
NIS2 Fines in 2026: €10 Million or 2% of Turnover — What Your Board Needs to Know

By NIS2Certify
Tags: NIS2, fines, board liability, compliance, cybersecurity, EU regulation

A midsized energy company in Germany receives a letter from the BSI. Their NIS2 registration deadline passed three months ago. They never registered. The fine? Up to €10 million — or 2% of their global annual turnover, whichever is higher. And under Article 20 of the NIS2 Directive, the board members who failed to approve cybersecurity measures can be held personally liable.

This is not a hypothetical scenario. (If you want to understand the full range of enforcement powers beyond fines, read our earlier analysis: 7 NIS2 Penalties That Are Worse Than Money.) Germany's NIS2 implementation law has been in force since December 2025, and approximately 29,500 companies are now under BSI supervision. The Netherlands, France, and a dozen other EU Member States are following close behind.

If your organisation falls under NIS2 and your board has not yet acted, the window to prepare without pressure is closing fast.

How NIS2 Fines Actually Work

The NIS2 Directive (EU 2022/2555) establishes two tiers of penalties under Article 34. The amounts depend on whether your organisation is classified as an essential or important entity.

Essential entities — energy, transport, healthcare, banking, digital infrastructure, water, and ICT service providers — face fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher.

Important entities — postal services, waste management, food production, chemicals, manufacturing, and digital providers — face fines of up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher.

The "whichever is higher" clause is critical. For a company with €800 million in annual revenue, 2% equals €16 million — far above the €10 million floor. The fixed amounts only cap smaller organisations.

These fines apply to failures in two areas: not implementing the required cybersecurity measures (Article 21) and not meeting incident reporting obligations (Article 23). National authorities can also impose periodic penalty payments to compel ongoing compliance.

A concrete example

Consider a managed IT service provider with €50 million in annual turnover, classified as an essential entity. If a regulator finds they lack proper incident response procedures and supply chain security controls, the maximum fine exposure is €10 million (since 2% of €50M is €1M, the fixed cap applies). That is 20% of their annual revenue — enough to threaten the survival of the business.

Your Board Is Personally on the Hook

Article 20 of the NIS2 Directive introduces something many directors have not fully grasped: management body accountability for cybersecurity.

Your board must:

  1. Approve the cybersecurity risk-management measures your organisation implements under Article 21
  2. Oversee the implementation of those measures
  3. Complete regular cybersecurity training — and ensure employees receive ongoing training too
  4. Accept liability for infringements of Article 21

This is not a delegation-friendly obligation. The directive explicitly states that management bodies can be held liable for non-compliance. For essential entities, Articles 32 and 33 go further: competent authorities can request courts to temporarily ban individual directors from exercising managerial functions until the organisation achieves compliance.

The exact scope of personal liability varies by Member State — Germany, Italy, and Belgium have already implemented specific personal liability mechanisms in their national laws. But the direction is clear across the EU: cybersecurity is now a board-level responsibility, not an IT department problem.

What this means in practice

If your organisation suffers a significant cybersecurity incident and the regulator finds that the board never approved a cybersecurity policy, never completed training, and never reviewed the organisation's risk posture — the personal consequences for directors extend beyond the corporate fine.

The 10 Measures Your Organisation Must Implement

Article 21 prescribes ten minimum cybersecurity risk-management measures. These are not optional, and they apply to every entity in scope:

  1. Risk analysis and information security policies — documented, board-approved
  2. Incident handling — procedures that support the 24/72-hour reporting deadlines
  3. Business continuity — backup management, disaster recovery, and crisis management
  4. Supply chain security — security requirements for direct suppliers and service providers
  5. Security in system acquisition, development, and maintenance — including vulnerability handling
  6. Effectiveness assessment — policies and procedures to evaluate whether your measures actually work
  7. Cyber hygiene and training — basic practices for all employees
  8. Cryptography policies — including encryption where appropriate
  9. Human resources security, access control, and asset management
  10. Multi-factor authentication — and secured communications where appropriate

[Infographic: Article 21 — 10 NIS2 Cybersecurity Measures, grouped by theme]

Governance & Strategy: (1) risk analysis & information security policies; (6) effectiveness assessment of security measures
Incident & Continuity: (2) incident handling & notification; (3) business continuity & disaster recovery
Supply Chain & Systems: (4) supply chain security; (5) security in network & information systems development
Technical Controls: (8) cryptography & encryption; (10) multi-factor authentication & secure communications
People & Assets: (7) cyber hygiene & training; (9) HR security & access control

The measures most commonly lacking in midsized organisations are supply chain security, formal incident handling procedures, effectiveness assessment, and MFA deployment beyond email. These are also the areas where regulators are expected to focus first.

Not sure if your organisation meets these 10 requirements? Take the free NIS2 Quick Scan — it maps your current posture against Article 21 in under 10 minutes.

Incident Reporting: The 24-72-30 Timeline

Article 23 sets strict reporting deadlines that many organisations are not prepared for:

Stage                 | Deadline                       | What you must report
Early warning         | 24 hours after becoming aware  | Whether the incident is suspected malicious; potential cross-border impact
Incident notification | 72 hours after becoming aware  | Updated information, initial severity assessment, indicators of compromise
Final report          | 1 month after notification     | Root cause analysis, mitigation measures taken, full impact assessment

[Infographic: NIS2 Incident Reporting Timeline]

24h, Early Warning: notify the competent authority (CSIRT/NCA) within 24 hours of becoming aware of a significant incident.
72h, Incident Notification: submit a detailed notification within 72 hours with an initial assessment of severity, impact and indicators of compromise.
1 month, Final Report: deliver a comprehensive final report within one month covering root cause, remediation taken and cross-border impact.

Missing these deadlines exposes your organisation to the same Article 34 fines as failing to implement security measures. The 24-hour early warning is particularly challenging — it requires your organisation to have monitoring, classification, and escalation processes already in place before an incident occurs.

Where Enforcement Stands Right Now

The enforcement landscape across Europe is uneven, but accelerating:

Germany is fully operational. The NIS2UmsuCG entered into force on 6 December 2025. The BSI registration portal opened on 6 January 2026, with a registration deadline of 6 March 2026. Approximately 29,500 entities are in scope — up from 4,500 under the previous NIS1 regime.

The Netherlands is close behind. The Cyberbeveiligingswet (Cbw) was in parliamentary debate as of late March 2026, with entry into force expected in Q2 2026. The RDI will supervise digital infrastructure; ILT covers transport. Registration infrastructure is already available for early preparation.

France has launched its ReCyF framework through ANSSI (March 2026) with 20 security objectives for essential entities and 15 for important entities. However, France's transposition law is not yet enacted — parliamentary examination is scheduled for July 2026.

Belgium, Italy, Croatia, Hungary, and several other Member States have fully transposed the directive. The European Commission issued reasoned opinions to 19 Member States in May 2025 for missing the original October 2024 deadline.

[Infographic: NIS2 Implementation Status by Country (2025–2026)]

Fully in force (6 countries): Belgium, Croatia, Hungary, Lithuania, Latvia, Italy
Adopted — late 2025 (3 countries): Germany, Czech Republic, Finland
In progress — expected 2026 (7 countries): Netherlands, France, Spain, Poland, Austria, Sweden, Ireland

The bottom line: enforcement is not a future concern. In multiple EU countries, it is happening now.

What Your Board Should Do This Week

You do not need to solve everything at once. But your board does need to start — visibly, formally, and documented.

Step 1: Determine your classification. Are you an essential or important entity? The thresholds are clear: 50+ employees or €10M+ turnover in a covered sector. Some entities (DNS providers, trust services) are always in scope regardless of size.

Step 2: Get your board formally involved. Schedule a board resolution approving a cybersecurity risk-management approach. Document it. This directly addresses the Article 20 liability requirement.

Step 3: Book management training. The directive requires it. One session will not suffice — this needs to be ongoing. Ensure your board members can demonstrate they understand the organisation's cyber risk posture.

Step 4: Assess your current gaps. Map your existing security measures against the 10 Article 21 requirements. Where are you weakest? Supply chain security and incident response are common gaps.

Step 5: Prepare your reporting capability. Can your organisation detect, classify, and report an incident within 24 hours? If not, that process needs building now — not after the first incident.

Want to know where your organisation stands? Start the free NIS2 readiness scan — it takes 10 minutes and gives you a clear picture of your compliance gaps against Article 21.

The Cost of Waiting

Every month of delay increases your risk exposure. Germany is already enforcing. The Netherlands is weeks away. France, Spain, and Poland are in advanced stages of transposition.

NIS2 fines are designed to be proportionate but meaningful — large enough that ignoring the directive is never the economically rational choice. And with personal board liability now written into EU law, the consequences extend beyond the balance sheet.

The organisations that act now will spend less, face fewer surprises, and avoid the rush when enforcement begins in earnest. The compliance journey is manageable — but only if you start before the regulator does.


Related reading: 7 NIS2 Penalties That Are Worse Than Money — Beyond fines, NIS2 gives regulators the power to ban directors, name your organisation publicly, and suspend your operations. Know the full picture.
