What are the key NIS2 obligations for EU businesses?

Implement cybersecurity risk management measures. Report significant incidents within 24-72 hours. Assess supply chain security. Ensure management body oversight. Conduct regular security audits.

What is the maximum fine for NIS2 non-compliance?

The maximum fine under NIS2 is €10M or 2% of global turnover.

When does NIS2 apply or what is the enforcement deadline?

NIS2 deadline: October 17, 2024 (transposition deadline).

Which sectors does NIS2 affect?

NIS2 applies to: Energy, Transport, Healthcare, Digital Infrastructure, Financial Services.

NIS2 Directive

NIS2 expands cybersecurity obligations to essential and important entities across critical sectors. It mandates risk management, incident reporting, and supply chain security.

What does NIS2 require and when does it apply?

NIS2 applies to Energy and Transport organisations across all EU member states. The key deadline is October 17, 2024 (transposition deadline). Non-compliance carries a maximum penalty of €10M or 2% of global turnover. Core obligations include implement cybersecurity risk management measures and report significant incidents within 24-72 hours.

Implement cybersecurity risk management measures
Report significant incidents within 24-72 hours
Assess supply chain security
Ensure management body oversight
Conduct regular security audits

Deadline	October 17, 2024 (transposition deadline)
Max fine	€10M or 2% of global turnover
Primary sectors	Energy, Transport, Healthcare

Source: Official Journal of the EU — NIS2 DirectiveReviewed: 2026-05-01

TL;DR

NIS2: €10M or 2% of global turnover max fine

NIS2 applies to Energy and Transport organisations in all EU member states. Key deadline: October 17, 2024 (transposition deadline).

Source: Official Journal of the European Union — NIS2 Directive

Deadline

October 17, 2024 (transposition deadline)

Max Fine

€10M or 2% of global turnover

Sectors Affected

Energy, Transport, Healthcare

€10Mmaximum fine

The highest penalty for non-compliance with NIS2 in the EU.

EU Official Journal

How do I comply with NIS2?

Implement cybersecurity risk management measures
Report significant incidents within 24-72 hours
Assess supply chain security
Ensure management body oversight
Conduct regular security audits

Does NIS2 apply to your business?

Find out in 2 minutes with our free regulation checker.

Check now — free

Related Regulations

AI Act

The EU AI Act classifies AI systems by risk level and imposes obligations on providers and deployers. High-risk systems face mandatory conformity assessments, documentation, and human oversight requirements.

GDPR

GDPR governs the processing of personal data of EU residents. It requires lawful basis for processing, data subject rights, breach notification, and accountability measures.

CRA

The CRA establishes cybersecurity requirements for products with digital elements sold in the EU. Manufacturers must ensure security by design and provide vulnerability handling.

Next step — classify

Classify your AI systems

Use the free regulation checker to find out exactly which NIS2 obligations apply to your business in 2 minutes.