Industry News · 5 April 2026 · 7 min read

NIS2 Enforcement Is Here: First Penalties, Supervisory Trends, and What Auditors Are Actually Checking

By ArvexLab Team — Compliance Research

2026: The Year Enforcement Gets Real

The NIS2 Directive required EU member states to transpose it into national law by 17 October 2024. While several countries met this deadline, implementation across Europe has been uneven. As of early 2026, 13 of 27 member states still have not fully completed transposition — creating a patchwork of enforcement readiness across the continent.

Despite this fragmentation, 2026 marks a definitive shift. The countries that have transposed NIS2 — including Germany, Belgium, Croatia, and Hungary — are moving from registration to active supervision. Supervisory authorities are hiring staff, building inspection frameworks, and issuing their first enforcement actions.

For organizations in scope, the era of preparation is over. The era of enforcement has begun.

The Transposition Gap

The slow pace of transposition has created significant uncertainty. The EU Commission has publicly criticized delays and in early 2026 proposed a set of reforms to strengthen NIS2 implementation, including:

  • Mandatory ransomware reporting as a distinct incident category
  • Expanded scope to capture additional digital service providers
  • Harmonized enforcement guidelines to reduce divergence between member states
  • Streamlined cross-border incident coordination through ENISA

These proposed reforms signal that the EU is doubling down on NIS2, not softening it. Organizations that have been waiting for clarity should treat the current requirements as the floor, not the ceiling.

What Supervisory Authorities Are Checking First

Based on early enforcement activity and published supervisory strategies, here are the areas authorities are prioritizing:

1. Incident Reporting Compliance

The 24h/72h/1-month reporting cadence is the most immediately verifiable requirement. Authorities are checking:

  • Whether organizations have registered with their national CSIRT
  • Whether incident detection capabilities are in place
  • Whether reported incidents follow the prescribed timeline
  • Whether early warnings are being submitted (not just detailed reports)

Some countries have deviated from the standard NIS2 timeline. Cyprus, for example, requires an early warning within 6 hours rather than 24 — stricter than the directive mandates.
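Because the reporting timeline is the first thing authorities verify, a practitioner will want a way to compute the three deadlines for each incident and flag submissions that missed them. The following is an added example, not code from the article or from ArvexLab: it derives the early-warning, incident-notification and final-report deadlines from the 24h/72h/1-month cadence above, allows a stricter national early-warning window (the 6h Cyprus figure cited above; the per-country table is otherwise a placeholder), and classifies each stage of a set of constructed sample incidents. Two assumptions are labelled in the code: "1 month" is approximated as 30 days, and the final-report clock is counted from the moment the 72h notification was actually sent (or from its deadline if it never was).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Early-warning window in hours by supervising state. Constructed table for
# this example: 24h is the directive baseline, 6h is the Cyprus figure the
# article cites. Any other country code falls back to the baseline.
EARLY_WARNING_HOURS: Dict[str, int] = {"EU": 24, "CY": 6}
NOTIFICATION_HOURS = 72
# Assumption: "1 month" approximated as 30 days, counted from when the 72h
# incident notification was actually sent, or from its deadline if unsent.
FINAL_REPORT_DAYS = 30


@dataclass
class Incident:
    ident: str
    country: str                  # ISO 3166-1 alpha-2 code of the supervising state
    became_aware: datetime        # timezone-aware UTC timestamp
    early_warning_sent: Optional[datetime] = None
    notification_sent: Optional[datetime] = None
    final_report_sent: Optional[datetime] = None


def deadlines(inc: Incident) -> Dict[str, datetime]:
    """Return the early-warning, notification and final-report deadlines."""
    ew_hours = EARLY_WARNING_HOURS.get(inc.country, EARLY_WARNING_HOURS["EU"])
    ew_due = inc.became_aware + timedelta(hours=ew_hours)
    notif_due = inc.became_aware + timedelta(hours=NOTIFICATION_HOURS)
    final_base = inc.notification_sent or notif_due
    final_due = final_base + timedelta(days=FINAL_REPORT_DAYS)
    return {"early_warning": ew_due, "notification": notif_due, "final_report": final_due}


def _status(sent: Optional[datetime], due: datetime, now: datetime) -> str:
    """on_time / late if a submission exists, pending / overdue if it does not."""
    if sent is not None:
        return "on_time" if sent <= due else "late"
    return "overdue" if now > due else "pending"


def check(inc: Incident, now: datetime) -> Dict[str, str]:
    """Classify each reporting stage of one incident as of `now`."""
    due = deadlines(inc)
    return {
        "early_warning": _status(inc.early_warning_sent, due["early_warning"], now),
        "notification": _status(inc.notification_sent, due["notification"], now),
        "final_report": _status(inc.final_report_sent, due["final_report"], now),
    }


def _utc(*args: int) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample incidents; not real cases.
SAMPLE = [
    Incident("INC-A", "DE", _utc(2026, 3, 1, 9, 0),
             early_warning_sent=_utc(2026, 3, 1, 20, 0),   # 11h after awareness: within 24h
             notification_sent=_utc(2026, 3, 3, 9, 0)),    # 48h after awareness: within 72h
    Incident("INC-B", "CY", _utc(2026, 3, 1, 9, 0),
             early_warning_sent=_utc(2026, 3, 1, 18, 0)),  # 9h: late under the 6h rule
]


def report(now: datetime) -> Dict[str, Dict[str, str]]:
    """Status of every stage of every sample incident as of `now`."""
    return {inc.ident: check(inc, now) for inc in SAMPLE}


if __name__ == "__main__":
    for ident, statuses in report(_utc(2026, 3, 10, 12, 0)).items():
        print(ident, statuses)
```

Run as-is it evaluates the two sample incidents as of 10 March 2026: INC-A is on time for both early stages with the final report still pending, while INC-B's early warning is late against the 6h window and its 72h notification is overdue. Feeding real incident records into `check` with the national window for your supervising authority gives the same evidence an auditor checking "whether reported incidents follow the prescribed timeline" will ask for.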

2. Management Body Training

NIS2 Article 20 requires that management bodies receive cybersecurity training and approve cybersecurity risk-management measures. Auditors are looking for:

  • Documented evidence that board members or C-suite executives have completed cybersecurity training
  • Board-level approval of the organization's security policies
  • Evidence that management bodies are actively overseeing cybersecurity (meeting minutes, risk committee reports)

This is a frequent gap. Many organizations have robust technical security programmes but cannot demonstrate management-level engagement.

3. Supply Chain Documentation

NIS2 Article 21(2)(d) requires organizations to secure their supply chains. Auditors want to see:

  • A complete inventory of critical ICT suppliers
  • Documented risk assessments for key vendors
  • Contractual clauses covering security requirements, incident notification, and audit rights
  • Evidence of ongoing vendor monitoring

The depth of documentation expected varies by entity tier. Essential entities face the highest bar.

4. Registration Completeness

In countries where registration portals are live (Germany's BSI portal opened January 2026), authorities are cross-referencing registrations against expected in-scope entities. Organizations that should have registered but have not are being flagged for follow-up.

Supervisory Approaches by Country

Enforcement style varies significantly across the EU. Here is how key supervisory authorities are approaching NIS2:

| Country | Authority | Approach | Key Focus |
|---|---|---|---|
| Germany | BSI | Proactive audits for essential entities; reactive for important | IT-Grundschutz alignment, BSI C5 for cloud, registration compliance |
| France | ANSSI | Risk-based inspections, sector-by-sector rollout | Critical infrastructure operators first, incident reporting capability |
| Italy | ACN | Phased supervision, starting with Annex I entities | National cybersecurity perimeter alignment, incident notification |
| Belgium | CCB | CyFun framework as compliance benchmark | CyberFundamentals certification, maturity-based assessments |
| Netherlands | NCSC / sectoral regulators | Sector-specific supervision | Coordination with existing sector regulators (DNB for finance, ACM for telecom) |
| Spain | CCN-CERT / INCIBE | ENS alignment for public and private sectors | National Security Framework (ENS) mapping to NIS2 |

Notable Divergences

While NIS2 sets minimum standards, member states can impose stricter requirements. Watch for:

  • Shorter reporting timelines — Cyprus (6h), and others may follow
  • Additional sectors — Some states are adding sectors beyond the NIS2 minimum
  • Lower size thresholds — States can designate smaller entities as in scope based on criticality
  • Certification requirements — Belgium's CyFun certification is effectively mandatory for NIS2 compliance

The Penalty Landscape

NIS2 establishes maximum penalty thresholds that member states must implement:

| Entity Type | Maximum Fine |
|---|---|
| Essential entities | €10M or 2% of global annual turnover (whichever is higher) |
| Important entities | €7M or 1.4% of global annual turnover |

Beyond Financial Penalties

The penalty regime extends beyond fines:

  • Public naming and shaming — Supervisory authorities can publicly identify non-compliant entities
  • Personal liability for management — Individuals in management bodies can face personal sanctions, including temporary bans from exercising managerial functions
  • Compliance orders — Authorities can issue binding instructions requiring specific security measures within defined timelines
  • Operational restrictions — In extreme cases, services can be suspended until compliance is achieved

Early Enforcement Signals

While large-scale fines have not yet materialized in early 2026, supervisory authorities have begun issuing:

  • Warning letters to entities that missed registration deadlines
  • Information requests to verify compliance readiness
  • Compliance orders in cases where critical incidents revealed obvious security gaps

The pattern mirrors early GDPR enforcement — a period of warnings and corrective measures before significant fines emerge.

Preparing for Your First NIS2 Audit

Whether your audit is triggered proactively (essential entities) or reactively (important entities), preparation is the same. Use this checklist:

Audit Readiness Checklist

  1. Registration verified — Confirm your entity is registered with the relevant national authority and all information is current
  2. Risk assessment documented — A formal, dated risk assessment covering all NIS2 Art. 21 measures, with clear methodology and management sign-off
  3. Incident response plan tested — Not just documented, but tested through tabletop exercises or simulations within the last 12 months
  4. Reporting capability demonstrated — Show that you can detect an incident and submit an early warning to your CSIRT within 24 hours (or your national deadline)
  5. Management training records — Dated certificates or attendance records showing that management bodies have completed cybersecurity training
  6. Supply chain inventory complete — List of critical suppliers with risk assessments, contract clauses, and monitoring evidence
  7. Evidence pack ready — All documentation organized and cross-referenced to NIS2 Art. 21 requirements

Use a platform with evidence pack export capability to generate structured audit documentation on demand.

What Comes Next

NIS2 enforcement will accelerate throughout 2026 and into 2027. Expect:

  • First significant fines in late 2026, likely targeting entities that failed to register or report incidents
  • Sector-specific audits focused on energy, transport, and healthcare — the sectors with the highest potential impact
  • Cross-border coordination through the EU Cyber Crises Liaison Organisation Network (EU-CyCLONe)
  • Tighter integration with DORA for financial entities subject to both regimes

Organizations that have invested in structured compliance programmes will find the audit process straightforward. Those that have been waiting will face a scramble — and supervisory authorities have made clear they have little patience for delays.

FAQ

Q: Can supervisory authorities audit important entities proactively, or only after an incident?

This varies by member state. NIS2 allows for proactive audits of essential entities and reactive supervision of important entities. However, several member states (including Germany) have indicated they may conduct random audits of important entities as well. The safest assumption is that any in-scope entity could be audited at any time.

Q: What happens if my country hasn't fully transposed NIS2 yet?

Even in countries with incomplete transposition, the EU directive creates obligations that national courts may enforce through direct effect. Additionally, the EU Commission has initiated infringement proceedings against late-transposing states, which will accelerate implementation. Do not wait for national law to catch up — prepare based on the directive itself.

Q: Are auditors expecting full compliance immediately, or is there a grace period?

Most supervisory authorities have indicated a phased approach — focusing first on registration, incident reporting, and management accountability before conducting deep technical audits. However, there is no formal grace period. If an incident occurs and you cannot demonstrate basic compliance, penalties apply.
