NIS2 Article 34 — penalties for essential entities

Article 34 sets the financial-penalty ceiling for essential entities. Administrative fines reach up to €10,000,000 OR 2% of the total worldwide annual turnover of the undertaking, whichever is higher. The "or" is not a choice the entity gets to make: supervisors take the higher of the two figures when calculating maximum exposure. Important entities face a lower ceiling (€7M / 1.4%) under Art. 35.

Who Article 34 applies to

Essential entities. (Important entities = Art. 35; same regime, lower ceiling.)

What Article 34 obliges you to do

  • Treat NIS2 non-compliance as a board-level financial risk, not an IT operational risk
  • Reflect the up-to-€10M / 2% turnover exposure in the entity's risk register
  • Combine with Art. 32(6) management-ban exposure when assessing personal-liability disclosures
  • Document remediation actions promptly — the supervisor weighs cooperation and remediation when setting the actual fine within the maximum

Common misconception

"€10M is the cap, so a small SaaS is safe."

False. The cap is whichever is HIGHER: €10M OR 2% of global turnover. For a 500-person SaaS with €50M turnover, 2% of turnover is €1M, so €10M is the higher figure and is the binding ceiling; for a fast-growing scale-up crossing €500M turnover, 2% of turnover overtakes €10M and the ceiling climbs above €10M from there. The cap scales with the entity.

Get the external-posture evidence in 60 seconds

An auditor reviewing Article 34 compliance will ask for evidence. SaaSFort produces the externally-observable portion (TLS, headers, DNS, certs, exposed surfaces) in 60 seconds — mapped to Art. 21 sub-clauses and ISO 27001 Annex A.

Frequently asked questions

How do supervisors set the actual fine within the Art. 34 ceiling?

Authorities consider the gravity, duration and recurrence of the breach, intent vs negligence, financial benefit obtained, harm caused, cooperation with the supervisor, and prior infringements. Demonstrable remediation lowers the effective fine; ignoring an enforcement order raises it.

Is the Art. 34 fine separate from member-state penalties?

No — Art. 34 sets the EU-level ceiling and member states implement it. In Germany, §41 BSIG transposes the Art. 34 ceiling. The fine you see is the same number, levied under national law.
