Key Takeaway: The NIS2 grace period is over. Germany issued the first fine in February 2026 (EUR 850,000). Nineteen member states are under European Commission infringement procedures for late transposition. Early enforcement patterns show regulators targeting missing risk management policies, absent incident reports, and lack of documented management approval, not sophisticated technical controls.
Until early 2026, NIS2 enforcement was theoretical. The deadline had passed, but every month without a fine reinforced a comfortable assumption: that regulators would spend a long runway in education mode before taking action. February changed that. Germany's Federal Office for Information Security (BSI) imposed the first public NIS2 fine on a mid-sized cloud service provider, and the pattern behind that case is now clear across several early enforcement actions.
This update summarizes where enforcement actually stands in April 2026: which countries have transposed, which have not, what the first fines targeted, and what your management team should be doing differently in Q2 and Q3 2026 in light of these signals.
The grace period is over
Throughout 2025 and early 2026, a common executive view was that NIS2 would follow the GDPR pattern: years of light enforcement while authorities built capability, then a gradual ramp. That assumption is no longer safe. Three signals tell you why.
First, the Commission escalated. On 7 May 2025 the European Commission sent reasoned opinions to 19 member states for failing to notify full transposition of the directive. That is the formal step before a Court of Justice referral. It is a clear signal that the Commission treats NIS2 as a priority directive, not a discretionary target.
Second, national authorities built capacity. Germany's BSI, France's ANSSI, Italy's ACN, and the Netherlands' NCSC all expanded their regulated-entity supervision teams through 2025 and early 2026. These are no longer understaffed policy functions. They have examiners whose job is to find non-compliance.
Third, the first fine landed. The February 2026 German penalty is meaningful not for its size but for what it chose to target: a mid-sized, non-famous cloud provider. That choice tells every comparable entity that the regulator is willing to act on ordinary companies, not just headline-worthy flagship cases.
Case study: Germany's first NIS2 fine
The facts
A mid-sized German cloud service provider, regulated as an essential entity under NIS2, was penalized EUR 850,000 in February 2026 by the BSI. The specific findings publicly cited by the authority fell into two categories: failure to implement documented cybersecurity risk management measures commensurate with the entity's risk profile, and deficient incident response procedures that meant a 2025 security event was neither classified correctly nor reported within the 24-hour and 72-hour windows required under Article 23.
What the authority did not cite
The fine was not about a sophisticated breach, a nation-state attacker, or exotic technical failures. It was about the basics. The entity could not produce evidence of a formal risk assessment, a management-approved security policy, or a documented incident response plan. These are Article 21 foundational obligations, not advanced controls.
Why it matters
The BSI has signaled that the first enforcement priority is evidence of governance and process, not the technical quality of tooling. If you can produce documented policies, board sign-off, a risk register, and a tested incident plan, you are ahead of what regulators are actually auditing in 2026.
Transposition status across the EU (April 2026)
NIS2 is a directive, which means every EU member state must transpose it into national law. The deadline was 17 October 2024. As of April 2026, transposition is still uneven. Understanding your country's status is critical because fines and supervisory powers only become enforceable once the national law is in force.
Fully transposed, enforcing
National law in force and supervisory authority active.
Belgium, Croatia, Italy, Lithuania, Romania, Slovakia, Germany (first fine issued Feb 2026), and others.
Transposed late, ramping up
Law recently in force, supervisory practice still forming.
France, Netherlands, Austria, Poland, Spain, and most of the 19 member states that received reasoned opinions have now transposed during late 2025 or early 2026.
Still incomplete
Transposition not complete. Commission referral to the Court of Justice of the EU is the likely next step.
A small number of member states remain non-compliant. Consult the ECSO NIS2 Transposition Tracker and the Commission's Digital Strategy portal for current status.
What this means in practice: Even if your home member state has not fully transposed, you are likely affected in three ways. Customer contracts may require compliance under another member state's law. Your group holding company may be subject in a country that has transposed. And the Commission's implementing rules that take the form of regulations (for example the implementing regulation setting technical and methodological requirements for cloud, data centre, DNS, managed service and other digital providers) apply directly and do not wait for national transposition. Treat the directive as operative everywhere.
What regulators are targeting first
Based on the first handful of enforcement actions, formal supervisory guidance published by ENISA and national authorities, and ongoing client work with essential and important entities, three enforcement priorities stand out clearly in 2026.
Priority 1: Documented governance and management approval
The very first question a supervisor asks is: can you produce a written, management-approved cybersecurity policy and risk assessment? This is the fastest-to-check and hardest-to-fake signal of NIS2 seriousness. The German fine turned on exactly this gap. Entities without board-level sign-off on their risk management framework are the lowest-hanging enforcement target.
Priority 2: Incident notification compliance
Article 23 imposes a three-stage reporting regime: early warning within 24 hours, incident notification within 72 hours, and a final report within one month. Regulators cross-reference public disclosures, customer complaints, and peer reports against your submitted notifications. Entities that suffered a 2025 or 2026 incident but did not notify, or notified late, are being specifically investigated.
Priority 3: Registration and entity identification
Most member states require in-scope entities to register with the national authority. Failure to register is a simple, binary non-compliance finding. Authorities are working through registration databases and flagging sectoral entities that should be listed but are not. Being unregistered is the easiest deficiency to find and one of the easiest to fix.
5 lessons from early NIS2 enforcement
Paperwork beats tooling in the first audit
Regulators cannot audit your SIEM configuration on a first visit, but they can audit whether you have a signed cybersecurity policy and a risk register. Spend proportionately. Mature governance documentation is cheaper than new tools and has a higher enforcement-risk payoff.
Management liability is now real, not theoretical
The German case publicly identified a responsible manager. Across several member states, transposition laws allow personal sanctions; the directive itself (Article 32(5)) lets authorities temporarily bar individuals at CEO or legal-representative level of an essential entity from exercising managerial functions. Directors and senior officers should insist on formal sign-off records and evidence of training, both for their own protection and for the entity's.
Mid-sized entities are not too small to fine
The first fine did not land on a Fortune 500 company. It landed on a mid-sized cloud provider. Regulators are deliberately picking cases that demonstrate reach. Essential and important entities of all sizes should assume they are in the first enforcement cohort.
Incident notification is a separate enforcement vector
An entity can be fully compliant with Article 21 risk measures and still be fined for Article 23 notification failures. Treat incident reporting as a separate, specifically-resourced workstream with named roles, trained responders, and tested channels to your national authority.
Supply chain scrutiny is arriving fast
Several 2026 supervisory programs have announced specific supply chain thematic reviews. Regulators will ask how you identify, assess, and contractually bind your critical suppliers. If your vendor list has more than a few dozen names, start tiering and documenting now. Expect to be asked in the next twelve months.
What to prepare for Q2 and Q3 2026
If you have not already started a structured NIS2 programme, the lesson from the first fines is that the runway has closed. Here is a prioritized list of work for the next two quarters that directly addresses what the early enforcement wave is testing.
Q2 2026 priorities
- Confirm your entity classification (essential vs important) and register with the national authority if not already done.
- Produce or refresh a management-approved cybersecurity policy with an explicit reference to NIS2 Article 21.
- Document your Article 23 incident notification process with named roles, thresholds, and a tested channel to your national CSIRT.
- Conduct management training on cybersecurity risk and sign-off. Keep attendance records.
Q3 2026 priorities
- Complete a supply chain risk assessment. Tier your critical vendors, map concentration risk, and add NIS2-aligned contractual clauses.
- Run a tabletop exercise simulating a significant incident with full Article 23 notification timeline.
- Perform an independent gap assessment against the 10 Article 21 measures. Prioritize top three residual risks.
- Prepare a pre-audit readiness pack: registration, policy, risk register, evidence log, incident records, training records, supplier list. One folder, ready to hand to a supervisor.
Frequently asked questions
What was the first NIS2 fine?
Germany's BSI issued the first public NIS2 penalty in February 2026, fining a mid-sized cloud service provider EUR 850,000 for failing to implement documented risk management measures and incident response procedures. The fine is notable not for its size but for its target: an ordinary regulated entity, not a headline case.
Which countries have fully transposed NIS2 in 2026?
Transposition is progressing unevenly. On 7 May 2025, 19 member states received reasoned opinions from the Commission. Most have since transposed, including France, Netherlands, Austria, and Spain. A small number remain non-compliant and face potential referral to the Court of Justice of the EU. The ECSO Transposition Tracker provides a current country-by-country view.
Can my organization be fined if my country has not transposed NIS2 yet?
National administrative fines require a national transposition law in force. But your exposure is broader than that. If your group operates in a transposed member state, you are subject there. If your customers or contracts are governed by transposed laws, flow-down obligations apply. And once your country transposes, any historical significant incidents may be revisited by the supervisor.
What are the maximum fines under NIS2?
For essential entities, up to EUR 10 million or 2 percent of total worldwide annual turnover, whichever is higher. For important entities, up to EUR 7 million or 1.4 percent of total worldwide annual turnover, whichever is higher. Beyond monetary penalties, supervisory authorities can suspend certifications or authorisations, issue binding instructions, and, for essential entities, temporarily bar individuals from management functions.
What are regulators targeting first in 2026?
Three clear priorities: (1) missing or inadequate management-approved risk management policies, (2) late or absent incident notifications under Article 23, and (3) failure to register with the national authority. All three are process and governance failures, not technical ones, and all three are the first things a supervisor asks for.
Will there be more NIS2 fines in 2026?
Almost certainly. National authorities across Germany, France, Italy, the Netherlands, and Spain have all announced supervisory programmes for 2026. Expect cross-border coordination through the NIS Cooperation Group and the CSIRTs network (with ENISA in its secretariat role) and a steady cadence of fines through the rest of the year, with supply chain thematic reviews gaining prominence in H2.
How do competent authorities pick which entities to inspect?
In 2026, selection is a mix of sector risk-based sampling, follow-up after self-reported incidents under Article 23, and responses to third-party complaints or media coverage. Essential entities in energy, health, and digital infrastructure are inspected proactively. Important entities are usually only inspected after an incident notification or complaint, which follows from the directive's design: Article 32 gives authorities ex ante and ex post supervision over essential entities, while Article 33 limits important entities to ex post supervision triggered by evidence or indications of non-compliance.
Are you ready for an NIS2 audit?
We help essential and important entities prepare a defensible NIS2 evidence pack: policy, risk register, incident procedures, supplier map, training records. All the things the first fines cited as missing.