The NIS2 Directive requires EU member states to provide for penalties (both financial and administrative) for non-compliance, with national measures applying from 18 October 2024, the day after the 17 October 2024 transposition deadline.
An overarching theme of the directive is board-level engagement with cyber security as a priority: risk-management measures are to be implemented strategically, with active oversight from senior leadership. The penalty regime has been devised with this in mind, targeting the organisation's management bodies as well as the organisation itself.
Managerial Liability for Cyber Security
Where cyber security was once thought of as the responsibility of IT teams and the hands-on operators of an organisation's security tooling, NIS2 reframes this and places accountability with senior management: the management body must approve and oversee the risk-management measures, and can be held liable when the entity fails to comply. This positions cyber security as an organisation-wide, strategic priority.
This accountability attaches to the management bodies of both Essential and Important Entities, and comes with a training obligation: members of the management body must follow training so that they have sufficient knowledge and skills to identify cyber security risks and assess the risk-management practices in place, to a standard that enables them to meet their new responsibilities. For Essential Entities the enforcement powers go further, including the possibility of a temporary ban on individuals at chief executive or legal representative level exercising managerial functions.
Article 20(1) of the directive puts it this way: "Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article."
What Are The Financial Penalties for NIS2 Non-Compliance?
Because NIS2 is a directive rather than a regulation, each member state transposes it into national law and decides its own specific financial penalties. The directive does, however, set out a framework and a floor for the maximum fine: national law must allow fines of at least the amounts below, and may set higher ceilings.
The directive differentiates between Essential and Important Entities in the maximum fines it requires.
Important Entities: member states must provide for administrative fines of up to at least €7,000,000 or 1.4% of the entity's total worldwide annual turnover in the preceding financial year, whichever is the greater amount.
Essential Entities: member states must provide for administrative fines of up to at least €10,000,000 or 2% of the entity's total worldwide annual turnover in the preceding financial year, again whichever is the greater amount.
Further Administrative Enforcement Powers Given by NIS2 for Non-Compliance
Financial penalties are not the only lever. To ensure that management bodies demonstrate commitment and accountability for cyber security provision, NIS2 also requires member states to give their competent authorities a minimum set of supervisory and enforcement powers to apply to entities that do not comply with its requirements, with a broader set of powers for Essential Entities than for Important Entities.