NIS2 Fines: What Does Non-Compliance Cost Your Organisation?

Nexus-7 Security Team
· February 23, 2026 12:23 · 4 min read

The NIS2 directive is no longer an abstract European obligation. With the Dutch Cybersecurity Act transposing this directive into national legislation, the consequences of non-compliance become painfully concrete. Organisations that fail to get their cybersecurity in order risk fines of up to €10 million or 2% of global annual turnover — whichever amount is higher.

But the financial impact goes beyond fines alone. In this article, we break down what NIS2 non-compliance truly costs and why board members can be held personally liable.

The concrete fine amounts under NIS2

NIS2 distinguishes between two categories of organisations, each with its own sanction level:

Essential entities — think energy, transport, healthcare, drinking water and digital infrastructure — risk fines of up to €10 million or 2% of global annual turnover. These are organisations whose disruption has direct societal consequences.

Important entities — such as food production, postal services, waste management and digital providers — can be fined up to €7 million or 1.4% of annual turnover. The difference in fine levels reflects the difference in societal risk.

For a mid-sized company with €50 million in turnover, this means potential fines of €700,000 to €1 million. For multinationals, amounts can run into the tens of millions.

Comparison with GDPR fines: the same order of magnitude

The fine structure of NIS2 is deliberately modelled after the GDPR. This is no coincidence. The European legislator learned from the GDPR experience: only when fines are serious enough do organisations take compliance seriously.

For comparison: the highest GDPR fine in the Netherlands was €3.7 million (Booking.com, 2021). At the European level, fines exceeding €50 million have been imposed on tech giants. NIS2 operates in the same order of magnitude but focuses specifically on cybersecurity rather than data protection.

The difference? NIS2 enforcement comes on top of existing GDPR obligations. A data breach caused by insufficient cybersecurity can therefore result in both a GDPR and a NIS2 fine. Double liability is real.

Board liability: it becomes personal

Perhaps the most far-reaching aspect of NIS2 is the personal liability of board members. Article 20 of the directive states that management of essential and important entities must approve cybersecurity measures, oversee their implementation and can be held liable for negligence.

In concrete terms, this means:

  • Board members must demonstrably have completed cybersecurity training
  • Management must formally approve risk management measures
  • In cases of serious negligence, board members can be held personally liable
  • In extreme cases, a temporary management ban can be imposed

The message is clear: cybersecurity is no longer an IT problem — it is a board-level responsibility. Board members who delegate cybersecurity without adequate involvement run personal risk.

Timeline: the Cybersecurity Act in the Netherlands

The European NIS2 directive should have been transposed into national legislation by 17 October 2024 at the latest. The Netherlands is behind schedule, but the Cybersecurity Act (Cbw) is in preparation and is expected to be adopted in 2025.

Organisations that think they still have time are mistaken. The directive is already in force at the European level and regulators are preparing. Waiting until the Dutch law formally takes effect means you are behind the curve.

The sensible approach is to start now. Not because you have to, but because implementing adequate cybersecurity measures takes months.

The hidden costs of non-compliance

Fines are merely the tip of the iceberg. The true costs of non-compliance include:

  • Reputational damage — Public enforcement actions erode customer and partner trust
  • Operational disruptions — Regulators can impose corrective measures that impact business operations
  • Loss of tenders — Increasingly, contracting authorities require NIS2 compliance as a condition
  • Higher insurance premiums — Cyber insurers assess NIS2 compliance in their risk evaluations
  • Incident costs — Without adequate measures, the costs of an actual incident are many times higher

IBM research puts the average cost of a data breach in 2025 at over €4.5 million. Non-compliance not only increases the likelihood of such an incident but also amplifies its consequences.

What can you do now?

Compliance starts with insight. Do you know which NIS2 obligations apply to your organisation? Has your board formally addressed the risks? Is your incident response plan up to date?

The first step is a gap analysis: where does your organisation stand now and what is needed to meet the requirements? This need not be a months-long process. With the right approach, you can have a clear picture of your compliance status within weeks.

Nexus-7 helps organisations map their NIS2 obligations and implement proportionate measures — no more than necessary, but sufficient to be compliant and genuinely protect your organisation.
