How much can my company be fined under NIS2?
NIS2 carries penalties of up to €10M or 2% of global turnover. This page breaks down every fine tier by article, explains who is at risk, and shows live enforcement examples.
How NIS2 penalties work
The NIS2 Directive (Article 34) distinguishes between essential entities and important entities. Essential entities face a higher fine ceiling (up to €10M or 2% of global annual turnover), while important entities face a lower ceiling of €7M or 1.4%. Member States have discretion to set actual fine amounts within these ceilings through national transposition legislation.
Fine tiers by article
Essential entities — cybersecurity risk management and incident reporting violations
€10,000,000 or 2% of global turnover
Applies to:
- Failure to implement Art. 21 cybersecurity risk management measures
- Non-reporting of significant incidents within 24-hour initial deadline (Art. 23)
- Failure to notify affected parties of significant incidents
- Inadequate supply chain security measures
- Management body non-compliance with oversight obligations (Art. 20)
Important entities — cybersecurity risk management and reporting violations
€7,000,000 or 1.4% of global turnover
Applies to:
- Same categories as essential entities but applied to 'important' sector organisations
- Energy, transport, healthcare, digital infrastructure entities in the important tier
Stacked exposure with other EU regulations
NIS2 fines can run concurrently with GDPR fines where a cybersecurity incident also involves a personal data breach. An organisation facing a ransomware attack may simultaneously be fined under NIS2 (for inadequate security measures) and GDPR (for the resulting data breach). In the financial sector, DORA and NIS2 obligations partially overlap, though regulators are expected to coordinate to avoid double penalties.
Frequently asked questions
What is the maximum NIS2 fine?
Essential entities under NIS2 face a maximum fine of €10,000,000 or 2% of global annual turnover, whichever is higher. Important entities face a lower ceiling of €7,000,000 or 1.4% of global turnover. Exact amounts depend on national transposition legislation in each Member State.
Who is an essential entity under NIS2?
Essential entities include large organisations (250+ employees or €50M+ turnover) in sectors such as energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure (DNS, IXPs, cloud providers, data centres), ICT service management, public administration, and space.
When did NIS2 penalties start applying?
NIS2 penalties apply from each Member State's national transposition date. The EU-wide transposition deadline was 17 October 2024, but several Member States have delayed full transposition. Entities should check their national authority's published guidance.
For informational purposes only. This is not legal advice — consult qualified legal counsel for advice specific to your situation.