NIS2 Fines: Who Is Liable and How High Are the Penalties?

TL;DR
  • NIS2 provides for fines of up to EUR 10 million or 2% of global annual revenue (whichever is higher).
  • Executives are personally liable if they neglect risk management obligations.
  • Essential entities are subject to stricter oversight and heavier penalties than important entities.
  • The BSI receives extensive supervisory and enforcement powers, including on-site inspections.
  • Proactive action not only protects against fines but also reduces the personal liability risk of management.

Why NIS2 Fines Can Affect Every Company

With the NIS2 Directive, the European Union has fundamentally tightened the framework for cybersecurity requirements. The transposition into German law through the NIS2 Implementation Act (NIS2UmsuCG) affects an estimated 30,000 companies in Germany. And the sanctions regime is substantial: The fines are deliberately modelled on the GDPR and are intended to have a deterrent effect.

For executives, IT managers, and information security officers, the topic becomes very concrete. Unlike many previous IT security regulations, this is not just about corporate penalties: the personal liability of the management level is expressly enshrined in the law.

This article explains the NIS2 fine structure, liability rules, BSI supervisory powers, and what you as a responsible person can do now to protect your company and yourself.

The Fine Framework: Up to EUR 10 Million

The NIS2 Directive defines two categories of entities and assigns them different fine frameworks. The level of penalties depends on whether your company is classified as an essential or important entity.

Essential Entities

For essential entities, the stricter fine framework applies:

  • Up to EUR 10 million or
  • 2% of total global annual revenue of the preceding financial year

Whichever amount is higher applies. For a company with EUR 800 million in annual revenue, this would be up to EUR 16 million.

As a rule, essential entities are large enterprises in the sectors of high criticality listed in Annex I of the directive: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (business-to-business), public administration, and space. A medium-sized enterprise in one of these sectors is generally classified as important, not essential.

Important Entities

For important entities, lower but still significant upper limits apply:

  • Up to EUR 7 million or
  • 1.4% of total global annual revenue

Again, the higher value applies. Important entities are medium-sized and large enterprises in the "other critical sectors" of Annex II, such as postal and courier services, waste management, chemicals, food, manufacturing, digital providers, and research, as well as medium-sized enterprises from the Annex I sectors.

What This Means in Practice

The revenue-linked nature of the fines is crucial, and so is the "whichever is higher" rule. A mid-market essential entity with EUR 50 million in revenue does not face a ceiling of 2% (EUR 1 million) but of the fixed EUR 10 million, because the fixed amount applies whenever it exceeds the percentage. A corporation with EUR 5 billion in revenue could theoretically face up to EUR 100 million. The fixed amount of EUR 10 million is therefore the floor of the maximum fine, not a cap: the percentage calculation can exceed it.

Personal Liability of Management

Perhaps the most significant paradigm shift of NIS2 concerns the personal responsibility of company leadership. Article 20 of the NIS2 Directive and the corresponding German transposition make clear: Management must approve cybersecurity risk management measures, oversee their implementation, and can be held personally liable for violations.

What Executives Must Specifically Observe

The management bodies — managing directors at a GmbH, board members at an AG, or personally liable partners at a KG — bear responsibility for three central obligations:

1. Approval of risk management measures
As a managing director, you must actively approve your company's cybersecurity strategy. A mere rubber stamp is not sufficient. You must understand the key risks and be able to assess the adequacy of the measures taken.

2. Oversight of implementation
It is not enough to adopt a strategy once. Management must regularly verify whether the approved measures are actually implemented and effective. This requires reporting structures and clear responsibilities.

3. Participation in training
NIS2 expressly obligates management to participate in cybersecurity training. This is not voluntary professional development but a legal obligation. Anyone who does not undergo training is in violation of the directive.

Consequences of Personal Liability

Personal liability encompasses multiple dimensions:

  • Damages claims from your own company: If a fine is imposed because management failed to fulfil its duties, the company can seek recourse. Management is liable to the company for the damage incurred.
  • No delegation possible: Responsibility for approving and overseeing cybersecurity measures cannot be delegated to the CISO, IT manager, or external consultants. Execution can be delegated — responsibility cannot.
  • Removal and activity ban: In severe cases, supervisory authorities can impose a temporary ban on exercising management functions for essential entities.

D&O Insurance as a Safety Net?

Many executives rely on their D&O insurance (Directors and Officers) or a cyber insurance policy. Caution is warranted here. Whether D&O insurance covers NIS2 violations depends heavily on the specific insurance terms. Intentional acts or deliberate omissions are generally not covered. If you as a managing director demonstrably failed to approve cybersecurity measures and did not attend training, the insurer could refuse to pay. Clarify this early with your insurer.

Which Violations Are Sanctioned and How

Not every violation automatically leads to the maximum fine. The sanctioning authorities consider various factors when determining the amount. The NIS2 Directive provides supervisory authorities with a catalogue of criteria that play a role in setting the fine level.

Severe Violations

The highest fines are expected for:

  • Missing or inadequate risk management measures: If your company has not implemented appropriate technical and organisational measures, this constitutes a fundamental violation of the core NIS2 obligations.
  • Missed reporting obligations: NIS2 prescribes a three-stage reporting system for significant incidents. An early warning is due within 24 hours of becoming aware of the incident, an incident notification with an initial assessment within 72 hours, and a final report within one month of that notification (if the incident is still ongoing at that point, a progress report is due instead, followed by the final report within one month of the incident being handled). Missing these deadlines risks significant fines.
  • Refusal to cooperate with authorities: Ignoring official orders or obstructing inspections is treated as an aggravating circumstance.

Mitigating and Aggravating Circumstances

The following factors, among others, influence the fine amount:

  • Severity and duration of the violation: A one-time lapse is assessed differently than systematic ignoring of obligations over months.
  • Intent or negligence: Deliberate violations are punished more severely than negligent ones. Anyone who demonstrably ignored cybersecurity despite known risks must expect the upper range of fines.
  • Remediation measures taken: Those who act quickly and decisively after an incident, implement measures, and cooperate with authorities can expect a milder assessment.
  • Previous violations: Repeat offenders face significantly harsher sanctions.
  • Financial advantage gained: If it can be demonstrated that a company saved costs by omitting security measures, this factors into the fine amount.

Essential vs. Important Entities: The Differences in Detail

The difference between essential and important entities is not limited to the fine amount. It affects the entire supervisory regime.

Supervisory Approach

Essential entities are subject to proactive, ex-ante oversight. This means: Authorities can conduct inspections at any time and without specific cause, request evidence, and order security audits. The BSI does not need to wait for an incident.

Important entities are subject to reactive, ex-post oversight. Here, authorities generally only act when there are indications of a violation — for example, after a reported security incident or based on third-party information.

Enforcement Measures

For essential entities, authorities have a broader spectrum of enforcement instruments:

  • Binding instructions to implement specific measures
  • Ordering security audits at the company's expense
  • Temporary suspension of certifications or authorisations
  • Temporary ban on management activities for responsible persons
  • Appointment of a monitoring officer

For important entities, the catalogue of orders is broadly similar (warnings, binding instructions, orders to inform affected recipients, orders to implement audit recommendations, fines), but the sharpest instruments, the suspension of certifications or authorisations and the temporary management activity ban, are reserved for essential entities.

Classification Criteria

Classification is primarily based on sector and company size:

Criterion       | Essential Entity                                                                                     | Important Entity
Sectors         | Annex I: energy, transport, banking, health, water, digital infrastructure, public administration, space | Annex II: post, waste, chemicals, food, manufacturing, digital services, research (plus medium-sized Annex I entities)
Typical size    | Large enterprises (at least 250 employees, or more than EUR 50M revenue and EUR 43M balance sheet total) | Medium enterprises (at least 50 employees, or more than EUR 10M revenue and EUR 10M balance sheet total)
Fine framework  | EUR 10M or 2% of global revenue, whichever is higher                                                   | EUR 7M or 1.4% of global revenue, whichever is higher
Oversight       | Proactive (ex ante)                                                                                   | Reactive (ex post)

There are exceptions: Certain companies are considered essential regardless of their size, such as DNS service providers, TLD name registries, or qualified trust service providers.

BSI Supervisory Powers

The Federal Office for Information Security (BSI) becomes the central supervisory authority for cybersecurity in Germany through NIS2. Its powers are significantly expanded.

Inspection Rights

The BSI can take the following actions:

  • On-site inspections: Inspectors can visit your company and examine systems, processes, and documentation. You are obligated to cooperate.
  • Regular security audits: For essential entities, the BSI can order regular audits, including by qualified third parties. The company bears the costs.
  • Ad-hoc reviews: After security incidents or in cases of suspicion, event-driven inspections are possible at any time.
  • Evidence requests: The BSI can request evidence of security measure implementation at any time. This requires comprehensive documentation.

Order Powers

If the BSI identifies deficiencies, it can issue binding orders:

  • Implementation of specific security measures within a set deadline
  • Informing affected customers or the public about a security incident
  • Appointment of an independent monitoring officer at the company's expense
  • Suspension of authorisations or certifications until deficiencies are remedied

You can appeal these orders, but experience from other regulatory areas shows that authorities generally substantiate their orders carefully and courts rarely intervene.

Comparison with GDPR Fines: Putting Things in Perspective

Comparing with the GDPR helps contextualise the scale of NIS2 fines. The GDPR has shown since 2018 that EU institutions are serious when they define high fine frameworks.

Parallels

  • Revenue-linked calculation: Both regulatory frameworks tie the fine amount to global annual revenue. The GDPR allows up to 4% (for severe violations), NIS2 up to 2% for essential entities.
  • Fixed amounts: The GDPR provides for up to EUR 20 million, NIS2 up to EUR 10 million, in each case as the floor of the maximum fine. In absolute figures, the GDPR is higher, but the NIS2 amounts can still be existentially threatening for many companies.
  • Deterrent effect: Both frameworks explicitly aim at deterrence. Fines are intended to be high enough that it never makes economic sense to forego compliance measures.

Differences

  • Personal liability: NIS2, with its explicit personal liability for management, goes significantly further than the GDPR. Under the GDPR, the company as the data controller is primarily liable.
  • Activity bans: The ability to temporarily exclude management from their duties has no equivalent in the GDPR. This is a sharp instrument that directly affects careers.
  • Enforcement maturity: The GDPR has been enforced since 2018; authorities have routine. NIS2 is starting fresh. Experience suggests supervisory authorities act somewhat more cautiously in the early phase but then tighten their approach. Anyone speculating that enforcement will not happen initially is playing a risky game.

Practical Examples from the GDPR as a Warning

GDPR enforcement practice shows what is possible: Meta was fined EUR 1.2 billion in 2023, Amazon received EUR 746 million. Fines in the double-digit millions have also been imposed in Germany — for example against H&M (EUR 35.3 million) or Deutsche Wohnen (EUR 14.5 million). These amounts show: Authorities use the framework available to them. There is no reason to assume NIS2 will be any different.

What Executives Should Do Now

The good news: Those who act early can significantly reduce the fine and liability risk. The following steps form a pragmatic roadmap.

1. Clarify Whether You Are Affected

First check whether your company falls under NIS2 and which category it is classified in. Classification depends on sector and company size. In case of doubt, seek legal advice, as borderline cases are not always clear-cut.

2. Conduct a Gap Analysis

Compare your current information security posture with NIS2 requirements. Where are there gaps in technical measures? Where are organisational processes missing? What about documentation? An honest assessment is the foundation for everything that follows.

3. Build or Adapt Risk Management

NIS2 requires a risk-based approach. You need systematic risk management that identifies threats, assesses them, and derives appropriate measures. If you already operate an ISMS based on ISO 27001, you have a solid foundation. If not, now is the right time to build one.

4. Establish Reporting Processes

The tight reporting deadlines of 24 and 72 hours require well-practised processes. Define clear responsibilities, escalation paths, and communication templates. Test the procedures regularly in exercises. When an emergency occurs, there must be no debate about who reports what to whom.

5. Ensure Management Training

Plan regular cybersecurity training for the entire management level. This is not only a legal obligation but also a practical necessity. Only those who understand the risks can make informed decisions and credibly fulfil their supervisory duty.

6. Use Documentation as a Shield

In fine proceedings, what counts is what you can prove. Systematically document all measures, decisions, risk analyses, and training sessions. An ISMS tool like ISMS Lite maintains the audit trail automatically and logs every change with a timestamp and responsible person. Comprehensive documentation is your best defence when the BSI comes asking. It demonstrates that you took your obligations seriously.

7. Address the Supply Chain

NIS2 requires you to also consider the cybersecurity of your supply chain. Review the security measures of your key service providers and suppliers using a structured supplier assessment. Anchor security requirements contractually and regularly request evidence.

8. Seek Legal Advice Early

The interfaces between IT security law, corporate law, and insurance law are complex. Seek early advice, particularly on personal liability, D&O insurance, and the concrete implementation of requirements in your company.

Conclusion: Act Rather Than Wait

NIS2 fines are not a paper tiger. With upper limits of EUR 10 million or 2% of global annual revenue, combined with personal liability for management, the directive creates a sanctions framework that definitively makes cybersecurity a top management concern.

Experience with the GDPR has shown: High fine frameworks are indeed used to their full extent. Those who now invest in a solid ISMS, build risk management processes, and establish reporting obligations protect not only their company from penalties but also reduce the personal liability risk of management.

The question is not whether the fines will come. The question is whether you are prepared.

NIS2 Compliance Without the Headaches

ISMS Lite helps you implement NIS2 requirements in a structured way. Risk management, measure tracking, and evidence obligations in one tool.