NIS 2: Enforcement powers for non-compliance

June 24th, 2024 Posted in Information Security, NIS 2 Directive

In our last blog on the NIS 2 directive, we covered the supervisory regime applicable to Essential and Important entities. In this blog, we’ll be addressing the enforcement powers available to regulators (called ‘competent authorities’) if any entity fails to comply with its NIS 2 obligations.  

As with supervisory powers, the enforcement powers available for non-compliance are more granular and extensive than those under the first NIS directive (NIS 1). There are several eye-catching powers available to competent authorities, including holding executives personally liable.

There are some differences in the enforcement powers available for Essential and Important entities, so we’ll start with a recap on the meaning of those. 

This is the fifth blog in a series of six blogs on NIS 2. Together they provide an in-depth overview of NIS 2 together with our comments and recommendations for being ready. You can read the other blogs in this series by following the links below:

Essential & Important Entities

Organisations in scope of NIS 2 will be categorised as either an Essential or an Important entity. The criteria for determining this are summarised in the following image:

[Image: criteria for classifying an organisation as an Essential or Important entity under NIS 2]

As you’ll note, Essential entities include large organisations that fall within Annex 1 of NIS 2, certain digital infrastructure entities, public administration bodies, entities classed as Operators of Essential Services (OES) under NIS 1 and other entities as determined by member state law. All other types of organisation in scope will be considered an Important entity.

Essential and Important organisations are subject to different supervisory regimes, as covered previously. The enforcement powers available to competent authorities also differ between Essential and Important entities.  

NIS 2 enforcement powers

Warnings & orders 

Whilst NIS 1 simply stated that member states were to lay down rules on penalties applicable to infringements and to take all measures necessary to ensure they were implemented, NIS 2 goes much further. It provides extensive and granular enforcement powers, including the power to:

  • Issue a warning about infringements*. 
  • Issue binding instructions*. 
  • Order an entity to cease conduct that infringes NIS 2*. 
  • Order an entity to ensure their risk management measures comply*. 
  • Order an entity to implement recommendations made as a result of an audit*. 
  • Order an entity to inform recipients of their services about significant cyber threats and potential remedial measures. 
  • Order an entity to publicly disclose aspects of an infringement. 

These all apply to Essential and Important entities, but the powers against Essential entities go further. These include the ability to designate a monitoring officer for a defined period of time to oversee an entity’s compliance with Article 21 (risk management measures) and Article 23 (incident reporting).

In addition, if the first five enforcement powers listed above (marked with an asterisk) prove ineffective against an Essential entity, a competent authority will be empowered to set a deadline for resolving the deficiencies. If the Essential entity fails to meet the deadline, the competent authority will then be able to take the following measures (neither of which applies to public administration entities):

  • Temporarily suspend a certification or authorisation applicable to the services.
  • Request relevant national bodies temporarily prohibit the CEO or equivalent senior manager from exercising managerial functions at the business. 

Both are focused on having a direct operational and reputational impact in a manner that a fine might not. Many entities in scope will operate under a licence or similar authorisation, meaning they could be legally prevented from providing their services. Likewise, prohibiting executives from performing their duties would not be well received by shareholders or the markets.

Quite how these powers would operate in practice remains an open question, and it seems unlikely that any entity would want its level of non-compliance to reach this point. It will be interesting to see how these powers are transposed into member state laws.

Administrative fines 

In addition to the above listed enforcement powers, competent authorities will also have the power to impose substantial administrative fines. The directive states that fines must be “effective, proportionate and dissuasive“. 

NIS 2 sets out a GDPR style maximum fine level for entities as follows: 

  • Essential entities: up to €10m or 2% of worldwide annual turnover for the entity’s group (whichever is higher). 
  • Important entities: up to €7m or 1.4% of worldwide annual turnover for the entity’s group (whichever is higher). 

As with GDPR, it seems unlikely that we’ll see fines imposed at this level (or even near it), but the headline numbers will focus minds on the importance of compliance, especially at publicly traded businesses.

Measures against executives

The headline-grabbing power available to competent authorities relates to executive liability. Article 32(6) of the directive (mirrored for Important entities at Article 33(5)) states that member state laws must ensure that the natural persons responsible for, or representing, an entity have the power to ensure its compliance with NIS 2, and that it must be possible to hold such persons liable for breach of their duties to ensure compliance.

This is a significant shift from NIS 1 and perhaps an early indicator of what we might expect to see in cybersecurity laws and regulations as they arise globally. Board and executive engagement and accountability is a key theme in best practice cybersecurity guidance and standards.

NIS 2 addresses executive accountability twice. Firstly, at Article 20, by making management bodies responsible for approving and overseeing the implementation of risk management measures; and secondly at Article 32(6), by requiring that it be possible to hold executives liable.

NIS 2 cross border compliance

Many organisations in scope of NIS 2 will be established in more than one EU member state. Given that NIS 2 is a directive and must be transposed into local law in each country, a different approach may be applied in different countries. Likewise, an incident or compliance breach may affect the same entity across several member states.

Where this applies, the competent authorities in each member state are required to provide mutual assistance to each other and to cooperate when applying supervisory or enforcement measures. This differs from the GDPR which introduced lead supervisory authorities as part of the ‘one stop shop’ mechanism. 

The cooperation required between cross-border competent authorities includes informing and consulting one another, being able to request that a competent authority in another country takes supervisory or enforcement action, and providing mutual assistance, for example through on-site inspections or security audits.

Clearly, it will make the most sense to apply a consistent approach to compliance across all member states in which your organisation is in scope, whilst taking account of local variances which may apply from country to country.

Next steps for complying with NIS 2

An organisation potentially in scope of NIS 2 should start with a scope assessment. Map your services against those set out in Annex 1 and Annex 2 of the directive, take account of the size of your organisation, and identify the countries in which you provide services and operate. From this, you will know whether NIS 2 applies, whether your organisation is an Important or Essential entity, and in which countries you should prepare to be compliant.

Once you have identified your scope, we recommend that you conduct a gap analysis against the NIS 2 security requirements. Include all systems relevant to the services you provide which are in scope of NIS 2. This may include Operational Technology (OT) as well as IT systems.  

Based on your gap analysis, you can then prepare a compliance improvement plan. This should address the compliance gaps identified from the gap analysis. You should prioritise activities based on the potential likelihood and impact of cybersecurity risks to your services.   

We also strongly recommend communicating details of the directive to your executives and educating them on the scope, the detailed expectations and the potential costs of non-compliance. Senior management support and engagement is going to be crucial to meet regulatory expectations.  

Need help with NIS 2?

If you need help with NIS 2, please get in touch. We can support with all aspects of your compliance readiness programme. Our experienced consultants can lead a gap analysis, develop your improvement plan, prepare policies, lead risk assessments, help establish governance processes, improve your incident response plans, business continuity plans and manage supplier security risk assessments. 

We can also support compliance assurance through compliance auditing, internal auditing, business continuity exercising, cyber incident response exercising, penetration testing and controls assessments. 

Visit our NIS 2 Consultancy Service page or fill out the form below.




Written by Sean Huggett

Sean specialises in data protection, information risk and cyber security. He is a qualified barrister, having been called to the Bar in 1998, and started his career as an in-house lawyer working in intellectual property, data protection and commercial contracts. He later progressed into commercial leadership roles, working in a number of sectors before specialising in privacy and security strategy, management and compliance. Sean is also Managing Director at Evalian®. His qualifications include CISM, CISA, CRISC, ISO 27001 Lead Implementer, ISO 27001 Lead Auditor, CISMP, CIPP-E, CIPT & GDPR Practitioner Certificate.