preloader

· security digital-security nis2 compliance europe gdpr critical-infrastructure enterprise

NIS2 Enforcement Has Started, and It Looks Exactly Like Early GDPR: Warnings First, Fines Later

Source: CybersecurityTime / ANSSI / BSI

The first wave of NIS2 enforcement activity across the EU is visible now, and it is not what many compliance teams braced for. No national authority, not the BSI, not ANSSI, not Italy’s ACN, has issued a finalised administrative fine under NIS2. What they have issued instead is a large and growing stack of formal notices, remediation orders, and registration chases, and that distinction matters far more than the headline “no fines yet” suggests.

What each regulator is actually doing

Germany’s BSI issued 47 formal enforcement notices in the final quarter of 2025, the large majority for entities that failed to register in the national NIS2 register or failed to designate a mandatory point of contact. These are process failures, not incident-response failures, and they are the easiest violations for a regulator to detect and act on first.

France’s ANSSI has issued remediation orders to 23 entities in the energy and transport sectors specifically, citing inadequate risk management measures. France’s stated approach explicitly prioritises remediation ahead of financial penalties, giving flagged entities a defined path to fix the problem before a fine becomes the next step.

Italy’s ACN, meanwhile, is still working the more basic problem of getting entities onto the register at all. As of March 2026, over 4,800 entities had registered in Italy’s national NIS2 register, but ACN’s own estimate suggests roughly 2,000 entities that should have registered still had not.

Why this looks like 2018 GDPR all over again

Anyone who lived through the first eighteen months of GDPR enforcement will recognise this shape immediately. Regulators started with registration and documentation gaps, the failures that are simplest to identify from public records and self-reported data, and used warnings and corrective orders to build the enforcement muscle before moving to financial penalties. The large GDPR fines that dominate compliance headlines today did not arrive until 2019 and later, well after the initial wave of warnings had run its course.

NIS2 fines can reach 10 million euros or 2 percent of global turnover for essential entities, and 7 million euros or 1.4 percent for important entities, with penalties doubling for repeat violations within three years. Those numbers are not smaller than GDPR’s, and there is no structural reason to expect the fines phase to arrive more slowly this time. If anything, regulators now have a template to follow.

The mistake would be reading “no fines yet” as “no urgency”

The organisations receiving BSI notices and ANSSI remediation orders right now are not being fined, but they are also the entities that a regulator has already identified as non-compliant and is actively tracking. When the fines phase does begin, and every historical precedent from GDPR says it will, the entities already in a regulator’s remediation pipeline are the ones with the shortest distance left to travel before enforcement escalates against them specifically.

For any organisation still treating NIS2 registration, incident reporting processes, or risk management documentation as a lower priority than “the incidents that actually get you fined,” this enforcement pattern is the signal to reprioritise now, while the cost of fixing gaps is still a compliance project rather than a financial penalty.

If your organisation needs to confirm its NIS2 registration status, close gaps in incident reporting or risk management documentation, or benchmark your current compliance posture against what German, French, and Italian regulators are actually checking for, contact Excello Digital. We help European organisations turn NIS2 obligations into a completed checklist before they become an enforcement conversation.

These news items are automatically aggregated from industry sources and are not individually reviewed. Any inaccuracies are unintentional — let us know and we'll correct or remove it.

We’ll help you resolve your infrastructure challenges

Our team of experts is ready to help you with your infrastructure challenges. We’ll give you honest and personal treatment. Get in touch to learn more.

Get in touch!