
NIS2 Penalties, Fines & Executive Liability

NIS2 fines up to EUR 10M, personal executive liability, and supervisory authority powers at a glance.

NIS2 Penalties at a Glance

The NIS2 Directive significantly tightens sanctions for inadequate cybersecurity. Compared to the original NIS Directive, maximum fines increase many times over. Particularly notable: NIS2 introduces personal liability for executives regarding cybersecurity deficiencies for the first time. This definitively moves cybersecurity from the IT department to the boardroom.

The purpose of the sanctions is clear: They are designed to ensure that organisations take NIS2 requirements seriously and implement appropriate security measures. The level of fines follows the GDPR model and is intended to have a tangible impact even on large corporations.

Legal Basis for Sanctions

The sanctions framework is based on two levels: the European NIS2 Directive (EU) 2022/2555 and the German NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), which has been in force since 06.12.2025.

Art. 34 and Art. 35 of the NIS2 Directive

Art. 34 governs supervisory measures and enforcement powers against essential entities. Member States must ensure that supervisory authorities can take effective, proportionate, and dissuasive measures. Art. 35 extends these powers in an adapted form to important entities, where the supervisory approach is reactive (ex post) rather than proactive (ex ante).

Art. 34(2) expressly empowers authorities to hold natural persons in management positions accountable. This means personal liability is not merely a national invention but is anchored in European law. Both articles also require Member States to consider the severity of the infringement, its duration, previous infringements, the damage caused, and the degree of cooperation with the authorities when determining fines.

Sections 60 to 65 NIS2UmsuCG: The German Implementation

The NIS2UmsuCG concretises the European requirements for Germany. Sections 60 to 65 contain the fine catalogue, provisions on executive liability, and the powers of the BSI in enforcement proceedings. Section 60 defines the offences subject to fines. These include violations of risk management obligations (Section 30), reporting obligations (Section 32), and registration obligations (Section 33).

Section 61 regulates the fine levels and differentiates by entity type. Section 62 contains provisions on personal liability of executives. Sections 63 to 65 define the BSI's enforcement powers, including the authority to issue directives, set deadlines, and order coercive measures in case of non-compliance. Important: A waiver of damages claims against executives is ineffective under Section 38(3) NIS2UmsuCG. Settlements between the company and its executives regarding such claims are also void.

Fines by Entity Type

NIS2 differentiates fines between essential and important entities. In both cases, the higher value applies: either the absolute amount or the percentage of worldwide annual turnover.

Maximum fines under NIS2 broken down by entity type

Criterion            Essential Entities                  Important Entities
Max. fine            EUR 10 million                      EUR 7 million
Turnover-based       2% of worldwide annual turnover     1.4% of worldwide annual turnover
Applicable           whichever is higher                 whichever is higher
Turnover reference   Group turnover (worldwide)          Group turnover (worldwide)

An example: An organisation with EUR 800 million annual turnover classified as an essential entity risks a fine of up to EUR 16 million (2% of EUR 800 million), since this amount exceeds the absolute maximum of EUR 10 million.

In addition to fines, the supervisory authority can order further measures that may be even more economically severe: the temporary prohibition of business activities, the withdrawal of licences, or the public disclosure of infringements (naming and shaming).

Executive Liability Under Art. 20

Art. 20 of the NIS2 Directive establishes personal responsibility of senior management for the organisation's cybersecurity. This provision is unprecedented in its scope and has far-reaching consequences for managing directors, board members, and supervisory board members.

Obligation to Approve Security Measures

Senior management must actively approve the risk management measures under Art. 21 and oversee their implementation. This means: security measures may not simply be delegated to the IT department. Senior management must be demonstrably involved in decision-making and formally sign off on the measures taken.

Obligation to Participate in Training

Members of management bodies are obliged to participate in cybersecurity training. The training must provide them with sufficient knowledge and skills to identify risks, assess risk management practices, and evaluate their impact on the services provided by the entity.

Personal Liability for Damages

In the event of a breach of duty, executives are personally liable for resulting damages. This encompasses both damages incurred by the organisation from cyberattacks and fines imposed due to inadequate compliance. Particularly critical: personal liability cannot be contractually excluded or limited. A D&O insurance policy may not cover NIS2 violations.

For executives, this means: Cybersecurity is a boardroom matter. Anyone who ignores or inadequately implements NIS2 obligations risks their personal assets. The full NIS2 requirements under Art. 21 can be found on our detail page.

Scope of Liability: What Exactly Is Covered?

Personal liability extends to all damages incurred by the organisation through a breach of NIS2 obligations. These include direct damages from cyberattacks enabled by inadequate security measures, fines imposed by the supervisory authority, costs for incident response and recovery, contractual penalties owed to customers and partners, and reputational damages reflected in revenue losses. Liability applies even in cases of negligence. You do not need to have intentionally breached obligations. It is sufficient that you did not approve or oversee risk management measures with the requisite diligence.

D&O Insurance: Does It Cover NIS2 Violations?

Many executives rely on their D&O insurance (Directors and Officers Liability Insurance). For NIS2 violations, however, this protection is problematic. First, numerous D&O policies explicitly exclude fines and regulatory sanctions. Second, no insurance cover applies to intentional breaches of duty. Third, it is unclear whether insurers will treat the new NIS2 liability risks as covered under existing policies or as a new risk category requiring policy amendments.

The recommendation is clear: Review your D&O policy for explicit exclusions of cybersecurity compliance violations. Speak with your insurance broker about extending coverage. And do not rely on insurance as a substitute for compliance. The safest strategy remains the consistent implementation of NIS2 requirements.

Comparison with GDPR Liability

The GDPR does not provide comparable personal liability for executives. GDPR fines are directed at the company as a legal entity. While managing directors can be liable under general corporate law (e.g. Section 43 GmbHG) for organisational fault, the GDPR itself does not regulate this. NIS2 goes a clear step further: personal liability is explicitly enshrined in law, contractual exclusion is void, and senior management must actively demonstrate that they have fulfilled their obligations. This effectively shifts the burden of proof in favour of the company and against the executives.

BSI Powers and Supervisory Measures

Since the NIS2UmsuCG came into force, the BSI has an extensive toolkit at its disposal that goes far beyond merely imposing fines. The following measures are available to the BSI:

Ordering Security Audits

The BSI can order or conduct security audits at any time. For essential entities, this occurs proactively and regularly, without a specific trigger. The BSI can commission qualified third parties to perform the audits. The audited organisation bears the costs. The results must be fully disclosed to the BSI, and the BSI can order binding measures based on the findings.

Binding Instructions and Deadlines

If the BSI identifies deficiencies, it can issue binding instructions and set a deadline for remediation. These instructions are not recommendations but legally binding administrative acts. If the organisation fails to comply within the deadline, coercive penalties and further escalation steps follow. The BSI can also order the organisation to inform its customers or the public about certain risks or incidents.

Temporary Activity Ban for Executives

In severe cases, the BSI can request that an executive of an essential entity be temporarily prohibited from exercising their management duties. This is the sharpest individual sanction and is unprecedented in the German regulatory landscape. It applies when an executive fails to take adequate measures despite binding instructions and a significant threat to network and information security exists.

Appointment of a Compliance Monitor

The BSI can appoint an independent compliance monitor who oversees the implementation of ordered measures on-site. The monitor has access rights to all relevant systems and documents. The affected organisation bears the costs. This measure is particularly severe because it effectively establishes external control over the organisation's IT security.

BSI as Supervisory Authority

The Federal Office for Information Security (BSI) is significantly strengthened by NIS2. As the national supervisory authority, the BSI receives far-reaching powers to monitor and enforce NIS2 requirements.

BSI Powers

  • Conduct or order on-site inspections and security audits
  • Carry out targeted security reviews based on risk analyses or available information
  • Request information and evidence to assess security measures
  • Issue binding instructions to remediate identified deficiencies
  • Impose fines for violations of security requirements or reporting obligations
  • Order public disclosure of violations

Proactive vs. Reactive Supervision

The intensity of supervision differs significantly by entity type:

BSI supervisory approach by entity type

Aspect             Essential Entities                                             Important Entities
Supervision type   proactive (ex ante)                                            reactive (ex post)
Trigger            Regular, without specific cause                                After incident or justified suspicion
Audits             Regular security audits by BSI or commissioned third parties   Event-driven reviews
Preparation        Permanent audit readiness required                             Documentation must be available on request

Escalation Process

The BSI generally follows a graduated approach: First, recommendations are issued, then binding instructions with deadlines. If these are disregarded, fines follow. In severe cases, the BSI can order the temporary prohibition of business activities or temporarily bar executives from performing their duties.

For essential entities, an additional instrument is available: The BSI can appoint a compliance monitor who oversees the implementation of ordered measures on-site. The affected organisation bears the costs.

Comparison: NIS2 vs. GDPR Penalties

NIS2 sanctions are deliberately modelled on the GDPR approach. A comparison reveals the parallels and differences:

Comparison of NIS2 and GDPR sanction frameworks

Criterion               NIS2                                            GDPR
Max. fine               EUR 10M / 2% of turnover                        EUR 20M / 4% of turnover
Personal liability      Yes, executive liability explicitly regulated   No direct personal liability
Supervisory authority   BSI (national)                                  State data protection authorities
Reporting obligation    24h + 72h + 30 days                             72h
Scope                   Network and information security                Personal data
Business prohibition    Yes, possible as escalation measure             No

Notably, NIS2 goes beyond the GDPR in one respect: personal liability of executives. While the GDPR primarily holds the company accountable, NIS2 expressly addresses the natural persons in senior management. Additionally, NIS2 can order the temporary prohibition of business activities in extreme cases, an instrument the GDPR does not have.

For organisations that fall under both NIS2 and the GDPR (which is the case for most), this means: two parallel compliance requirements, each with its own sanctions framework. An integrated implementation saves effort and reduces compliance risks.

Practical Examples: What Sanctions Can Look Like

The following scenarios are fictitious but are based on the actual fine frameworks and enforcement powers of the NIS2UmsuCG. They illustrate how breaches of duty can play out in practice.

Scenario 1: Missed Reporting Obligation During a Ransomware Attack

A mid-sized energy supplier (essential entity, EUR 450 million annual turnover) falls victim to a ransomware attack. The IT department detects the attack on Monday morning but initially only informs senior management. The BSI notification is submitted after 96 hours instead of the required 24-hour early warning. The BSI imposes a fine of EUR 500,000 for violation of the reporting obligation. Additionally, it orders a security review costing EUR 120,000, borne by the company. The CEO is personally liable because no incident response process with clear escalation paths had been established.

Scenario 2: Missing Risk Management Measures

An IT service provider (important entity, EUR 80 million annual turnover) operates cloud infrastructure for several hospitals. During an inspection, the BSI finds that no documented risk analysis exists, supply chain security has not been assessed, and no business continuity plan is in place. The BSI issues binding instructions with a 3-month deadline. The organisation fails to implement the measures on time. A fine of EUR 1.12 million (1.4% of annual turnover) follows, along with the appointment of a compliance monitor at the company's expense.

Scenario 3: Executives Without Cybersecurity Training

A logistics company (essential entity, EUR 1.2 billion group turnover) has implemented an ISMS, but the three managing directors have not completed NIS2-compliant cybersecurity training. The risk management measures were not formally approved by the executive board but handled exclusively by the CISO. After a security incident, the BSI identifies these governance deficiencies. The fine amounts to EUR 2 million. Additionally, the CEO is personally liable for the resulting damage, as they demonstrably breached their oversight duty. The D&O insurance denies coverage because the violation is classified as a knowing breach of duty.

Scenario 4: Inadequate Supply Chain Security

A software manufacturer (important entity, EUR 200 million annual turnover) uses open-source components in its core platform without conducting a systematic software supply chain security assessment. A vulnerability in an unpatched library is exploited by attackers, affecting 50 customers, including several critical infrastructure operators. The BSI imposes a fine of EUR 2.8 million (1.4% of annual turnover) for inadequate supply chain assessment under Art. 21(2)(d). Additionally, the BSI orders public disclosure of the violation, leading to significant reputational damage and customer loss.

These scenarios demonstrate: NIS2 sanctions are not abstract. They affect real organisations and real individuals. The most effective protection is the early and systematic implementation of the NIS2 requirements. A structured implementation plan helps you meet all obligations on time.
