Key Takeaways
  • Essential entities face fines of up to EUR 10 million or 2% of global annual turnover; Important entities up to EUR 7 million or 1.4%
  • Sanctions extend far beyond financial penalties — binding instructions, public disclosure, temporary certification suspension, and periodic penalty payments are all available to regulators
  • NIS2 introduces explicit personal liability for management bodies, including temporary bans from exercising managerial functions
  • Essential entities face proactive (ex-ante) supervision with inspections at any time; Important entities face reactive (ex-post) supervision triggered by incidents or complaints
  • Supervisory authorities examine governance records, technical implementation evidence, incident response capability, and supply chain management — not just policies on paper
  • Enforcement varies across Member States because NIS2 is a Directive, not a Regulation — national transposition introduces meaningful local differences

The NIS2 Directive (Directive (EU) 2022/2555) fundamentally restructured the European Union's approach to cybersecurity enforcement. Whilst much of the public discussion has focused on technical requirements under Article 21 and incident reporting obligations under Article 23, it is the enforcement and supervision regime that ultimately determines whether organisations take the Directive seriously. The penalties are substantial. The supervisory powers are extensive. And for the first time in EU cybersecurity law, individual executives face personal liability.

This article provides a comprehensive, practical analysis of how NIS2 enforcement works: the penalty framework, the types of sanctions available, the distinction between proactive and reactive supervision, what regulators actually examine during inspections, and how organisations should prepare. Whether your organisation is classified as Essential or Important, understanding what happens when the competent authority arrives is critical to both compliance and risk management.

NIS2 Penalty Framework

NIS2 establishes a two-tier administrative fine structure deliberately modelled on the approach taken by the General Data Protection Regulation (GDPR). The Directive sets penalty floors — minimum thresholds that Member States must provide in their national transposition — but leaves Member States free to impose higher maximums. This means the figures below represent the minimum ceiling, not the absolute maximum.

Essential Entities (Article 34(4))

Essential entities are subject to the higher tier of administrative fines. These are organisations operating in sectors deemed critical to the functioning of the economy and society:

  • Maximum fine: EUR 10,000,000 or 2% of total annual worldwide turnover in the preceding financial year, whichever is higher
  • Sectors: Energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space
  • Size threshold: Generally large enterprises (250+ employees or EUR 50M+ turnover), though certain entity types — qualified trust service providers, TLD name registries, DNS service providers — qualify regardless of size

Important Entities (Article 34(5))

Important entities face the second tier of administrative fines. These are organisations in sectors that, whilst significant, are not classified at the highest criticality level:

  • Maximum fine: EUR 7,000,000 or 1.4% of total annual worldwide turnover in the preceding financial year, whichever is higher
  • Sectors: Postal and courier services, waste management, chemicals manufacturing, food production and distribution, manufacturing (medical devices, computers, electronics, machinery, motor vehicles), digital providers (online marketplaces, search engines, social networking platforms), and research organisations
  • Size threshold: Generally medium enterprises (50+ employees or EUR 10M+ turnover)

| Aspect | Essential Entities | Important Entities |
| --- | --- | --- |
| Maximum fine | EUR 10M or 2% of global annual turnover | EUR 7M or 1.4% of global annual turnover |
| Turnover basis | Preceding financial year, worldwide | Preceding financial year, worldwide |
| Supervision model | Proactive (ex-ante) | Reactive (ex-post) |
| Temporary management bans | Yes — suspension possible | Not explicitly provided |
| Binding instructions | Yes | Yes |
| Public disclosure | Yes | Yes |
| Temporary certification suspension | Yes | Not explicitly provided |

Important: Worldwide Turnover

NIS2 specifies "total annual worldwide turnover" — not just EU revenue. For multinational groups, this means the consolidated group turnover may form the basis for calculating the penalty ceiling. The precise application depends on national transposition and the entity's legal structure, but organisations should plan on the assumption that global turnover is the relevant figure.

Types of Sanctions

One of the most significant aspects of NIS2's enforcement regime is that penalties are not limited to financial fines. The Directive provides competent authorities with a comprehensive toolkit of sanctions, many of which can be more operationally disruptive than monetary penalties. Understanding the full range of available sanctions is essential for accurate risk assessment.

Administrative Fines

Administrative fines are financial penalties calculated as the higher of the fixed amount (EUR 10M or EUR 7M) and the percentage of worldwide turnover (2% or 1.4%). They are administrative in nature, meaning they are imposed by the competent authority without requiring criminal prosecution. Member States determine the procedural framework for imposing fines, including rights of appeal.

Binding Instructions

Competent authorities may issue binding instructions requiring an entity to take specific remedial actions within a defined timeframe. These are not advisory recommendations — failure to comply with a binding instruction constitutes a separate enforceable violation that can trigger escalated penalties. Binding instructions may require an entity to:

  • Implement specific security measures identified during an inspection
  • Conduct a security audit and implement the resulting recommendations
  • Remediate identified vulnerabilities within a specified deadline
  • Notify affected individuals or organisations of a particular risk

Orders to Implement Specific Measures

Beyond binding instructions, competent authorities can order entities to bring their cybersecurity risk-management measures or reporting obligations into compliance with specific requirements. These orders may prescribe particular technical or organisational measures that the authority considers necessary based on the entity's risk profile and identified deficiencies.

Temporary Suspension of Certification

For Essential entities, competent authorities may request that a court or other competent body temporarily suspend a certification or authorisation for part or all of the relevant services provided by the entity. This measure can effectively halt business operations in regulated sectors and represents one of the most severe enforcement tools available under the Directive. It is intended as a last-resort measure where other interventions have proven insufficient.

Temporary Ban on Natural Persons from Management Functions

Specific to Essential entities, competent authorities may request that a court temporarily prohibit a natural person from exercising managerial functions at CEO or legal representative level. This is an extraordinary measure with no direct precedent in EU cybersecurity law and is designed to address situations where management failures directly contribute to persistent non-compliance.

Public Disclosure of Non-Compliance

Competent authorities may make public statements identifying the entity responsible for an infringement and the nature of that infringement. For many organisations, the reputational damage from public disclosure significantly exceeds the financial impact of administrative fines. Public disclosure may include identification of the entity, the individuals responsible, details of the infringement, and the enforcement measures imposed.

Periodic Penalty Payments

To compel ongoing compliance, competent authorities may impose periodic penalty payments — recurring fines that accrue for each day or period that an entity remains in non-compliance following an enforcement action. This mechanism ensures that entities cannot simply absorb a one-off fine and continue operating in violation of the Directive. The accumulating nature of periodic payments creates strong financial incentives for rapid remediation.

Non-Monetary Sanctions Can Be More Disruptive Than Fines

In practice, non-monetary sanctions — particularly public disclosure, temporary certification suspension, and management bans — can cause significantly more damage than financial penalties. A public statement identifying an organisation's cybersecurity failures can destroy customer trust, whilst a temporary certification suspension can halt revenue-generating activities entirely. Risk assessments that focus solely on fine amounts underestimate the true enforcement exposure.

Personal Liability for Management

One of the most consequential innovations in NIS2 is the introduction of explicit personal liability for management bodies under Article 20. This provision is designed to ensure that cybersecurity governance is elevated from an IT department concern to a board-level priority. The implications for directors, officers, and senior executives are substantial.

What Article 20 Requires

Member States must ensure that management bodies of both Essential and Important entities:

  • Approve the cybersecurity risk-management measures adopted by the entity pursuant to Article 21
  • Oversee the implementation of those measures on an ongoing basis
  • Can be held liable for infringements of the entity's obligations under the Directive
  • Undergo training to gain sufficient knowledge and skills to identify cybersecurity risks and assess risk-management practices, and encourage similar training for employees on a regular basis

Consequences for Individuals

The personal consequences for management body members who fail to fulfil their Article 20 obligations include:

  • Temporary ban from exercising managerial functions: For Essential entities, competent authorities may request a court to temporarily prohibit a natural person from exercising managerial functions at CEO or legal representative level (Article 32(5)(b)). This measure can effectively end a career.
  • Named in enforcement actions: Public disclosure provisions may identify the natural persons responsible for an infringement, not just the corporate entity. Being publicly named as responsible for a cybersecurity governance failure creates lasting professional and reputational consequences.
  • Personal administrative fines: Depending on national transposition, some Member States may provide for personal fines against management body members who fail to fulfil their oversight obligations.
  • Civil liability exposure: Directors and officers may face civil claims from shareholders, customers, or other affected parties where governance failures contributed to a cybersecurity incident.

How This Differs from GDPR

Under the GDPR, personal liability for management is less explicit. The GDPR focuses enforcement on the data controller or processor as a legal entity, and the Data Protection Officer (DPO) enjoys specific protections against dismissal. NIS2, by contrast, makes management bodies directly and personally accountable for approving and overseeing cybersecurity measures. The temporary management ban provision in NIS2 has no GDPR equivalent and represents a materially different enforcement philosophy — one that recognises cybersecurity governance as a personal obligation of the executive, not merely a corporate one.

Non-Delegable Obligation

Management bodies cannot delegate away liability by appointing a Chief Information Security Officer (CISO), establishing a security committee, or outsourcing cybersecurity management. The obligation to approve and oversee cybersecurity risk-management measures is non-delegable under Article 20. Boards must demonstrate active, informed engagement — not merely passive receipt of reports or rubber-stamping of recommendations.

Supervision: Essential vs Important Entities

The supervision model is one of the most operationally significant distinctions between Essential and Important entity classification under NIS2. The difference is not merely one of intensity — it is a fundamentally different regulatory philosophy.

Essential Entities: Proactive (Ex-Ante) Supervision

Essential entities are subject to proactive supervision under Article 32. This means competent authorities can and will monitor compliance at any time, without waiting for an incident, complaint, or other triggering event. The shift from NIS1's largely reactive approach to proactive supervision for Essential entities is one of the most significant practical changes in the new regime.

Under proactive supervision, competent authorities may:

  • Conduct on-site inspections at any time, including unannounced visits
  • Perform regular and targeted security audits, either directly or through qualified third parties at the entity's expense
  • Carry out ad hoc audits where justified by a significant incident or suspected infringement
  • Execute security scans of externally facing systems
  • Request any data, documents, or information necessary for compliance assessment
  • Request evidence of implementation of cybersecurity policies and measures

Important Entities: Reactive (Ex-Post) Supervision

Important entities are subject to reactive supervision under Article 33. Competent authorities take supervisory action only when provided with evidence or indications suggesting potential non-compliance. This does not mean that Important entities can avoid scrutiny — it means that scrutiny is triggered by specific events rather than occurring as routine monitoring.

Reactive supervision is triggered by:

  • Incident notifications submitted under Article 23
  • Information provided by other competent authorities, CSIRTs, or ENISA
  • Complaints or reports from customers, suppliers, or the public
  • Intelligence from national or EU-level threat intelligence sources
  • Results of security scans or publicly available information

| Dimension | Essential Entities (Proactive) | Important Entities (Reactive) |
| --- | --- | --- |
| When supervision occurs | At any time — no triggering event required | Only after evidence of non-compliance emerges |
| Unannounced inspections | Permitted | Only where evidence-based triggers exist |
| Regular security audits | Authority-initiated at any time | Triggered by specific evidence |
| Security scans | Proactive scanning permitted | Typically triggered by reported incidents |
| Temporary management bans | Available as enforcement measure | Not explicitly provided |
| Compliance posture required | "Be ready at all times" | "Be ready when something triggers scrutiny" |
| Expected supervisory intensity | Higher — routine monitoring expected | Lower — event-driven only |

What Supervisory Authorities Actually Check

Understanding the theoretical framework is important, but organisations preparing for supervision need practical insight into what inspectors actually examine. Based on established regulatory practice across EU Member States, comparable regimes (such as the supervisory approaches used by financial regulators and data protection authorities), and the specific requirements of the Directive, supervisory inspections tend to focus on the following areas.

Policies and Procedures Review

Inspectors examine whether the organisation has documented policies and procedures that address the ten risk-management measures specified in Article 21(2). They assess whether policies are current (not outdated versions that have not been reviewed), whether they are approved by the management body (not just drafted by the IT department), and whether they are specific to the organisation's risk profile (not generic templates). Key documents typically requested include:

  • Information security policy and supporting sub-policies
  • Risk assessment methodology and current risk register
  • Incident response plan and escalation procedures
  • Business continuity and disaster recovery plans
  • Supply chain security policy and third-party risk assessment methodology
  • Access control policy and privileged access management procedures
  • Cryptography and encryption policy
  • Human resources security policy, including onboarding and offboarding procedures

Evidence of Implementation

Inspectors distinguish between organisations that have policies and those that implement them. The focus shifts rapidly from documentation to evidence of operational effectiveness. Typical evidence requests include:

  • Records showing that risk assessments were conducted, reviewed, and updated at defined intervals
  • Evidence that security controls are actively monitored and managed (not just configured once)
  • Patch management records demonstrating timely vulnerability remediation
  • Access reviews showing periodic recertification of user entitlements
  • Change management records demonstrating controlled system modifications
  • Monitoring and logging evidence demonstrating operational security oversight

Incident Response Capability

Given NIS2's multi-stage incident reporting requirements under Article 23, inspectors pay close attention to incident response readiness. They examine whether the organisation can meet the 24-hour early warning requirement, whether response procedures have been tested, and whether the team has the skills and authority to execute the response plan. Focus areas include:

  • Incident detection and triage capabilities — can the organisation identify a significant incident within hours, not days?
  • Escalation procedures that meet the 24-hour early warning timeline
  • Records of incident response exercises and tabletop simulations
  • Lessons learned documentation from previous incidents or exercises
  • CSIRT relationship and established reporting channels

Supply Chain Management

Article 21(2)(d) requires entities to address supply chain security, and inspectors are increasingly focused on how organisations manage third-party cyber risk. They examine:

  • Critical supplier inventory and risk classification
  • Third-party security assessment methodology and results
  • Contractual security clauses in supplier agreements
  • Ongoing supplier monitoring and periodic reassessment processes
  • Supplier incident notification requirements and response procedures

Board Governance and Training Records

Article 20's management body obligations are a specific inspection focus. Inspectors verify that:

  • Management body members have undertaken cybersecurity training — with records of content, provider, and competence assessment
  • The management body formally approved the Article 21 risk-management measures — not merely received a briefing or delegated to a committee
  • Regular management review of cybersecurity posture occurs at defined intervals with documented decisions and action items
  • Accountability is clearly mapped — specific individuals are responsible for specific obligations

Technical Security Audits

In some inspections, particularly where technical vulnerabilities or incidents have been identified, inspectors may conduct or commission technical security assessments. These may include:

  • Review of network architecture and segmentation
  • Examination of firewall rules and intrusion detection configurations
  • Assessment of multi-factor authentication deployment
  • Review of encryption implementation for data at rest and in transit
  • Verification of backup and recovery procedures through testing

Supervisory Powers

NIS2 provides competent authorities with a comprehensive range of investigative and corrective powers. Understanding these powers helps organisations anticipate what may be requested and prepare accordingly.

Investigative Powers

  • On-site inspections: Authority to enter the entity's premises, examine systems, observe operations, and interview personnel. For Essential entities, inspections may be unannounced.
  • Off-site supervision: Remote monitoring, document review, and information requests conducted without a physical visit. This allows authorities to maintain oversight with lower resource requirements.
  • Security audits (regular and ad hoc): Authority to require the entity to undergo a security audit by a qualified independent body, at the entity's own expense. Regular audits may be part of a supervisory programme; ad hoc audits respond to specific concerns.
  • Security scans: Proactive scanning of the entity's externally facing systems based on objective, non-discriminatory, fair, and transparent risk assessment criteria.
  • Requests for evidence: Authority to request any data, documents, or information reasonably necessary for the assessment of compliance, including the results of security audits, risk assessments, and incident records.
  • Access to data and documents: Broad authority to access information held by the entity relevant to its NIS2 obligations, subject to proportionality requirements.

Corrective Powers

  • Formal warnings: Written notification of identified infringements with expectation of voluntary remediation
  • Binding instructions: Mandatory remediation requirements with defined timelines and specific prescribed actions
  • Compliance orders: Requirements to bring cybersecurity risk-management measures or reporting obligations into compliance within a specified period
  • Orders to cease: Instructions to stop conduct that infringes the Directive
  • Orders to inform: Requirements to notify affected natural or legal persons of significant cyber threats or incidents
  • Orders to implement audit recommendations: Binding requirement to implement the findings of a security audit within a specified timeframe
  • Temporary suspension of certifications: For Essential entities, request to a court or competent body to suspend part or all of the entity's certifications or authorisations
  • Temporary management bans: For Essential entities, request to a court to temporarily ban a natural person from exercising managerial functions

Enforcement Actions Across Member States

Because NIS2 is a Directive rather than a Regulation, it requires transposition into national law by each Member State. This creates the potential for meaningful variation in how enforcement operates across the EU — in the competent authorities involved, the procedural frameworks applied, and the intensity of supervisory activity.

National Competent Authorities

Each Member State designates one or more national competent authorities responsible for NIS2 supervision and enforcement. The institutional landscape varies considerably:

  • Germany: The Federal Office for Information Security (BSI) serves as the primary competent authority, building on its existing role under NIS1 and the IT Security Act 2.0.
  • France: The National Agency for Information Systems Security (ANSSI) has traditionally held the supervisory role and continues under NIS2.
  • Other Member States: Some have established new agencies, whilst others distribute responsibilities across existing regulatory bodies based on sector — with telecommunications regulators, financial supervisors, and health authorities each handling their respective sectors.

Role of ENISA

The European Union Agency for Cybersecurity (ENISA) plays a coordinating role under NIS2, though it does not directly supervise or enforce against individual entities. ENISA's functions include maintaining the European vulnerability database, supporting the Cooperation Group, facilitating information sharing between national CSIRTs, and producing guidance on risk assessment methodologies and security measures. ENISA's guidance can influence how national competent authorities interpret and apply NIS2 requirements, creating a degree of soft harmonisation across the EU.

Cross-Border Cooperation

For entities operating across multiple Member States, NIS2 introduces mechanisms for cross-border supervisory cooperation. Where an entity provides services in more than one Member State, the competent authorities of those States must cooperate and assist each other in exercising their supervisory tasks. This includes sharing information about infringements, coordinating enforcement actions, and conducting joint supervisory activities. In practice, cross-border cooperation means that enforcement action in one jurisdiction can trigger scrutiny in others.

Practical Variation

Multi-country organisations should be aware that:

  • Penalty levels may exceed the NIS2 floor in some Member States — certain countries may align NIS2 maximums with GDPR levels for consistency
  • Procedural rules for investigations, hearings, and appeals follow national administrative law, creating significant procedural differences
  • Some Member States may supplement the administrative regime with criminal sanctions under national law
  • Supervisory intensity and resource allocation vary — some authorities are better resourced and more active than others
  • Some Member States have extended NIS2's scope to include additional sectors or have lowered the size threshold, bringing more entities into scope

How to Prepare for Supervision

Preparation for NIS2 supervision requires a shift from project-based compliance to operational readiness. The organisations that handle supervisory inspections successfully are those that treat compliance as an ongoing operational reality, not a one-off exercise.

Maintain Audit-Ready Evidence

The single most important preparation step is maintaining an organised, current repository of compliance evidence that can be produced quickly during an inspection. This means:

  • Centralised evidence repository with clear indexing against Article 21 requirements
  • Version-controlled policies and procedures with approval records
  • Current risk assessments with documented review and update history
  • Incident logs with full lifecycle documentation — detection, triage, response, reporting, lessons learned
  • Third-party risk assessment records and supplier monitoring evidence
  • Training records for management body members and relevant staff
  • Audit reports and remediation tracking

Designate a Regulatory Liaison

Organisations should designate a specific individual or team as the point of contact for supervisory authorities. This liaison should have authority to coordinate inspection logistics, gather and produce evidence, and communicate with the competent authority. The liaison role is not about gatekeeping — it is about ensuring that inspection requests are handled efficiently and consistently.

Practise Responding to Inspection Requests

The 24-hour early warning requirement under Article 23 demands that organisations can respond at pace. Similarly, inspection requests for documentation should be met within the authority's specified timeframe — typically days, not weeks. Organisations should periodically test their ability to produce key evidence under time pressure through internal readiness exercises. These exercises should simulate:

  • Receipt of a document request with a 5-day response deadline
  • An unannounced on-site inspection notification (for Essential entities)
  • A request for live demonstration of incident response capability
  • A demand for evidence of management body oversight activities

Keep Governance Records Current

Board-level governance evidence is an area where many organisations are found wanting during inspections. Ensure that:

  • Board meeting minutes document cybersecurity discussions, decisions, and action items — not just that cybersecurity was "noted"
  • Management body training is documented with dates, content, and competence assessment outcomes
  • Risk-management measure approvals are traceable to specific board decisions with dates and signatures
  • Management review reports are produced at defined intervals and include trend analysis, risk posture assessment, and forward-looking action plans

The organisations that struggle during supervision are not typically those with weak technical controls. They are those that cannot demonstrate governance, cannot produce evidence quickly, and cannot show that what they documented on paper is actually operational in practice.

NIS2 vs GDPR Enforcement Comparison

Many organisations subject to NIS2 are also subject to the GDPR, and understanding the similarities and differences between the two enforcement regimes helps inform an integrated compliance strategy.

| Dimension | NIS2 | GDPR |
| --- | --- | --- |
| Upper fine tier | EUR 10M / 2% global turnover (Essential) | EUR 20M / 4% global turnover |
| Lower fine tier | EUR 7M / 1.4% global turnover (Important) | EUR 10M / 2% global turnover |
| Personal liability | Explicit management body liability (Art. 20) | Limited — DPO has specific protections |
| Temporary management bans | Yes (Essential entities only) | No equivalent provision |
| Supervision model | Proactive for Essential; reactive for Important | Primarily reactive for all controllers/processors |
| Audit at entity's expense | Explicit provision — authority can mandate third-party audit | Not standard practice in most jurisdictions |
| Public disclosure | Explicit statutory provision | Varies by DPA — some publish, some do not |
| Temporary certification suspension | Yes (Essential entities) | No direct equivalent |
| Periodic penalty payments | Yes — for ongoing non-compliance | Available in some jurisdictions |
| Scope of obligations | Cybersecurity risk management and incident reporting | Personal data processing and data subject rights |
| Binding instructions | Yes — specific remediation orders | Yes — corrective powers under Art. 58 |

The critical takeaway for organisations subject to both regimes: NIS2's fine ceilings may be lower than the GDPR's upper tier, but the non-monetary sanctions — particularly temporary management bans, mandatory third-party audits at the entity's expense, and certification suspension — introduce enforcement tools that have no GDPR equivalent. An integrated compliance programme should map overlapping requirements to avoid duplication whilst ensuring that both sets of obligations are independently satisfied.

How Glocert International Helps

Glocert International provides NIS2 readiness assessments, gap analyses, and supervision preparation support for organisations classified as Essential or Important entities. Our assessments evaluate your governance framework, technical controls, incident response capability, and supply chain management against the full scope of NIS2 requirements — identifying gaps before supervisory authorities do.

Frequently Asked Questions

What are the maximum NIS2 fines for Essential entities?

Essential entities face administrative fines of up to EUR 10 million or 2% of total annual worldwide turnover in the preceding financial year, whichever is higher. These fines are in addition to non-monetary sanctions such as binding instructions, public disclosure, compliance orders, and temporary management bans. Member States may set higher maximums in their national transposition, so the Directive figure represents a floor, not a ceiling.

Can individual executives be personally liable under NIS2?

Yes. Article 20 of NIS2 introduces personal accountability for management bodies. Natural persons holding managerial roles can be held liable for infringements of the entity's NIS2 obligations. For Essential entities, competent authorities can request courts to temporarily ban individuals from exercising managerial functions — a provision without precedent in EU cybersecurity law. Management bodies cannot delegate this liability by appointing a CISO or security committee; the obligation to approve and oversee cybersecurity measures is non-delegable.

What is the difference between proactive and reactive supervision under NIS2?

Proactive (ex-ante) supervision applies to Essential entities and means competent authorities can conduct inspections, security audits, security scans, and request evidence at any time without a triggering event. Reactive (ex-post) supervision applies to Important entities and means authorities act only after receiving evidence of non-compliance — such as incident notifications, complaints, or intelligence from other bodies. The practical consequence is that Essential entities must be ready for supervision at all times, whilst Important entities are subject to scrutiny triggered by specific events.

How do NIS2 penalties compare to GDPR fines?

NIS2 penalties for Essential entities (EUR 10M / 2% turnover) mirror the GDPR's lower tier. GDPR's upper tier reaches EUR 20M / 4% turnover. However, NIS2 adds non-monetary enforcement measures — including temporary management bans, mandatory third-party audits at the entity's expense, temporary certification suspension, and public disclosure of violations — that have no direct GDPR equivalent. Organisations subject to both regimes should build an integrated compliance programme that addresses both sets of obligations.

What do supervisory authorities actually check during a NIS2 inspection?

Inspectors typically examine governance records (board training, approval of risk-management measures, management review minutes), technical implementation evidence (access controls, encryption, monitoring, patch management), incident response capability (response plans, exercise records, reporting readiness, CSIRT relationships), supply chain management (third-party risk assessments, contractual clauses, supplier monitoring), and documentation completeness (policies, risk assessments, audit trails). The focus is on operational reality — inspectors quickly distinguish between organisations that implement their policies and those that maintain documentation only on paper.