NIS2 Art.33–36: Reactive Supervision, Fine Conditions, and Administrative Fines for Essential and Important Entities — Developer Guide (2026)
Articles 29–32 established two distinct tracks: a voluntary cooperation framework (information sharing, voluntary notification) and a proactive supervisory regime for essential entities (on-site inspections, TLPT, CEO liability). Articles 33–36 complete the picture by defining how NCAs enforce compliance against important entities and specifying the administrative fine framework that applies to all covered entities.
Art.33–36 answers the questions compliance teams ask most often:
- What can an NCA actually do to our organisation if we fail an inspection?
- How are fines calculated — and what factors reduce or increase them?
- If we're simultaneously covered by GDPR and NIS2, can we be fined twice for the same incident?
- What is the maximum penalty exposure for an essential vs. important entity?
The answers shape risk-based investment decisions in cybersecurity governance far more directly than any technical standard.
Art.33: Supervisory and Enforcement Measures for Important Entities
The Ex-Post Principle
Art.33 defines the supervisory regime for important entities — and the defining characteristic is that it is reactive (ex-post). This contrasts with the essential entity regime under Art.32, which is proactive (ex-ante).
| Feature | Essential Entity (Art.32) | Important Entity (Art.33) |
|---|---|---|
| Supervision timing | Ex-ante — NCA may audit at any time | Ex-post — triggered by evidence or complaint |
| Trigger required | No | Yes — incident, complaint, or evidence of non-compliance |
| TLPT obligation | Yes (NCA-directed) | No (NCA may request, not mandate) |
| Inspection frequency | Regular cycle possible | On-demand only |
| Proactive risk-based monitoring | Yes | No |
The ex-post principle matters significantly for compliance strategy. An important entity that has no known incidents and receives no complaints operates largely outside active NCA scrutiny — but only until an incident occurs. At that point, the full supervisory toolkit of Art.33 becomes available to the NCA.
Art.33 Supervisory Toolkit
When triggered, NCAs may deploy the following measures against important entities:
Reactive audits and inspections:
- On-site and off-site inspections (but not routine — triggered by incident/evidence)
- Targeted security audits by an independent body at the entity's expense
- Ad-hoc security scans
- Requests for access to data, documents, and information relevant to the audit scope
Information orders:
- Mandatory provision of documentation demonstrating compliance (Art.21 risk management measures)
- Information about cybersecurity policies, risk assessments, technical measures
- Evidence of training completion, incident response exercises, BCDR test results
Corrective measures:
- Compliance orders specifying required technical or organisational changes
- Binding instructions to adopt specific security measures within a defined timeframe
- Orders to inform affected individuals of cybersecurity threats where the entity failed to do so
- Orders to make public specific aspects of non-compliance where disclosure would protect other entities
Escalation:
- Referral to law enforcement authorities for potential criminal sanctions (Art.37)
- Referral to other competent authorities (DPA for GDPR overlap, financial regulator for DORA overlap)
- Temporary suspension of relevant activities (reserved for persistent, severe non-compliance)
Triggering Conditions for Art.33 Activation
NCAs activate Art.33 supervisory powers based on:
- Notified incidents — an Art.23 incident notification that suggests systemic security failure
- Third-party complaints — complaints from customers, suppliers, or affected parties
- NCA own-initiative evidence — intelligence from CSIRT operations, ENISA advisories, or cross-border cooperation revealing risk at a specific entity
- Voluntary notification under Art.30 — non-covered entities that report incidents may implicate a covered entity's supply chain
- Cross-border NCA cooperation — an NCA in another Member State requests supervisory action based on incidents affecting their jurisdiction
from enum import Enum
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional
class Art33Trigger(Enum):
NOTIFIED_INCIDENT = "notified_incident"
THIRD_PARTY_COMPLAINT = "third_party_complaint"
OWN_INITIATIVE = "nca_own_initiative"
VOLUNTARY_NOTIFICATION = "art30_voluntary"
CROSS_BORDER_REQUEST = "cross_border_cooperation"
class SupervisoryTool(Enum):
ON_SITE_INSPECTION = "on_site_inspection"
OFF_SITE_AUDIT = "off_site_audit"
TARGETED_SECURITY_AUDIT = "targeted_security_audit" # at entity's expense
SECURITY_SCAN = "ad_hoc_scan"
INFORMATION_ORDER = "information_order"
COMPLIANCE_ORDER = "compliance_order"
BINDING_INSTRUCTION = "binding_instruction"
PUBLIC_DISCLOSURE_ORDER = "public_disclosure"
ESCALATION_LAW_ENFORCEMENT = "escalation_le"
ESCALATION_FINANCIAL_REGULATOR = "escalation_fin_reg"
ESCALATION_DPA = "escalation_dpa"
@dataclass
class Art33SupervisoryAction:
trigger: Art33Trigger
entity_type: str # "important" — Art.33 applies to important entities
triggered_at: datetime
tools_deployed: list[SupervisoryTool] = field(default_factory=list)
cross_regulation_referral: bool = False
escalation_path: Optional[str] = None
def is_lawful(self) -> bool:
"""Art.33 requires a trigger — pure proactive audits not permitted."""
if self.entity_type != "important":
return False # Art.33 only for important entities; Art.32 for essential
return self.trigger is not None
def requires_entity_expense(self) -> bool:
"""Targeted security audits under Art.33 are conducted at the entity's expense."""
return SupervisoryTool.TARGETED_SECURITY_AUDIT in self.tools_deployed
def assess_escalation_need(self) -> list[str]:
escalation_targets = []
if self.cross_regulation_referral:
if SupervisoryTool.ESCALATION_DPA in self.tools_deployed:
escalation_targets.append("Data Protection Authority (GDPR Art.83)")
if SupervisoryTool.ESCALATION_FINANCIAL_REGULATOR in self.tools_deployed:
escalation_targets.append("Financial Supervisor (DORA Art.65)")
return escalation_targets
Art.33 and the Supervision Gap: What Ex-Post Means Practically
The ex-post principle creates an asymmetric risk profile for important entities:
Period without incident: Minimal active NCA scrutiny. Compliance efforts are self-managed. Risk of undetected non-compliance accumulates without correction.
Post-incident period: Full Art.33 toolkit activated simultaneously with incident response. NCAs may request documentation, conduct audits, and issue corrective orders while the entity is still in active incident response mode. This dual burden — managing the incident AND satisfying NCA information orders — is one of the most operationally difficult aspects of NIS2 enforcement.
Practical implication: Important entities should maintain continuous-readiness documentation (Art.21 risk management evidence, training records, BCDR test results) not because of proactive inspection risk but because of the incident-triggered audit risk. The NCA's first question after receiving an Art.23 notification is invariably: "Show us your risk management measures documentation."
Art.34: General Conditions for Imposing Administrative Fines
Art.34 establishes the legal framework under which NCAs may impose administrative fines. It does not specify the fine amounts (that is Art.35-36) but defines the conditions, factors, and procedural requirements that govern every fine decision.
The Proportionality Requirement
Art.34(1) requires that administrative fines be effective, proportionate, and dissuasive. This is not aspirational language — it creates a legal obligation that NCAs must document in any fine decision. An NCA that imposes a maximum fine on a micro-enterprise for a first-time, low-severity violation would likely be successfully challenged on proportionality grounds.
Proportionality requires NCAs to assess:
- The nature, gravity, and duration of the violation
- Whether the violation was intentional or negligent
- Actions taken to mitigate damage
- Degree of responsibility of the entity
- Relevant previous violations
- Degree of cooperation with the NCA
- Categories of personal data affected (GDPR overlap dimension)
- Any relevant financial benefit gained or loss avoided
Art.34 Aggravating Factors
| Factor | Weight in Practice |
|---|---|
| Intentional violation (not merely negligent) | Significant — moves fine toward upper range |
| Previous violations of NIS2 or predecessor NIS1 | Significant — demonstrated pattern of non-compliance |
| Failure to notify Art.23 incident | High — notification obligation is core to NIS2 |
| Active obstruction of NCA supervisory measures | High — undermines the regulatory framework |
| Multiple violations in a single audit | Cumulative — each violation independently assessed |
| Violation affecting critical services (hospitals, energy) | High — downstream impact on other essential services |
| Widespread geographic impact | Moderate to high |
Art.34 Mitigating Factors
| Factor | Weight in Practice |
|---|---|
| Immediate self-disclosure of violation to NCA | Significant — demonstrates good faith |
| Full cooperation with investigation | Significant |
| First violation with no prior NIS2/NIS1 findings | Significant — clean compliance history |
| Voluntary adoption of remediation measures before NCA order | Moderate |
| Financial hardship (documented impact on smaller entities) | Moderate — particularly relevant for SMEs |
| Certification under an approved NIS2 cybersecurity scheme | Moderate — demonstrates investment in compliance |
| Rapid containment of incident impact | Moderate |
GDPR Overlap: Single Act, Multiple Penalties
Art.34(3) contains a critical provision: when the same conduct constitutes a violation of both NIS2 and GDPR, only the higher of the two penalties applies — not both cumulatively. This is the NIS2 answer to double-jeopardy concerns.
However, the provision has important limitations:
- It applies only where the same conduct triggers both violations (e.g., a data breach that is simultaneously an Art.23 notifiable incident and an Art.33 GDPR notifiable breach)
- Procedural violations are independent: failing to implement Art.21 risk management measures (NIS2) is a separate violation from having inadequate data protection by design (GDPR Art.25) even if related
- The higher-fine rule requires coordination between the NCA and the relevant DPA — in practice this coordination is still maturing in most Member States
from dataclasses import dataclass
from typing import Optional
from enum import Enum
class ViolationType(Enum):
FAILURE_TO_IMPLEMENT_ART21 = "art21_failure"
FAILURE_TO_NOTIFY_ART23 = "art23_notification_failure"
OBSTRUCTION_OF_SUPERVISION = "obstruction"
FAILURE_TO_REGISTER_ART24 = "art24_registration"
SECTOR_SPECIFIC_VIOLATION = "sector_specific"
@dataclass
class FineFactor:
factor: str
direction: str # "aggravating" or "mitigating"
weight: float # 0.0-1.0 relative weight
applies: bool
@dataclass
class Art34FineConditions:
entity_type: str # "essential" or "important"
violation_type: ViolationType
intentional: bool
prior_violations: int
full_cooperation: bool
self_disclosed: bool
gdpr_overlap: bool
gdpr_fine_exposure: Optional[float] = None # EUR amount
nis2_fine_exposure: Optional[float] = None # EUR amount
def aggravating_factors(self) -> list[FineFactor]:
factors = []
if self.intentional:
factors.append(FineFactor("Intentional violation", "aggravating", 0.9, True))
if self.prior_violations > 0:
factors.append(FineFactor(f"{self.prior_violations} prior NIS2 violation(s)", "aggravating", min(0.8, self.prior_violations * 0.3), True))
if self.violation_type == ViolationType.FAILURE_TO_NOTIFY_ART23:
factors.append(FineFactor("Notification failure — core NIS2 obligation", "aggravating", 0.85, True))
if self.violation_type == ViolationType.OBSTRUCTION_OF_SUPERVISION:
factors.append(FineFactor("Active obstruction of NCA measures", "aggravating", 0.95, True))
return factors
def mitigating_factors(self) -> list[FineFactor]:
factors = []
if self.self_disclosed:
factors.append(FineFactor("Voluntary self-disclosure to NCA", "mitigating", 0.7, True))
if self.full_cooperation:
factors.append(FineFactor("Full cooperation with investigation", "mitigating", 0.65, True))
if self.prior_violations == 0:
factors.append(FineFactor("First violation — clean compliance history", "mitigating", 0.6, True))
return factors
def applicable_fine_cap(self) -> float:
"""Returns the fine cap based on entity type (before turnover comparison)."""
if self.entity_type == "essential":
return 10_000_000 # Art.35: EUR 10M or 2% global turnover
elif self.entity_type == "important":
return 7_000_000 # Art.36: EUR 7M or 1.4% global turnover
raise ValueError(f"Unknown entity type: {self.entity_type}")
def effective_fine_cap(self, global_annual_turnover: float) -> float:
"""Returns the higher of absolute cap or percentage of turnover."""
absolute_cap = self.applicable_fine_cap()
if self.entity_type == "essential":
turnover_cap = global_annual_turnover * 0.02
else:
turnover_cap = global_annual_turnover * 0.014
return max(absolute_cap, turnover_cap)
def gdpr_overlap_resolution(self) -> dict:
"""Art.34(3): where GDPR and NIS2 overlap, only the higher penalty applies."""
if not self.gdpr_overlap:
return {"overlap": False}
higher_fine = max(self.gdpr_fine_exposure or 0, self.nis2_fine_exposure or 0)
controlling_regulation = "GDPR" if (self.gdpr_fine_exposure or 0) > (self.nis2_fine_exposure or 0) else "NIS2"
return {
"overlap": True,
"gdpr_exposure": self.gdpr_fine_exposure,
"nis2_exposure": self.nis2_fine_exposure,
"applicable_fine": higher_fine,
"controlling_regulation": controlling_regulation,
"note": "Art.34(3): single violation cannot attract cumulative NIS2+GDPR penalties"
}
Art.35: Administrative Fines for Essential Entities
The EUR 10M / 2% Penalty Framework
Art.35 establishes the administrative fine ceiling for essential entities. Two caps apply — the NCA imposes the higher of the two:
- Absolute cap: EUR 10,000,000
- Turnover cap: 2% of total worldwide annual turnover in the preceding financial year (if this exceeds EUR 10M)
The "higher of" structure means large multinational essential entities face significantly higher fine exposure than the EUR 10M headline suggests. A telecommunications provider with EUR 5 billion in global turnover faces a EUR 100 million maximum fine — 10× the absolute cap.
Which Violations Attract Art.35 Fines
Art.35 fines apply to essential entities that:
| Violation | NIS2 Article |
|---|---|
| Fail to implement risk management measures | Art.21 |
| Fail to report a significant incident within required timelines | Art.23 |
| Fail to register with the NCA as required | Art.24 |
| Fail to comply with sector-specific obligations (DNS/TLD/Cloud/DC) | Art.25–28 |
| Fail to comply with an NCA compliance order or binding instruction | Art.32 |
| Fail to cooperate with NCA supervisory measures | Art.32 |
Art.35 and Management Personal Liability
Art.35 is linked to Art.20's management responsibility provisions. Where an NCA determines that an Art.21 failure was attributable to a specific management decision or deliberate neglect by senior management:
- The NCA may impose a fine on the entity under Art.35
- The NCA may also pursue Art.32(6) temporary management ban proceedings
- Member States may additionally impose personal liability on management bodies (several have transposed this — Germany §36 BSIG, Netherlands Art.3.2 Cyberbeveiligingswet)
The compounding effect — entity fine + management ban + potential personal civil liability — creates strong incentives for executive-level cybersecurity engagement.
@dataclass
class Art35EssentialEntityFine:
entity_name: str
global_annual_turnover: float # EUR
violation: ViolationType
intentional: bool = False
prior_nis2_violations: int = 0
fully_cooperative: bool = True
def maximum_fine(self) -> float:
"""Art.35: higher of EUR 10M or 2% of global annual turnover."""
return max(10_000_000, self.global_annual_turnover * 0.02)
def estimated_fine_range(self) -> tuple[float, float]:
"""
Returns (floor, ceiling) based on proportionality analysis.
Not legally determinative — illustrative of factor-weighted range.
"""
max_fine = self.maximum_fine()
base_rate = 0.15 # starting at 15% of maximum for first violation
# Apply aggravating factors
if self.intentional:
base_rate += 0.40
if self.prior_nis2_violations > 0:
base_rate += min(0.30, self.prior_nis2_violations * 0.10)
if self.violation == ViolationType.FAILURE_TO_NOTIFY_ART23:
base_rate += 0.20
if self.violation == ViolationType.OBSTRUCTION_OF_SUPERVISION:
base_rate += 0.35
# Apply mitigating factors
if self.fully_cooperative:
base_rate -= 0.10
floor_rate = max(0.05, base_rate - 0.10)
ceiling_rate = min(1.00, base_rate + 0.10)
return (max_fine * floor_rate, max_fine * ceiling_rate)
def management_ban_risk(self) -> str:
"""Art.32(6) management ban risk assessment."""
if self.intentional and self.prior_nis2_violations >= 1:
return "HIGH — deliberate repeat violation: NCA may initiate Art.32(6) proceedings"
if self.violation == ViolationType.OBSTRUCTION_OF_SUPERVISION:
return "HIGH — obstruction triggers Art.32(6) independently"
if self.intentional:
return "MEDIUM — intentional violation: NCA may assess management accountability"
return "LOW — negligent first violation: unlikely without persistent non-compliance"
def summary(self) -> dict:
floor, ceiling = self.estimated_fine_range()
return {
"entity": self.entity_name,
"entity_type": "essential",
"article": "Art.35",
"maximum_fine_eur": self.maximum_fine(),
"estimated_floor_eur": floor,
"estimated_ceiling_eur": ceiling,
"management_ban_risk": self.management_ban_risk(),
}
Art.36: Administrative Fines for Important Entities
The EUR 7M / 1.4% Penalty Framework
Art.36 mirrors Art.35 but with lower ceilings for important entities:
- Absolute cap: EUR 7,000,000
- Turnover cap: 1.4% of total worldwide annual turnover
The same "higher of" logic applies. A mid-sized cloud service provider with EUR 1 billion in global turnover faces a EUR 14 million maximum fine — double the absolute cap.
Key Differences from Art.35
| Dimension | Essential (Art.35) | Important (Art.36) |
|---|---|---|
| Maximum absolute fine | EUR 10,000,000 | EUR 7,000,000 |
| Turnover percentage | 2% | 1.4% |
| Supervisory regime | Proactive (Art.32) | Reactive (Art.33) |
| TLPT obligation | Yes | No |
| Management ban exposure | Art.32(6) | Art.33 + member state discretion |
Art.36 and the SME Problem
The EUR 7M absolute cap is structurally challenging for important entities in the SME range. A medium-scale SaaS provider with EUR 20 million in revenue faces:
- Absolute cap: EUR 7M
- Turnover cap: EUR 280,000 (1.4% of EUR 20M)
- Applicable cap: EUR 7M — the absolute cap dominates by a factor of 25×
This creates a proportionality tension that many Member State NCAs are navigating during transposition: a EUR 7M fine on a EUR 20M-revenue company is effectively existential. Recital 143 NIS2 and Art.34(1)'s proportionality requirement provide the legal basis for NCAs to calibrate actual fines well below the ceiling in such cases.
@dataclass
class Art36ImportantEntityFine:
entity_name: str
global_annual_turnover: float # EUR
violation: ViolationType
intentional: bool = False
prior_nis2_violations: int = 0
fully_cooperative: bool = True
def maximum_fine(self) -> float:
"""Art.36: higher of EUR 7M or 1.4% of global annual turnover."""
return max(7_000_000, self.global_annual_turnover * 0.014)
def sme_proportionality_concern(self) -> bool:
"""Flag when absolute cap dominates turnover cap by >10x — proportionality risk."""
return (7_000_000 / (self.global_annual_turnover * 0.014)) > 10
def estimated_fine_range(self) -> tuple[float, float]:
max_fine = self.maximum_fine()
base_rate = 0.10 # lower starting point for important entities vs essential
if self.intentional:
base_rate += 0.35
if self.prior_nis2_violations > 0:
base_rate += min(0.25, self.prior_nis2_violations * 0.08)
if self.violation == ViolationType.FAILURE_TO_NOTIFY_ART23:
base_rate += 0.18
if self.fully_cooperative:
base_rate -= 0.08
# SME proportionality adjustment
if self.sme_proportionality_concern():
base_rate -= 0.15 # NCAs typically apply further reduction
floor_rate = max(0.02, base_rate - 0.08)
ceiling_rate = min(1.00, base_rate + 0.10)
return (max_fine * floor_rate, max_fine * ceiling_rate)
def summary(self) -> dict:
floor, ceiling = self.estimated_fine_range()
return {
"entity": self.entity_name,
"entity_type": "important",
"article": "Art.36",
"maximum_fine_eur": self.maximum_fine(),
"estimated_floor_eur": floor,
"estimated_ceiling_eur": ceiling,
"sme_proportionality_concern": self.sme_proportionality_concern(),
}
Multi-Regulation Overlap: NIS2, GDPR, DORA, and CER
GDPR Art.83 and NIS2 Art.35/36
The most common multi-regulation overlap is between NIS2 and GDPR. A security breach affecting personal data simultaneously triggers:
- NIS2 Art.23: incident notification to CSIRT
- GDPR Art.33: personal data breach notification to DPA within 72 hours
- GDPR Art.34: communication to affected data subjects (where high risk)
If the same breach also constitutes a failure to implement appropriate security measures:
- NIS2 Art.21: failure to implement risk management measures → Art.35 or Art.36 fine
- GDPR Art.32: failure to implement appropriate technical measures → Art.83(4) fine (EUR 10M / 2%)
Art.34(3) coordination mechanism:
Where the same conduct triggers both violations, Art.34(3) NIS2 requires that only the higher applicable penalty is imposed. In practice, this requires active coordination between the NCA (supervising NIS2) and the DPA (supervising GDPR). Most Member States have established coordination protocols, but their effectiveness varies.
@dataclass
class MultiRegulationExposure:
"""Calculates penalty exposure where NIS2, GDPR, DORA, or CER overlap."""
entity_name: str
global_annual_turnover: float
entity_nis2_type: str # "essential" or "important"
# Violation flags
nis2_art21_failure: bool = False
nis2_art23_failure: bool = False
gdpr_art32_failure: bool = False # same technical measure failure
gdpr_art33_failure: bool = False # notification failure
dora_art13_failure: bool = False # DORA ICT risk management (financial sector)
cer_art17_failure: bool = False # CER Directive (critical entity resilience)
def nis2_maximum(self) -> float:
if self.entity_nis2_type == "essential":
return max(10_000_000, self.global_annual_turnover * 0.02)
return max(7_000_000, self.global_annual_turnover * 0.014)
def gdpr_art83_maximum(self) -> float:
"""GDPR Art.83(4): EUR 10M / 2% for Art.32 violations."""
return max(10_000_000, self.global_annual_turnover * 0.02)
def gdpr_art83_tier2_maximum(self) -> float:
"""GDPR Art.83(5): EUR 20M / 4% for core GDPR principle violations."""
return max(20_000_000, self.global_annual_turnover * 0.04)
def dora_art65_maximum(self) -> float:
"""DORA Art.65: Member State discretion — typically EUR 5M or % of turnover."""
return max(5_000_000, self.global_annual_turnover * 0.01)
def overlap_analysis(self) -> dict:
exposures = {}
# Check NIS2 exposure
if self.nis2_art21_failure or self.nis2_art23_failure:
exposures["nis2"] = self.nis2_maximum()
# Check GDPR overlap — Art.34(3) may apply
if self.gdpr_art32_failure and self.nis2_art21_failure:
# Same technical measure failure = Art.34(3) overlap
exposures["gdpr_art83_4"] = self.gdpr_art83_maximum()
higher = max(exposures.get("nis2", 0), exposures["gdpr_art83_4"])
exposures["art34_3_resolution"] = {
"applies": True,
"single_fine_cap": higher,
"note": "Same conduct — Art.34(3) limits to single penalty (higher of NIS2/GDPR)"
}
# Notification failures are separate conduct — both may apply
if self.gdpr_art33_failure and self.nis2_art23_failure:
exposures["notification_fine_nis2"] = self.nis2_maximum()
exposures["notification_fine_gdpr"] = self.gdpr_art83_maximum()
exposures["notification_overlap_note"] = (
"Notification violations are independently assessed — "
"NIS2 CSIRT vs GDPR DPA are separate obligations. "
"Art.34(3) coordination still required for final determination."
)
# DORA is separate regulation — no Art.34(3) applies
if self.dora_art13_failure:
exposures["dora"] = self.dora_art65_maximum()
exposures["dora_note"] = (
"DORA Art.65 penalties are independent — Art.34(3) only covers "
"NIS2/GDPR overlap. DORA financial sector penalties may accumulate."
)
return exposures
DORA Art.65 and NIS2 Art.35/36: The Financial Sector Problem
Financial entities covered by DORA (banks, investment firms, payment institutions, insurance) face a multi-regulation challenge that Art.34(3) does not resolve. DORA and NIS2 are separate regulations. Art.34(3) explicitly covers only the GDPR overlap — DORA penalties can accumulate with NIS2 penalties for the same incident.
In practice, financial sector NCAs (ECB/EBA/ESMA/national financial regulators) and cybersecurity NCAs coordinate proceedings, but there is no statutory single-penalty rule equivalent to Art.34(3) for DORA/NIS2 overlap.
DORA's ICT risk management failure: Under DORA Art.13 (response and recovery) and Art.17 (major incident reporting), a financial entity that suffers an ICT incident may face:
- DORA Art.65 fine from the financial regulator
- NIS2 Art.35/36 fine from the cybersecurity NCA (where the entity is also NIS2-covered)
The entity is NIS2-covered if it qualifies as essential or important under Annex I/II — which most significant financial entities do (credit institutions, trading venues, CCPs).
CER Directive Overlap
The CER Directive (EU 2022/2557) on critical entity resilience applies to entities in sectors designated as critical at Member State level (energy, transport, banking, financial market, health, drinking water, wastewater, digital infrastructure, public administration, space). Critical entities under CER must implement resilience measures (Art.13) and face incident notification obligations (Art.15).
Where an entity is simultaneously:
- A NIS2 essential entity (cybersecurity obligations under Art.21-32)
- A CER critical entity (resilience obligations under Art.13-17)
Both regulatory frameworks apply. CER Art.15 notifications go to the designated authority (typically national authority under Interior/Home Affairs), while NIS2 Art.23 notifications go to the CSIRT. These are separate channels with separate timeframes.
No CER equivalent to Art.34(3) exists — CER and NIS2 penalties are theoretically independent, though in practice coordinated through the interoperability provisions in NIS2 Recital 75 and CER Art.9.
Enforcement Timeline: From Incident to Fine Decision
Understanding the enforcement timeline helps compliance teams plan documentation retention and internal response protocols.
T+0: Incident occurs / NCA receives notification or complaint
T+0 to T+24h: Initial assessment — NCA decides whether to activate
Art.32 (essential) or Art.33 (important) supervisory powers
T+1d to T+14d: Information order issued — entity must provide
risk management documentation, incident timeline, technical measures
T+14d to T+90d: On-site or off-site audit conducted (if ordered)
Targeted security audit commissioned (at entity's expense)
T+90d to T+180d: Compliance order issued (if violations found)
Entity given opportunity to remedy (period varies by severity)
T+180d to T+365d: Fine proceedings initiated if:
- Compliance order not fulfilled
- Violations are not remedied
- Violations were intentional or show persistent pattern
T+365d+: Fine decision issued — entity may appeal to national court/tribunal
Art.34(3) coordination with DPA finalised
Compliance Checklist: Art.33–36 Readiness
For Essential Entities (Art.35 Exposure)
- Fine exposure modelling: Calculate 2% of global annual turnover — document for board-level risk register
- Art.21 documentation: Risk management measure documentation maintained and accessible within 48h of NCA request
- Art.23 timeline: Incident response procedure has explicit T+24h early warning / T+72h report / T+1M final report milestones documented
- Management accountability map: Art.20 governance documentation identifies responsible management body and competencies — liability shield against Art.32(6)
- TLPT preparation: Contact details for TLPT-provider on retainer; purple teaming exercise completed in last 12 months
- Remediation evidence: Compliance order response procedures documented — who decides, who coordinates with NCA, what documentation is assembled
For Important Entities (Art.36 Exposure)
- Fine exposure modelling: Calculate 1.4% of global annual turnover vs EUR 7M — note if SME proportionality concern applies
- Incident trigger readiness: Art.23 incident triggers Art.33 NCA activation — ensure Art.23 notification team also briefs legal/compliance on NCA supervisory implications
- Documentation audit: Evidence of Art.21 measures available immediately — NCAs issue information orders within days of incident notification
- Cooperation posture: Internal guidance that full cooperation with NCA is the default posture — cooperation is a documented mitigating factor
- First violation defence: Compliance history documented — clean record is a meaningful mitigating factor
For All Covered Entities (GDPR/DORA/CER Overlap)
- Multi-regulation exposure map: Identify all applicable regulations (NIS2, GDPR, DORA, CER) and the fine exposure under each
- Art.34(3) protocol: Establish coordination procedure — when NCA contacts DPA, ensure legal team is in both communications loops
- Notification calendar: Map Art.23 NIS2 (CSIRT), Art.33 GDPR (DPA), DORA Art.17 (financial regulator), CER Art.15 (designated authority) timelines into a single incident notification matrix
- Conduct vs. process violations: Distinguish same-conduct violations (Art.34(3) applies) from independent notification failures (separate penalties possible)
Cross-Article Architecture: Art.33–36 in Context
NIS2 Enforcement Framework
│
├── Art.31: General supervision provisions
│ ├── Applies to: essential entities (proactive) + important entities (reactive)
│ └── NCA coordination + cross-border cooperation
│
├── Art.32: Essential entity supervisory toolkit (proactive)
│ ├── Ex-ante regime — NCA audits without prior incident
│ ├── TLPT, on-site inspections, Art.32(6) management ban
│ └── → Art.35 fine if violations found
│
├── Art.33: Important entity supervisory toolkit (reactive) ← this post
│ ├── Ex-post regime — triggered by incident/complaint/evidence
│ ├── Information orders, targeted audits (at entity expense)
│ └── → Art.36 fine if violations found
│
├── Art.34: Fine conditions + proportionality
│ ├── Aggravating factors (intentional, prior violations, obstruction)
│ ├── Mitigating factors (cooperation, first violation, self-disclosure)
│ └── Art.34(3): GDPR overlap = single higher penalty
│
├── Art.35: Essential entity fine framework
│ └── EUR 10M or 2% global turnover (higher of)
│
└── Art.36: Important entity fine framework
└── EUR 7M or 1.4% global turnover (higher of)
Looking Ahead: Art.37 Criminal Sanctions
Art.37 permits Member States to lay down rules on criminal sanctions for NIS2 violations. Unlike Art.35-36 administrative fines (which are harmonised — same ceiling across all Member States), criminal sanctions are left to national discretion. Several Member States have transposed Art.37 with significant teeth:
- Germany (§ 38 BSIG-neu): Criminal liability for management where negligent security failures contribute to infrastructure outages affecting public order
- Netherlands: Criminal prosecution possible for operators of critical infrastructure who knowingly fail to implement required measures
- France (ANSSI transposition): Coordination between ANSSI (NIS2 NCA) and the parquet national cyber (national cyber prosecution unit)
For companies operating across multiple EU jurisdictions, the heterogeneity of Art.37 transposition means that the same incident can simultaneously trigger administrative proceedings (Art.33/35/36) in one jurisdiction and criminal investigation in another.
The next article in this series covers Art.37 (criminal sanctions) and Art.38 (NCA confidentiality obligations and data protection) — the procedural guarantees that balance NCA enforcement powers against entity rights.