What does non-compliance with NIS2 actually cost?

A question that comes up often in our customer dialogues is not "what happens if we miss a requirement?" but rather "what actually triggers a supervisory review?" It is a more useful question, and it reveals something important: most organisations that come to Hybridity have already established that they are in scope for NIS2. What they want to understand is how to avoid drawing regulatory attention, and what happens if they do anyway.

Penalty levels explained

NIS2 divides organisations into two categories: essential entities and important entities. The category determines not only which requirements apply, but also the intensity of supervision and the maximum penalties.

For essential entities, the ceiling is €10 million or 2 percent of global annual turnover, whichever is higher. For important entities, the ceiling is lower: €7 million or 1.4 percent of turnover.

These are maximum figures. In practice, the size of a sanction depends on the severity of the breach, whether it is repeated, and whether the organisation has actively worked to address it. But the numbers are large enough to become a boardroom conversation, which is precisely the point.

One thing that directly affects how a compliance system needs to be configured: the classification as an essential or important entity is not always straightforward. Guidance from national authorities varies across member states and sectors. This is a system question that needs to be managed on an ongoing basis, not just resolved at registration.

The supervisory model

NIS2 does not create a single pan-European supervisory body. Supervision is handled at national level, and in many member states, responsibility is further distributed across sector-specific authorities.

This matters for a practical reason: there is no uniform supervisory practice yet. Different authorities are at different stages of building their oversight capacity. The pressure varies by sector and country, but that does not mean the risk is low. It means the timeline is uncertain.

Personal liability: what actually changes boardroom behaviour

The fines are significant, but personal liability is usually what shifts the dynamic in a boardroom.

NIS2 requires that senior management actively participates in and approves the organisation's security work. Delegating entirely to the IT department is not sufficient. If an incident occurs and it can be shown that management lacked adequate oversight or had not approved relevant measures, individual members of management can be held personally liable.

This is a question that comes up regularly when organisations start configuring their compliance systems. How do you document management approval in a way that holds up under scrutiny? How do you ensure the right person has signed off on the right decision at the right time? That is not a legal question. It is a system design question.

Hy5 handles this by linking security measures and risk decisions directly to accountable roles within the organisation, with timestamped approvals that are traceable and audit-ready.

What supervisory authorities actually look at

Based on how similar supervisory regimes have operated in other EU contexts, and on how NIS2's requirements are framed, supervision is likely to focus on:

  • Documentation: Are there written procedures and policies covering the ten security areas?
  • Incident handling: Has the organisation reported incidents within the required timeframes?
  • Management engagement: Is there evidence that senior management has actively participated in security governance?
  • Supply chain assessment: Has the organisation evaluated risks across its supplier and service chain?

This is not a random audit of technical systems. It is a review of whether the organisation can demonstrate a structured and documented approach to security. That distinction matters enormously for how a compliance system needs to be built.

Proactive compliance is cheaper than reactive compliance

It sounds like a cliché, but it is a straightforward calculation. A penalty of 2 percent of global turnover is, in most cases, a multiple of the cost of building a functioning compliance system from the outset.

What we see in our customer dialogues is that organisations that delay structuring their compliance work often end up doing everything at once, under time pressure, with manual processes that do not hold up under scrutiny.

Want to understand how Hy5 supports documentation, traceability and management accountability under NIS2?

Hy5 automates compliance monitoring and creates audit-ready records across all NIS2 security areas. It is used by organisations to operationalise NIS2 requirements without manual administration.
