NIS2 Fines: How Much Your Company (and Your Executives) Really Risk
9 min read · AstraLoop Studio
The question on your mind is simple: if your company isn't compliant with NIS2, what do you pay? The short answer is you risk up to €10 million or 2% of worldwide annual turnover (whichever is higher). But the part that unsettles the owners and boards we talk to isn't the number. It's the fact that, for the first time explicitly, liability falls on the people running the company — not just on the company as an abstract entity.
That's the real paradigm shift in the NIS2 directive (EU Directive 2022/2555, transposed into Italian law via Legislative Decree 138/2024). Management can no longer say "IT handles it." The law says the opposite: administrative and management bodies must approve risk management measures, oversee their implementation, and answer for violations. In this article we'll go through the real figures, what "personal liability" actually means in practice, and how these fines compare to the already-familiar GDPR and the incoming AI Act. If you want the full picture of the controls to put in place before diving into the figures, start with this guide to IT security audits for SMEs.

NIS2 fine amounts: how much does your company really risk
NIS2 splits entities into two categories, with different ceilings. The distinction matters, because it determines your financial exposure.
| Category | Who's included (examples) | Maximum fine |
|---|---|---|
| Essential entities | Energy, healthcare, banking, digital infrastructure, transport, water | Up to €10 million or 2% of worldwide turnover (whichever is higher) |
| Important entities | Manufacturing, food, chemicals, digital services, waste management, postal services | Up to €7 million or 1.4% of worldwide turnover (whichever is higher) |
Watch for a detail many people underrate: the "whichever is higher" rule changes everything. For an SME with limited turnover, it's the fixed ceiling (€10M or €7M) that hits hardest. For a group with hundreds of millions in revenue, the percentage of worldwide turnover can far exceed the fixed cap. This isn't meant to be symbolic.
Before you panic over the figures, though, check one thing first: whether NIS2 actually applies to your company. Not every business is in scope, and the size and sector criteria are precise. We've covered how to tell if your company is subject to NIS2 in a separate deep dive — worth reading before you worry about the numbers.
It's not just the fine: the other measures authorities can impose
Reducing NIS2 to a monetary penalty alone is a mistake. The competent national authority (in Italy, the ACN — the National Cybersecurity Agency) can also order measures that, for an operating business, hurt more than the fine itself:
- Binding orders and instructions to comply within a set deadline;
- Mandatory security audits at the company's expense;
- Temporary suspension of certifications or authorizations needed to operate;
- Temporary ban, for individuals at executive level, from holding management functions in cases of repeated violations.
That last point is the bridge to the topic that makes NIS2 different from everything that came before it.
Management's personal liability: what actually changes
Legislative Decree 138/2024 states that the administrative and management bodies of essential and important entities are required to approve cybersecurity risk management measures and to oversee their implementation. In practical terms: the CEO and the board have an active, documentable obligation they cannot fully offload onto an IT manager or an outside vendor.
This creates three concrete consequences every owner should have clear in their mind.
1. Delegation doesn't protect you the way you think
You can (and should) hand technical execution to people with the right skills. But oversight responsibility stays with the management bodies. If the company suffers a serious incident and it emerges that management never approved adequate measures, never funded them, or ignored warning signs, liability becomes personal. "I have an IT manager" isn't enough.
2. The training requirement covers leadership too
The directive requires members of management bodies to undergo specific training on cybersecurity risk, so they can assess and understand the measures and their impact. This isn't a course for technicians — it's training for decision-makers, because a board approving a security plan needs to understand what it's approving. A good starting point here is understanding how to structure staff training on digital risk, including new AI-driven threats.
3. Your suppliers fall inside your perimeter too
NIS2 requires assessing the security of the supply chain. The data is clear: roughly 30% of breaches involve a third party, and supply-chain compromises have quadrupled over five years. If a software vendor of yours gets breached and the attack spreads from there, the authority will ask one question: did you assess that vendor? Management needs to be able to answer yes.

NIS2, GDPR, and the AI Act: how the fines compare
Many business owners already know GDPR and associate "EU fine" with that regime. It's worth putting the three frameworks side by side, because they don't cancel each other out — they can stack on the same event. A data breach caused by inadequate security measures can violate NIS2 (security measures) and GDPR (personal data protection) at the same time.
| Regulation | What it protects | Maximum fine | Personal liability? |
|---|---|---|---|
| NIS2 (EU Dir. 2022/2555 / Legislative Decree 138/2024) | Network and information system security | €10M or 2% of worldwide turnover | Yes, explicit for management bodies |
| GDPR (EU Reg. 2016/679) | Personal data | €20M or 4% of worldwide turnover | Indirect (in Italy, via related civil or criminal liability) |
| AI Act (EU Reg. 2024/1689) | Artificial intelligence systems | €35M or 7% of worldwide turnover | On the company, with internal governance obligations |
Three practical takeaways from this table.
GDPR has the highest percentage cap of the two "legacy" regimes. The 4% of worldwide turnover remains the most feared ceiling for personal data violations, enforced in Italy by the Data Protection Authority (Garante). If you want to see how the two regulations intersect in detail, our piece on what counts as a data breach under GDPR explains when the 72-hour notification obligation to the Garante kicks in.
The AI Act has the highest absolute ceiling. EU Regulation 2024/1689 sets fines of up to €35 million or 7% of worldwide turnover for the most serious violations (prohibited practices). Its operational phase ramps up in 2026, with the ACN among the supervisory authorities in Italy. For a full picture of the obligations coming, see our guide to AI Act obligations for SMEs in 2026.
NIS2 is the only one that names executives. In terms of the abstract ceiling, it's "the lowest" of the three, but it's the only one that shifts risk from the legal entity to the individual, directly. For a company director, that's the difference that actually matters.
The deadlines that determine when the risk kicks in
A fine presupposes an obligation already in force. Italy's NIS2 timeline is staggered, and knowing it tells you exactly when you become exposed. Incident notification obligations and entity registration are already active in the early phases, while the deadline for baseline security measures falls during 2026. We've mapped out the relevant dates in our article on NIS2 deadlines for 2026, so you don't discover an expired deadline once it's too late.
The key point: notifying significant incidents comes with tight timing (an early warning within 24 hours, a full notification within 72 hours). Failing to notify, or notifying late, is itself a sanctionable violation. You don't even need to be "at fault" for the incident — failure to notify is a standalone offense.
Want to know if your company is exposed, and which measures actually cover you against NIS2 liability? Request a compliance assessment with us — we start from your specific situation, not a generic template.
How to actually reduce the risk of a fine
The good news is that authorities take effort into account. When deciding whether and how much to fine, they weigh severity, duration, prior history, and above all the measures taken to prevent and mitigate the damage. A company that can prove it did things properly starts from a radically different position than one that did nothing. Here are the steps that, in our hands-on experience, actually move the needle.
- A board resolution approving the measures. You need a formal, dated document proving the management bodies took ownership of the responsibility. It's the first thing an authority asks for.
- Documented risk analysis. Not a generic file, but an assessment of the specific risks facing your business, updated periodically.
- Baseline measures in place: access management, tested backups, encryption, vulnerability management, an incident response plan.
- Assessment of critical vendors, with contractual clauses on security and incident notification.
- Training for leadership and staff, tracked and repeated.
- Regular testing (vulnerability assessments and penetration tests) to verify the measures actually work, not just on paper. If you're unclear on the difference between the two, our article on vulnerability assessments vs. penetration tests explains it in plain terms.
There's a topic almost nobody connects to NIS2, but it's becoming decisive: insurability. Cyber insurance providers increasingly require a security audit as a precondition for coverage, and in the event of a claim they check whether the stated measures were actually in place. Running the audit isn't just about avoiding the fine — it's about being able to transfer residual risk to an insurer. That's where the investment in security pays off twice.
The picture goes beyond compliance: the threats have changed
Fines are the regulatory consequence. But the real risk is the attack that triggers them. Italy's context is heavy: the 2026 Clusit Report places Italy at around 10% of global incidents, with SMEs making up roughly 72% of targets. And attacks have also grown more sophisticated thanks to AI: hyper-realistic phishing and cloned-voice scams. In Lombardy, one SME transferred €28,000 to a fake CFO "cloned" via audio deepfake. Understanding how these scams work is part of managing risk: read how to defend against the deepfake CEO scam.
There's also a silent risk touching NIS2, GDPR, and the AI Act all at once: Shadow AI — employees pasting company data into ChatGPT or similar tools with zero oversight. It's a potential data leak no firewall will ever see. It falls squarely within the risks management must govern, and it's exactly the kind of exposure a well-run audit brings to light.
In summary
NIS2 fines for companies reach €10 million or 2% of worldwide turnover, but the real leap from the past is the personal liability — explicit and non-delegable — of the CEO and board. Compared to GDPR (up to 4% of turnover) and the AI Act (up to 7% or €35 million), NIS2 has the lowest abstract ceiling, but it's the only one that puts the executive's name on the document. There's a concrete, documentable way to reduce the risk: resolutions, risk analysis, baseline measures, vendor assessment, leadership training, and regular testing. Companies that do this don't just avoid the fine — they become insurable too.
Frequently asked questions
How much are the NIS2 fines for companies?
Up to €10 million or 2% of worldwide annual turnover for essential entities, and up to €7 million or 1.4% of turnover for important entities. Whichever amount is higher always applies.
Are executives personally liable for NIS2 violations?
Yes. Legislative Decree 138/2024 states that administrative bodies must approve security measures and oversee their implementation. Oversight responsibility cannot be delegated to IT, and in cases of repeated violations, a temporary ban from holding management functions can apply.
Are NIS2 fines higher than GDPR fines?
No. At maximum value, GDPR reaches €20 million or 4% of worldwide turnover — higher than NIS2. The difference is that NIS2 introduces explicit personal liability for management, which GDPR doesn't provide for directly.
Can NIS2 and GDPR both apply to the same event?
Yes. A data breach caused by inadequate security measures can violate NIS2 (risk management measures) and GDPR (personal data protection) at the same time, with separate proceedings and authorities — the ACN and the Data Protection Authority (Garante).
What do I need to prove to reduce the risk of a fine?
You need a documented path: a board resolution approving the measures, an updated risk analysis, baseline measures in place (backups, encryption, access management), vendor assessment, leadership training, and regular testing such as vulnerability assessments and penetration tests.
Does the AI Act have higher fines than NIS2?
Yes. EU Regulation 2024/1689 (AI Act) sets fines of up to €35 million or 7% of worldwide turnover for the most serious violations — the highest ceiling of the three regimes. Its operational phase ramps up in 2026, with the ACN among the supervisory authorities in Italy.
Before you risk a fine or personal liability, talk to us: we'll help you put in writing the measures that demonstrate your due diligence toward NIS2, GDPR, and the AI Act.