Enforcement, supervision and penalties: how does it work?

Created: 2023-03-14 09:56:03

In our previous blogs, we presented what the NIS2 Directive entails, what to expect from it, and what its reporting and duty-of-care obligations involve. The Directive also provides enforcement mechanisms to ensure effective compliance with the rules, and sanctions for breaches of them.

Enforcement mechanisms

Member States must ensure that they carry out effective supervision to ensure compliance with the requirements of NIS2. Regarding essential entities, this implies proactive supervision. In contrast, it implies reactive supervision for important entities, which may be triggered by evidence, indication, or information that the entity allegedly does not comply with the Directive. Indeed, in the latter case, action should only be taken when, for a Member State, it appears that an important entity does not comply with the obligations laid down in the Directive.

The measures taken by competent authorities must be effective, proportionate, and dissuasive. For both types of entities, the competent bodies will have the power to subject them to on-site inspections and off-site ex-post supervision conducted by trained professionals, targeted security audits, security scans, requests to access data, documents and information, and requests for evidence of implementation of cybersecurity policies, such as the results of security audits carried out by a qualified auditor and the respective underlying evidence. In the case of essential entities, random checks and ad hoc audits further expand the list. Except for duly substantiated cases, the audited entities will need to bear the costs of the security audits.

If an infringement is discovered, the competent authorities can exercise further enforcement powers, such as issuing warnings, adopting instructions, ordering entities to cease conduct that infringes the Directive, ordering entities to inform the natural or legal persons that may be affected by the misconduct, or even making the information public. Should these measures not remedy the situation, the competent authorities may temporarily suspend the entity’s activities, as well as the organization’s manager who is discharging responsibilities at chief executive or legal representative level.


The NIS2 Directive sets up a consistent framework for sanctions across the Union, by establishing a minimum list of administrative sanctions for breach of the cybersecurity risk management and reporting obligations. These sanctions include binding instructions, implementing the recommendations of a security audit, bringing security measures in line with NIS requirements, and administrative fines. Concerning administrative penalties, the new NIS Directive distinguishes between essential and important entities.

Member States must give the relevant authorities the ability to impose considerable fines. Regarding essential entities, the NIS2 Directive requires Member States to provide for a certain level of administrative fines, notably a maximum of at least €10,000,000 or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Concerning important entities, the NIS2 Directive requires Member States to provide for a maximum fine of at least €7,000,000, or at least 1.4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Management bodies of essential and important entities may also be held liable for non-compliance with the provisions of the NIS2 Directive. If your organization is a covered entity and fails to build and maintain cyber-fitness, there will be fines and penalties for non-compliance with risk management measures or reporting obligations.

To strengthen the supervision that helps ensure effective compliance, the NIS2 Directive provides a minimum list of supervisory means through which competent authorities may supervise essential and important entities. These include regular and targeted audits, on-site and off-site checks, information requests, and document or evidence access.

When exercising their enforcement powers, competent authorities should give due regard to the particular circumstances of each case, such as the nature, gravity, and duration of the infringement, the damage caused or losses incurred, and the intentional or negligent character of the violation.

To ensure real accountability for the cybersecurity measures at the organizational level, NIS2 introduces provisions on the liability of natural persons holding senior management positions in the entities falling within the scope of the new NIS2 Directive.

About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit or call (65) 6296-4268.

