NIS2 Enforcement Powers: What Regulators Can Do and How to Prepare

Who should read this: Compliance officers, legal teams, CFOs, board members, risk managers, and anyone responsible for ensuring organizational compliance and managing regulatory risk.

NIS2 gives regulators powerful tools to enforce compliance. Regulators can conduct audits, order remediation, publicly shame non-compliers, suspend operations, and impose fines up to EUR 20 million or 4% of global annual turnover. These are not abstract risks. As NIS2 compliance becomes enforceable, regulators will use these powers.

Articles 32-34 spell out enforcement authority. This guide explains what regulators can do, how they will likely use these powers, what penalties apply, and how organisations should prepare.

Who Enforces NIS2?

Each EU Member State designates a "competent authority" responsible for enforcing NIS2 within its territory. This is often:

- The national cybersecurity authority (e.g., German Federal Office for Information Security, French National Cybersecurity Agency).

- A sectoral regulator (e.g., the energy regulator for energy companies, the health regulator for health entities).

- In some Member States, a dedicated NIS2 authority separate from sectoral regulators.

Your first compliance step is to identify your national competent authority. This is the regulator that will supervise you, request information, conduct audits, and enforce compliance.

Supervisory Powers: What Regulators Can Do to Essential Entities

Article 32 outlines the supervisory powers regulators have over essential entities. These powers are extensive.

On-Site Inspections and Off-Site Supervision

Regulators can conduct unannounced or planned on-site inspections at your facilities. They can also conduct off-site supervision (reviewing documents, requesting information). They can conduct random checks at any time to verify compliance.

These inspections are not polite visits. Regulators will have the power to access systems, review security controls, interview personnel, and request any information they need.

To prepare: ensure your security controls are actually implemented (not just documented), your documentation is accurate and up-to-date, and your personnel understand cybersecurity requirements. Conduct internal audits regularly so you discover gaps before regulators do.

Regular and Targeted Security Audits

Regulators can require your entity to undergo security audits conducted by independent auditors or by the regulator's own staff. These audits are targeted (focused on specific risks) and based on risk assessments.

Importantly, you pay for audits conducted by independent auditors, except in unusual cases where the regulator decides otherwise. The cost falls on you, and the requirement to undergo the audit is enforceable.

To prepare: engage qualified independent auditors (holding ISO 27001, CREST, or equivalent certification) to conduct regular audits. Use audit findings to identify and remediate gaps before regulators conduct their own audits.

Ad Hoc Audits

If a significant incident occurs or if the regulator has evidence of non-compliance, the regulator can conduct surprise audits at any time. These are not planned or announced.

To prepare: maintain a continuous state of readiness. Do not implement cybersecurity measures only when you expect an audit.

Security Scans and Assessments

Regulators can conduct security scans (vulnerability scans, penetration tests) to identify weaknesses. These must be based on objective, non-discriminatory, fair criteria.

To prepare: conduct regular vulnerability scanning and penetration testing of your systems. Remediate vulnerabilities promptly so regulators do not find vulnerabilities you already knew about (which looks bad).

Requests for Information

Regulators can request any information necessary to assess your compliance: documented cybersecurity policies, risk assessments, audit results, incident response procedures, training records, access control policies, etc.

The regulator must state the purpose of the request and specify what information is wanted. But the scope is broad.

To prepare: maintain comprehensive documentation of your cybersecurity programme. Ensure documents are current and accurately reflect what you actually do. Have a process to respond to information requests within reasonable timeframes (typically 2-4 weeks).

Enforcement Powers: What Regulators Can Do to Essential Entities

If a regulator finds non-compliance, it has enforcement powers. These are escalating: the regulator can start with warnings and progress to fines and operational restrictions.

Warnings and Binding Instructions

The mildest enforcement action is a written warning about non-compliance. More serious is a binding instruction requiring you to take specific action (e.g., "implement multi-factor authentication on all administrative access within 90 days").

To prepare: take warnings seriously. If a regulator issues a binding instruction, prioritize compliance. Missing a binding instruction deadline leads to escalated enforcement.

Orders to Cease Infringement

Regulators can order you to stop conduct that violates NIS2 and prohibit you from repeating that conduct.

Orders to Comply with Article 21 and Article 23

Regulators can issue orders specifying exactly how you must comply with cybersecurity measures (Article 21) or incident reporting (Article 23), and set deadlines for compliance.

For example: "By 90 days from the date of this order, you must implement a business continuity and disaster recovery programme with a recovery time objective of 4 hours, as required by Article 21(2)(c). You must provide evidence of implementation within 120 days."

To prepare: ensure you have plans to address any gaps. Do not promise compliance you cannot deliver. If a deadline is unrealistic for your circumstances, request modification before the order is final.

Orders to Notify Service Recipients

If a significant cyber threat affects your customers, regulators can order you to inform customers about the threat and what they can do to protect themselves.

Designation of Monitoring Officer

For serious non-compliance, a regulator can designate a monitoring officer to oversee your compliance with Articles 21 and 23. This officer will have access to your systems, documentation, and personnel.

This is intrusive and costly (you may have to pay the officer's fees). It is effectively an external compliance monitor living in your organisation.

To prepare: avoid reaching this point by implementing robust compliance from the start.

Public Disclosure

Regulators can order you to publicly disclose aspects of your infringements in a specified manner. If you have hidden a serious breach or covered up non-compliance, regulators can order you to disclose this publicly.

This is reputationally damaging and a serious enforcement action.

Escalated Enforcement: Suspension and Prohibition

If a regulator issues a binding instruction and you fail to comply within the deadline, the regulator can escalate. It can:

- Temporarily suspend any certification or authorisation concerning your services (effectively taking you out of service).

- Request that courts or tribunals prohibit managers (CEO level) from exercising managerial functions in your entity.

These are extreme measures, but they are available. They are used when ordinary enforcement does not work.

To prepare: never reach this point. Comply with binding instructions on time.

Important Entities: Lighter Touch

Article 33 describes supervisory and enforcement powers for important entities (smaller organisations in scope).

The key difference: supervision of important entities is "ex post": it happens after a problem is identified, not proactively. Regulators do not randomly inspect important entities the way they do essential entities.

However, once evidence of non-compliance surfaces, regulators can conduct the same supervisory and enforcement actions as with essential entities.

The enforcement tools are similar but somewhat lighter: regulators cannot designate monitoring officers or suspend operations for important entities (though they can still impose fines and binding instructions).

To prepare: important entities should assume they will not face regular proactive audits, but should maintain compliance anyway. One incident or report of non-compliance can trigger full regulatory investigation.

Administrative Fines: The Financial Penalty

Articles 34-35 establish the fine regime.

Penalty Tiers

Essential entities that infringe Article 21 (cybersecurity measures) or Article 23 (incident reporting):

Maximum fine: at least EUR 10 million or 2% of total worldwide annual turnover, whichever is higher.

Important entities that infringe Article 21 or Article 23:

Maximum fine: at least EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher.

For large multinationals, the turnover-based fine dominates. A company with EUR 1 billion annual revenue pays up to EUR 20 million (2% of turnover) as an essential entity or EUR 14 million (1.4% of turnover) as an important entity.

For smaller entities, the fixed fine (EUR 10 million or EUR 7 million) applies.

Note the word "maximum." The actual fine in any case can be lower, but regulators typically impose substantial fines for serious infringements.

Systematic Infringements

The Directive specifies that for systematic infringements of Article 21 or Article 23, fines can reach:

For essential entities: EUR 20 million or 4% of worldwide annual turnover, whichever is higher.

This is double the standard fine. "Systematic" means repeated failures across multiple areas or extended time periods.

What Determines the Fine Amount?

When deciding the fine amount, regulators must consider:

- Seriousness of the infringement: Is it minor (documentation gap) or major (no incident response capability)?

- Duration: How long has the infringement existed?

- Previous infringements: Is this a first-time violation or a repeat offence?

- Damage caused: Did the infringement lead to a material incident? How many users were affected?

- Intent or negligence: Did the organisation deliberately ignore requirements, or was it negligent?

- Measures taken to prevent/mitigate damage: Did the organisation take action to limit harm?

- Adherence to codes of conduct or certifications: Does the organisation follow recognised standards?

- Cooperation with regulators: Did the organisation cooperate in the investigation or obstruct it?

Serious infringements that trigger elevated fines include:

- Repeated violations.

- Failure to notify or remedy significant incidents.

- Failure to comply with binding instructions.

- Obstruction of audits.

- Providing false or grossly inaccurate information.

To prepare: take every enforcement action seriously. Do not ignore or obstruct investigations. Be transparent and cooperate with regulators. This reduces your fine risk.

Personal Liability for Decision-Makers

Article 32(6) makes clear that liability rests not only with the organisation but also with the individuals responsible for its management:

"Member States shall ensure that any natural person responsible for or acting as a legal representative of an essential entity on the basis of the power to represent it, the authority to take decisions on its behalf or the authority to exercise control of it has the power to ensure its compliance with this Directive. Member States shall ensure that it is possible to hold such natural persons liable for breach of their duties to ensure compliance with this Directive."

This applies to CEOs, board members, general counsels, CISOs, and anyone with authority to make decisions about cybersecurity.

Personal liability means you can be sued individually. You can be held personally responsible for fines, damages, or criminal penalties depending on national law.

To prepare: maintain professional liability insurance and cyber liability insurance that covers personal liability for decision-makers. Document your governance and decision-making so you can demonstrate you acted in good faith. If the organisation has been negligent in cybersecurity despite your direction, document that you directed remediation.

Data Protection and Competition Coordination

Article 35 requires coordination with data protection regulators (those enforcing GDPR). If an NIS2 violation involves a personal data breach, the data protection supervisor (usually the national data protection authority) may fine the organisation under GDPR. NIS2 regulators and data protection regulators must coordinate to avoid double-fining the organisation for the same conduct.

This is important for your compliance strategy: an incident that violates both NIS2 and GDPR will face enforcement from both regulators, but they are required to coordinate penalties.

Procedural Protections

Before imposing enforcement measures, Article 32(8) requires regulators to:

- Set out detailed reasoning for the enforcement action.

- Notify the entity of preliminary findings.

- Allow a reasonable time for the entity to submit observations and defend itself.

These are important procedural rights. You have the right to be heard before penalties are imposed. Use this. If you believe a regulator has misunderstood facts or circumstances, submit detailed written responses explaining your position.

What Regulators Will Likely Prioritize

Based on the text of NIS2 and enforcement experience with GDPR, expect regulators to focus on:

- Board-level governance (Article 20): Do management bodies actually approve and oversee cybersecurity? Or has governance been delegated with no board involvement?

- Incident reporting (Article 23): Are entities notifying regulators of significant incidents within timelines? Or are they hiding incidents?

- Supply chain security (Article 21(2)(d)): Do organisations have vendor assessment and monitoring processes? Or do they blindly trust vendors?

- Multi-factor authentication (Article 21(2)(j)): Is MFA implemented on critical systems? This is a high-impact, measurable control.

- Business continuity (Article 21(2)(c)): Can the organisation actually restore services after a major incident? Or is disaster recovery untested?

These are the areas regulators will audit first and enforce most aggressively.

Enforcement Strategy: How to Minimize Risk

To minimize enforcement risk:

- Implement compliance seriously from the start. Do not adopt a "wait and see" approach.

- Conduct regular internal audits (quarterly minimum) and address findings promptly.

- Maintain detailed documentation of your cybersecurity programme, policies, risk assessments, and decisions.

- Engage board-level governance. Document board approvals and oversight.

- Establish incident response capability and test it regularly.

- Assess and monitor critical vendors.

- Respond to all information requests from regulators promptly and completely. Do not delay or provide incomplete responses.

- If a regulator issues a binding instruction, comply on time. If you cannot meet the deadline, request modification before the deadline passes.

- If a significant incident occurs, notify regulators immediately and cooperate fully in their investigation.

- Maintain cyber liability insurance with adequate limits.

- Engage experienced counsel if a regulator opens an investigation.

- Do not obstruct audits or investigations. Cooperation is looked upon favorably in penalty determination.

Cross-Border Coordination

Article 37 requires regulators in different Member States to cooperate on enforcement. If you operate across multiple Member States, expect coordinated enforcement.

Regulators may conduct joint supervisory actions (e.g., simultaneous audits in multiple countries) or may request mutual assistance (one regulator requesting another to conduct audits or provide information).

This means you face coordinated regulatory attention across multiple countries. Your compliance programme must meet the highest standards across all jurisdictions.

Key Takeaways

- NIS2 regulators (Member State competent authorities) have extensive supervisory powers including on-site inspections, security audits, penetration testing, and requests for information; supervision of essential entities is proactive; supervision of important entities is reactive (after evidence of non-compliance).

- Enforcement escalates from warnings and binding instructions to orders to cease infringement, public disclosure, and (for essential entities) suspension of certifications and prohibition of managers; repeated violations or failure to comply with binding instructions leads to escalated enforcement.

- Administrative fines for Article 21/23 infringements are at least EUR 10 million (essential) or EUR 7 million (important) or 2%/1.4% of worldwide annual turnover, whichever is higher; for systematic infringements, essential entity fines can reach EUR 20 million or 4% of turnover.

- Serious infringements triggering elevated fines include repeated violations, failure to notify or remedy incidents, failure to comply with binding instructions, obstruction of audits, and providing false information; the absence of intent, cooperation with regulators, and remedial measures taken reduce fine amounts.

- Personal liability exists for managers, board members, and decision-makers; they can be held individually liable for organisational non-compliance; liability insurance is critical.

- To minimize enforcement risk: implement compliance seriously from the start, conduct regular internal audits, maintain detailed documentation, ensure board-level governance, comply with regulator requests promptly, comply with binding instructions on time, and engage legal counsel if investigated.

- Cross-border coordination means regulators in different Member States cooperate on enforcement; organisations operating across multiple countries face coordinated supervisory and enforcement attention.