Regulatory Update

NIS2 Enforcement Is Underway: What Early EU Penalties Mean for Your Organisation

EU member states have begun issuing formal NIS2 enforcement actions. Germany has issued 47 formal notices, France has ordered remediation across energy and transport, and personal liability for senior executives is now active. What CISOs need to bring to the board.

The NIS2 Directive's transposition deadline fell on 17 October 2024, and for the first six months after it, enforcement activity was minimal. National competent authorities were building their registries, entities were scrambling to understand their classification, and the common expectation was that substantive enforcement would wait until late 2025 at the earliest.

That window has closed. Since late 2025, Germany, France, and Italy have all moved from registration compliance into substantive enforcement, and the early actions carry implications that every board should be aware of, regardless of sector.

What Has Happened So Far

Germany (Bundesamt für Sicherheit in der Informationstechnik — BSI): In Q4 2025, the BSI issued 47 formal notices (Anordnungen) to entities primarily for two failures: failure to register in the national NIS2 entity register, and failure to designate a point of contact for cyber incidents with the authority. These are the baseline compliance obligations under NIS2 — the equivalent of not having filed your registration. The BSI has signalled that the next phase of enforcement will focus on risk management measures and incident reporting quality.

France (ANSSI): In early 2026, ANSSI issued remediation orders to 23 essential entities across the energy and transport sectors for inadequate risk management measures. The orders are not fines — they are binding instructions to remediate specific deficiencies within a defined timeframe, with financial penalties applicable if the remediation orders are not met. ANSSI has made clear that its audit programme for essential entities will continue through 2026.

Italy (Agenzia per la Cybersicurezza Nazionale — ACN): Italy is scaling its enforcement capacity and has announced systematic audit programmes for essential entities beginning in mid-2026. Financial penalties have not yet been publicly announced, but the framework is in place.

The general pattern: Enforcement is following a graduated path — registration and governance first, substantive security measures second, financial penalties for persistent non-compliance third. This graduated approach gives organisations a meaningful runway to remediate — but only if they’re paying attention.

The Penalty Structure

The fine levels under NIS2 are materially higher than most organisations have factored into their compliance risk assessments:

Entity type          Maximum fine
Essential entities   €10 million or 2% of global annual turnover (whichever is higher)
Important entities   €7 million or 1.4% of global annual turnover (whichever is higher)

For context, an essential entity with €500 million in global revenue faces a potential fine of up to €10 million for significant non-compliance: at that revenue level 2% of turnover equals the €10 million floor, and above it the percentage governs. The GDPR comparison is useful here: NIS2 fines are lower than GDPR's maximum of 4% of global turnover, but they apply to a different and broader set of organisations, including many that have historically operated under lighter regulatory regimes.

Personal Liability: The Overlooked Provision

The element most frequently absent from NIS2 briefings is Article 20's management accountability provision. NIS2 requires that the management body of essential and important entities approve the entity's cybersecurity risk management measures, oversee their implementation, and follow training sufficient to identify risks and assess risk management practices. Critically, Article 20(1) provides that members of the management body can be held liable for infringements of those obligations.

The practical consequences, which member states are now implementing:

  • For essential entities, competent authorities can temporarily prohibit a natural person at chief executive officer or legal representative level from exercising managerial functions, where the entity has failed to comply with a binding instruction within the deadline set by the authority
  • Board members and senior executives can face personal fines in member states that have implemented this provision in national law
  • The accountability cannot be fully delegated — while the CISO is operationally responsible, the board retains legal accountability for the organisation’s NIS2 compliance posture

This is a structural shift. Before NIS2, cybersecurity regulatory liability in Europe sat primarily with the organisation as a legal entity. Under NIS2, it sits with the organisation and, through Article 20, also with the individuals on its management body.

What Your Board Needs to Understand

1. Scope clarification is urgent. Many organisations still have not conclusively determined whether they are classified as essential or important under the national transpositions in each member state where they operate. NIS2 scope is defined by sector and size: medium-sized and large enterprises in the listed sectors, broadly those with at least 50 employees or an annual turnover or balance sheet total above €10 million, are in scope, and certain entity types (for example DNS service providers and top-level domain name registries) are in scope regardless of size. The national competent authority registers are the authoritative source in each jurisdiction.

2. The incident reporting obligation has real teeth. NIS2 requires an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident, an incident notification with an initial assessment of severity and impact within 72 hours, intermediate updates on request, and a final report within one month of the incident notification. Failure to notify, or notifying late, is a direct enforcement trigger. Incident response plans must include the NIS2 notification track explicitly, with the person authorised to file each stage and the clock start (the moment of awareness) recorded for every incident.

3. Supply chain security is a first-order obligation. Article 21 requires that entities implement security measures covering their supply chain, including their direct suppliers and service providers. This is not a best-practice recommendation — it is a compliance obligation. Third-party risk management programmes that were previously voluntary are now regulatory requirements for NIS2-scoped entities.

4. Board documentation matters. Article 20’s management accountability provision means that evidence of board oversight is a practical defence. Boards should formally approve the organisation’s NIS2 risk management measures at least annually, with that approval documented in board minutes. If a regulator is assessing personal liability, documented board engagement with cybersecurity is a meaningful mitigating factor.

Actions for the Next 90 Days

For organisations that have not already done so:

  • Register with every relevant national authority in EU member states where you operate. The registration deadline has passed; late registration is still better than no registration.
  • Map your incident reporting obligations against current IR playbooks. Every significant incident must have a notification track built in before the incident occurs.
  • Brief the board formally on Article 20. Senior executives need to understand that their personal accountability under NIS2 is not theoretical — it is active, and enforcement is underway.
  • Review your supply chain security documentation. ANSSI and BSI have both indicated that supply chain security measures will be an early focus of substantive audits.

The graduated enforcement model that national authorities have adopted gives organisations that are behind a meaningful window to catch up. It is a window with a closing date.
