NIS2 Penalties: What You Actually Risk

Four penalty tiers, concrete calculation examples for three company sizes, realistic enforcement scenarios, and the management personal liability that D&O insurance probably does not cover.

The Penalty Framework Is Real – But Proportionate

NIS2 penalties are modeled on the GDPR penalty structure – designed to be large enough that companies cannot treat fines as a cost of doing business. The maximum amounts (up to €10M or 2% of global turnover) make headlines, but the reality for most mid-market companies is more nuanced. Fines are assessed based on the severity of the violation, the company's size, whether the company acted in good faith, and what corrective steps were taken.

That said, the penalty framework is not theoretical. The BSI has enforcement powers, the fines are codified in §65 BSIG, and management personal liability under §38 is a separate legal mechanism. Ignoring NIS2 is not a viable risk management strategy. Understanding the actual penalty structure helps you make proportionate decisions about compliance investment – neither panicking nor dismissing the risks.

Four Penalty Tiers
The BSIG establishes different maximum penalties depending on entity type and the nature of the violation.

Up to €10,000,000 or 2% of global annual turnover

Essential entities – cybersecurity measure violations

Applies to besonders wichtige Einrichtungen (essential entities, Annex I sectors) that fail to implement adequate cybersecurity measures under §30 BSIG, fail to report significant incidents under §32, or otherwise violate substantive NIS2 obligations. The fine is the HIGHER of €10M or 2% of the previous fiscal year's global turnover.

Up to €7,000,000 or 1.4% of global annual turnover

Important entities – cybersecurity measure violations

Applies to wichtige Einrichtungen (important entities, Annex II sectors) for the same substantive violations. The lower ceiling reflects the NIS2 Directive's proportionality principle – important entities operate in lower-criticality sectors. The fine is the HIGHER of €7M or 1.4% of the previous fiscal year's global turnover.

Up to €500,000

Registration violations

Specific penalty for failing to register with the BSI under §33 BSIG or providing incorrect registration information. This is a standalone violation – you can be fined for non-registration even if your actual cybersecurity measures are adequate. The registration penalty applies to both essential and important entities.

Up to €500,000

Reporting violations

Specific penalty for failing to report significant incidents within the required timelines (24h early warning, 72h notification, 1 month final report) or for failing to provide required information during BSI investigations. Each reporting failure is a separate potential violation.

Concrete Calculation Examples
Maximum penalties for companies of different sizes. Because the fine is the higher of the fixed amount and the turnover percentage, the turnover-based calculation only becomes relevant once it exceeds the fixed amount.

Company type | Annual turnover | Max fine (essential) | Max fine (important)
Small mid-market | €15,000,000 | €10,000,000 (fixed amount applies – 2% would be only €300,000) | €7,000,000 (fixed amount applies – 1.4% would be only €210,000)
Medium mid-market | €50,000,000 | €10,000,000 (fixed amount applies – 2% would be only €1,000,000) | €7,000,000 (fixed amount applies – 1.4% would be only €700,000)
Large enterprise | €200,000,000 | €10,000,000 (fixed amount applies – 2% would be €4,000,000) | €7,000,000 (fixed amount applies – 1.4% would be €2,800,000)

Four Realistic Enforcement Scenarios

What actually triggers BSI enforcement and what the consequences look like in practice.

Late or missing BSI registration

Your company meets the NIS2 scope criteria but has not registered with the BSI under §33 BSIG. The BSI identifies you through sector databases, industry association membership lists, or commercial registers.

The BSI issues a compliance order requiring registration within a set deadline. If you comply, the matter may end there – especially if you can show you were genuinely unaware. If you ignore the order, fines of up to €500,000 can be assessed. The registration gap also creates documentation that you were non-compliant from the start, which weakens your position on any other NIS2 violation.

Failure to report a significant incident

Your company suffers a ransomware attack that disrupts services for 48 hours. You handle the technical response but do not report to the BSI. The incident becomes public through media coverage or customer complaints.

The BSI investigates and finds that no report was filed. Failure to file the initial early warning within 24 hours is a separate violation from failure to file the 72-hour notification and the final report – each is an independent penalty trigger. Beyond the fine (up to €500,000 per reporting failure), the non-reporting raises questions about your entire compliance posture, potentially triggering a broader audit.

No risk management process in place

During a BSI audit (for essential entities) or following an incident (for important entities), the BSI finds that your company has no documented risk assessment, no asset inventory, and no cybersecurity measures beyond basic IT operations.

This is the most serious substantive violation – a complete absence of §30 BSIG compliance. Maximum penalties apply (€10M/2% for essential, €7M/1.4% for important). In practice, the BSI would likely issue binding instructions first and impose penalties for non-compliance with those instructions. But the lack of any risk management process leaves no room for the 'we tried in good faith' defense.

Supply chain security gaps

Your company outsources IT operations to a managed service provider. The provider suffers a data breach that exposes your customer data. The BSI investigates and finds no supplier security assessment, no contractual cybersecurity requirements, and no monitoring of the provider's security posture.

You are responsible for your supply chain security under §30(2)(4) BSIG, regardless of where the breach occurred. The absence of supplier due diligence means you failed to implement required measures. This can trigger penalties under the cybersecurity measures framework (up to €10M/€7M depending on entity type), plus the incident itself triggers reporting obligations. If you also fail to report, penalties compound.

Management Personal Liability – The Part Most People Miss
Company fines are one thing. Personal liability for the Geschäftsführung is another.

§38 BSIG creates a personal liability mechanism for company management that is separate from the administrative fines against the company. The Geschäftsführung must approve the cybersecurity risk management measures, oversee their implementation, and complete cybersecurity training. If these duties are neglected and the company suffers damages as a result, the management can be held personally liable for those damages. This is a civil liability – the damages claim comes from the company (or its insolvency administrator) against the individual managers.

Critically, §38 BSIG states that this liability cannot be waived by shareholder resolution. Even in an owner-managed GmbH where the Geschäftsführer is also the sole shareholder, the liability exists. D&O insurance policies typically exclude regulatory fines and penalties, and coverage for NIS2-specific liability is an evolving area – check your specific policy rather than assuming coverage. The practical implication: NIS2 compliance is now a personal risk management issue for every Geschäftsführer, not just a corporate governance checkbox.

Frequently Asked Questions

What is the maximum fine for my company?

It depends on your entity classification. Essential entities (Annex I sectors): the higher of €10M or 2% of global annual turnover. Important entities (Annex II sectors): the higher of €7M or 1.4% of global annual turnover. For most mid-market companies (under €500M turnover), the fixed amount applies because 2% of turnover is less than €10M. Separate penalties of up to €500,000 apply for registration and reporting violations.

Can I be personally fined as Geschäftsführer?

The administrative fines under §65 BSIG are levied against the company, not the individual. However, §38 BSIG creates personal civil liability for damages resulting from failure to approve and oversee cybersecurity measures. This means you face personal liability for the company's losses – not a government fine, but potentially a damages claim. In an insolvency scenario, the insolvency administrator can pursue this claim against you personally.

Does D&O insurance cover NIS2 penalties?

Most D&O policies exclude regulatory fines and administrative penalties – these are typically uninsurable under German law. The civil liability under §38 BSIG (damages claims) may be covered by D&O insurance, depending on your policy terms. Review your specific policy and discuss NIS2 exposure with your broker. Do not assume coverage exists – ask for written confirmation of what is and is not covered.

What triggers BSI enforcement?

For essential entities: the BSI can conduct proactive audits and inspections without a specific trigger. For important entities: enforcement is typically reactive – triggered by a reported incident, third-party complaint, media coverage of a breach, or failure to register. The BSI also cross-references commercial register and sector databases to identify entities that should be registered but are not.

Are penalties proportional to company size?

Yes, by design. The percentage-of-turnover calculation ensures that penalties scale with company size. For a €15M-turnover company, the maximum essential entity fine is €10M (the fixed cap, since 2% is only €300,000). For a €600M company, the maximum is €12M (2% of turnover exceeds the €10M floor). Additionally, the BSI is required to consider proportionality when assessing penalties – company size, severity of the violation, duration, and good faith efforts all factor into the actual penalty amount.

Sources
  • BSIG – §38 (Management liability), §65 (Administrative fines and penalty framework)
  • NIS2 Directive (EU) 2022/2555 – Article 34 (Supervisory measures for essential entities), Article 35 (Supervisory measures for important entities), Article 36 (Penalties)
  • NIS2UmsuCG – Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Stärkung der Cybersicherheit
  • BMI – Parliamentary documentation on penalty framework design and proportionality considerations
  • GDV (Gesamtverband der Deutschen Versicherungswirtschaft) – D&O insurance coverage analysis for regulatory liability (2025)
Avoid Penalties – Build a Defensible Compliance Record
The platform creates an auditable trail of your NIS2 compliance work: management sign-offs, risk assessments, incident reporting readiness, and supplier documentation. When the BSI asks what you have done, you have evidence – not excuses.