In terms of administrative fines, the NIS2 directive makes a clear distinction between essential and important organizations.
In the case of essential entities, Member States are mandated to stipulate a maximum fine threshold, set at a minimum of €10,000,000 or 2% of the global annual revenue, whichever amount is higher.
For important entities, NIS2 dictates that Member States impose fines up to a maximum of €7,000,000 or 1.4% of the global annual revenue, choosing the higher of the two values. This distinction underscores the graduated approach to penalties based on the classification of entities. It’s also worth noting that many important entities are newly in scope of NIS2, and for smaller organizations the task of achieving compliance might seem daunting.
These smaller businesses (as well as larger enterprises) will also have to put serious effort into making sure their cyber security practices are ready for a NIS2 audit, all of which costs time, staff focus and financial resources. The cost of improving cyber security to comply with a specific regulation, especially for an SME, must be taken into account when budgeting, particularly if the organization has many changes to its processes and systems ahead of it before it reaches the required standard of cyber security defense.