NIS2 fines: non-compliance costs and management liability

NIS2 introduces significantly stricter penalties than its predecessor. Understanding the fine structure and personal liability for management is essential for Romanian organizations to assess non-compliance risk and justify cybersecurity investments.

Adrian Voicu
Advisory Services at BetterQA
Introduction

NIS2 introduces a significantly more severe penalty regime than its predecessor, NIS1. For Romanian organizations, understanding these penalties is essential for assessing non-compliance risk and justifying cybersecurity investments.

NIS2 Fine Structure

Fines for Essential Entities

Essential entities (large organizations in highly critical sectors) face:

  • Maximum fine: EUR 10,000,000
  • OR 2% of total annual worldwide turnover
  • The higher amount applies

Fines for Important Entities

Important entities benefit from a slightly more lenient regime:

  • Maximum fine: EUR 7,000,000
  • OR 1.4% of total annual worldwide turnover
  • The higher amount applies

Romania-Specific Fines (OUG 155/2024)

Romanian legislation also provides for intermediate sanctions:

For failure to register on time:

  • Essential entities: RON 100,000 - 500,000
  • Important entities: RON 50,000 - 300,000

For non-compliance with security measures:

  • Warning (for minor violations)
  • Progressive fines based on severity
  • Mandatory corrective measures

Personal Liability for Management

One of the major changes in NIS2 is the introduction of personal liability for members of management bodies:

What does personal liability mean?

  • Management must approve the organization's cybersecurity risk management measures
  • Management must supervise the implementation of these measures
  • Management must undergo cybersecurity training

Consequences for management:

  1. Temporary ban from exercising management functions
  2. Liability for damages caused by gross negligence
  3. Publication of names in cases of serious violations
  4. Criminal sanctions in extreme cases (under national law)

Gross negligence - practical definition

Gross negligence is considered to exist when management:

  • Ignores repeated warnings about vulnerabilities
  • Does not allocate resources for required security measures
  • Does not establish clear security policies
  • Does not respond to security incidents

Factors Influencing Fine Levels

DNSC and European authorities will consider:

Aggravating factors:

  • Repeated violations
  • Lack of cooperation with authorities
  • Attempting to conceal incidents
  • Significant impact on users
  • Extended duration of non-compliance

Mitigating factors:

  • First violation
  • Active cooperation with authorities
  • Rapid remediation measures
  • Demonstrated investments in security
  • Limited impact

Comparison with GDPR

For context, here's how NIS2 penalties compare with GDPR:

  Aspect                     | NIS2                  | GDPR
  ---------------------------|-----------------------|---------------------------
  Maximum fine               | EUR 10M / 2%          | EUR 20M / 4%
  Management liability       | Yes, explicit         | Yes, implicit
  Publication of violations  | Mandatory             | At authority's discretion
  Management ban             | Yes                   | No

Cost of Non-Compliance vs. Cost of Compliance

Cost of non-compliance (example for entity with EUR 50M turnover):

  • Maximum fine: EUR 1,000,000 (2% of turnover)
  • Emergency remediation costs: EUR 200,000 - 500,000
  • Reputational loss: incalculable
  • Operational disruption: variable
  • Total potential losses: EUR 1.5M - 2M+

Cost of compliance:

  • Management platform (NIS2 Manager): EUR 1,188 - 5,988/year
  • Internal control implementation: EUR 20,000 - 100,000
  • Specialized consulting: EUR 10,000 - 50,000
  • Total investment: EUR 30,000 - 160,000

Conclusion: Investment in compliance is 10-50x smaller than the potential cost of non-compliance.

How Will DNSC Investigate?

Investigation powers:

  1. On-site audits - with or without notice
  2. Information requests - with mandatory response deadline
  3. Security scans - to check for vulnerabilities
  4. Access to documents - policies, procedures, reports

What triggers an investigation:

  • Security incident reporting
  • Third-party complaints
  • Scheduled audit
  • Media reports
  • Random checks

Recommendations for Minimizing Risk

  1. Register on time - avoid automatic fines for non-registration
  2. Document everything - evidence of compliance protects you
  3. Report incidents - within established timeframes (24h/72h)
  4. Train management - eliminate risk of gross negligence
  5. Implement controls - progressively, documented, verifiable

Conclusion

NIS2 penalties are designed to be deterrent. For Romanian organizations, the message is clear: compliance is no longer optional. Investment in cybersecurity and compliance management tools is now a business necessity, not a luxury.

NIS2 Manager is a product by BetterQA, one of Europe's top software testing companies.
