Cybersecurity: Threats and Defences
14 Jun

NIS2 fines now reach directors personally

4 min read
11:51 UTC

The EU's NIS2 regime reached full force on 1 June, with personal fines for directors now at the statutory maximum and the Commission referring laggard member states to its top court.

Technology · Developing
Key takeaway

NIS2 now fines directors personally at the full rate, with the Commission taking laggard states to court.

The EU's NIS2 regime reached full enforcement force on 1 June [1]. NIS2 is the bloc's 2024 Network and Information Security Directive, which sets binding cybersecurity duties on critical-infrastructure operators and large firms. From this date, personal fines for management-body members apply at 100% of the statutory maximum in member states that have transposed the directive, with the earlier grace-period discount gone. The liability now reaches named directors, not their organisations alone.

The European Commission has referred member states still untransposed 19 months after the October 2024 deadline to the CJEU (Court of Justice of the European Union), the bloc's highest court [2]. Those referrals are the enforcement follow-through to the maturity gaps ENISA, the EU cybersecurity agency, flagged when it placed water, rail and waste water in the cyber risk zone and benchmarked member-state readiness. The directors most exposed sit in exactly those laggard, lower-maturity sectors, where boards have had the least time to build the controls the directive now fines them personally for lacking.

Read alongside the UK bill reaching third reading a few sections up, the regulatory direction is the same on both sides of the Channel in a single fortnight: wider duties, sharper penalties, and personal accountability moving up the org chart. The divergence is on the ransomware-payment question, which NIS2 leaves to member states and Westminster has just parked.

Deep Analysis

In plain English

The European Union has a cybersecurity law called NIS2, which stands for the Network and Information Security Directive 2. It requires companies that provide important services, including energy, water, hospitals, and financial services, to meet mandatory cybersecurity standards and to report incidents to regulators quickly. On 1 June 2026, NIS2 reached its full enforcement phase in the countries that have already built the law into their national systems. The key change from 1 June is that individual company directors can now be fined personally alongside their organisations when a serious cybersecurity failure occurs. At the same time, the European Commission has referred the EU member states that have still not written NIS2 into their national law to the EU's highest court, the Court of Justice of the European Union, which can order them to pay financial penalties until they comply. The EU agency for cybersecurity, ENISA, has specifically flagged water companies, railways, and waste water utilities as the sectors with the biggest gap between what the rules require and what they are actually doing.

Escalation

Enforcement risk escalating. The 1 June full personal-liability date removes the last formal grace period. CJEU referrals against non-transposing member states signal the Commission will pursue compliance aggressively. First enforcement decisions against individual directors are likely within 12 to 24 months in high-capacity member states.

What could happen next?
  • Consequence

    Individual directors at essential and important entities in transposed NIS2 member states now face personal fines at 100 per cent of the statutory maximum for serious cybersecurity failures, removing the discretionary reduction that applied during the grace period.

    Immediate · Assessed
  • Risk

    ENISA's NIS360 2026 identification of water, rail, and waste water as highest-risk sectors means the first personal-liability enforcement test cases are most likely to come from infrastructure operators with documented maturity gaps rather than from financial-sector incumbents.

    Medium term · Reported
  • Precedent

    The Commission's CJEU referrals for non-transposition, running in parallel with entity-level enforcement in transposed states, create a two-tier NIS2 enforcement environment that may generate competitive disadvantage for firms operating in non-transposing jurisdictions relative to transposed ones.

    Medium term · Reported
First Reported In

Update #7 · VPN zero-day, no-patch KEV, late Exchange

Bitdefender · 14 Jun 2026
Different Perspectives
Beijing-aligned attribution sceptics
CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures the Arista case shows are not universal.
Enterprise security buyers
Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.
Check Point
Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.
European Commission and ENISA
NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.
UK NCSC
The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.
US Federal CISO community
Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.