NIS2 noncompliance penalties

There are three main penalty types for NIS2 violations: administrative fines, non-monetary penalties, and criminal sanctions for management.

Administrative fines

For essential entities, member states must set a maximum fine of at least €10,000,000 or 2% of the global annual revenue (whichever is higher).

For important entities, member states must set a maximum fine of at least €7,000,000 or 1.4% of the global annual revenue (whichever is higher).

Non-monetary penalties

Under the NIS2 Directive, national supervisory authorities can enforce:

  • Compliance orders
  • Binding instructions
  • Security audit implementation orders
  • Threat notification orders to entities’ customers

Criminal sanctions for management

A key element of NIS2 is top management accountability, as a way of preventing gross negligence in cyber risk management. The new Directive allows member states to hold managers personally liable if gross negligence is proven after a cyber incident, including:

  • Ordering organisations to make compliance violations public
  • Making public statements identifying those responsible for the violation
  • (For essential entities) enforcing a temporary ban on individuals holding management positions in case of repeated violations

© 2024 Westcon-Comstor