NIS-2 Fines: Sanctions and Board Liability 2026
NIS-2 fines up to EUR 10 million or 2% of group turnover. Sanction framework, board liability and a 90-day plan for BSI-compliant implementation.
The sanction framework of the NIS-2 Directive is sharp. The management board and executive leadership carry personal liability. This article describes the fine range, the supervisory practice of the BSI and the operational steps with which a mid-cap or group board measurably reduces sanction risk within 90 days.
NIS-2 Fines: Sanction Framework from 2026
The EU NIS-2 Directive sets two sanction categories. Essential entities face a fine risk of up to EUR 10 million or 2% of worldwide annual turnover of the preceding financial year. The higher amount applies. Important entities face up to EUR 7 million or 1.4% of worldwide annual turnover, again whichever is higher.
The turnover reference uses group turnover, not the turnover of the individual subsidiary. A German GmbH with EUR 80 million in turnover that belongs to a group with EUR 4 billion in total turnover will be assessed on the group figure. The fine can therefore far exceed the operating result of the affected unit.
The competent supervisory authority in Germany is the BSI, with powers to order, audit and sanction under the NIS-2 implementation act. NIS-2 fines can be cumulated with GDPR sanctions if the same incident affects both personal data and network security. In a ransomware case with data exfiltration, both proceedings run in parallel.
Personal Board Liability under NIS-2
Executive leadership is personally liable for failure to implement the risk management measures under Article 21 NIS-2. Approval of the measures by the management bodies is a statutory obligation. Delegation to the CISO does not release the board. The law requires active engagement and a documented resolution.
The training obligation for executive leadership in cybersecurity is likewise non-delegable. Board members must demonstrate that they themselves have been trained, not only their staff. A certificate of attendance belongs in the personnel file and in the audit dossier.
D&O insurance regularly excludes intentional breaches of duty. Anyone who knows the NIS-2 measures and fails to implement them risks losing insurance cover. The supervisory board carries a secondary monitoring duty. If it remains inactive, the supervisory board can share liability, in particular if it received reports on open NIS-2 deficits but did not demand correction.
Which Companies Are Affected
NIS-2 covers 18 sectors. 11 of these are classified as essential (energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service providers, public administration, space). 7 further sectors are classified as important (postal services, waste, chemicals, food, manufacturing, digital providers, research).
The threshold is 50 employees or EUR 10 million in annual turnover within these sectors. KRITIS operators fall automatically under the essential entities regardless of size. The BSI-KritisV defines the thresholds for KRITIS installations on a sector-specific basis.
Suppliers and service providers are captured via the supply chain clause under Article 21(2)(d). Anyone acting as a critical service provider to a NIS-2 obligated entity must take on the requirements by contract. Self-classification is mandatory: the company itself must determine whether it is in scope, since the authority does not issue a notice as it did under the old BSI-KritisV logic. The registration obligation with the BSI applies within the statutory deadline following entry into force of the national implementation act.
Operational Duties with Fine Relevance
The notification duty is staggered. For a significant security incident, an early warning must be sent to the BSI within 24 hours. A qualified incident report follows within 72 hours. A final report must be submitted within one month. Breaches of the notification duty are independently sanctioned.
The risk management measures under Article 21 cover ten minimum areas: risk analysis, handling of security incidents, business continuity and crisis management, supply chain security, security in acquisition and development, assessment of effectiveness, basic cyber hygiene and training, cryptography, personnel security and access control, multi-factor authentication, and security of premises and physical access control.
Supply chain risk management requires a documented assessment of critical service providers. A list is not enough. It needs a risk classification, contractual security clauses and an escalation path. Business continuity and backup management must be evidenced through recovery tests. A backup that has never been restored counts as non-existent in an audit. The evidence trail for all measures must be available for BSI inspection, as a rule in a central compliance dossier with version control.
Physical Security as a NIS-2 Requirement
Article 21(2)(e) of the NIS-2 Directive explicitly requires measures for the security of premises and physical access control. This requirement is regularly overlooked in the NIS-2 debate. Anyone who implements the cyber part to model standards but secures the server room with a key from the 1990s does not fulfil the directive.
Perimeter, server room and critical installations must be defined and monitored as protected zones. The definition belongs in the security concept, the monitoring in operational service. Patchy 24/7 patrolling counts as a weakness in an incident audit and must be documented. If a guard post does not complete a documented round between 02:00 and 06:00, the BSI will assess this gap as an organisational failure following an incident.
Autonomous patrol robotics closes the patrol gap and at the same time delivers an audit trail via sensor log. Every round, every anomaly, every thermal contact is recorded with a time stamp. QR-2 for 24/7 outdoor perimeter and QR-3 for KRITIS sites deliver motion, thermal and LiDAR data as auditable evidence. Unlike human posts, there is no shift change break and no break overrun.
BSI Supervision: Audits and Orders
Supervisory practice differs between the two categories. Essential entities are subject to proactive supervision: the BSI can order on-site inspections, audits and document reviews without cause. Important entities are audited reactively, triggered by incidents, tips or third-party complaints.
The BSI can issue binding instructions. In an extreme case this includes the temporary prohibition of the activity of management persons. This sanction targets board members and managing directors who, after being ordered to act, still fail to implement measures. Certifications under BSI specifications can be ordered as mandatory, for example ISO 27001 certification with the BSI sector extension.
Publication of breaches is provided for as an additional sanction. The BSI may publicly disclose the name of the company, the nature of the breach and the fine imposed. The reputational damage hits B2B providers in tenders and B2C providers in customer trust.
Avoiding Fines: 90-Day Action Plan
Day 1 to 14: self-classification against the sector and threshold criteria. Registration with the BSI via the reporting portal. Written assignment of NIS-2 responsibility within executive leadership, ideally as a board or managing director resolution with minutes.
Day 15 to 45: gap analysis against the ten risk management areas under Article 21. Rate each area on a traffic-light scale. Prioritise the red fields by fine risk and implementation effort. In practice, supply chain and physical security are the weakest areas.
Day 46 to 75: implementation of the physical security measures. Perimeter protection, access control, video surveillance with recording, 24/7 patrolling. This is where robotics enters the picture when staffing costs tip the economics.
Day 76 to 90: test the notification processes with an exercise, for example a tabletop simulation of a ransomware incident. Conduct and document training of the management bodies in cybersecurity. Update supplier contracts with security clauses, starting with the five highest-revenue service providers.
Running alongside all phases: build the audit trail. Every measure, every training, every test is filed in the central compliance dossier. In a BSI audit, the documentation decides, not the verbal statement.
Cost Comparison: Compliance versus Sanction
A 24/7 guard post costs, according to BDSW industry figures, between EUR 15,000 and 25,000 per month, depending on tariff region, qualification and shift bonuses. The guard post covers one position. A site with two posts and a relief guard runs at EUR 50,000 to 75,000 per month.
A QR-2 patrol robot in the RaaS model costs EUR 3,500 per month. A QR-3 for KRITIS outdoor perimeter sits higher, depending on sensor configuration and site profile. Robotics-as-a-Service eliminates CapEx, the operator pays a monthly fee and receives sensor log and maintenance as a package. The audit trail comes as a by-product.
A single NIS-2 fine for a mid-cap group with EUR 500 million in group turnover: up to EUR 10 million. The annual cost for fully NIS-2-compliant physical security typically sits between EUR 60,000 and 120,000, depending on site count and risk classification. The ratio is clear.
The reputational damage from publication of the breach regularly exceeds the monetary value. A published breach stays in the index for years, surfaces in due diligence checks and raises the cost of the next credit negotiation. Details on the cost structure are in the guard service cost comparison and in the Robotics-as-a-Service model.
Anyone taking the sanction framework seriously starts with self-classification and a gap analysis. The entry point for structured NIS-2 implementation is at NIS-2 compliance overview.