All resources
Compliance·6 April 2026·6 min read

NIS2 deadlines and penalties: fines, liability and key dates

NIS2 has teeth. Here are the dates that matter, the fines on the table, and the personal exposure for leadership.

The key dates

  • January 2023: NIS2 enters into force at EU level.
  • 17 October 2024: deadline for Member States to transpose it into national law.
  • 18 October 2024: the date from which national rules apply.
  • Ongoing: registration and reporting obligations begin under each national regime.

The fines

NIS2 sets maximum administrative fines by entity type. Essential entities can be fined up to €10 million or 2% of total worldwide annual turnover, whichever is higher. Important entities face up to €7 million or 1.4%. National implementations set the exact regime, but these ceilings are the benchmark.

Beyond fines: liability and intervention

Money isn't the only lever. Regulators can issue binding instructions, order entities to notify affected customers, and, for essential entities, temporarily suspend management responsibilities or certifications for persistent non-compliance. Article 20 also makes management bodies personally accountable for oversight.

How enforcement differs by entity type

Essential entities face proactive supervision: regulators can audit them without a specific trigger. Important entities face reactive supervision: scrutiny usually follows an incident or evidence of a problem. Either way, the question is the same: can you prove your controls and your incident handling?

How to reduce your exposure

The cheapest insurance is continuous, demonstrable evidence. Alexus keeps a live Article 21 readiness score and a hash-chained audit trail, so if a regulator asks, you answer with a query rather than a scramble. This article is general guidance, not legal advice.

Make NIS2 evidence a query, not a project

Alexus turns the IT operations you already run into continuous Article 21 readiness, ready-to-file Article 23 reports and a hash-chained audit trail.