of total worldwide annual turnover for essential entities, and at least €7 million or 1.4% for important entities, whichever is higher (Article 34(4) and (5)); Member States may set higher ceilings
Scope: essential entities (large entities in the Annex I sectors of high criticality, e.g. energy, transport, banking, health, water, digital infrastructure including DNS and cloud, public administration, space) and important entities (medium-sized Annex I entities and entities in the Annex II sectors, e.g. postal services, waste, chemicals, food, manufacturing, online marketplaces, search engines, social networks, research)
Enforcer: national competent authorities (Articles 31 to 33) impose fines and other enforcement measures; CSIRTs receive incident notifications (Article 23) but are not the fining body

Common Questions

What is an essential entity under NIS2?
Essential entities are, in the main, large entities operating in an Annex I sector of high criticality: energy (electricity, district heating and cooling, oil, gas, hydrogen), transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration and space. Some types are essential regardless of size, for example DNS service providers, TLD name registries and qualified trust service providers (Art. 3(1)). Essential entities must implement the Art. 21 cybersecurity risk-management measures and meet the Art. 23 incident-reporting obligations, and they are subject to proactive (ex ante) supervision under Art. 32.
What is an important operator under NIS2?
Important entities are entities of a type listed in Annex I or II that do not qualify as essential: typically medium-sized Annex I entities, and entities in the Annex II "other critical sectors" such as postal and courier services, waste management, chemicals, food, manufacturing, research and digital providers (online marketplaces, online search engines and social networking platforms). Note that cloud computing, content delivery network, data centre and managed (security) service providers are Annex I digital infrastructure or ICT service management entities, so large providers of those services are essential, not important. Important entities are bound by the same Art. 21 measures and Art. 23 reporting duties; what differs is the lower fine ceiling and a lighter, reactive (ex post) supervisory regime under Art. 33.
What incident reporting requirements does NIS2 impose?
Under Art. 23, an entity must notify its CSIRT or, where applicable, its competent authority in stages: an early warning within 24 hours of becoming aware of a significant incident; an incident notification within 72 hours, updating the early warning with an initial assessment of severity, impact and any indicators of compromise; intermediate status reports on request; and a final report within one month of the incident notification. An incident is significant if it has caused or can cause severe operational disruption or financial loss, or has affected or can affect other persons by causing considerable material or non-material damage (Art. 23(3)). For DNS, cloud, data centre, CDN, managed service and digital providers, Commission Implementing Regulation (EU) 2024/2690 specifies quantitative thresholds for these criteria.
Can NIS2 penalties stack with other EU regulations?
Partly. NIS2 and GDPR have separate enforcers and separate obligations, and a single ransomware incident can trigger both an NIS2 investigation into the entity's Art. 21 measures and a GDPR investigation into the personal data breach. Art. 35 NIS2 limits double punishment: competent authorities must inform the data protection authority of infringements entailing a personal data breach, and may not impose an Art. 34 fine for the same conduct that a data protection authority has already fined under Art. 58(2)(i) GDPR, although the other enforcement measures in Arts. 32 and 33 remain available. Financial entities covered by DORA are handled under the lex specialis rule in Art. 4: where DORA's ICT risk-management and incident-reporting requirements apply, they replace Arts. 21 and 23 of NIS2 rather than stacking with them.
How does NIS2 relate to the old NIS Directive?
NIS2 repeals and replaces the original NIS Directive (2016/1148) with effect from 18 October 2024. It widens the sector list (adding, among others, waste water, public administration, space, ICT service management, postal services, waste, chemicals, food, manufacturing and research), replaces case-by-case national identification of operators with a size-based rule so that all medium and large entities in the listed sectors are in scope, replaces the "operator of essential services" and "digital service provider" categories with essential and important entities, tightens incident reporting to the 24-hour/72-hour/one-month cadence, adds explicit supply chain and management-body obligations (Arts. 20 and 21), and sets harmonised minimum fine ceilings where NIS1 left penalties entirely to Member States.
What are the key NIS2 compliance obligations?
Art. 21(2) lists the minimum risk-management measures: policies on risk analysis and information system security; incident handling; business continuity, including backup management, disaster recovery and crisis management; supply chain security; security in network and information system acquisition, development and maintenance, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of the measures; basic cyber hygiene practices and training; policies on the use of cryptography and, where appropriate, encryption; human resources security, access control and asset management; and multi-factor or continuous authentication and secured communications where appropriate. Beyond Art. 21, entities must have their management body approve and oversee these measures and undergo training (Art. 20), report significant incidents under Art. 23, and provide their registration and contact details to the competent authority (Art. 3(4); Art. 27 for certain digital entities).

Maximum fine

€10M or 2% of worldwide annual turnover (essential entities) / €7M or 1.4% (important entities), whichever is higher in each case

Source: Directive (EU) 2022/2555, Art. 34(4) and 34(5)

How NIS2 penalties work

Article 34 NIS2 distinguishes between essential and important entities. For infringements of Art. 21 (risk-management measures) or Art. 23 (incident reporting), essential entities face administrative fines of a maximum of at least €10M or 2% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the entity belongs, whichever is higher (Art. 34(4)); for important entities the figures are €7M or 1.4% (Art. 34(5)). These are floors for the national maximum, not caps: Member States must provide for at least these amounts in their transposition legislation and may set higher ceilings. The actual fine in a given case is set by the national competent authority, which must have regard to the factors in Art. 32(7), including the seriousness and duration of the infringement, previous infringements, the damage caused, intent or negligence, mitigation taken and the level of cooperation.

Fine tiers by article

Art. 34(4)

Essential entities: infringements of Art. 21 (cybersecurity risk-management measures) or Art. 23 (incident reporting)

€10,000,000

or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher

Applies to:

  • Failure to implement the Art. 21(2) risk-management measures
  • Failure to send the early warning within 24 hours, the incident notification within 72 hours, or the final report within one month (Art. 23(4))
  • Failure to notify recipients of services of a significant incident or significant cyber threat likely to affect them (Art. 23(1) and (2))
  • Inadequate supply chain security (Art. 21(2)(d))
  • Management bodies that fail to approve and oversee the Art. 21 measures can be held liable for the entity's infringement (Art. 20(1)); essential entities additionally risk a temporary ban on the CEO or legal representative exercising managerial functions (Art. 32(5)(b))
Source: EUR-Lex, Directive (EU) 2022/2555, Art. 34(4)
Art. 34(5)

Important entities: infringements of Art. 21 (cybersecurity risk-management measures) or Art. 23 (incident reporting)

€7,000,000

or 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher

Applies to:

  • The same Art. 21 and Art. 23 infringements as for essential entities, applied to organisations in the important tier
  • Medium-sized entities in the Annex I sectors (energy, transport, health, digital infrastructure and so on) and medium-sized and large entities in the Annex II sectors (postal and courier, waste, chemicals, food, manufacturing, digital providers, research)
  • The temporary management ban in Art. 32(5)(b) is available only against essential entities; important entities are supervised reactively under Art. 33
Source: EUR-Lex, Directive (EU) 2022/2555, Art. 34(5)

Stacked exposure with other EU regulations

NIS2 fines can coincide with GDPR fines where a cybersecurity incident also involves a personal data breach: an organisation hit by ransomware may be investigated under NIS2 for inadequate Art. 21 measures and under GDPR for the breach of personal data. The two regimes are enforced by different authorities, but Art. 35 NIS2 prevents a second administrative fine for the same conduct that a data protection authority has already fined under Art. 58(2)(i) GDPR; the competent authority can still apply the non-financial enforcement measures in Arts. 32 and 33, and conduct fined under only one regime is not protected. In the financial sector, DORA is recognised as sector-specific legislation under Art. 4 NIS2, so its ICT risk-management and incident-reporting rules apply in place of Arts. 21 and 23 rather than on top of them; exposure there is to DORA's penalty regime, not to a double NIS2/DORA fine.


Frequently asked questions

What is the maximum NIS2 fine?

Essential entities under NIS2 face a maximum fine of €10,000,000 or 2% of global annual turnover, whichever is higher. Important entities face a lower ceiling of €7,000,000 or 1.4% of global turnover. Exact amounts depend on national transposition legislation in each Member State.

Who is an essential entity under NIS2?

Essential entities are, as a rule, entities of a type listed in Annex I that exceed the ceilings for a medium-sized enterprise in Recommendation 2003/361/EC, i.e. 250 or more employees, or annual turnover above €50 million together with a balance sheet total above €43 million, in sectors such as energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure (DNS, TLD registries, IXPs, cloud, data centres, CDNs, trust services, public electronic communications), ICT service management (managed service and managed security service providers), public administration and space. Some entities are essential regardless of size, including DNS service providers, TLD name registries and qualified trust service providers (Art. 3(1)), and Member States may designate further entities under Art. 2(2).

When did NIS2 penalties start applying?

NIS2 fines are imposed under national law, so they apply from the date each Member State's transposition measures took effect. The Directive required those measures to apply from 18 October 2024 (Art. 41), but several Member States missed the deadline and the Commission has opened infringement proceedings against late transposers. Entities should check the status of their national law and their competent authority's published guidance.


For informational purposes only. This is not legal advice — consult qualified legal counsel for advice specific to your situation.
