I still remember sitting in a boardroom last year, surrounded by senior executives nervously flipping through an early draft of the NIS2 Directive. The atmosphere was tense—not because we didn’t understand the cybersecurity requirements, but because no one could say with certainty what the price of failure would be. Fast forward to 2025, and that uncertainty is beginning to clear—but the picture isn’t exactly comforting.
The NIS2 Directive (Directive (EU) 2022/2555), a sweeping overhaul of the EU's rules on the security of network and information systems, sets a bold standard. With it come serious financial, and personal, consequences for companies that fall short. Let's walk through what those consequences look like across the EU, how they are being implemented, and what they could mean for your organization.
Understanding the baseline: harmonised ceilings and local variations
At its core, NIS2 (Article 34) requires every member state to make essential and important entities liable to administrative fines up to at least a set ceiling for breaches of the risk-management measures in Article 21 and the incident-reporting obligations in Article 23. Member states may set higher maxima than the Directive's figures, but not lower ones. In other words, the floor for the maximum fine is the same everywhere; the actual maximum, and the authority that imposes it, is national.
For essential entities, the ceiling is €10 million or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher. For important entities, it is €7 million or 1.4% of turnover, again whichever is higher. Which category an entity falls into depends on its sector (Annex I lists the high-criticality sectors, Annex II the other critical sectors) and its size, with large entities in Annex I sectors, including operators of critical infrastructure, generally classed as essential.
But the practical application? That’s where things get interesting.
Here’s a breakdown of how different EU countries are implementing—or struggling to implement—these penalties as of May 2025:
| Country | Law status (May 2025) | Max fine, essential entities | Max fine, important entities |
| --- | --- | --- | --- |
| Germany | No law yet; draft failed Feb 2025 | 2% of turnover | 1.4% of turnover |
| France | "Resilience" bill in Sénat; mid-2025 vote expected | €10m / 2% | €7m / 1.4% |
| Netherlands | Draft in review; consultation closed Apr 2025 | €10m / 2% | €7m / 1.4% |
| Spain | Draft approved by government Jan 2025 | €10m / 2% | €7m / 1.4% (likely) |
| Italy | In force since Oct 2024 | €10m / 2% | €7m / 1.4% |
| Sweden | Draft under review; expected start Aug 2025 | €10m / 2% | €7m / 1.4% |
| Denmark | Law in force since Mar 2025 | €10m / 2% | €7m / 1.4% |
| Czech Republic | Draft pending, July 2025 | ~€10m / 2% | ~€7m / 1.4% |
| Poland | In Sejm; vote due 2H 2025 | €10m / 2% | €7m / 1.4% |
| Ireland | Drafting underway | €10m / 2% | €7m / 1.4% |
This variation creates a compliance minefield, especially for multinationals operating across several jurisdictions: the floor for the fine ceilings is harmonised, but the date from which they apply, the competent authority, and that authority's enforcement powers are not.
PRO TIP
Establish a centralized NIS2 risk register that tracks your entity status, turnover, and in-scope services per jurisdiction. This creates a clear audit trail to demonstrate how your organization aligns with fine thresholds and classification rules.
Timing is everything: when enforcement begins (and when it doesn’t)
Perhaps the most frustrating piece of the NIS2 puzzle is how uneven the rollout has been. The Directive entered into force at EU level on 16 January 2023 and gave member states until 17 October 2024 to transpose it, yet many national laws are still stuck in limbo, awaiting parliamentary approval or the outcome of public consultations.
Some countries, like Italy and Denmark, have already codified the NIS2 penalties into enforceable law. Others, such as Germany, have failed to even pass their first draft, delaying enforcement and raising the risk of EU infringement proceedings.
This time lag means that while your organization may be technically subject to NIS2, the financial consequences depend heavily on your location and timing.
| Country | Law in force | Expected enforcement date | Notes |
| --- | --- | --- | --- |
| Italy | Yes | October 2024 | Decreto Legislativo 138/2024 sets clear rules |
| Denmark | Yes | March 2025 | Adopts the Directive's fine ceilings even though Danish law has not traditionally used administrative fines |
| France | No | Mid-2025 | "Resilience" bill in legislative process |
| Germany | No | TBD | Draft failed; new timeline unknown |
| Sweden | No | August 2025 | Cybersäkerhetslag under final review |
| Spain | No | Not yet set | Draft bill approved by the government in January 2025; includes fine ceilings and management liability |
| Netherlands | No | Likely Q3/Q4 2025 | Consultation ended April 2025 |
| Ireland | No | Late 2025 | Bill drafting still underway |
| Poland | No | 2H 2025 | Sejm vote pending |
| Czech Republic | No | July 2025 | Caps defined, law not yet adopted |
The implication is simple: if you operate in a country where the law is not yet in force, your exposure to national fines is temporarily lower, but do not mistake that for safety. The Commission is watching, and infringement procedures are very real: in November 2024 it sent letters of formal notice to the member states that had missed the transposition deadline, Germany among them.
PRO TIP
Use the current "transposition gap" to get ahead. Begin aligning with the Article 21 risk-management measures now (risk analysis, incident handling, business continuity, supply-chain security, logging and detection) and rehearse the Article 23 reporting chain: an early warning within 24 hours of becoming aware of a significant incident, a notification within 72 hours, and a final report within one month. That way you are not scrambling once your national law is enacted.
Going beyond the fines: personal liability and strategic consequences
If the threat of a €10 million fine does not make your board sit up straight, perhaps this will: the Directive itself puts management on the hook. Article 20 requires management bodies to approve the cybersecurity risk-management measures, oversee their implementation and undergo training, and makes them liable for infringements. For essential entities, Article 32 additionally lets competent authorities request a temporary ban on a CEO or legal representative exercising managerial functions until the infringement is remedied.
Several national implementations add further bite, such as excluding non-compliant companies from public tenders, and Spain, France and Poland are among those going in this direction. These national extras reflect a growing willingness among member states to treat cybersecurity failures not just as technical missteps but as leadership failures.
For CEOs and CISOs, this changes the conversation. It’s no longer just about compliance checklists—it’s about job security and reputational risk.
In practice, this means:
- Executive decision-makers must stay closely involved in NIS2 compliance, not delegate it entirely to IT.
- Legal teams need to review local laws carefully to understand what’s at stake personally.
- Boards must be educated on timelines and enforcement scope to plan appropriate risk responses.
This growing emphasis on accountability mirrors a broader trend across EU regulation, from GDPR to the Digital Operational Resilience Act (DORA). It’s not enough to build defenses; you have to be able to prove you were responsible, aware, and proactive.
PRO TIP
Review D&O (Directors and Officers) insurance policies to ensure they cover cybersecurity-related liability under NIS2. Some policies exclude cyber events or regulatory fines, so ensure your coverage aligns with emerging personal accountability risks.
Building accountability into your compliance strategy
So where does this leave organizations preparing for NIS2 compliance? While some deadlines remain months away, the risk landscape is already shifting. Whether your organization is based in Milan, Malmö, or Madrid, the pressure to act decisively is real—and rising.
The smart approach is not to wait for your country’s final vote. Instead, treat the NIS2 directive penalties as active now, especially if you fall into the essential entity category. Start with:
- Conducting a jurisdictional risk review based on your operating countries.
- Mapping entity classification (essential vs. important) across business units.
- Engaging legal counsel to track legislative developments in each member state.
- Establishing executive oversight and documentation protocols to prepare for personal liability risks.
You can track transposition progress using public sources like OpenKRITIS, which regularly updates country-specific NIS2 timelines and enforcement notes.
Mitigate NIS2 compliance risks and penalties
Concerned about navigating the complexities and significant penalties of NIS2 compliance? CyberUpgrade ensures you’re well-prepared to handle evolving EU regulations confidently. Our advanced platform offers automated, real-time risk monitoring, integrated evidence collection, and clear compliance documentation via Slack or Teams—simplifying the pathway to regulatory readiness and significantly reducing your risk of non-compliance.
With our fractional CISO services, executive leaders gain proactive guidance on compliance oversight, minimizing personal liability and safeguarding organizational reputation. CyberUpgrade cuts compliance workloads by up to 80%, empowering you to stay ahead of enforcement timelines and national variations in NIS2 regulations.
Ready to ensure compliance, avoid costly fines, and protect your leadership from personal liability? Let CyberUpgrade secure your organization’s compliance future.
Streamline NIS2 compliance across jurisdictions with CyberUpgrade
Navigating the uneven landscape of NIS2 implementation is challenging, but solutions like CyberUpgrade simplify this uncertainty. Our compliance platform automates evidence gathering, ensures real-time risk monitoring, and offers clear visibility into your compliance status, making it significantly easier to track varying national requirements and timelines.
By embedding compliance checks seamlessly into daily workflows via familiar tools like Slack or Teams, we drastically reduce manual tasks, freeing your team to focus on strategic priorities. Whether you’re grappling with jurisdictional nuances or concerned about executive accountability, CyberUpgrade provides the clarity, control, and proactive oversight you need to confidently manage NIS2 compliance and mitigate the risks of penalties and reputational damage.
Are you prepared to absorb a multimillion-euro fine?
In the end, NIS2 isn’t just another compliance hurdle—it’s a wake-up call. With harmonised ceilings, mounting legislative momentum, and an emerging pattern of individual liability, the cost of non-compliance could be catastrophic.
The EU has made its expectations clear. Now, it’s up to each organization to decide how early—and how thoroughly—it wants to respond. Those who treat NIS2 seriously today are far more likely to avoid the headlines tomorrow. And in this regulatory climate, that’s a win no spreadsheet can capture.