The NIS2 directive grants EU member states the power to enforce penalties (both financial and administrative) for non-compliance after 17th October 2024.
An overarching theme of the directive is one of board-level engagement with cyber security as a priority, emphasising the need to strategically implement risk-management measures with active oversight from senior leadership. Penalties have been devised with this in mind.
Managerial Liability for Cyber Security
Where cyber security was once thought of as the responsibility of IT teams and the hands-on operators of an organisation’s cyber tools, NIS2 reframes this, and places accountability for major negligence in the face of a breach or attack with senior management. This positions cyber security as an organisation-wide, strategic priority.
For Essential Entities, this extends to personal liability on the part of the board, and requires training, as necessary, to gain sufficient knowledge of current cyber security best practice to a standard that enables them to meet their new responsibilities.
“Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article.”
Article 20
NIS2 Directive
What Are The Financial Penalties for NIS2 Non-Compliance?
Due to the nature of NIS2’s application, and the power afforded to individual EU member states, each state may decide its own specific financial penalties. However, the directive sets out a framework and a maximum level of financial penalty.
The NIS2 directive differentiates between Essential and Important entities in its application of financial penalties.
Important Entities
Member states may impose financial penalties of up to either €7,000,000 or 1.4% of the annual global revenue, whichever the greater amount.
Essential Entities
Under NIS2, financial penalties may be up to either €10,000,000 or 2% of the global yearly revenue, again, whichever is the greater amount.
Further Administrative Enforcement Powers Given by NIS2 for Non-Compliance
Along with imposing financial penalties for non-compliance and security negligence, in order to ensure that management suites demonstrate commitment and accountability in addressing cyber security provision, NIS2 also grants the relevant authorities within its remit a selection of minimum enforcement powers to be applied to entities which do not comply with its requirements.
The enforcement powers are as follows:
- To issue warnings to entities for non-compliance.
- To issue binding instructions on cyber security as relevant to NIS2 requirements, which must be followed.
- To deliver orders to cease any conduct that is non-compliant with the directive.
- To deliver orders to implement required risk management measures, or reporting obligations, within a specific stipulated time period, and in a specific manner.
- To deliver orders to make aspects of an entity’s non-compliance public as necessary.
- To deliver orders to inform the users, customers, and/or legal person(s) to whom an entity provides its services where they may be impacted by a cyber threat or breach.
- To deliver orders for an entity to implement cyber security or administrative recommendations following a security audit, to an established, reasonable timeline.
- To designate a monitoring officer responsible for overseeing compliance for a pre-determined period of time and with an established selection of tasks.
- To impose administrative fines.
- In the case of Essential entities, the NIS2 directive empowers EU member states to suspend relevant certifications or authorisations concerning their particular service, should the deadline for taking preventative or remedial action not be met.
- Further, within Essential entities, senior management may be temporarily prohibited from exercising a managerial function until the threat or area of non-compliance in question is suitably resolved.
For clarification, or further specific detail into the penalties for NIS2 non-compliance, the full directive can be found here.
