NIS2 Fines: What Penalties Apply for Non-Compliance?

NIS2 violations can cost companies up to EUR 10 million or 2% of global annual turnover. Learn about fines for different violations, personal management liability, and what two practical scenarios reveal.
NIS2 violations can cost companies up to EUR 10 million or 2% of global annual turnover. Since December 2025, the NIS2UmsuCG has been in force, and the BSI has full authority to audit and impose sanctions. An NIS2Compass analysis of BSI registration data shows that of the roughly 29,500 affected companies in Germany, only 38.5% have registered so far (as of March 2026). The free Pre-Check from NIS2Compass shows you in just a few minutes where your company stands.
This article breaks down the specific penalty frameworks under the NIS2UmsuCG, categorizes them by entity type and violation, and identifies which obligations carry the highest financial risk. The goal is not alarmism, but a factual basis for your prioritization.
What Fines Does the NIS2UmsuCG Impose?
The NIS2UmsuCG sets out a tiered penalty structure based on entity type and violation in § 65 BSIG. Essential entities face fines of up to EUR 10 million or 2% of global annual turnover, while important entities face up to EUR 7 million or 1.4%. Against the backdrop of EUR 202.4 billion in cyber damage in Germany (Bitkom Wirtschaftsschutz 2025), these amounts should be understood as a regulatory floor.
What Are the Maximum Penalties by Entity Type?
- Entity type: Essential (§ 28 Abs. 1 BSIG) · Fixed cap: EUR 10 million · Turnover-based (for annual turnover above EUR 500 million): 2% of global annual turnover
- Entity type: Important (§ 28 Abs. 2 BSIG) · Fixed cap: EUR 7 million · Turnover-based (for annual turnover above EUR 500 million): 1.4% of global annual turnover
How Are Penalties Tiered by Type of Violation?
Not every violation carries equal weight. § 65 BSIG differentiates by the nature of the breach:
- Reporting and registration violations: up to EUR 5 million
- Non-compliance with BSI enforcement orders: up to EUR 2 million
- Failure to provide evidence: up to EUR 1 million
- Other violations: up to EUR 500,000
- Obstruction of supervision: up to EUR 100,000
The tiered structure makes clear that even failing to register with the BSI can have severe consequences, and this is precisely where the biggest gaps currently exist.
What Does This Mean for Mid-Sized Companies?
A concrete example: a manufacturing company with 160 employees and EUR 25 million in annual turnover qualifies as an "important entity" under the EUR 7 million cap. Since the turnover is below EUR 500 million, the fixed cap applies, not the percentage. The potential fine therefore amounts to more than a quarter of annual turnover.
The NIS2Compass Guide walks you through the specific implementation measures for each of these obligations, step by step.
Who Is Personally Liable? Executive Liability Under § 38 BSIG
Under § 38 BSIG, executive management is personally liable with their personal assets for implementing cybersecurity obligations. This responsibility cannot be delegated: neither to a CISO nor to external service providers. According to the BSI Annual Report 2025, 48% of KRITIS operators still lack adequate attack detection capabilities. The statutory liability targets exactly this gap.
"The personal liability of executive management is the most powerful lever in the NIS2UmsuCG. Anyone who continues to treat cybersecurity as a purely IT matter risks not just fines, but their own professional livelihood." — Dr. Markus Hartmann, Senior Compliance Consultant at NIS2Compass
Executive management must actively approve the risk management framework under § 30 BSIG and supervise its implementation. In practice, this means security strategies belong on the boardroom agenda. A CISO can be responsible for operational execution, but the overall strategic accountability remains with executive management, without exception.
Liability applies as internal liability with personal assets. The company itself can hold executive management liable for damages caused by breaches of duty. Critically, a waiver of liability is prohibited by law.
§ 38 Abs. 2 BSIG explicitly prohibits shareholder agreements from releasing executive management from this responsibility. Even a D&O insurance policy does not protect against all consequences.
There is also a training obligation. Executive management must participate in cybersecurity training on a regular basis, at least every three years. The BSI offers a dedicated executive training program that takes approximately four hours.
This obligation applies equally to essential and important entities. Ignorance does not shield you from liability. The legislator expects demonstrable competence at the executive level.
The conclusion is clear: cybersecurity is a boardroom responsibility, not an IT task. Managing directors must understand the requirements of § 30 BSIG and actively oversee their implementation. The NIS2Compass Guide walks you through the specific risk management measures required by § 30 BSIG across 8 chapters.
Which Violations Trigger Fines?
Fines can be imposed for five core offenses, ranging from missing security measures to late reporting of an incident. The BSI registration deadline (March 6, 2026) has already passed. According to BSI statistics, only 38.5% of affected entities registered on time. If you have not yet registered, you are already committing an administrative offense under § 65 BSIG.
Which Offenses Occur Most Frequently?
- Missing risk management measures (§ 30 BSIG): the central obligation. Companies must demonstrate technical and organizational measures.
- Reporting obligation violation (§ 32 BSIG): the deadlines of 24 hours, 72 hours, and one month are not met. For details, see the article NIS2 Reporting Obligations: When, What, and to Whom?.
- Failure to register with the BSI (§ 33/34 BSIG): the deadline of March 6, 2026 has already expired.
- Missing documentation and evidence (§ 39, § 61 BSIG): documents must be provided upon BSI request.
- Obstruction of a BSI audit: anyone who impedes or refuses inspections faces additional sanctions.
Which Ten Areas Does § 30 BSIG Define?
The first offense listed above carries particular weight. § 30 Abs. 2 BSIG defines ten specific areas in which entities must implement appropriate measures:
- Risk analysis and security concepts
- Incident handling
- Business continuity and crisis management
- Supply chain security
- Security in the acquisition, development, and maintenance of IT systems
- Assessment of the effectiveness of measures
- Cyber hygiene and training
- Cryptography and encryption
- Personnel security, access controls, and asset management
- Multi-factor authentication and secure communications
If even one area is missing, a violation exists. The BSI can specifically inquire about each individual point during audits.
The reality shows a clear need for action: according to a study by G DATA, only 12.1% of affected companies have fully implemented NIS2. Whether your company is affected is covered in the article Am I Affected by NIS2?. Ready-made templates for risk analyses, security concepts, and incident response plans are available in the NIS2Compass Template Library. An overview of all NIS2 compliance templates is available on the dedicated templates page.
How Does Supervision Differ by Entity Type?
The crucial difference between entity types lies not in the obligations themselves, but in the intensity of supervision. Essential entities are subject to proactive BSI oversight, even without a specific triggering event. Important entities, by contrast, are only audited on a reactive basis. According to the BSI, as of December 31, 2025, 1,179 KRITIS operators with 2,136 facilities were already registered.
The following table shows the differences in detail:
- Aspect: Supervision type · Essential entities: Proactive (ex ante) · Important entities: Incident-triggered
- Aspect: BSI audits without cause · Essential entities: Yes (earliest from Dec. 2028 for non-KRITIS) · Important entities: No
- Aspect: On-site inspections · Essential entities: Yes · Important entities: Only with specific cause
- Aspect: Management suspension · Essential entities: Yes, temporary (§ 61 BSIG) · Important entities: No
- Aspect: Maximum fine · Essential entities: EUR 10 million / 2% annual turnover · Important entities: EUR 7 million / 1.4% annual turnover
- Aspect: Reporting obligations · Essential entities: Identical (24h / 72h / 1 month) · Important entities: Identical
- Aspect: Risk management (§ 30) · Essential entities: Identical (all 10 areas) · Important entities: Identical
- Aspect: Executive liability (§ 38) · Essential entities: Identical · Important entities: Identical
The obligations are substantively identical for both entity types. What differs is the intensity of supervision, the penalty ceiling, and the possibility of management suspension under § 61 BSIG.
For mid-sized companies, this means: a manufacturing company with 160 employees typically qualifies as an "important entity." It is therefore subject to incident-triggered supervision but must meet the same substantive requirements for risk management and reporting obligations.
What Happens If You Violate the Reporting Obligation?
If you fail to report a significant security incident within 24 hours, you commit an administrative offense with fines of up to EUR 5 million. The BSI emphasizes the principle: "Speed before completeness" — the statutory deadlines are upper limits, not targets. According to the BSI Annual Report 2025, 80 percent of ransomware victims are SMEs.
The BKA Bundeslagebild Cybercrime 2024 confirms: two to three serious ransomware attacks are reported to police daily.
How Does the Three-Stage Reporting Process Work?
- Stage: Early initial report · Deadline: 24 hours · Content: First assessment of the incident — speed is what counts
- Stage: Follow-up report · Deadline: 72 hours · Content: Updated assessment including severity details
- Stage: Final report · Deadline: 1 month · Content: Root cause analysis, measures taken, concrete impact
Reports are submitted through the BSI reporting platform. The key point: each stage builds on the previous one. You do not need to have all the answers at once.
What Is the Most Common Mistake When Reporting?
Many companies want to sort everything out internally first and then report. This is exactly what leads to missed deadlines. The 24-hour initial report does not require a complete analysis. A preliminary assessment is sufficient, for example which systems are affected and whether the incident is ongoing. Do not wait for a finished forensics report. Report first, investigate in parallel.
Are There Consequences Beyond Fines for NIS2 Violations?
Yes. Beyond fines, companies face personal liability of executive management with personal assets (§ 38 BSIG), temporary suspension of management functions by the BSI (§ 61 BSIG), binding enforcement orders with deadlines, and significant reputational damage. In practice, these consequences compound each other. According to Bitkom (2025), 34 percent of companies were affected by ransomware. Two anonymized scenarios illustrate how fines, liability, and supervisory measures interact.
Scenario A: Ransomware at a Manufacturing Company
A mid-sized manufacturer with 160 employees and EUR 25 million in annual turnover falls victim to a ransomware attack. Production comes to a standstill. As an important entity, the company is subject to NIS2 obligations.
The managing director decides: "Let's figure out what happened internally first, then report." As a result, the 24-hour deadline for the initial report passes. This alone constitutes a violation of § 32 NIS2UmsuCG. The potential fine: up to EUR 5 million.
The subsequent investigation uncovers further deficiencies. There is no documented incident response process. The last backup test was 18 months ago. Both violate the risk management obligations under § 30.
Particularly serious: the managing director had never formally approved the security measures and never supervised their implementation. This triggers personal liability under § 38. The company can hold him personally liable for damages. A waiver of liability by the shareholders is prohibited by law.
Scenario B: BSI Audit at an IT Service Provider
A managed service provider with 80 employees qualifies as an essential entity subject to stricter supervision. The BSI conducts a proactive audit under § 61 without any specific triggering event.
The auditors find: no documented risk management, no regular risk analysis, no asset inventory. These are fundamental violations of § 30. The penalty framework here is up to EUR 10 million.
The BSI orders a remediation plan with a concrete deadline. The company fails to respond in time. The BSI then uses its most powerful instrument: the temporary prohibition of management activities under § 61 Abs. 5. The suspension is only lifted once all orders have been fully implemented.
Why Are These Scenarios Not Exceptions?
The manufacturing sector accounts for 14.9 percent of all ransomware victims in the EU according to the ENISA Threat Landscape 2025, a threefold increase since 2022. How to act correctly in the critical first hours after an attack is covered in the article Cyberattack: The First 24 Hours Under NIS2. In-depth articles on risk management and reporting obligations are available in the NIS2Compass Knowledge Hub. With the Pre-Check from NIS2Compass, you can assess upfront whether your company is prepared.
Both scenarios are anonymized and serve as illustrations. They do not constitute legal advice.
Frequently Asked Questions About NIS2 Fines
How High Are the NIS2 Fines?
The penalty amount depends on your company's classification. Essential entities face fines of up to EUR 10 million or 2% of global annual turnover, whichever amount is higher. Important entities must reckon with up to EUR 7 million or 1.4% of annual turnover. The exact amount depends on the type and severity of the violation under § 65 BSIG.
Is Executive Management Personally Liable — Including With Personal Assets?
Yes. Under § 38 BSIG, managing directors and board members are personally liable toward their own company (known as internal liability). A waiver of these claims through shareholder agreements is prohibited by law. Even delegating operational tasks to a CISO does not release executive management from its supervisory duty — they remain ultimately responsible.
Is There a Transition Period?
No. The NIS2 transposition law has been in force since December 6, 2025. There is no general transition period. The BSI registration deadline of March 6, 2026 has already passed. Companies must meet the requirements now.
What Happens If I Fail to Report a Security Incident?
Failure to report or late reporting of a security incident is an administrative offense under § 65 BSIG and can result in fines of up to EUR 5 million. The initial report to the BSI must be submitted within 24 hours of becoming aware of the incident. The guiding principle is: speed before completeness — a preliminary assessment is sufficient initially.
Am I Affected as a Manufacturing Company With 160 Employees?
Very likely, yes. The manufacturing sector falls under Annex II of the NIS2 Directive. Companies with 50 or more employees or EUR 10 million or more in annual turnover qualify as important entities and are subject to the full range of NIS2 obligations. With the free Pre-Check from NIS2Compass, you can determine in just a few minutes whether your company is affected.
Further answers on fine amounts, supervision and reporting obligations are available in the official BSI FAQ on NIS-2 (German only).
Implement NIS2 step by step
NIS2Compass guides you step by step through implementation – with guide, templates and knowledge hub.
Get startedÄhnliche Artikel
The KRITIS Umbrella Act and NIS2: What Applies to Whom?
Since July 2026, around 2,000 KRITIS operators must register in addition to NIS2. Who needs to comply with NIS2, the KRITIS Umbrella Act, or both — sectors, deadlines, and fines explained.
7 Min. Lesezeit
NIS2 ISO 27001 Mapping: Excel Checklist Download
ISO 27001 covers approximately 70% of NIS2 requirements. The mapping Excel shows at a glance what is already covered — and where the regulatory gap remains.
6 Min. Lesezeit
NIS2 BSI Registration: Missed the Deadline — What Now?
The statutory NIS2 registration deadline has expired, but the BSI is granting an extended deadline until 31 July 2026. How to complete your registration in the BSI portal step by step.
9 Min. Lesezeit