NIS2 deadlines and penalties: fines, liability and key dates
NIS2 has teeth. Here are the dates that matter, the fines on the table, and the personal exposure for leadership.
The key dates
- January 2023: NIS2 enters into force at EU level.
- 17 October 2024: deadline for Member States to transpose it into national law.
- 18 October 2024: the date from which national rules apply.
- Ongoing: registration and reporting obligations begin under each national regime.
The fines
NIS2 sets maximum administrative fines by entity type. Essential entities can be fined up to €10 million or 2% of total worldwide annual turnover, whichever is higher. Important entities face up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher. National implementations set the exact regime, but these ceilings are the benchmark.
Beyond fines: liability and intervention
Money isn't the only lever. Regulators can issue binding instructions, order entities to notify affected customers, and, for essential entities, temporarily suspend management responsibilities or certifications for persistent non-compliance. Article 20 also makes management bodies personally accountable for oversight.
How enforcement differs by entity type
Essential entities face proactive supervision: regulators can audit them without a specific trigger. Important entities face reactive supervision: scrutiny usually follows an incident or evidence of a problem. Either way, the question is the same: can you prove your controls and your incident handling?
How to reduce your exposure
The cheapest insurance is continuous, demonstrable evidence. Alexus keeps a live Article 21 readiness score and a hash-chained audit trail, so if a regulator asks, you answer with a query rather than a scramble. This article is general guidance, not legal advice.