Source: OJ L 333, 27.12.2022, p. 80–152Current language: EN
- High common level of cybersecurity for entities
Basic legislative acts
- NIS 2 directive
Article 34 General conditions for imposing administrative fines on essential and important entities
Summary What does Article 34 of the NIS 2 directive say?
This article sets out the administrative fines regime for both essential and important entities that breach their obligations under the Directive.
It directly builds on Articles 32 and 33, which govern supervisory and enforcement powers, by establishing that fines are an additional tool on top of those existing measures.
The article draws a clear distinction between the two categories of entity, setting higher fine thresholds for essential entities than for important ones.
It also includes flexibility for Member States whose legal systems do not natively provide for administrative fines, allowing courts or tribunals to impose them instead, and leaves it to each Member State to determine whether and how fines apply to public administration entities.
Important points:
- Essential entities face fines of up to at least EUR 10,000,000 or at least 2% of total worldwide annual turnover, whichever is higher, for breaching the cybersecurity risk-management or incident reporting obligations.
- Important entities face a lower threshold of up to at least EUR 7,000,000 or at least 1.4% of total worldwide annual turnover, whichever is higher, for the same categories of breach.
- Administrative fines are imposed in addition to, not instead of, the other enforcement measures available under Articles 32 and 33.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Member States shall ensure that the administrative fines imposed on essential and important entities pursuant to this Article in respect of infringements of this Directive are effective, proportionate and dissuasive, taking into account the circumstances of each individual case.
Administrative fines shall be imposed in addition to any of the measures referred to in Article 32(4), points (a) to (h), Article 32(5) and Article 33(4), points (a) to (g).
When deciding whether to impose an administrative fine and deciding on its amount in each individual case, due regard shall be given, as a minimum, to the elements provided for in Article 32(7).
Member States shall ensure that where they infringe Article 21 or 23, essential entities are subject, in accordance with paragraphs 2 and 3 of this Article, to administrative fines of a maximum of at least EUR 10 000 000 or of a maximum of at least 2 % of the total worldwide annual turnover in the preceding financial year of the undertaking to which the essential entity belongs, whichever is higher.
Member States shall ensure that where they infringe Article 21 or 23, important entities are subject, in accordance with paragraphs 2 and 3 of this Article, to administrative fines of a maximum of at least EUR 7 000 000 or of a maximum of at least 1,4 % of the total worldwide annual turnover in the preceding financial year of the undertaking to which the important entity belongs, whichever is higher.
Member States may provide for the power to impose periodic penalty payments in order to compel an essential or important entity to cease an infringement of this Directive in accordance with a prior decision of the competent authority.
Without prejudice to the powers of the competent authorities pursuant to Articles 32 and 33, each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public administration entities.
Where the legal system of a Member State does not provide for administrative fines, that Member State shall ensure that this Article is applied in such a manner that the fine is initiated by the competent authority and imposed by competent national courts or tribunals, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by the competent authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. The Member State shall notify to the Commission the provisions of the laws which it adopts pursuant to this paragraph by 17 October 2024 and, without delay, any subsequent amendment law or amendment affecting them.
Relevant recitals
Recital 126 Immediate enforcement decisions
In duly substantiated cases where it is aware of a significant cyber threat or an imminent risk, the competent authority should be able to take immediate enforcement decisions with the aim of preventing or responding to an incident.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
public administration entity
- it is established for the purpose of meeting needs in the general interest and does not have an industrial or commercial character;
- it has legal personality or is entitled by law to act on behalf of another entity with legal personality;
- it is financed, for the most part, by the State, regional authorities or by other bodies governed by public law, is subject to management supervision by those authorities or bodies, or has an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional authorities or by other bodies governed by public law;
- it has the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or capital;
Definition
significant cyber threat
Definition
incident
Definition
risk
Definition
network and information system
- an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;
- any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or
- digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;
Definition
cyber threat
Definition
entity