NIS2 non-compliance is no longer only a security issue. It is a financial, operational, and board-level risk. Under Article 34 of the NIS2 Directive, Essential entities can face fines of at least EUR 10 million or 2% of global annual turnover. Important entities can face fines of at least EUR 7 million or 1.4% of global annual turnover. In both cases, the higher amount applies. For Dutch organisations, NIS2 is implemented through the Cyberbeveiligingswet (Cbw). The Cbw introduces duties around cybersecurity risk management, incident reporting, registration, board responsibility, and supervision. The NCSC describes the Cbw as the Dutch implementation of NIS2 and states that it replaces the current Wbni.

This article explains what NIS2 fines can cost, when enforcement can be triggered, what Article 20 means for management, and what Dutch organisations should prepare first.

TL;DR

NIS2 fines depend on whether your organisation is classified as an Essential entity or an Important entity. Essential entities face a higher fine ceiling and more proactive supervision. Important entities face a lower ceiling, but still carry board-level accountability under Article 20.

| | Essential entity | Important entity |
|---|---|---|
| Maximum fine | EUR 10,000,000 or 2% of global annual turnover, whichever is higher | EUR 7,000,000 or 1.4% of global annual turnover, whichever is higher |
| Examples | Energy, water, digital infrastructure, banking, health, transport, public administration | Postal services, waste management, manufacturing, food production, digital providers not listed as Essential |
| Supervisory model | Proactive supervision: audits, inspections, and assessments can happen before an incident | Reactive supervision: action is usually triggered by an incident, complaint, or evidence of non-compliance |
| Management liability | Yes. Article 20 applies to management bodies | Yes. Article 20 applies to management bodies |

Table: Essential entity vs Important entity

Not sure whether NIS2 applies to your organisation? Start with the scope question first: check if NIS2 applies to your organisation.

NIS2 fines and penalties

Essential vs Important: the classification that determines your fine ceiling

The most important fine question is not “How large is our company?” It is “Are we classified as Essential or Important under NIS2?”

The classification determines three things: your maximum fine, your supervisory model, and the level of regulatory attention you can expect.

Essential entities usually operate in sectors where disruption would have a large effect on society or the economy. These include energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, and space.

Important entities cover a wider set of sectors. These include postal and courier services, waste management, chemicals, food production and distribution, manufacturing, digital providers, and research organisations.

For Dutch companies, this classification should not be treated as a legal label to check once and forget. It affects your fine ceiling and your evidence burden. A medium-sized software company may assume NIS2 does not apply because it is not a hospital, bank, energy provider, or telecom operator. That assumption can fail if the company provides managed services, cloud services, security services, or operational technology support to entities already in scope.

The practical test is simple: if your service is important to the continuity, security, or digital operations of a regulated sector, check the scope before assuming you are outside NIS2.

The NIS2 fines penalties structure: what Article 34 actually says

Article 34 sets the administrative fine structure for violations of Article 21 and Article 23.

Article 21 covers cybersecurity risk-management measures. Article 23 covers incident reporting. These are the two areas where NIS2 enforcement becomes financially serious.

The fine ceilings apply per violation and are designed to be effective, proportionate, and dissuasive. Article 34 also allows Member States to provide periodic penalty payments to force an entity to stop an ongoing infringement, but the Directive itself does not set fixed daily EUR amounts for those payments. 

Essential entities: up to EUR 10 million or 2% of global annual turnover

For Essential entities, Article 34(4) sets the fine ceiling at EUR 10 million or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher.

That last phrase matters. EUR 10 million is not always the cap. For larger companies, the percentage-based amount can exceed EUR 10 million.

| Global annual turnover | 2% of turnover | Fine ceiling logic |
|---|---|---|
| EUR 100 million | EUR 2 million | EUR 10 million applies because it is higher |
| EUR 300 million | EUR 6 million | EUR 10 million applies because it is higher |
| EUR 600 million | EUR 12 million | EUR 12 million applies because 2% is higher |

Table: Essential entities fines

For an Essential entity with EUR 600 million in global annual turnover, the fine ceiling is not EUR 10 million. It is EUR 12 million. That is why boards should not read the EUR amount in isolation. The turnover percentage is the real exposure for larger groups.

Important entities: up to EUR 7 million or 1.4% of global annual turnover

For Important entities, Article 34(5) sets the fine ceiling at EUR 7 million or 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher.

| Global annual turnover | 1.4% of turnover | Fine ceiling logic |
|---|---|---|
| EUR 100 million | EUR 1.4 million | EUR 7 million applies because it is higher |
| EUR 300 million | EUR 4.2 million | EUR 7 million applies because it is higher |
| EUR 600 million | EUR 8.4 million | EUR 8.4 million applies because 1.4% is higher |

Table: Important entities fines

For many EU SMEs and mid-market companies, the fixed EUR 7 million ceiling will be higher than the turnover percentage. That does not mean the authority will always impose the maximum. It means the legal power exists.

The Dutch Cbw explanatory memorandum follows the same NIS2 fine structure for care duty and reporting duty violations: EUR 10 million or 2% for Essential entities, and EUR 7 million or 1.4% for Important entities, with the higher amount applying. 

Management personal liability: what Article 20 means for Dutch boards

NIS2 does not treat cybersecurity as a technical task that management can fully delegate. Article 20 requires Member States to ensure that management bodies approve cybersecurity risk-management measures, oversee their implementation, and can be held liable for infringements of Article 21. It also requires members of management bodies to follow training so they can identify risks and assess cybersecurity risk-management practices.

For Dutch organisations, the Cbw carries this board responsibility into national law. NCTV guidance states that board members must have enough knowledge and skills to identify network and information system risks and assess cybersecurity risk-management measures. It also refers to training and certification requirements for board members. 

This creates five practical implications for Dutch boards.

  • First, “we delegated this to IT” is not enough. The board must approve the security measures and oversee implementation.
  • Second, board meeting minutes matter. If management approved the NIS2 programme, the evidence should show when, what was reviewed, what was decided, and what follow-up was required.
  • Third, NIS2 training is not a soft recommendation. Management needs enough knowledge to challenge the risk assessment, not just receive a slide deck.
  • Fourth, personal liability does not mean every board member automatically receives a personal fine. It means management accountability can become part of the enforcement discussion when the organisation failed to approve, oversee, or evidence its cybersecurity programme.
  • Fifth, cyber governance becomes an insurance issue. Directors and officers’ insurance may not protect management if the claim relates to a breach of statutory duties. That risk should be checked with legal counsel and the insurer before an incident happens.

For the full governance angle, see the related article on NIS2 management personal accountability.

The 5 things that actually trigger NIS2 enforcement

NIS2 enforcement usually starts with evidence. The authority does not need a perfect security programme. It needs to see whether your organisation had proportionate measures, documented decisions, and a clear response process.

These five triggers are the most important to prepare for.

Enforcement trigger 1: Failing to report a significant incident

Article 23 requires a staged incident reporting process: an early warning within 24 hours, an incident notification within 72 hours, and a final report no later than one month after the incident notification. 

Failure to report on time can become a violation separate from the incident itself.

The control to prepare is not only an incident response policy. You need a tested reporting process: who classifies the incident, who contacts the CSIRT or authority, who approves the message, and what evidence is retained.

Enforcement trigger 2: Not implementing Article 21 risk-management measures

Article 21 is the operational core of NIS2. It requires covered entities to implement cybersecurity risk-management measures.

In practice, enforcement risk appears when an audit or incident investigation finds gaps such as no incident response plan, no access control evidence, no supply chain security review, no MFA rollout plan, or no business continuity testing.

A work-in-progress gap is not the same as an undocumented gap. If a measure is still being implemented, document the current state, owner, deadline, and risk acceptance decision.

Enforcement trigger 3: Not registering with the competent authority

Under the Dutch Cbw, organisations in scope must register in the entity register. NCSC states that organisations covered by the Cbw are legally required to register, and RDI explains that registration becomes mandatory when the Cbw enters into force.

Registration is not an admin detail. It is how the supervisory structure knows which entities fall under the regime.

A Dutch company that waits until a customer, authority, or incident forces the issue has already lost control of the timeline.

Enforcement trigger 4: Providing false or misleading information

During an audit, inspection, or incident notification, inaccurate information can create a second problem.

This applies especially to incident reporting. If the organisation understates the severity, impact, affected systems, or personal data exposure, the authority may treat the reporting failure separately from the incident.

The control is evidence discipline. Incident logs, forensic notes, escalation records, and decision trails should support what was reported and when.

Enforcement trigger 5: Not cooperating with supervision

Essential entities face proactive supervision. Important entities are more often supervised after an incident, complaint, or indication of non-compliance.

In both cases, cooperation matters. If an authority requests documents, access, interviews, or evidence of controls, the organisation must respond within the legal process.

The practical preparation is an evidence pack. It should show the current risk assessment, approved security measures, incident response process, access control review, supplier security process, and remediation roadmap.

The five triggers above are the situations where supervisory authorities can investigate, request evidence, and impose sanctions. A NIS2 gap analysis shows which Article 21 measures are missing, which risks are undocumented, and what your actual exposure looks like before an authority asks the same questions. Start with NIS2 compliance readiness support.

The Dutch NIS2 enforcement landscape: who investigates and fines

For EU companies, the competent authority depends on the Member State and sector. For Dutch organisations, the Cbw introduces a national structure with sector-specific supervision.

The mapping below should be checked against the latest Dutch government sector mapping, since authority assignments can change as the Cbw is finalised.

| Dutch authority | NIS2 / Cbw role | Relevant sectors |
|---|---|---|
| RDI, Rijksdienst voor Digitale Infrastructuur | Competent authority for digital infrastructure and related sectors | DNS providers, TLD registries, cloud services, data centres, CDN, managed services |
| Agentschap Telecom / telecom supervision function | Telecom and digital communications supervision under the Dutch framework | Telecom providers and electronic communications networks |
| Autoriteit Persoonsgegevens (AP) | GDPR authority where a NIS2 incident also involves a personal data breach | All sectors where the incident affects personal data |
| Sector-specific authorities | Sector supervision under the Cbw structure | DNB for banking, ACM for energy, IGJ/CIBG for healthcare, plus other sector bodies depending on classification |

Table: The Dutch NIS2 enforcement landscape

The AP is not the general NIS2 authority for every incident. Its relevance appears when a cybersecurity incident also involves personal data. That overlap matters. A ransomware incident, exposed database, compromised identity system, or supplier breach can trigger both NIS2 reporting and GDPR reporting. The organisation then needs one incident record that can answer both regulatory tracks.

The Autoriteit Persoonsgegevens (AP) also has a public enforcement record under GDPR. In 2024, the AP fined Netflix EUR 4.75 million for not properly informing customers about personal data processing. Earlier examples include the EUR 750,000 fine against TikTok in 2021 and the EUR 600,000 fine against Uber in 2018 for late data breach notification.

These GDPR cases do not predict NIS2 fine amounts directly. They show that Dutch regulators have used administrative fines in data-related enforcement, which matters when a NIS2 incident also involves personal data.

Beyond the headline fine: the full cost of NIS2 non-compliance

The fine is the easiest number to quote. It may not be the largest cost. For a board or CFO, the real exposure sits across five cost categories.

| Cost category | What it means in practice |
|---|---|
| Regulatory fine | The Article 34 fine for Article 21 or Article 23 violations. This is the visible sanction. |
| Operational disruption | Management, legal, IT, security, and vendor teams are pulled into investigation response. The cost is measured in time, delay, and urgent remediation. |
| Reputational damage | Public enforcement, customer concern, procurement review, and investor questions can follow a serious failure. |
| Contract loss | Enterprise customers increasingly ask suppliers to prove NIS2 readiness. Weak evidence can block renewals, onboarding, or new contracts. |
| Insurance impact | Cyber and D&O insurers may ask whether statutory duties were met. A weak governance record can create coverage disputes. |

Table: The full cost of NIS2 non-compliance

This is why “we will fix it if the authority asks” is an expensive strategy.

After enforcement starts, the organisation is no longer choosing its own timeline. It is responding to regulatory pressure, customer pressure, and internal escalation at the same time.

A lower-cost path is to identify the gaps before the trigger happens.

How Sunbytes approaches NIS2 compliance readiness for EU and Dutch organisations

The exposure outlined above is why NIS2 readiness should start with evidence, not assumptions. Sunbytes helps EU and Dutch organisations map their current security posture against NIS2 Article 21, identify missing controls, and turn those gaps into a practical remediation plan. The output is clear: what is already in place, what needs to be fixed first, and what evidence your team needs for board review, buyer due diligence, or supervisory questions.

At Sunbytes, we help teams move from baseline assessment to remediation planning and evidence preparation, so NIS2 readiness becomes something your organisation can demonstrate, not just claim.

Why Sunbytes?

Sunbytes is a Dutch technology company with 15 years of experience helping international clients turn strategy into reliable delivery with security built in. For NIS2, that matters because compliance is not only a legal checklist. It depends on secure systems, accountable delivery, and the right people maintaining controls over time.

  • CyberSecurity Solutions: We help organisations reduce risk without slowing delivery through security assessments, vulnerability management, and compliance readiness. For NIS2, this means mapping Article 21 requirements into evidence, remediation priorities, and audit-ready documentation.
  • Digital Transformation Solutions: We build and modernise digital products with senior engineering teams across custom development, QA/testing, maintenance, and support. For NIS2, this means security controls can be implemented inside real systems, pipelines, and product workflows, not left as policy documents.
  • Accelerate Workforce Solutions: We help companies scale delivery capacity through recruitment and workforce support when growth creates capability gaps. For NIS2, this matters because controls fail when ownership is unclear; the right roles, access discipline, and security-aware execution keep the programme moving after the first assessment.

Start with a NIS2 gap analysis through Sunbytes NIS2 compliance readiness support.

FAQs

Dutch NIS2 enforcement follows the Cyberbeveiligingswet. For organisations in scope, duties apply from the moment the Cbw enters into force. The NCSC states that covered organisations must meet Cbw obligations from the effective date, including security, reporting, and registration duties. 

It is a real legal ceiling. Article 34 sets the maximum for Essential entities at EUR 10 million or 2% of worldwide annual turnover, whichever is higher. The actual fine should be proportionate to the circumstances, but the authority has the legal power to impose a fine up to that ceiling. 

Article 20 requires management bodies to approve and oversee cybersecurity risk-management measures and allows them to be held liable for infringements. The Dutch Cbw also includes board responsibility and training expectations. Whether a specific board member faces a personal sanction depends on Dutch law, the facts, and the enforcement decision. 

ISO 27001 helps, but it is not immunity. Certification can show that many governance, access control, risk management, incident response, and supplier controls are in place. NIS2 still requires the organisation to show that the relevant Article 21 measures are implemented, proportionate, current, and evidenced.

They apply if your organisation is in scope as an Essential or Important entity. Many smaller companies assume they are out of scope because they are not a bank, hospital, or energy provider. That assumption can be wrong if the company operates in a listed sector or provides digital services to regulated entities.

Prepare evidence before buying more tooling. Start with a scope check, then map Article 21 controls, incident reporting readiness, supplier risk, access control, and board oversight. The output should be a gap analysis and remediation roadmap.

Yes, but the wording needs care. Article 34 allows Member States to provide periodic penalty payments to compel an entity to stop an infringement. The Directive does not set fixed daily EUR amounts, so any daily penalty figure should be checked against the national implementation and the authority’s decision.

Let’s start with Sunbytes

Let us know your requirements for the team and we will contact you right away.
