2026-04-20·10 min read·

NIS2 Art.37 Criminal Sanctions: Member State Discretion, Personal Liability, and When NCAs Refer to Prosecutors — Developer Guide 2026

NIS2 Article 37 is the shortest article in the sanctions chapter — and the one most developers overlook. While Art.35 and Art.36 establish the administrative penalty regime, Art.37 gives Member States the option to add criminal liability on top.

The key word is "may." Art.37 is permissive, not mandatory. The EU does not require criminal penalties. But several Member States have already implemented them, and the practical consequence is real: a CTO or CISO whose organisation suffers a significant incident — and failed to implement the Art.21 security measures — can face personal criminal prosecution under national law.

This guide maps when criminal liability activates, how it differs across key EU jurisdictions, and what developers need to know before the first wave of NIS2 enforcement in H2 2026.

1. What Art.37 Says

The full text of NIS2 Art.37(1) is brief:

"Member States may take the necessary measures to ensure that the natural persons responsible for an essential or important entity, or acting as their legal representative, can be held liable for that entity's non-compliance with this Directive."

Three elements define the scope:

Natural persons — not just the legal entity (company) but individual executives, managers, or representatives
Essential or important entities — both tiers, unlike Art.35's management liability which is Essential Entity-only for some provisions
Responsible for or representing — C-level executives, designated security officers, and legal representatives are the primary targets

Art.37(2) adds an additional pathway:

"Member States shall ensure that, where criminal penalties are provided for infringements referred to in Art.35 and 36, they are effective, proportionate and dissuasive."

This means where a Member State has opted into criminal penalties, those penalties must satisfy the EU proportionality and effectiveness standard — the same framing used across GDPR Art.84 and DORA Art.53.

2. The Structure: Art.37 vs Art.35/36

Art.37 does not replace Art.35 or Art.36. It operates as a parallel track:

Dimension	Art.35/36 (Administrative)	Art.37 (Criminal)
Who is fined	The legal entity	The natural person (executive)
Decision maker	National Competent Authority (NCA)	Prosecutor + Court
Standard of proof	Regulatory breach (balance of probabilities)	Criminal standard (beyond reasonable doubt)
Penalty type	Administrative fine	Criminal fine, probation, imprisonment
Publication	NCA public register	Court records (varies by MS)
Proportionality	Turnover-based ceiling	Judicial discretion
Ne bis in idem	Generally not applicable across tracks	Double jeopardy protections apply within same jurisdiction

The critical practical point: an organisation can face both simultaneously — an Art.35/36 fine against the company and Art.37 criminal prosecution against individual executives. These are distinct legal proceedings.

3. Member State Implementations (Key Jurisdictions)

Germany

Germany transposed NIS2 via BSIG-NIS2 (Bundesgesetz zur Umsetzung der NIS-2-Richtlinie, 2024). Criminal liability provisions in §65 et seq. BSIG-NIS2:

Negligent failure to implement Art.21 security measures: up to €500,000 fine (Ordnungswidrigkeit, quasi-criminal)
Willful failure causing significant harm: escalation to Strafrecht (criminal law), fines or up to 2 years imprisonment
Referral threshold: BSI (Bundesamt für Sicherheit in der Informationstechnik) refers to Staatsanwaltschaft when: administrative remediation orders (Art.32(4)) have been ignored twice, or when the violation is wilful and caused significant national infrastructure harm

France

France transposed via Loi NIS2 (2024) with amendments to Code pénal Art.323-x:

Personal liability for RSSI (Responsable Sécurité Systèmes Information) when negligence can be proven
Criminal fines up to €75,000 for natural persons
Imprisonment up to 3 years for repeated or willful violations
ANSSI makes referrals to Parquet when incidents reveal criminal negligence in incident reporting (Art.23 non-disclosure particularly targeted)

Netherlands

Netherlands transposed via Wbni-NIS2 (Wet beveiliging netwerk- en informatiesystemen, updated 2024):

Criminal track under Wet op de economische delicten (WED): economic offence framework applies
NCSC/Rijksinspectie referral when: Art.23 notification obligations wilfully avoided, or management actively concealed an incident
Personal fines up to €900,000 for executives under WED category 1
Imprisonment: up to 6 years for category 1 economic offences in the most severe cases

Italy

Italy transposed via D.Lgs. NIS2 (2024):

ACN (Agenzia per la Cybersicurezza Nazionale) has explicit criminal referral authority
Personal criminal liability for amministratori delegati and CISOs
Criminal penalties under Codice Penale: fines up to €150,000 and imprisonment up to 5 years for wilful non-compliance causing serious harm
Italy has the most aggressive criminal track in the EU4 jurisdictions

Sweden

Sweden transposed via Lag (2022:482) updated for NIS2:

NCSC-SE referral to åklagare (prosecutor) when wilful concealment of incidents established
Primarily fine-based criminal track; imprisonment reserved for critical infrastructure cases

4. When Does a Criminal Referral Happen?

NCAs do not routinely refer cases to criminal prosecutors. The referral threshold in practice requires multiple conditions to be met simultaneously:

Step 1: Art.23 notification missed → NCA investigation opens (Art.33/Art.32)
Step 2: Art.21 security measures found inadequate → binding instruction issued (Art.32(4)/Art.33(5))
Step 3: Remediation order ignored or compliance faked → escalation review
Step 4: Evidence of wilful misconduct OR management concealment → criminal referral trigger
Step 5: NCA refers file to national prosecutor

The referral trigger is almost always wilful misconduct or concealment rather than simple negligence. A company that genuinely tried to comply but fell short typically stays on the administrative track (Art.35/36). Criminal referrals target:

Art.23 non-disclosure: Deliberately not reporting a significant incident to the NCA
False compliance certificates: Submitting inaccurate audit responses to the NCA
Repeated defiance: Ignoring binding remediation orders from the NCA multiple times
Senior management override: Executive decision to override security team recommendations leading to a breach
Critical infrastructure impact: Incidents affecting essential services at national scale

5. Personal Exposure by Role

Art.37's "natural persons responsible for" language creates a hierarchy of personal exposure:

from dataclasses import dataclass
from enum import Enum
from typing import Optional

class ExposureLevel(Enum):
    CRITICAL = "criminal referral likely if organisation breaches"
    HIGH = "named in NCA investigation, potential co-liability"
    MODERATE = "operational responsibility, documented exposure"
    LOW = "indirect exposure through employer liability"

@dataclass
class RoleExposure:
    role: str
    exposure_level: ExposureLevel
    art37_pathway: str
    mitigation: str

ROLE_EXPOSURE_MAP = [
    RoleExposure(
        role="CEO / Managing Director",
        exposure_level=ExposureLevel.CRITICAL,
        art37_pathway="Legal representative under Art.37(1). Primary target in most MS transpositions.",
        mitigation="Documented security governance decisions. Board-level cybersecurity oversight minutes."
    ),
    RoleExposure(
        role="CTO",
        exposure_level=ExposureLevel.CRITICAL,
        art37_pathway="'Responsible for' technical security measures under Art.21. Named in many MS criminal provisions.",
        mitigation="Written security architecture decisions. Escalation trails when resources denied."
    ),
    RoleExposure(
        role="CISO / Head of Information Security",
        exposure_level=ExposureLevel.HIGH,
        art37_pathway="Operational Art.21 accountability. Criminal exposure if Art.23 reporting chain blocked.",
        mitigation="Documented incident response procedures. Written record of management notifications."
    ),
    RoleExposure(
        role="DPO (Data Protection Officer)",
        exposure_level=ExposureLevel.MODERATE,
        art37_pathway="Co-liability where GDPR-NIS2 overlap exists (Art.21(1) data security measures).",
        mitigation="Independent reporting line to management. Written recommendations on record."
    ),
    RoleExposure(
        role="Board Member (non-executive)",
        exposure_level=ExposureLevel.MODERATE,
        art37_pathway="Art.20(1) management body oversight liability. Board-level approval of security policies.",
        mitigation="Board security review minutes. Adequate challenge documented in board papers."
    ),
    RoleExposure(
        role="Security Engineer / Developer",
        exposure_level=ExposureLevel.LOW,
        art37_pathway="Individual contributors rarely named unless deliberate sabotage proven.",
        mitigation="Standard professional conduct. Escalate security concerns in writing."
    ),
]

def assess_criminal_exposure(
    entity_type: str,
    repeated_nca_orders_ignored: bool,
    art23_notification_missed: bool,
    wilful_misconduct_evidence: bool
) -> dict:
    """
    Assess Art.37 criminal referral likelihood for an entity.
    Returns exposure level and recommended actions.
    """
    risk_score = 0
    
    if entity_type in ["essential", "important"]:
        risk_score += 10  # Base NIS2 scope
    
    if repeated_nca_orders_ignored:
        risk_score += 40  # Major escalation factor
    
    if art23_notification_missed:
        risk_score += 30  # Primary criminal referral trigger
    
    if wilful_misconduct_evidence:
        risk_score += 50  # Near-certain criminal referral
    
    if risk_score >= 80:
        level = "CRITICAL — criminal referral highly likely"
        actions = [
            "Engage criminal defence counsel immediately",
            "Do not communicate with NCA without legal advice",
            "Preserve all documentation (do not delete)",
            "Conduct internal investigation under legal privilege"
        ]
    elif risk_score >= 40:
        level = "HIGH — administrative track with criminal escalation risk"
        actions = [
            "Engage regulatory counsel",
            "Respond fully and promptly to NCA information requests",
            "Document remediation actions with timestamps",
            "Brief board and management on exposure"
        ]
    else:
        level = "STANDARD — administrative track only"
        actions = [
            "Maintain Art.21 security measures documentation",
            "Ensure Art.23 notification procedures are tested",
            "Annual review of compliance posture"
        ]
    
    return {
        "risk_score": risk_score,
        "level": level,
        "recommended_actions": actions,
        "criminal_referral_triggers_present": (
            repeated_nca_orders_ignored or 
            art23_notification_missed or 
            wilful_misconduct_evidence
        )
    }

6. Art.37 and the Art.23 Notification Obligation

The most common criminal referral pathway in EU precedent (using GDPR Art.84 as proxy, given NIS2 is newer) runs through notification failures. Art.23 NIS2 requires:

24 hours: Early warning to NCA after learning of significant incident
72 hours: Incident notification with initial assessment
1 month: Final report with full impact analysis

Deliberately suppressing an Art.23 notification is the most direct path to criminal referral across all MS implementations. The commercial pressure to avoid disclosing a breach (customer contracts, share price, reputational damage) is precisely the scenario criminal sanctions are designed to deter.

For developers building incident response tooling or managing Art.23 notification pipelines: the notification trail itself becomes evidence in any subsequent criminal investigation. Gaps in the timeline — especially the 24-hour early warning — are scrutinised closely.

7. Practical Developer Actions to Minimise Art.37 Exposure

Criminal liability under Art.37 is not primarily about technical security gaps. It is about governance, documentation, and cooperation. The following actions reduce personal criminal exposure:

Action	Why It Matters Under Art.37
Document all security architecture decisions in writing	Establishes you did not act with criminal negligence
Maintain a timestamped Art.23 notification log	The 24h/72h/1mo chain must be provably met
Escalate in writing when security budget is denied	Creates record that you raised the issue; management overrode
Test incident response procedures quarterly	Demonstrates ongoing Art.21 compliance effort
Brief management body on cybersecurity risks per Art.20(1)	Management oversight trail required across all MS criminal tracks
Never instruct staff to delay NCA notification	This is the single clearest criminal trigger across all MS

Organisations covered by both NIS2 and GDPR face two parallel criminal sanction regimes:

Dimension	NIS2 Art.37	GDPR Art.84
Permissive or mandatory	Permissive — MS may provide criminal penalties	Permissive — same structure
Scope	Network and information security failures	Personal data processing violations
Overlap zone	Art.21 security measures (also GDPR Art.32)	Data breach incidents trigger both
German implementation	BSIG-NIS2 §65+	BDSG §42 (up to 3 years)
French implementation	Code pénal Art.323-x (NIS2)	Code pénal Art.226-16 (GDPR)
Risk amplifier	Same incident may trigger referral under both	Cross-referral between CNIL/ANSSI (FR), BSI/BfDI (DE)

When a significant incident involves personal data exposure AND security failure, both ANSSI and CNIL (France) or BSI and BfDI (Germany) may open parallel investigations — each with its own criminal referral pathway.

9. EU Infrastructure and Art.37 Jurisdiction

Art.37 jurisdiction follows entity classification, not data location. However, infrastructure jurisdiction matters in practice because it determines:

Which NCA has primary enforcement authority — determined by Art.26 (establishment) and Art.27 (representative)
Which national criminal law applies — the MS where the entity is established or has its primary operations
Cross-border incident coordination — Art.23 notifications to multiple NCAs when the incident has cross-border impact

An SaaS operator established in Germany running infrastructure in Germany faces BSI jurisdiction and BSIG-NIS2 criminal provisions. The same operator with infrastructure in a US-owned cloud provider with servers in Germany faces CLOUD Act reach-back risk alongside NIS2 exposure — a compound jurisdiction problem that EU-native infrastructure eliminates at the infrastructure layer.

Running on EU-native managed infrastructure (with no US parent company subject to CLOUD Act orders) does not change your Art.37 exposure as an entity, but it removes the scenario where a US government data request creates an Art.23 notification dilemma: disclose to the NCA (required) vs comply with a US court order requiring silence.

10. Developer Compliance Checklist: Minimising Art.37 Exposure

Tier 1: Incident Notification (Highest Criminal Risk)

Art.23 early warning (24h) procedure documented and assigned to named individual
Art.23 72h notification template prepared and tested in tabletop exercise
NCA contact details for your jurisdiction bookmarked and confirmed current
Legal counsel pre-identified for NCA communication support

Tier 2: Governance Documentation (Management Liability Trail)

Board/management body receives annual cybersecurity risk briefing (Art.20(1))
Security architecture decisions recorded with approver and date
Budget denial escalations documented in writing
CISO/CTO reporting line to CEO documented

Tier 3: Art.21 Compliance Evidence

Security measure implementation documented (encryption, access control, BCDR)
Vulnerability management process with timestamped scan logs
Supplier security assessments on file (Art.21(2)(d))
Incident response playbook tested within last 12 months