NIS2 Implementation Deadline Expires: Penalties Begin

The bottom line: With the expiration of the NIS2 implementation deadline, penalty provisions enter into force that impose multi-million euro fines on non-compliant companies.

The implementation deadline for the European NIS2 Directive has expired. Companies in critical infrastructures and essential services must now expect high fines if they fail to meet regulatory requirements.

The European Union had set mid-2024 as the implementation deadline for the NIS2 Directive (Network and Information Security Directive 2). This deadline has now passed. All EU Member States were obligated to incorporate the Directive into their national legislation. For affected companies in the sectors of energy, transport, water, health, finance and digital infrastructure, binding compliance requirements now apply with immediate effect.

Companies that fail to meet NIS2 standards must expect substantial fines. The penalty provisions provide for penalties that can reach into the hundreds of millions of euros. The specific amount depends on factors such as the severity of the violation, company size and repeat offences. For CISOs, this means: compliance is no longer an optional measure, but a mandatory business requirement with direct financial consequences.

Specifically, companies must implement measures for cybersecurity governance, risk management, incident reporting and supply chain security. The requirements apply not only to large corporations, but also to medium-sized and smaller operators of critical services. Authorities supervise implementation and can conduct inspections. CISOs should conduct a current compliance assessment and prioritise implementation of missing measures to minimise sanction risks.


Source: news.google.com · Published 26 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.