
EU NIS2 Directive (EU) 2022/2555 Penalties and Fines

Understand supervision powers and fine thresholds tied to Article 21 and Article 23.

Output: an enforcement-risk mitigation plan based on evidence, governance, and rapid incident reporting.

Author: Sorena AI
Published: Feb 23, 2026
Updated: Feb 23, 2026
Overview

Penalties are the "why" behind evidence. NIS2 gives competent authorities broad supervision and enforcement powers, and ties administrative fines to infringements of Article 21 (controls) and Article 23 (reporting). Use this page to understand the enforcement surface and to build an evidence-first mitigation plan.

Section 1

Supervision: essential vs important entities (what to expect)

Both essential and important entities must implement Article 21 controls and Article 23 reporting. The difference is how supervision is applied.

  • Essential entities: authorities have powers including on-site inspections, off-site supervision, regular/targeted/ad hoc audits, security scans, information requests, and evidence requests (Article 32).
  • Important entities: authorities act when provided with evidence/indications of non-compliance and use ex post supervisory measures such as inspections, targeted audits, scans, and evidence requests (Article 33).
  • Practical implication: essential entities should assume more proactive interaction and maintain a continuously current evidence pack.

Section 2

Enforcement measures (what authorities can require)

Authorities can issue warnings, adopt binding instructions, order remediation, require compliance with Article 21 or Article 23 in a specified manner and within a specified timeframe, order the entity to inform affected recipients, require implementation of audit recommendations, and make aspects of infringements public.

  • Authorities can order you to implement Article 21 measures or fulfil Article 23 reporting obligations within a specified period.
  • Authorities can request documented policies and evidence (including audit results and underlying evidence).
  • Authorities can designate a monitoring officer (for essential entities) to oversee compliance with Articles 21 and 23 for a determined period.
  • Enforcement actions consider seriousness, duration, repeat violations, failure to notify/remedy incidents, obstruction, and false information, among other factors.

Section 3

Administrative fines (Article 34) - the EU-level thresholds

Article 34 sets minimum maxima for fines when essential or important entities infringe Article 21 or Article 23. National law transposition determines the final regime, but these thresholds anchor expectations.

  • Essential entities: maximum of at least EUR 10,000,000 or at least 2% of total worldwide annual turnover (whichever is higher).
  • Important entities: maximum of at least EUR 7,000,000 or at least 1.4% of total worldwide annual turnover (whichever is higher).
  • Fines are imposed in addition to other enforcement measures; some Member States may use periodic penalty payments to compel compliance.
  • Member States lay down penalties for national measures and notify the Commission by a specified date (Article 36).

Section 4

Mitigation playbook (reduce enforcement risk with evidence, not rhetoric)

The fastest way to reduce enforcement risk is to build an evidence pack that demonstrates control effectiveness and rapid reporting capability.

  • Implement an Article 21 control register with owners, KPIs, and control tests (Article 21(2)(f)).
  • Run incident reporting table-top exercises and keep decision logs (significant incident triggers + 24h/72h templates).
  • Maintain management oversight evidence (Article 20): approvals, training records, and risk acceptance decisions.
  • Keep a remediation tracker and an exception register with expiry dates and management approval.
  • Validate national reporting routes and portals via transposition overlays before an incident happens.