A historic engraved map of Europe — the per-country enforcement landscape NIS2 fines now play out across
Photo: British Library on Unsplash
← All posts NIS2 9 min read

NIS2 Penalties by Country: A Complete 2026 Guide

The NIS2 penalty framework under Article 34, plus how it actually varies across member states — fine ceilings, personal liability, registration deadlines, and early enforcement patterns in Germany, the Netherlands, France, Belgium, and beyond.

NIS2 Penalties by Country: A Complete 2026 Guide

NIS1 gave member states wide discretion on penalties, and the result was minimal enforcement — a patchwork of unused powers. NIS2 fixes that by setting mandatory minimum penalty ceilings that national authorities cannot water down. But "minimum ceiling" is the operative phrase: member states can and do go higher, add personal sanctions, and enforce on very different timelines.

This article covers the Article 34 framework, then maps the country-by-country variation as it stands in mid-2026. For the broader regulatory context, start with the complete NIS2 and DORA compliance guide.

This is not legal advice. National transpositions are the operative text and several are still finalising secondary legislation — verify exposure against your jurisdiction's implementing law.

The Article 34 framework

Article 34 NIS2 sets the EU-wide minimum maxima — the fine ceiling that every member state must provide for, at minimum:

Entity type Maximum administrative fine
Essential entities €10 million OR 2% of total worldwide annual turnover, whichever is higher
Important entities €7 million OR 1.4% of total worldwide annual turnover, whichever is higher

Three structural points define how these ceilings work:

  1. "Whichever is higher" cuts against large entities. A €2 billion-turnover essential entity faces a 2% ceiling of €40 million — far above the €10 million flat figure. For most SMEs, the flat figure (€10M / €7M) is the binding ceiling because 2% of their turnover is lower.
  2. These are maxima, not tariffs. Article 34(1) requires fines to be "effective, proportionate and dissuasive." A first-time, low-harm breach by a 60-person SME will not attract a €10 million fine. The ceiling describes the worst case, not the expected case.
  3. Member states may exceed the EU minimum. Several have set higher national ceilings for specific infringement categories.

What attracts a penalty

The fine ceilings apply to breaches of the two core obligation sets: the Article 21 risk management measures and the Article 23 reporting obligations. Article 32 and 33 (supervision) give competent authorities a graduated set of enforcement tools that escalate before reaching financial penalties:

  • Warnings and formal notices
  • Binding instructions and compliance orders with deadlines
  • Orders to inform affected service recipients of incidents or threats
  • Orders to implement audit recommendations
  • Designation of a monitoring officer
  • Public disclosure of the infringement
  • For essential entities: temporary suspension of certifications or authorisations, and temporary bans on management body members exercising managerial functions

The management-body ban (Article 32(5)) is among the most consequential non-monetary sanctions, and it applies only to essential entities.

Non-monetary sanctions and personal liability

NIS2's penalty regime extends beyond entity-level fines. Article 20 makes the management body accountable, and national transpositions add the specific personal sanctions. The variation here is significant — see NIS2 Board-Level Accountability: Personal Liability Explained for the full treatment. The penalty-relevant summary: some member states transposed personal financial penalties for management body members; some route liability through existing corporate law; some, such as Denmark, did not transpose personal liability at all.

Country-by-country: the 2026 picture

As of early 2026, the European Cyber Security Organisation (ECSO) transposition tracker recorded 21–22 of 27 member states having completed transposition into national law. Enforcement has begun in several. The country detail below reflects mid-2026 status and should be re-verified before relying on it — transposition continues to move.

Germany

Germany's NIS2 implementing law, the NIS2UmsuCG, completed its protracted parliamentary process and was passed in November 2025, after the law's progress was delayed by the early federal elections of February 2025.

  • Registration: Essential and important entities must register with the BSI (Bundesamt für Sicherheit in der Informationstechnik); the registration deadline was set for April 2026
  • Entity-level fines: aligned to the Article 34 ceilings (€10M / 2% for essential; €7M / 1.4% for important)
  • Personal fines: Germany's implementation provides for personal fines on management body members of up to €500,000
  • Enforcement posture: BSI is expected to move quickly to audits post-enactment, consistent with the "transposed late, enforce early" pattern

Netherlands

The Dutch transposition, the Cyberbeveiligingswet (Cbw), passed the House of Representatives on 15 April 2026 and is expected to take effect in Q2 2026.

  • Reporting: three-step model — 24-hour early warning, 72-hour follow-up, 30-day final report, all via the NCSC portal
  • Entity-level fines: aligned to the Article 34 ceilings (€10M / 2%; €7M / 1.4%)
  • Personal liability: governing bodies must formally approve cybersecurity measures, oversee implementation, and complete training; failure to do so creates direct personal exposure
  • Enforcement posture: the Dutch supervisory tradition is pragmatic and risk-based — historically prioritising oversight of the most critical entities rather than broad horizontal enforcement. Note: under NIS1, Dutch authorities fined a telecommunications provider €525,000 for late incident reporting — one of the earliest NIS-related financial penalties in Europe, and an indication that the Dutch regulator does use its powers.

France

France integrated NIS2 into its existing national cybersecurity framework under ANSSI, via legislation strengthening the resilience of critical infrastructures.

  • Supervisory approach: ANSSI's established model emphasises sector-specific guidance and cooperative engagement with regulated entities before moving to enforcement
  • Fine ceilings: France adopted higher penalty thresholds than the directive minimum for certain categories of infringement
  • Enforcement posture: active — France is among the member states where audits are under way and enforcement is being applied

Belgium

Belgium was an early adopter. The Belgian NIS2 law has been fully active since October 2024.

  • Registration: the registration deadline in the CCB (Centre for Cybersecurity Belgium) Safeonweb@work portal passed in March 2025 — a Belgian entity that has not registered is already in violation
  • Conformity assessment: Belgium set the first conformity assessment deadline on 18 April 2026
  • Fine ceilings: aligned to the Article 34 ceilings, with personal administrative fines transposed
  • Enforcement posture: among the most advanced enforcement regimes in the EU, given the early transposition

Denmark

Denmark's NIS-2-loven (Bill L 141) entered into force on 1 July 2025.

  • Registration: self-registration with CFCS had a deadline of 1 October 2025
  • Fine ceilings: aligned to the Article 34 ceilings — Denmark did not gold-plate the penalty maxima
  • Personal liability: not transposed — Danish management body members do not face personal NIS2 sanctions
  • Enforcement posture: CFCS audits commenced Q1 2026 with an early-cycle focus on remediation over fines

Full Danish detail in NIS2 Compliance Denmark.

Other member states — status snapshot

  • Austria — NISG 2026 Act published; enters into force October 2026; registration within 3 months of entry into force
  • Sweden — Cyber Security Act and Ordinance effective January 2026
  • Portugal — final draft entering into force April 2026
  • Ireland, Luxembourg, Poland, Spain — in final stages of adoption as of early 2026
  • Croatia, Hungary, Lithuania — among the earliest transposers, having begun legislative processes well before the October 2024 deadline

📨 27 transpositions, 27 enforcement timelines, and the picture moves monthly. Risk Letters tracks penalty frameworks and enforcement actions across the EU. Free weekly briefing.

The enforcement reality in 2026

Two facts define the mid-2026 enforcement landscape, and they point in opposite directions.

Fact one: enforcement infrastructure is now real. Enforcement is active in Germany, France, the Netherlands, and Belgium — regulators are auditing, registration deadlines have passed, and the supervisory powers under Articles 32 and 33 are being exercised. The "transposed late, enforce early" pattern means countries that missed the October 2024 deadline are not enforcing leniently to compensate — several are moving directly to audit cycles.

Fact two: large headline fines have not yet landed. As of April 2026, no major NIS2 fines had been publicly reported. Early-cycle regulatory behaviour across the EU has favoured remediation orders, compliance deadlines, and warnings over financial penalties. This is the normal pattern in the first year of a new enforcement regime — regulators build casework and precedent before reaching for the maximum.

The practical implication for SMEs: the immediate risk in 2026 is not a €10 million fine. It is a compliance order with a deadline, a public disclosure of non-compliance, and — increasingly — failure to win or retain contracts because in-scope customers require supplier NIS2 attestation. The commercial cost is arriving before the regulatory cost.

A widely cited April 2026 industry survey of in-scope business leaders found that around 84% of organisations facing active enforcement considered themselves not ready — a figure that had not meaningfully improved in six months. The enforcement gap is real, and it is the reason regulators are expected to escalate from remediation toward penalties through 2026 and 2027.

How to think about your exposure

A pragmatic exposure assessment for an SME:

  1. Identify your tier — essential or important. This sets your ceiling (€10M/2% vs €7M/1.4%) and your supervision model (proactive vs reactive). See NIS2 Essential vs Important Entities.
  2. Check your national personal-liability transposition — does your jurisdiction sanction management body members personally? If yes, board documentation is individual protection, not just entity protection.
  3. Confirm your registration status — an unregistered in-scope entity in Belgium, Germany, or Denmark is already non-compliant, independent of any technical control gap.
  4. Assess the commercial exposure — for most SMEs in 2026, lost contracts from missing supplier attestation outweigh the regulatory fine risk.
  5. Document good-faith progress — competent authorities in the remediation-first phase reward demonstrable effort. An entity with a proportionality memo, a gap assessment, and a dated remediation plan is in a materially different position from one with nothing.

Frequently asked questions

What's the maximum fine under NIS2? For essential entities, €10 million or 2% of global annual turnover, whichever is higher. For important entities, €7 million or 1.4%. Member states may set higher ceilings for specific infringements.

Have any large NIS2 fines been issued? As of mid-2026, no major NIS2 fines had been publicly reported. Enforcement to date has favoured remediation orders and compliance deadlines.

Can I be personally fined? It depends on your member state. Germany transposed personal fines up to €500,000. Denmark did not transpose personal liability at all. Check your jurisdiction's implementing law.

Is the fine based on entity turnover or group turnover? Article 34 refers to "total worldwide annual turnover." Where an entity is part of a group, the relevant turnover figure can be assessed at group level depending on the national transposition and the group structure.

What happens if I haven't registered? Failure to register by the national deadline is itself a non-compliance event in member states with passed registration deadlines (Belgium, Germany, Denmark). Register late with a documented reason rather than not at all.

Do penalties differ for essential vs important entities? Yes. Essential entities face higher ceilings (€10M/2%) and proactive supervision; important entities face lower ceilings (€7M/1.4%) and reactive supervision. The Article 21 obligations are identical for both.

Will my country enforce leniently because it transposed late? The observed pattern is the opposite. Member states that transposed late are generally moving directly to audit cycles — "transposed late, enforce early."

The bottom line

Three takeaways:

  1. The €10M / €7M ceilings are EU minimums, not the whole story. National variation in personal liability and infringement-specific ceilings is significant.
  2. 2026's real cost is commercial, not regulatory. Lost contracts from missing supplier attestation outweigh the fine risk for most SMEs this year.
  3. Documented good-faith progress is your best protection. In the remediation-first enforcement phase, demonstrable effort changes outcomes.

For the SME-scaled compliance approach that produces this documented progress, see Minimum Viable NIS2 Compliance for SMEs.


Sources & further reading

#nis2#penalties#enforcement#article-34#guide