Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
8MAY

NIS2 fines now reach directors personally

4 min read
10:57UTC

The EU's NIS2 regime reached full force on 1 June, with personal fines for directors now at the statutory maximum and the Commission referring laggard member states to its top court.

TechnologyDeveloping
Key takeaway

NIS2 now fines directors personally at the full rate, with the Commission taking laggard states to court.

The EU's NIS2 regime reached full enforcement force on 1 June 1. NIS2 is the bloc's 2024 Network and Information Security Directive, which sets binding cybersecurity duties on critical-infrastructure operators and large firms. From this date, personal fines for management-body members apply at 100% of the statutory maximum in member states that have transposed the directive, with the earlier grace-period discount gone. The liability now reaches named directors, not their organisations alone.

The European Commission has referred member states still untransposed 19 months after the October 2024 deadline to the CJEU (Court of Justice of the European Union), the bloc's highest court 2. Those referrals are the enforcement follow-through to the maturity gaps ENISA, the EU cybersecurity agency, flagged when it placed water, rail and waste water in the cyber risk zone and benchmarked member-state readiness . The directors most exposed sit in exactly those laggard, lower-maturity sectors, where boards have had the least time to build the controls the directive now fines them personally for lacking.

Read alongside the UK bill reaching third reading a few sections up, the regulatory direction is the same on both sides of the Channel in a single fortnight: wider duties, sharper penalties, and personal accountability moving up the org chart. The divergence is on the ransomware-payment question, which NIS2 leaves to member states and Westminster has just parked.

Deep Analysis

In plain English

The European Union has a cybersecurity law called NIS2, which stands for the Network and Information Security Directive 2. It requires companies that provide important services, including energy, water, hospitals, and financial services, to meet mandatory cybersecurity standards and to report incidents to regulators quickly. Since 1 June 2026, NIS2 reached its full enforcement phase in the countries that have already built the law into their national systems. The key change from 1 June is that individual company directors can now be fined personally alongside their organisations when a serious cybersecurity failure occurs. At the same time, the European Commission has referred the EU member states that have still not written NIS2 into their national law to the EU's highest court, the Court of Justice of the European Union, which can order them to pay financial penalties until they comply. The EU agency for cybersecurity, ENISA, has specifically flagged water companies, railways, and waste water utilities as the sectors with the biggest gap between what the rules require and what they are actually doing.

Deep Analysis
Escalation

Enforcement risk escalating. The 1 June full personal-liability date removes the last formal grace period. CJEU referrals against non-transposing member states signal the Commission will pursue compliance aggressively. First enforcement decisions against individual directors are likely within 12 to 24 months in high-capacity member states.

What could happen next?
  • Consequence

    Individual directors at essential and important entities in transposed NIS2 member states now face personal fines at 100 per cent of the statutory maximum for serious cybersecurity failures, removing the discretionary reduction that applied during the grace period.

    Immediate · Assessed
  • Risk

    ENISA's NIS360 2026 identification of water, rail, and waste water as highest-risk sectors means the first personal-liability enforcement test cases are most likely to come from infrastructure operators with documented maturity gaps rather than from financial-sector incumbents.

    Medium term · Reported
  • Precedent

    The Commission's CJEU referrals for non-transposition, running in parallel with entity-level enforcement in transposed states, create a two-tier NIS2 enforcement environment that may generate competitive disadvantage for firms operating in non-transposing jurisdictions relative to transposed ones.

    Medium term · Reported
First Reported In

Update #7 · VPN zero-day, no-patch KEV, late Exchange

Bitdefender· 14 Jun 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.