2026-04-20 · 14 min read

NIS2 Art.36 Important Entity Sanctions: €7M Penalty Ceiling, Enforcement Expectations, and How It Differs From Art.35 — Developer Guide 2026

NIS2 Article 36 is the administrative sanction framework for Important Entities — the second tier of regulated organisations under the Directive. While less severe than the Art.35 Essential Entity regime, Art.36 penalties are still significant: up to €7 million or 1.4% of global annual turnover, whichever is higher.

The critical distinction is not just the ceiling. Art.36 operates through a fundamentally different supervisory relationship. Important Entities are subject to reactive supervision under Art.33 — NCAs investigate only after an incident or complaint, rather than conducting proactive audits. This changes when and how Art.36 sanctions are triggered, and what developers need to have in place before enforcement begins.

With the first wave of NIS2 supervisory actions expected in H2 2026, this guide translates Art.36's enforcement machinery into concrete developer requirements.


1. Who Art.36 Applies To: Important Entities

Art.36 applies to organisations classified as Important Entities under NIS2 Art.3(2). This is a broader category than Essential Entities and covers:

  1. Annex I sectors (medium-size operators) — Energy, transport, banking, health, water, digital infrastructure, and ICT service management providers that do not meet Essential Entity thresholds
  2. Annex II sectors — Postal and courier services, waste management, chemicals manufacturing, food production and distribution, manufacturing of critical products (medical devices, machinery, vehicles), digital providers (online marketplaces, online search engines, social networking platforms)
  3. Entities specifically designated by Member States as Important regardless of size

For SaaS developers, the Annex II digital providers category is the primary relevance path:

| Digital Provider Type | Art.36 Scope |
|---|---|
| Online marketplace (≥€10M turnover or ≥50 employees) | In scope |
| Online search engine | In scope |
| Social networking platform | In scope |
| SaaS platform processing Annex II sector data | Likely in scope |
| B2B cloud service provider (not qualifying as Essential) | In scope |
| Managed security service provider (MSSP) below Essential threshold | In scope |

1.1 The Size Threshold Split

The key distinction between Essential and Important classification often comes down to size and sector:

| Criterion | Essential Entity | Important Entity |
|---|---|---|
| Annex I sector | Large enterprise (>250 staff / >€50M turnover) | Medium enterprise (≥50 staff / ≥€10M turnover) |
| Annex II sector | Not applicable | Medium or large |
| Digital infrastructure | Large cloud/DNS/CDN operators | Smaller digital providers |
| MS-specific designation | National critical infrastructure | Significant service providers |

A SaaS company with 80 employees processing data for hospitals (health sector, Annex I) would likely be an Important Entity rather than Essential, placing it under Art.36 rather than Art.35.


2. The Art.36 Penalty Framework: €7M / 1.4% Ceiling

Article 36 establishes maximum administrative fines at:

€7,000,000 or 1.4% of total worldwide annual turnover (whichever is higher)

Like Art.35, this uses "whichever is higher" — ensuring that the ceiling scales with organisational size. For a SaaS company with €50M global revenue, the maximum Art.36 fine is €700,000. For a digital marketplace with €500M turnover, it reaches €7M.

2.1 Art.36 vs. Art.35 Penalty Comparison

| Dimension | Art.35 (Essential) | Art.36 (Important) |
|---|---|---|
| Primary ceiling | €10M or 2% global turnover | €7M or 1.4% global turnover |
| Lower tier | €7M or 1.4% (procedural) | €1.4M or 0.28% (procedural) |
| Management liability | Art.32(6): Personal liability, temporary ban | None equivalent |
| Temporary suspension | Art.35(4): Available | Not available |
| Supervisory model | Art.32 proactive (ex-ante audits) | Art.33 reactive (ex-post investigation) |
| Inspection frequency | Regular NCA-initiated audits | Only after incident or complaint |

The absence of management liability is Art.36's most significant structural difference from Art.35. Under Art.36, NCAs cannot impose personal fines on CEOs or board members, and cannot prohibit individuals from holding management positions — powers that Art.35 explicitly grants for Essential Entities.

2.2 What Triggers Art.36 Sanctions

NCAs trigger Art.36 sanctions when an Important Entity:

  1. Fails Art.21 risk management obligations — same substantive requirements as Essential Entities but enforced reactively
  2. Breaches Art.23 incident notification requirements — missing the 24-hour early warning or 72-hour notification window
  3. Fails to cooperate with NCA investigation — post-incident, NCAs have inspection powers; obstruction triggers sanctions
  4. Does not implement post-incident remediation — NCAs can issue binding instructions under Art.34; failure to comply is sanctionable
  5. Demonstrates systemic non-compliance — patterns of inadequate governance discovered during reactive supervision

The reactive trigger model means Art.36 sanctions are more likely to follow actual incidents than Art.35. An Important Entity with good documentation and incident response processes has substantially lower Art.36 exposure than one that experiences an incident and then fails the subsequent investigation.


3. Reactive Supervision Under Art.33: The Enforcement Gateway

Art.36 sanctions are typically reached through the Art.33 supervisory pathway, so understanding how Art.33 works is essential to understanding when Art.36 fines materialise.

3.1 The Art.33 Investigation Trigger

Under Art.33, NCAs open investigations when they:

There is no scheduled audit cycle for Important Entities — unlike Essential Entities under Art.32. NCAs do not proactively review Important Entity compliance without a trigger.

3.2 Investigation → Binding Instruction → Sanction

The Art.33 → Art.34 → Art.36 pipeline:

Stage 1: Trigger (incident notification / complaint / intelligence)
         ↓
Stage 2: NCA preliminary review (documentation request, 30-60 days)
         ↓
Stage 3: On-site inspection or remote audit (if preliminary review raises concerns)
         ↓
Stage 4: Art.34 Binding Instruction issued (remediation with deadline)
         ↓
Stage 5: Deadline missed or non-compliance confirmed
         ↓
Stage 6: Art.36 Administrative Fine

For developers, this pipeline reveals the intervention point: Stage 4 is your last opportunity to remediate without sanction. A binding instruction that you comply with within the deadline does not automatically result in a fine, even if the original investigation revealed compliance gaps.


4. Art.36 Enforcement Expectations 2026

NIS2 transposition was due in October 2024. As of early 2026, NCAs across the EU are building enforcement capacity. The expected timeline:

| Period | Enforcement Phase |
|---|---|
| Q1-Q2 2026 | NCAs completing internal investigation frameworks; first incident notifications under NIS2 being processed |
| Q3 2026 | First Art.33 investigations reaching conclusion; first Art.36 fines in proactive Member States (Germany BSI, France ANSSI, Netherlands NCSC-NL likely first movers) |
| Q4 2026 | Cross-border enforcement coordination through ENISA; first cross-border Art.36 cases with Lead NCA designation |
| 2027 | Normalised enforcement; Art.36 fines become standard outcome for unresolved post-incident investigations |

4.1 Which Member States Move First

NCAs are not equally resourced. The first Art.36 fines will come from:

For EU-based SaaS companies: your primary NCA exposure depends on where your legal entity is registered. For US SaaS companies with EU subsidiaries: where your EU data processing entity is incorporated.

4.2 The Reactive Enforcement Advantage

Important Entities have a structural enforcement advantage over Essential Entities: you are only investigated after a trigger. The practical implication:

  1. If you never have a reportable incident under Art.23, you are unlikely to face an Art.36 investigation
  2. If you have an incident but report it correctly and remediate effectively, your Art.36 exposure is limited
  3. NCAs are resource-constrained; they prioritise Essential Entities and the highest-impact incidents

This is not an argument for complacency — it is an argument for investing in incident response and notification capabilities as your primary Art.36 risk mitigation, rather than exhaustive pre-emptive compliance audits.


5. The Art.21 Requirements That Drive Art.36 Exposure

Art.36 sanctions are triggered by Art.21 failures. Art.21 mandates a risk-based approach covering ten specific areas:

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List


class ComplianceStatus(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"
    MISSING = "missing"


@dataclass
class Art21Measure:
    """One Art.21 risk-management area and the evidence that backs it."""
    area: str
    requirement: str
    status: ComplianceStatus
    evidence_location: str = ""   # where an NCA reviewer would find the proof
    last_tested: str = ""         # ISO date of the last test or review


@dataclass
class ImportantEntityComplianceTracker:
    """Art.21 compliance tracker for NIS2 Important Entity obligations."""

    entity_name: str
    nca_registration_date: str

    # All ten areas start as MISSING; update each status as evidence is gathered.
    measures: List[Art21Measure] = field(default_factory=lambda: [
        Art21Measure(
            area="Risk Analysis",
            requirement="Documented risk analysis methodology, updated annually or after significant change",
            status=ComplianceStatus.MISSING,
        ),
        Art21Measure(
            area="Incident Handling",
            requirement="Incident response procedure, 24h early warning capability, 72h notification procedure",
            status=ComplianceStatus.MISSING,
        ),
        Art21Measure(
            area="Business Continuity",
            requirement="BCP/DRP covering Art.21(2)(c): backup management, disaster recovery, crisis management",
            status=ComplianceStatus.MISSING,
        ),
        Art21Measure(
            area="Supply Chain Security",
            requirement="Documented supplier assessment, security requirements in contracts, ongoing monitoring",
            status=ComplianceStatus.MISSING,
        ),
        Art21Measure(
            area="Security in Acquisition",
            requirement="Security requirements in software/system procurement, secure development lifecycle",
            status=ComplianceStatus.MISSING,
        ),
        Art21Measure(
            area="Vulnerability Management",
            requirement="Vulnerability disclosure policy, patch management process, CVE monitoring",
            status=ComplianceStatus.MISSING,
        ),
        Art21Measure(
            area="Cybersecurity Training",
            requirement="Annual security training for staff, management-level cyber risk awareness",
            status=ComplianceStatus.MISSING,
        ),
        Art21Measure(
            area="Cryptography",
            requirement="Cryptography policy covering data at rest and in transit, key management",
            status=ComplianceStatus.MISSING,
        ),
        Art21Measure(
            area="Access Control",
            requirement="MFA for privileged access, IAM policy, separation of duties documentation",
            status=ComplianceStatus.MISSING,
        ),
        Art21Measure(
            area="Asset Management",
            requirement="Asset inventory, classification, and security baseline documentation",
            status=ComplianceStatus.MISSING,
        ),
    ])

    def compliance_score(self) -> dict:
        """Weighted score (a PARTIAL measure counts half) plus a coarse Art.36 exposure band."""
        total = len(self.measures)
        implemented = sum(1 for m in self.measures if m.status == ComplianceStatus.IMPLEMENTED)
        partial = sum(1 for m in self.measures if m.status == ComplianceStatus.PARTIAL)
        return {
            "implemented": implemented,
            "partial": partial,
            "missing": total - implemented - partial,
            "score_pct": round((implemented + partial * 0.5) / total * 100, 1),
            "art36_exposure": "HIGH" if implemented < 5 else "MEDIUM" if implemented < 8 else "LOW",
        }

    def missing_measures(self) -> List[Art21Measure]:
        """Areas with no implementation at all: the first items an NCA will ask for post-incident."""
        return [m for m in self.measures if m.status == ComplianceStatus.MISSING]
```

6. Art.23 Notification Compliance: The Primary Enforcement Gateway

Most Art.36 cases begin with an Art.23 notification. Getting the notification right limits your downstream sanction exposure.

6.1 The Three-Stage Notification Timeline

Incident Detected
       │
       ▼ T+0 hours
[Art.23(4)(a)] EARLY WARNING → CSIRT/NCA
  - Incident occurred
  - Suspected cause (if known)
  - Cross-border impact (if applicable)
  → Deadline: 24 hours after detection
       │
       ▼ T+24 → T+72 hours
[Art.23(4)(b)] NOTIFICATION → CSIRT/NCA
  - Incident assessment
  - Severity and impact indicators
  - Indicators of Compromise (IoCs) if available
  - Initial response actions taken
  → Deadline: 72 hours after detection
       │
       ▼ T+1 month
[Art.23(4)(e)] FINAL REPORT → CSIRT/NCA
  - Full incident description
  - Type and root cause
  - Mitigation measures implemented
  - Cross-border impact assessment
  → Deadline: 1 month after initial notification

A missed 24-hour early warning is the most common Art.36 trigger. Many organisations discover incidents during forensic analysis 3-5 days after the event, by which point the early warning window has already closed. The solution is not a faster forensic process — it is a lower detection threshold that triggers the early warning obligation as soon as reasonable suspicion exists, even before full investigation.
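As an added example (not code from the original guide), the following Python helper implements the three-stage timeline above: the 24-hour and 72-hour windows run from detection, and the final report is due one calendar month after the notification actually sent. The class name `Art23Clock`, the `ts` helper and the timestamps used are constructed for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Art.23(4) windows from the timeline above, measured from detection.
EARLY_WARNING_WINDOW = timedelta(hours=24)
NOTIFICATION_WINDOW = timedelta(hours=72)

def ts(text: str) -> datetime:
    """Parse an ISO-8601 timestamp such as '2026-03-02T09:00'."""
    return datetime.fromisoformat(text)

def add_one_month(when: datetime) -> datetime:
    """Add one calendar month, clamping the day (31 Jan -> 28/29 Feb)."""
    year, month = when.year + when.month // 12, when.month % 12 + 1
    return when.replace(year=year, month=month,
                        day=min(when.day, calendar.monthrange(year, month)[1]))

@dataclass
class Art23Clock:
    """Deadline tracker for one incident (hypothetical helper, not NIS2 text)."""
    detected_at: datetime  # the clock starts at detection, not at the underlying event
    early_warning_sent: Optional[datetime] = None
    notification_sent: Optional[datetime] = None
    final_report_sent: Optional[datetime] = None

    def deadlines(self) -> Dict[str, datetime]:
        notification_due = self.detected_at + NOTIFICATION_WINDOW
        # Final report: one month after the notification sent, or after its deadline if outstanding.
        final_anchor = self.notification_sent or notification_due
        return {
            "early_warning": self.detected_at + EARLY_WARNING_WINDOW,
            "notification": notification_due,
            "final_report": add_one_month(final_anchor),
        }

    def status(self, now: datetime) -> Dict[str, str]:
        """Per stage: on_time / late if sent, pending / overdue if not yet sent."""
        sent = {"early_warning": self.early_warning_sent,
                "notification": self.notification_sent,
                "final_report": self.final_report_sent}
        result = {}
        for stage, due in self.deadlines().items():
            if sent[stage] is not None:
                result[stage] = "on_time" if sent[stage] <= due else "late"
            else:
                result[stage] = "overdue" if now > due else "pending"
        return result
```

Running `status()` from a scheduled job and alerting on any stage that is still `pending` with little time left gives the early-warning trigger the paragraph above argues for.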

6.2 The "Significant Impact" Threshold

Art.23 notification is not triggered by every security event — only by incidents with a significant impact on service delivery. NIS2 defines "significant incident" as:

  1. Caused or capable of causing severe operational disruption or financial losses for the entity
  2. Affects or capable of affecting other natural or legal persons by causing considerable material or non-material damage

For SaaS developers, the practical test: Would this incident, if public, represent a material failure of the service's security or availability guarantees? If yes, notify. The cost of an unnecessary early warning is zero. The cost of missing a mandatory one is Art.36.


7. Art.36 vs. Art.35 Developer Decision Matrix

When building compliance programs, the Art.35/Art.36 distinction drives resource allocation:

| Compliance Area | Art.35 Priority (Essential) | Art.36 Priority (Important) |
|---|---|---|
| Management training | CRITICAL (Art.32(6) liability) | Recommended (no personal liability) |
| Pre-audit documentation | CRITICAL (proactive inspections) | HIGH (reactive but must be ready) |
| Incident response speed | CRITICAL (Art.32 audits review it) | CRITICAL (primary trigger for investigation) |
| Supply chain contracts | HIGH | HIGH |
| Vulnerability programme | HIGH | HIGH |
| Board-level governance | CRITICAL (CEO liability) | MEDIUM (no personal sanctions) |
| Proactive NCA engagement | HIGH (relationship before audit) | MEDIUM (reactive model) |

The key takeaway: Art.36 compliance is more incident-response-centric and less governance-theatre than Art.35. Investing in detection, logging, and notification capabilities delivers more Art.36 risk reduction than elaborate board governance documentation.


8. Important Entity Compliance Checklist

Tier 1: Art.23 Notification Readiness (prevents primary enforcement gateway)

Tier 2: Art.21 Core Measures (prevents substantive Art.36 exposure)

Tier 3: Investigation Readiness (limits NCA escalation to sanction)


9. The EU Infrastructure Advantage Under Art.36

Art.36 enforcement creates a structural advantage for organisations using EU-sovereign infrastructure. The compliance documentation challenge is harder for organisations with US cloud dependencies:

| Documentation Challenge | EU-Sovereign Infrastructure | US CLOUD Act Provider |
|---|---|---|
| Data residency evidence | Simple (EU-only zone) | Complex (prove no US access) |
| Access control audit trail | Full NCA access | CLOUD Act conflict |
| Supply chain security | EU-contract law applies | US transfer mechanism required |
| Incident notification speed | No cross-Atlantic legal review | US legal review may delay |
| Art.21 cryptography compliance | Straightforward | Data sovereignty questions |

For Important Entities in NCA-active Member States (Germany, France, Netherlands), the ability to demonstrate clean EU data sovereignty materially reduces the scope of NCA post-incident investigation. An organisation that can show that all data remained in EU-sovereign infrastructure, with no US government access possible, answers the CLOUD Act conflict question before the NCA asks it.


10. Key Dates and Enforcement Roadmap

| Date | Milestone |
|---|---|
| October 2024 | NIS2 transposition deadline (Member State law should be in force) |
| H1 2026 | First Art.33 investigations completing; Art.36 fines imminent in leading NCAs |
| H2 2026 | First Art.36 fines expected — Germany BSI, France ANSSI most likely first movers |
| 2026-ongoing | ENISA cross-border coordination normalising; multi-NCA Art.36 cases possible |

Important Entities have a smaller window than many assume. The October 2024 transposition deadline has already passed. NCAs that have been processing incident notifications since late 2024 are now reaching the point where investigations have concluded and fine decisions are being prepared.

