
What Happens If You Don't Comply with NIS2? Fines, Risks, and Timelines

Metrica.uno Team
5 min read
#NIS2 #fines #compliance #cybersecurity #penalties

The NIS2 Directive is no longer a future concern. The deadline for member states to transpose it into national law passed on 17 October 2024, and national competent authorities are now actively building their audit and enforcement frameworks. Because a directive binds companies only through the national law that implements it, and several member states missed the deadline, the exact obligations and the pace of enforcement depend on the transposing law that applies to you. For organizations that fall within its scope, the question has shifted from “do we need to comply?” to “what happens if we don’t?”

The answer is concrete and consequential: significant financial penalties, personal liability for management, operational restrictions, and reputational damage. This article breaks down exactly what is at stake.

The Penalty Framework

NIS2 establishes a two-tier penalty structure based on how an organization is classified. The classification depends on your sector and size, and it determines both your obligations and the maximum penalties you face.

Essential Entities

Essential entities include organizations in the sectors of high criticality (Annex I) such as energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space. Large organizations in these sectors (250 or more employees, or more than 50 million euros turnover and more than 43 million euros balance sheet total) are classified as essential; medium-sized organizations in the same sectors are generally important entities. A few types of entity are essential regardless of size, among them qualified trust service providers, top-level domain name registries and DNS service providers.

Fines for essential entities (the directive sets these as the minimum that national maximums must reach, so member states may go higher):

  • Up to 10,000,000 euros, or
  • Up to 2% of total annual worldwide turnover (whichever is higher)

To put this in perspective: for a company with 100 million euros in annual revenue, the maximum fine is 2 million euros. For a company with 400 million euros in revenue, it is 8 million euros. These are not theoretical maximums. NIS2 explicitly instructs member states to ensure penalties are “effective, proportionate, and dissuasive.”

Important Entities

Important entities include organizations in sectors such as postal and courier services, waste management, chemicals, food production and distribution, manufacturing (medical devices, computers, electronics, machinery, motor vehicles), digital providers (online marketplaces, search engines, social networking platforms), and research organizations.

Fines for important entities (again the floor for national maximums):

  • Up to 7,000,000 euros, or
  • Up to 1.4% of total annual worldwide turnover (whichever is higher)

While lower than the essential entity tier, these penalties are still substantial enough to materially impact an SMB’s financial position.

Management Liability: The Personal Stakes

Perhaps the most significant change NIS2 introduces compared to its predecessor is the explicit focus on management accountability. Article 20 of the directive states that management bodies of essential and important entities must approve and oversee the implementation of cybersecurity risk-management measures.

This is not a vague recommendation. The directive establishes that:

  • Management bodies can be held personally liable for infringements of the directive’s cybersecurity risk-management requirements (Article 20(1)).
  • Members of management must follow cybersecurity training, and the directive encourages entities to offer similar training to employees on a regular basis (Article 20(2)). Separately, basic cyber hygiene practices and cybersecurity training for staff are one of the mandatory risk-management measures under Article 21.
  • For essential entities, if other enforcement measures have failed, authorities can request that a natural person at CEO or legal representative level be temporarily prohibited from exercising managerial functions (Article 32(5)).

In practical terms, this means that a CEO, CTO, or board member who fails to ensure adequate cybersecurity measures cannot claim ignorance. The directive places the obligation squarely on the management body. If a breach occurs and the organization is found to have been non-compliant, the individuals who approved (or failed to approve) the security measures face personal consequences.

Beyond Fines: Operational Consequences

Financial penalties are the most discussed consequence, but they are not the only one. NIS2 gives national authorities a broad toolkit of enforcement measures:

  • Binding instructions. Authorities can issue mandatory instructions requiring specific remediation actions within defined timelines.
  • Implementation orders. Authorities can order organizations to implement specific security measures or audit recommendations.
  • Security audit mandates. Non-compliant organizations can be required to undergo targeted security audits at their own expense.
  • Threat notification orders. Authorities can require organizations to inform their customers or users about significant cyber threats.
  • Public disclosure. Authorities can make public statements identifying the entity responsible for non-compliance. For organizations that depend on customer trust, this reputational impact can exceed the financial penalty.
  • Appointment of monitoring officers. For essential entities, authorities can designate a monitoring officer for a specified period to oversee compliance efforts, at the entity’s expense.
  • Suspension of certifications or authorisations. As a last resort for essential entities, authorities can request the temporary suspension of a certification or authorisation relevant to the services the entity provides (Article 32(5)).

The Timeline: Where We Stand Now

Understanding the timeline is critical for assessing urgency:

  • January 2023: NIS2 Directive entered into force at the EU level.
  • October 17, 2024: Deadline for member states to transpose NIS2 into national law. Obligations are now binding wherever transposition has happened; late member states are still passing their laws.
  • April 17, 2025: Deadline for member states to establish the list of essential and important entities. In most member states this relies on entities identifying and registering themselves with the competent authority, so do not wait to be told your classification.
  • 2025-2026: National competent authorities are building audit programs and enforcement capacity. Early audits and inspections are underway in several member states.
  • 2026 and beyond: Full enforcement, including active inspections, incident response reviews, and penalties for non-compliance.

If you have not started compliance work yet, you are behind schedule. The regulatory framework is live, the deadlines have passed, and enforcement is ramping up. The grace period, to the extent one ever existed, is over.

Common Compliance Gaps

Based on early audit findings and industry assessments, several compliance gaps appear repeatedly across SMBs:

  • No asset inventory. NIS2 requires organizations to identify and manage assets that support critical services. Many SMBs cannot produce a complete, accurate list of their IT assets, let alone demonstrate that those assets are managed throughout their lifecycle.
  • No incident response plan. NIS2 mandates incident handling capabilities, including detection, response, and reporting. Article 23 requires reporting significant incidents to the national CSIRT or competent authority in stages: an early warning within 24 hours of becoming aware (stating whether malicious action or cross-border impact is suspected), an incident notification within 72 hours with an initial assessment of severity and impact, and a final report within one month. Many organizations have no documented incident response procedure, let alone one that can meet a 24-hour clock.
  • No supply chain risk management. NIS2 requires organizations to assess and manage cybersecurity risks in their supply chain and relationships with service providers. For most SMBs, this is entirely uncharted territory.
  • No cybersecurity training program. The directive explicitly requires that management bodies undergo training and that regular training is provided to employees. Many organizations have no formal security awareness program.
  • No business continuity planning. NIS2 requires measures for business continuity, including backup management, disaster recovery, and crisis management. Many SMBs have informal approaches but no documented, tested plans.
  • Inadequate access control. The directive requires policies on access control and asset management (Article 21(2)(i)) and the use of multi-factor or continuous authentication where appropriate (Article 21(2)(j)). It does not mandate a particular tool, but you must be able to evidence who has access to what, that access is reviewed, and that it is removed when people leave. Spreadsheet-based tracking and manual provisioning make that evidence very hard to produce at audit time.

How to Start Complying Now

Compliance with NIS2 is not a single project. It is an ongoing program that requires sustained attention. However, there is a pragmatic starting sequence for organizations that need to build from a low baseline:

Step 1: Determine Your Classification

Before anything else, establish whether your organization falls within NIS2’s scope and whether you are classified as essential or important. This determines your specific obligations and the penalty tier that applies to you. If you are unsure, seek legal counsel with expertise in EU cybersecurity regulation.

Step 2: Build Your Asset Inventory

You cannot protect what you do not know you have. Create a comprehensive inventory of all IT assets, including hardware, software, network infrastructure, and cloud services. This is the foundation of every other compliance activity. Use a proper IT asset management system, not a spreadsheet.

Step 3: Conduct a Gap Assessment

Map your current security measures against NIS2’s requirements (Article 21). Article 21(2) lists the minimum measures every essential and important entity must have, so use it as the checklist:

  • Risk analysis and information system security policies
  • Incident handling
  • Business continuity, including backup management, disaster recovery and crisis management
  • Supply chain security, including the relationship with direct suppliers and service providers
  • Security in acquiring, developing and maintaining network and information systems, including vulnerability handling and disclosure
  • Policies and procedures to assess the effectiveness of the risk-management measures
  • Basic cyber hygiene practices and cybersecurity training
  • Policies and procedures on the use of cryptography and, where appropriate, encryption
  • Human resources security, access control policies and asset management
  • Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems where appropriate

Identify where you meet the standard and where you fall short. Prioritize gaps based on risk and the effort required to close them.

Step 4: Implement Core Security Measures

Focus on the measures that address the highest-risk gaps first. Typically, this means: incident response procedures, access control policies, business continuity plans, and supply chain security assessments. Document everything. NIS2 compliance requires demonstrable evidence, not just good intentions.

Step 5: Establish Governance

Assign clear responsibility for cybersecurity oversight at the management level. Ensure management is trained and actively engaged. Create a reporting structure that keeps leadership informed of the security posture and any incidents.

Step 6: Test and Improve

Conduct regular testing of your security measures, including incident response drills and vulnerability assessments. Use the results to identify weaknesses and improve. NIS2 is not a checkbox exercise. It requires continuous improvement.

The Cost of Inaction vs. The Cost of Action

Implementing NIS2 compliance measures requires investment: in tools, in people, and in process changes. For an SMB, the cost of building a compliance program from scratch might range from 20,000 to 100,000 euros depending on current maturity and scope.

Compare that with the potential consequences of non-compliance: fines up to 10 million euros, personal liability for management, mandatory audits at your expense, public disclosure of non-compliance, and the operational disruption of responding to enforcement actions. The math is not complicated.

More importantly, the security measures NIS2 requires are not arbitrary bureaucratic requirements. They are fundamental practices that protect your organization from real threats. The companies that comply are not just avoiding fines. They are building resilience against cyberattacks that are increasing in frequency and sophistication every year.

The directive is live. The deadlines have passed. The auditors are coming. The time to act is now.
