NIS2 Article 34 sets minimum maximum administrative fine levels for essential and important entities that infringe Article 21 cybersecurity risk-management duties or Article 23 reporting duties.
Use this page to separate EU-level fine ceilings from Member State penalty rules, enforcement measures, public administration treatment, GDPR overlap, and the evidence teams should preserve.
Structured answer sets in this page tree.
Cited legal and guidance references.
NIS2 does not use one flat EU fine. Article 34 requires Member States to make administrative fines effective, proportionate, and dissuasive, with different minimum maximum caps for essential and important entities. The fine exposure is tied mainly to failures under Article 21 risk-management measures and Article 23 incident-reporting obligations, while national implementation determines the competent authority route and additional penalty rules.
For essential entities, NIS2 requires Member States to make Article 21 or Article 23 infringements subject to administrative fines with a maximum of at least EUR 10,000,000 or at least 2% of the total worldwide annual turnover of the undertaking in the preceding financial year, whichever is higher.
For important entities, the corresponding Article 34 ceiling is a maximum of at least EUR 7,000,000 or at least 1.4% of the total worldwide annual turnover of the undertaking in the preceding financial year, whichever is higher. These are EU minimum maximum levels; a local penalty assessment still depends on national law and the facts of the case.
Article 34 points to infringements of Article 21 and Article 23. Article 21 covers appropriate and proportionate technical, operational, and organisational cybersecurity risk-management measures. Article 23 covers significant incident notification to the CSIRT or competent authority, and in relevant cases communication to affected service recipients.
Penalty planning should therefore start with the evidence for those two obligations: control design and operation, incident handling, reporting decisions, notification timestamps, authority communications, and remediation records.
Essential entities face proactive supervisory powers. Competent authorities can use tools such as on-site and off-site supervision, regular and targeted audits, ad hoc audits after a significant incident or suspected infringement, security scans, requests for information, and requests for evidence of implementation.
Important entities are supervised mainly ex post: the authority acts when it has evidence, indications, or information that the entity allegedly does not comply with NIS2, especially Articles 21 and 23. Both categories can face warnings, binding instructions or orders, remediation requirements, public aspects of infringement, and Article 34 fines.
NIS2 is a directive, so Member States implement penalty rules in national law. Article 36 requires Member States to lay down penalties for infringements of national measures adopted under the Directive, and Article 34 lets each Member State decide whether and to what extent administrative fines may apply to public administration entities.
NIS2 also addresses overlap with GDPR. If a GDPR supervisory authority imposes an administrative fine for the same conduct arising from an Article 21 or Article 23 infringement that entails a personal data breach, the NIS2 competent authority must not impose an Article 34 administrative fine for that same conduct, although other NIS2 enforcement measures may still be used.
Use this checklist to make the penalty file reviewable before an incident, audit, authority request, or management-body review. The goal is not to predict a fine; it is to keep the facts needed to show classification, obligation coverage, incident decisions, authority interactions, and remediation.
Keep the country-specific legal position separate from the EU Article 34 baseline so later reviewers can see which claims come from the Directive and which come from national implementation.
For Article 21 or Article 23 infringements, essential entities must be subject under Member State law to administrative fines with a maximum of at least EUR 10,000,000 or at least 2% of total worldwide annual turnover in the preceding financial year of the undertaking, whichever is higher.
For Article 21 or Article 23 infringements, important entities must be subject under Member State law to administrative fines with a maximum of at least EUR 7,000,000 or at least 1.4% of total worldwide annual turnover in the preceding financial year of the undertaking, whichever is higher.
Yes. Article 34 states that administrative fines are imposed in addition to the enforcement measures referred to in Articles 32 and 33, such as warnings, binding instructions, orders to remedy deficiencies, audit recommendations, and public aspects of infringement.
No. Article 34 leaves each Member State to lay down whether and to what extent administrative fines may be imposed on public administration entities, without prejudice to competent-authority powers under Articles 32 and 33.
Sorena can help connect NIS2 Article 21 controls, Article 23 incident records, management-body approvals, and Member State transposition sources into a practical enforcement-readiness file.
Ask source-linked questions about Article 34 fine ceilings, Article 21 controls, Article 23 reporting, and national transposition sources.
Review your NIS2 penalty evidence, authority-response workflow, and source gaps with Sorena.
"effective, proportionate and dissuasive"
"Technical Implementation Guidance"
"NIS2 Directive"
"EU countries"
"technical and methodological requirements"