
NIS2 Sanctions: What Directors Really Risk
Alexandre Durand
Editorial Director — Cybersecurity Expert
NIS2 establishes explicit and severe penalties. For essential entities: up to EUR 10 million or 2% of global turnover (Article 34, Directive 2022/2555). For important entities: up to EUR 7 million or 1.4% of global turnover.
Personal Liability of Directors
Article 20 (Directive 2022/2555) requires management bodies to approve and supervise cybersecurity measures. Directors can be sanctioned individually, including through temporary bans from exercising management functions.
Enforcement Powers
National competent authorities (NCSC, BSI, ANSSI, etc.) can conduct audits and on-site inspections, issue compliance orders and publicly disclose breaches. For essential entities, supervision is proactive.
*This article is for informational purposes only and does not constitute legal advice.*