NIS2 is in enforcement: First proceedings, personal liability, BSI audits
NIS2 has shifted from preparation to enforcement. The first member states are publishing penalties, Germany has launched proceedings against several entities for late reports, and the BSI is actively auditing. What’s new isn’t the directive itself—it’s the gravity: fines of up to ten million euros or two percent of global annual revenue, and management is personally liable. The question has moved from *if* to *now*.
Key Takeaways
- Enforcement is underway. The first penalties have been published, and Germany has opened proceedings over late reports.
- Management is on the hook. Fines of up to ten million euros or two percent of revenue—and personal liability for leadership.
- The BSI is auditing actively. Proof of measures now outweighs their mere existence.
What the shift to enforcement means
What is NIS2? NIS2 is the EU directive on the security of network and information systems. It requires essential and important entities to implement risk management, incident reporting obligations, and verifiable security measures. Unlike its predecessor, NIS2 explicitly holds management accountable.
For years, NIS2 was a future project—a maturity level to aim for someday. That phase is over. With the first penalties published and active proceedings underway, the directive has become enforceable law. For a SOC, this changes priorities. It’s no longer enough to *have* measures in place. They must be documented, verifiable, and reportable within deadlines when incidents occur.
The reporting obligation is the first stumbling block. The German proceedings target late reports, not missing technology. A preliminary report within 24 hours and a detailed one within 72 hours demand a practiced process—not an ad-hoc response. If you’re figuring out *who* reports *what* *to whom* during an incident, you’ve already missed the deadline that’s now being penalized.
Why Personal Liability Changes Everything
The real game-changer in NIS2 isn’t the size of the fines—it’s who they target. The directive mandates that leadership teams must approve and oversee risk management measures. This makes cybersecurity a literal executive responsibility. In cases of serious violations, leaders face not just financial penalties but personal accountability, including temporary bans from their roles.
For SOC teams, this is both good news and a call to action. Good news because the old problem of security budgets getting stuck at the leadership level disappears—when executives are liable, they pay attention. A call to action because the SOC must now deliver what leadership needs to fulfill their obligations: verifiable proof that measures exist, work, and kick in during an incident.
No Longer Enough
- Measures in place but undocumented
- Reporting process exists only on paper
- Security treated as an IT-only issue
Audit-Proof
- Measures documented and verifiable
- Practiced 24/72-hour reporting process
- Leadership approval and oversight provable
What a SOC Must Now Prove
The first requirement is the reporting chain. Who detects, who decides, who reports—and within what timeframe. This process must be rehearsed, not just described. A tabletop exercise simulating an incident will expose, in under an hour, where real reporting would fail: unclear responsibilities, missing authority contact details, no prepared report template.
The second is verifiability. The BSI doesn’t check for good intentions—it checks for provable measures. Logs showing patches were applied. Records proving access is monitored. A documented risk assessment signed off by leadership. If it isn’t documented, it doesn’t exist in an audit.
In an audit, what matters isn’t what a team did—it’s what they can prove. An effective measure without evidence is no measure at all in the eyes of regulators.
The third is the supply chain. NIS2 requires assessing the security of suppliers. A company is liable not just for its own systems but for risks introduced through third-party providers. This is work many still face, as it demands an inventory of critical suppliers and their security posture. Those who can’t show progress here have a glaring gap.
The sobering reality: NIS2 isn’t inventing new technology. It’s enforcing discipline around what was already best practice—patching, monitoring, reporting, documenting. The difference is that this discipline is now scrutinized, penalized, and tied directly to leadership accountability. Those who enter the next BSI audit or incident without evidence will have missed the window where preparation was cheaper than the penalty.
Frequently Asked Questions
Is NIS2 really enforceable now?
Yes. Early-adopter member states are already publishing sanctions, Germany has launched proceedings for late reporting, and the BSI is actively auditing. The preparation phase has shifted to enforcement.
How high can the fines go?
For essential entities, up to ten million euros or two percent of global annual revenue, whichever is higher. Personal consequences for leadership may also apply.
What Does Personal Liability for Management Entail?
Executive bodies must approve and oversee security measures. In cases of serious violations, they face not only fines but also personal accountability—and, in extreme cases, temporary bans from professional activity. Cybersecurity is literally a matter for the top brass.
What Is the Deadline for Reporting Incidents?
An initial report must be submitted within 24 hours, followed by a detailed account within 72 hours. Precisely these delayed notifications are at the heart of Germany’s first enforcement actions, making a well-practiced reporting process essential.
What Does the BSI Examine During an Audit?
Proof that measures have been implemented. Logs, records, and a risk assessment signed off by management. If it isn’t documented, it doesn’t exist in the audit—regardless of whether it was technically implemented.
Image source: AI-generated (June 2026)