"Up to €10 million or 2% of worldwide turnover" is the headline. It is short, dramatic, and almost always misquoted in board decks. The actual rule sits in Article 34 of Directive (EU) 2022/2555 and reads, in full operational form, as a function of three things: a category, a formula, and a list of factors.
This is what your finance team needs to model.
The formula: not "or", but "whichever is higher"
Article 34(4) sets the essential entity ceiling: administrative fines of "a maximum of at least 10 000 000 EUR or of a maximum of at least 2% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the essential entity belongs, whichever is higher".
Article 34(5) sets the important entity ceiling: "a maximum of at least 7 000 000 EUR or of a maximum of at least 1.4% of the total worldwide annual turnover (...), whichever is higher".
The phrase "whichever is higher" is the part that gets dropped in shorthand. For an essential-entity group with €1 billion in worldwide turnover, the maximum is not €10 million — it is 2% × €1 billion = €20 million. For €10 billion, it is €200 million. The fixed-euro number only applies to entities small enough that 2% of their turnover would be lower than €10 million — roughly, groups under €500 million in revenue.
Equally important: the percentage is calculated on the undertaking (the group), not the legal entity that committed the breach. An essential-entity subsidiary of a multinational gets fined as a percentage of the parent's worldwide consolidated turnover. The text on this is unambiguous.
The factors: nine modifiers between zero and the ceiling
Article 34(3) lists what national competent authorities shall take into account when setting the actual fine inside that ceiling. The list is exhaustive in the directive but expansively interpreted in national transposition. The nine factors:
- The gravity and duration of the infringement.
- The damage caused or losses incurred by the entity, including economic, social, or environmental damage to third parties.
- The intentional or negligent character of the infringement.
- Action taken to prevent or mitigate damage.
- The degree of responsibility or any relevant previous infringements.
- The degree of cooperation with the competent authority.
- The manner in which the infringement became known, in particular whether the entity itself notified, and if so, with what timeliness.
- Adherence to approved codes of conduct or certified mechanisms.
- Any financial benefit gained or losses avoided as a result of the infringement.
The arithmetic implication: a clean factor profile (for example self-notification within 72 hours, full cooperation, ISO 27001 in force, prompt mitigation) reduces the fine. A bad factor profile (concealment, prior breach, intentional non-compliance, no certifications) drives it toward the ceiling. National competent authorities have started publishing approximate weighting tables (see the BSI's published methodology in Germany and the ACN's linee guida sanzionatorie in Italy), and the modifiers commonly span an order of magnitude.
A worst-case fine on a €1 billion turnover essential entity is €20 million. Best-case for the same entity, on the same infringement, is closer to €1 to €2 million. The work is not avoiding the fine — it is moving along the modifier scale.
Aggravators that meaningfully push toward the ceiling
Three factors consistently produce uplift in the published guidance:
- Failure to notify an incident within the 72-hour window of Article 23. This is the single most common aggravator because it is the most provable.
- Repeat infringement — a previous Article 21 finding within the past three years (national rules vary on the look-back).
- Intentional non-compliance documented in board minutes or internal emails. Discoverable evidence that the management body was warned of a measure being absent and elected not to address it is the worst-case modifier.
Mitigators that meaningfully reduce the fine
Equally consistently:
- Self-notification of the infringement to the competent authority before the regulator acts.
- A current ISO/IEC 27001 certification or equivalent national certification (BSI Grundschutz, INCIBE-CERT Esquema Nacional, ACN scheme, NCSC-IE certification path).
- Documented Article 20 board oversight — the same documents covered in our analysis of Article 20 (board minutes, training records, dated risk register) directly map to this factor.
- Prompt remediation with measurable closure dates communicated to the regulator.
Interaction with GDPR and DORA fines
Article 32(2) of NIS2 contains a coordination clause: where the same conduct triggers both NIS2 and GDPR or DORA enforcement, the competent authorities must coordinate to avoid double-jeopardy on the same facts. In practice, this rarely cancels a fine — it shifts which regulator is lead and which is informed. The aggregate exposure on a personal-data-breach incident that also constitutes an NIS2 significant incident is the higher of the two ceilings, not the sum.
For financial-sector entities also in scope of DORA, the combined ceiling is even more layered. A board-level decision to invest in compliance with the more stringent of the two (typically DORA for the financial-sector services concerned) is the defensible posture.
National variation
The directive sets minimum ceilings ("of at least"). Member States may set higher ceilings, and several have used the option:
- Germany: NIS2UmsuCG retains the directive minimums but adds explicit director-level civil liability under §32.
- France: ANSSI's enforcement framework follows the directive minimums; the Conseil d'État has supervisory jurisdiction over disputes.
- Spain, Italy, Ireland: directive minimums confirmed, with national procedural specifics on objection and appeal rights.
- Belgium: transposition went further, with explicit civil liability of natural persons exercising managerial functions.
The arithmetic is the directive's. The procedure and the appeal path are national. Boards modelling fine exposure should run the formula with the directive numbers and add a procedural-cost overlay specific to each Member State of operation.
What this means for the budget
The rational budgetary posture is not "set aside the maximum fine in case". It is:
- Model the ceiling based on group turnover.
- Plot the expected actual based on the entity's current factor profile (certifications, board governance, notification readiness, prior history).
- Treat the gap between the two as a control-investment business case. Every euro spent on a control that moves a factor from aggravator to mitigator is, in expected-value terms, paid back several times over against the fine ceiling.
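The three steps above, as an added example that is not part of the article and not any regulator's methodology: a small Python model that computes the Article 34(4)/(5) ceiling from group turnover and then places an expected fine inside that ceiling from a factor profile. The ceiling constants are the directive figures quoted earlier; the per-factor multipliers in FACTOR_WEIGHTS, the neutral-profile fraction and the two sample profiles are assumptions constructed for illustration and should be replaced with the relevant national weighting table before the numbers go into a board deck.

```python
"""Illustrative NIS2 Article 34 fine model (added example, not the article's own code).

Ceiling: fixed amount or percentage of worldwide group turnover, whichever is
higher (Article 34(4) for essential entities, 34(5) for important entities).
Everything below the ceiling (factor weights, neutral fraction, sample
profiles) is an ASSUMPTION for illustration, not a regulator's table.
"""
from typing import Dict, Literal

# Article 34(4): 10 000 000 EUR or 2 % of worldwide group turnover.
ESSENTIAL_FLOOR_EUR = 10_000_000
ESSENTIAL_BASIS_POINTS = 200          # 2.0 %
# Article 34(5): 7 000 000 EUR or 1.4 % of worldwide group turnover.
IMPORTANT_FLOOR_EUR = 7_000_000
IMPORTANT_BASIS_POINTS = 140          # 1.4 %

# ASSUMED share of the ceiling for an entity whose nine factors are all neutral.
ASSUMED_NEUTRAL_FRACTION = 0.5

# ASSUMED (mitigating, aggravating) multipliers, one per Article 34(3) factor.
# Neutral is always 1.0. Replace with the national weighting table in use.
FACTOR_WEIGHTS = {
    "gravity_and_duration": (0.8, 1.5),
    "damage_to_third_parties": (0.8, 1.5),
    "intent_or_negligence": (0.75, 2.0),
    "mitigation_action": (0.75, 1.5),
    "previous_infringements": (0.9, 1.5),
    "cooperation": (0.75, 1.5),
    "self_notification_within_72h": (0.6, 2.0),   # most provable aggravator
    "certified_isms": (0.8, 1.25),                # e.g. ISO/IEC 27001 in force
    "financial_benefit": (0.9, 1.5),
}

Assessment = Literal["mitigating", "neutral", "aggravating"]

# Constructed sample profiles: every factor clean, and every factor bad.
CLEAN_PROFILE: Dict[str, Assessment] = {f: "mitigating" for f in FACTOR_WEIGHTS}
BAD_PROFILE: Dict[str, Assessment] = {f: "aggravating" for f in FACTOR_WEIGHTS}


def ceiling_eur(group_turnover_eur: int, essential: bool) -> int:
    """Maximum fine in whole euros: max(fixed floor, percentage of GROUP turnover).

    The percentage is taken on the undertaking the entity belongs to, not on
    the legal entity that committed the breach.
    """
    if group_turnover_eur < 0:
        raise ValueError("turnover must be non-negative")
    floor, bp = (
        (ESSENTIAL_FLOOR_EUR, ESSENTIAL_BASIS_POINTS)
        if essential
        else (IMPORTANT_FLOOR_EUR, IMPORTANT_BASIS_POINTS)
    )
    return max(floor, group_turnover_eur * bp // 10_000)


def factor_multiplier(profile: Dict[str, Assessment]) -> float:
    """Product of the assumed per-factor multipliers; unlisted factors count as neutral."""
    multiplier = 1.0
    for factor, assessment in profile.items():
        if factor not in FACTOR_WEIGHTS:
            raise KeyError(f"unknown Article 34(3) factor: {factor}")
        mitigating, aggravating = FACTOR_WEIGHTS[factor]
        if assessment == "mitigating":
            multiplier *= mitigating
        elif assessment == "aggravating":
            multiplier *= aggravating
        elif assessment != "neutral":
            raise ValueError(f"bad assessment for {factor}: {assessment}")
    return multiplier


def expected_fine_eur(group_turnover_eur: int, essential: bool,
                      profile: Dict[str, Assessment]) -> int:
    """Expected fine under the assumed model, never above the Article 34 ceiling."""
    cap = ceiling_eur(group_turnover_eur, essential)
    raw = cap * ASSUMED_NEUTRAL_FRACTION * factor_multiplier(profile)
    return min(cap, round(raw))


def control_investment_gap_eur(group_turnover_eur: int, essential: bool,
                               current: Dict[str, Assessment],
                               target: Dict[str, Assessment]) -> int:
    """Expected-value reduction from moving the factor profile from current to target."""
    return (expected_fine_eur(group_turnover_eur, essential, current)
            - expected_fine_eur(group_turnover_eur, essential, target))


if __name__ == "__main__":
    turnover = 1_000_000_000  # constructed: EUR 1 bn worldwide group turnover
    print("ceiling (essential):", ceiling_eur(turnover, True))
    print("expected, clean profile:", expected_fine_eur(turnover, True, CLEAN_PROFILE))
    print("expected, bad profile:  ", expected_fine_eur(turnover, True, BAD_PROFILE))
    print("business case for controls:",
          control_investment_gap_eur(turnover, True, BAD_PROFILE, CLEAN_PROFILE))
```

Under these assumed weights the EUR 1 bn essential entity carries a EUR 20 million ceiling, sits at about EUR 1 million with every factor clean and at the full ceiling with every factor bad, which is the gap the budget discussion above turns into a control-investment case. Swapping FACTOR_WEIGHTS for the published national table is the only change needed to make the output jurisdiction-specific.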
That is the conversation Article 34 actually invites. The headline number is the start, not the answer.
Sources
- Directive (EU) 2022/2555, Article 34 ("General conditions for imposing administrative fines").
- Directive (EU) 2022/2555, Article 34(4) and 34(5) (essential and important entity ceilings).
- Directive (EU) 2022/2555, Article 34(3) (factors to be taken into account when imposing fines).
- Directive (EU) 2022/2555, Article 32(2) (coordination with GDPR and other Union law penalties).
- Directive (EU) 2022/2555, Article 23 (incident reporting obligations — referenced as a fine factor).
- Directive (EU) 2022/2555, recitals 130 to 135 (sanctions and enforcement).
- National competent authority enforcement guidance: BSI (DE), ANSSI (FR), INCIBE (ES), ACN (IT), NCSC-IE (IE), and ENISA cross-Member-State analysis.