The headline number scares people: up to 10 million EUR or 2% of global turnover. But the fine most SaaS vendors should worry about is smaller, arrives sooner, and does not come from a regulator. It comes from losing the deal. Here is what NIS2 actually puts at risk, and who ends up paying.
The Two Fine Ceilings
NIS2 sets penalty ceilings by entity class. The class you fall into depends on your sector and size, which our scope self-check walks through.
- Essential entities: up to 10 million EUR, or 2% of total worldwide annual turnover, whichever is higher.
- Important entities: up to 7 million EUR, or 1.4% of total worldwide annual turnover, whichever is higher.
Most B2B SaaS vendors that fall in scope land in the “important entity” category. The ceiling is high, but ceilings are not the everyday reality. Regulators reserve maximum fines for serious, sustained, or negligent failures. What matters more for a small vendor is the ladder of consequences below the ceiling.
It Is Not Only a Money Fine
NIS2 gives national authorities more than the power to fine. In Germany, the BSI can also:
- Issue binding instructions to fix specific deficiencies
- Order you to notify affected customers of an incident
- Suspend a certification or authorisation tied to your service
- Hold management personally accountable for oversight failures
That last point catches founders off guard. Under the German transposition, management bodies must approve and monitor cybersecurity risk measures, and they can be held personally liable for failing to do so. Our deeper piece on Geschäftsführer liability covers how that works. The obligation cannot simply be delegated away to an IT contractor.
What Actually Triggers a Penalty
A regulator does not fine you for having a vulnerability. Every system has vulnerabilities. Penalties follow from failures of process and duty:
- No risk-management measures. You never implemented the Article 21 measures at all.
- Failure to report an incident. NIS2 requires an early warning within 24 hours and a fuller report within 72 hours. Missing that window is a distinct violation.
- Ignoring a binding instruction. The authority told you to fix something and you did not.
- Failure to register. In Germany, covered entities must register with the BSI. Missing it is penalised on its own, before any breach.
The common thread is demonstrable neglect. A vendor who took reasonable, documented measures and reported promptly is in a very different position from one who did nothing and hid an incident.
The Fine You Will Feel First
For most SaaS vendors, the regulator is not the first cost of non-compliance. The first cost is commercial.
An EU enterprise customer has its own supply-chain duty under NIS2. Before it signs you, its procurement team asks for evidence of your security posture. If you cannot produce it, the deal stalls or dies. That happens months or years before any regulator would come knocking, and it happens on every enterprise deal, not just in the rare enforcement case.
So the practical risk ladder for a small vendor is:
- Now: deals stall because you cannot show evidence in a security review.
- Soon: a covered customer requires NIS2-mapped proof as a contract condition.
- Later, if negligent: regulatory instructions, registration penalties, or a fine.
You address all three with the same thing: documented, current evidence that you took reasonable measures.
The Cheapest Way to Show Reasonable Measures
“Reasonable and proportionate measures” is the standard NIS2 sets. You do not need a six-figure security program to meet it as a small vendor. You need to implement the Article 21 basics and be able to show them. Our breakdown of what auditors actually ask for maps each measure to its evidence.
The observable half, the part a regulator or customer can check from outside, is a short list: TLS with no deprecated versions, security headers, no exposed admin panels, email authentication, and no public JavaScript with known CVEs. Start by seeing where you stand. Run a free external scan and read your A-F grade in about a minute.
Then keep the evidence current. SaaSFort scans your domain across 60 external checks, grades it A to F, and maps each finding to its NIS2 Article 21 control. The one-time audit pack is €39: a dated, branded PDF you attach to a security review or keep on file as proof you assessed your posture. No subscription, no card on the first scan. It is not a compliance program by itself, but it is the concrete artifact that turns “we take security seriously” into something a reviewer or regulator can actually read.
Get your NIS2 evidence pack for €39
FAQ
How much is the maximum NIS2 fine? For essential entities, up to 10 million EUR or 2% of global annual turnover, whichever is higher. For important entities, up to 7 million EUR or 1.4% of turnover. Most B2B SaaS vendors in scope are important entities. Maximum fines are reserved for serious or negligent failures, not for a single vulnerability.
Can I be personally liable as a founder or director? Under the German NIS2 transposition, yes. Management bodies must approve and oversee cybersecurity risk measures and can be held personally accountable for failing to do so. The duty cannot be fully delegated to a contractor or a single employee.
Do fines apply if I have not had a breach? Yes. Several violations do not require a breach: failing to register with the BSI, failing to implement risk-management measures, or ignoring a binding instruction are each penalised on their own.
What is the fastest way to reduce my risk? Implement the Article 21 basics, register if you are required to, and keep dated evidence of your external posture. A current scan report is the cheapest piece of that evidence and the one a customer’s security review asks for first.
Ready to put this into practice?
Two ways to start — pick what fits. Free Scan if you want to see your security grade in 60s with no commitment. Free 14-day Growth trial if you're ready to monitor multiple domains, export NIS2 reports, and download Deal Reports — no credit card required.
No credit card · Cancel anytime · GDPR-ready · EU-hosted