Article 36: Penalties
The Article 36 (Penalties) requirement means you must track the NIS 2 penalties regime as each EU Member State where you operate transposes it, and keep your NIS 2 controls “exam-ready”, because national authorities can impose effective, proportionate and dissuasive penalties for noncompliance. The operational goal is fast, provable compliance with the national NIS 2 measures. (Directive (EU) 2022/2555, Article 36)
Key takeaways:
- Article 36 is implemented through national law; your job is to map each jurisdiction’s penalties and supervisory expectations to your control program. (Directive (EU) 2022/2555, Article 36)
- Treat penalties as a governance requirement: define accountability, decision rights, and evidence that shows controls operate, not just that they exist. (Directive (EU) 2022/2555, Article 36)
- Prioritize “penalty-trigger” areas in audits: incident reporting readiness, cybersecurity risk management controls, and third-party dependencies. (Directive (EU) 2022/2555, Article 36)
Article 36 is short, but it changes how you run your NIS 2 compliance program. It does not give you a single EU-wide fine table to follow. Instead, it obligates each Member State to lay down and enforce penalties for infringements of the national measures that transpose NIS 2. Your operational requirement is therefore jurisdiction management: you must know which national regime applies to which parts of your business, which behaviors trigger penalties, and how you prove compliance under supervisory scrutiny. (Directive (EU) 2022/2555, Article 36)
For a Compliance Officer, CCO, or GRC lead, the practical challenge is avoiding “policy compliance” that collapses during an inquiry. Supervisors typically ask for evidence tied to timelines, system scope, and decision logs. Article 36 also has a coordination dimension: Member States had to notify the European Commission of their penalty rules and updates, so your “source of truth” must stay current as national rules evolve. (Directive (EU) 2022/2555, Article 36)
Use this page to operationalize the Article 36 penalties requirement into a concrete workplan: map jurisdictions, identify penalty triggers, assign control owners, and build a retention-ready evidence set.
Regulatory text
Regulatory excerpt (quoted): “Member States shall lay down rules on penalties applicable to infringements of national measures adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive. Member States shall, by 17 January 2025, notify the Commission of those rules and of those measures and shall notify it, without delay, of any subsequent amendment affecting them.” (Directive (EU) 2022/2555, Article 36)
Plain-English interpretation (what the requirement means)
- Penalties are real and local. Your exposure is driven by each Member State’s transposed NIS 2 law and enforcement practice, not by a single harmonized EU penalty schedule. (Directive (EU) 2022/2555, Article 36)
- Supervision expects execution. “Effective, proportionate and dissuasive” signals that penalty frameworks must have teeth, and regulators will expect evidence that your controls operate in practice. (Directive (EU) 2022/2555, Article 36)
- Change is expected. Member States must notify amendments “without delay,” so your compliance mapping must include an update mechanism, not a one-time assessment. (Directive (EU) 2022/2555, Article 36)
Who it applies to
Entity scope: Any organization that is in scope of NIS 2 under the applicable national measures (commonly “essential” or “important” entities under the NIS 2 categories, as implemented locally). Article 36 itself is addressed to Member States, but it has operational consequences for regulated entities because it is the legal basis for the penalty regimes attached to NIS 2 obligations. (Directive (EU) 2022/2555, Article 36)
Operational contexts where it bites hardest:
- Multi-country EU operations where different business units fall under different national transposition rules.
- Centralized security programs supporting distributed legal entities.
- Heavy reliance on third parties that affect service availability, incident containment, or reporting quality. (Directive (EU) 2022/2555, Article 36)
What you actually need to do (step-by-step)
Treat Article 36 as a penalty-readiness requirement: establish a repeatable way to identify penalty triggers and prove control operation.
Step 1: Build a jurisdictional “penalties & supervision” register
Create a register that includes, per Member State where you operate:
- The national NIS 2 transposition reference your counsel confirms is applicable to your entity/entities.
- The competent authority (or authorities) and supervisory touchpoints.
- A penalties summary: penalty types, escalation paths, and any administrative measures relevant to your obligations under national law.
- Update cadence and an “owner” responsible for monitoring amendments. (Directive (EU) 2022/2555, Article 36)
Operator tip: Don’t mix this into a generic legal register. You need a working tool that ties directly to controls, evidence, and response playbooks.
Step 2: Map “penalty triggers” to your control obligations
Convert the jurisdictional view into a control view:
- List your NIS 2-derived obligations as implemented nationally (risk management measures, incident handling and reporting, governance, and third-party dependencies).
- For each obligation, identify what would constitute a violation in operational terms (e.g., “reporting clock starts at X event,” “scope includes these networks/services,” “required approver is role Y”).
- Assign a single accountable owner and backup per obligation/control. (Directive (EU) 2022/2555, Article 36)
This is where many programs fail: they track “we have a policy,” but not “what exact behavior would be penalized.”
Step 3: Make incident reporting provable, not aspirational
Because penalties often attach to failure to notify, late notification, or incomplete notification under the national measures, you need:
- A documented incident triage and escalation workflow with clear decision rights.
- A clock-and-trigger model: what starts the reporting clock, who can declare an incident, and what evidence supports the timeline.
- A case file structure that captures: detection time, classification rationale, escalation steps, notification decision, and communications. (Directive (EU) 2022/2555, Article 36)
If you use Daydream for compliance execution, configure the incident workflow as a controlled process with assigned tasks, timestamped approvals, and retention tags. That turns “we followed the procedure” into exportable evidence rather than an assertion.
Step 4: Integrate third-party dependencies into penalty exposure management
Article 36 itself is about penalties, but penalties attach to violations of the national NIS 2 measures, and third-party failure is a common root cause of those violations operationally. Build a third-party dependency layer:
- Identify critical third parties (providers that could materially affect availability, integrity, confidentiality, or incident reporting).
- Link third-party risk assessments to NIS 2 control requirements and remediation tracking.
- Require contract clauses or operating procedures that support your obligations (notification cooperation, access to incident facts, and evidence sharing). (Directive (EU) 2022/2555, Article 36)
Step 5: Set up an “exam-ready” evidence retention model
Define what you will retain, where, and who owns production during an inquiry:
- Evidence inventory by control area (governance, risk management, incident handling, third-party oversight).
- Retention and legal hold triggers for incident-related records.
- A regulator response playbook: intake, privilege handling, document production, and communications approval flow. (Directive (EU) 2022/2555, Article 36)
Step 6: Run a penalty-readiness tabletop and close gaps
Run a scenario that is designed to produce the artifacts an authority will ask for:
- A cross-border incident with shared services, where different Member States may have different supervisory expectations.
- A third-party-originated incident where you must obtain facts quickly.
- A decision to notify vs not notify, with documented rationale and approvals. (Directive (EU) 2022/2555, Article 36)
Track actions to closure in your GRC system, with owners and due dates that reflect your internal risk appetite.
Required evidence and artifacts to retain
Use this as a baseline “penalty defense file” structure:
- Jurisdictional applicability memo(s) and an up-to-date NIS 2 obligation register with country mapping. (Directive (EU) 2022/2555, Article 36)
- Control ownership matrix (RACI) for NIS 2 obligations and national variants. (Directive (EU) 2022/2555, Article 36)
- Incident management artifacts: triage SOP, escalation matrix, on-call logs, ticket timelines, classification notes, notification drafts, and approval records. (Directive (EU) 2022/2555, Article 36)
- Third-party dependency inventory and critical third-party oversight artifacts (risk assessments, assurance results, remediation tracking, contractual cooperation evidence). (Directive (EU) 2022/2555, Article 36)
- Board/management oversight evidence: meeting minutes and decisions showing governance of cybersecurity risk and compliance posture, aligned to national measures. (Directive (EU) 2022/2555, Article 36)
- Change management record for updates to your mapping when Member States amend penalty rules or supervisory measures. (Directive (EU) 2022/2555, Article 36)
Common exam/audit questions and hangups
Expect questions framed as “show me,” not “tell me”:
- Which national NIS 2 law applies to this legal entity and this service? Show the mapping and decision logic. (Directive (EU) 2022/2555, Article 36)
- What are the penalty consequences for failing to meet the national measures? Provide a jurisdiction summary and internal escalation thresholds. (Directive (EU) 2022/2555, Article 36)
- Prove you can meet incident reporting requirements. Produce a recent drill file with timestamps, approvals, and lessons learned. (Directive (EU) 2022/2555, Article 36)
- How do you manage third-party dependencies that affect reporting and containment? Show onboarding criteria, monitoring, and contractual cooperation. (Directive (EU) 2022/2555, Article 36)
- How do you stay current as national rules change? Show your update mechanism and evidence of updates applied. (Directive (EU) 2022/2555, Article 36)
Frequent implementation mistakes (and how to avoid them)
| Mistake | Why it creates penalty risk | Practical fix |
|---|---|---|
| Treating Article 36 as “legal-only” and ignoring operational mapping | Penalties apply to infringements of national measures; ops teams execute those measures | Maintain a jurisdictional obligation register with control owners and milestones |
| One EU-wide incident workflow without local variants | Local transposition may drive different expectations, authorities, or processes | Add jurisdiction fields, decision rights, and reporting routes per country |
| Evidence scattered across tickets, email, and chat with no retention plan | You can’t prove timelines and decisions under scrutiny | Standardize incident case files and retention tags in your GRC/ticketing stack |
| Third-party risk run separately from NIS 2 obligations | Third parties can block you from meeting national measures | Tie critical third-party oversight to NIS 2 control requirements and remediation |
| No process to monitor amendments | Member States can amend rules and must notify the Commission | Assign a named owner for updates and document each mapping refresh (Directive (EU) 2022/2555, Article 36) |
Enforcement context and risk implications
This page cites no public enforcement cases for this requirement, so do not anchor your program on anecdotal penalty figures. Operationally, treat Article 36 as a signal that penalties are intended to deter noncompliance: regulators will scrutinize whether you executed the national measures, not whether your policy language reads well. (Directive (EU) 2022/2555, Article 36)
Risk implications to brief to executives:
- Regulatory risk: failure to comply with national NIS 2 measures can lead to penalties under national law. (Directive (EU) 2022/2555, Article 36)
- Operational risk: weak incident timelines, unclear decision rights, and third-party opacity create repeatable compliance failures.
- Reputational risk: supervisory actions can become public depending on national practice; plan communications and evidence discipline accordingly. (Directive (EU) 2022/2555, Article 36)
Practical 30/60/90-day execution plan
Day 30 (Immediate stabilization)
- Stand up the NIS 2 jurisdictional obligation register and name control owners. (Directive (EU) 2022/2555, Article 36)
- Document your incident triage, escalation, and evidence capture workflow as it exists today.
- Identify critical third-party dependencies tied to service delivery and incident response.
Day 60 (Control hardening)
- Map penalty-trigger obligations to controls, tickets, and playbooks per jurisdiction. (Directive (EU) 2022/2555, Article 36)
- Implement an exam-ready incident case file structure with required fields and approvals.
- Connect third-party risk assessments to remediation tracking for NIS 2-relevant gaps.
Day 90 (Proof and repeatability)
- Run a penalty-readiness tabletop (cross-border + third-party scenario) and capture the full evidence pack.
- Close gaps with tracked remediation and executive visibility.
- Establish the “amendment monitoring” process with documented refresh evidence. (Directive (EU) 2022/2555, Article 36)
Frequently Asked Questions
Does Article 36 impose a specific fine amount I can plan around?
No. Article 36 requires Member States to set penalties in national measures; it does not provide a single fine schedule in the directive text provided here. Your planning input is each applicable national transposition. (Directive (EU) 2022/2555, Article 36)
What is the fastest way to operationalize the Article 36 penalties requirement in a multi-country environment?
Build a jurisdictional register that maps legal entities and services to national NIS 2 measures, then connect each obligation to a control owner and evidence set. Keep the register current as national rules change. (Directive (EU) 2022/2555, Article 36)
What evidence do regulators ask for that teams often can’t produce?
Timelines and decision logs for incident classification, escalation, and notification are common gaps, especially when information is split across tools. Standardize incident case files and approvals so you can reproduce the story quickly. (Directive (EU) 2022/2555, Article 36)
How should third-party risk management connect to penalties?
Penalties attach to infringements of national measures, and third-party outages or delayed cooperation can cause missed obligations in practice. Track critical third parties as dependencies, require cooperation for incident facts, and link remediation to NIS 2 controls. (Directive (EU) 2022/2555, Article 36)
Our security program is centralized. Do we still need local variants?
Often yes, because supervisory expectations, competent authorities, and procedural details can vary by Member State transposition. Keep one global baseline, then document the local deltas in your obligation register. (Directive (EU) 2022/2555, Article 36)
How can Daydream help without turning this into “tool compliance”?
Use Daydream to manage the obligation register, assign control ownership, track remediation, and retain incident evidence with timestamps and approvals. The value is faster, cleaner production of proof under inquiry. (Directive (EU) 2022/2555, Article 36)