The amendments to the Cybersecurity Act related to NIS 2, promulgated in State Gazette No. 17 of 13 February 2026, set specific requirements for organizations that fall within the scope of the law. For these companies, the topic is no longer a matter of future preparation but of timely assessment: whether they are affected, what obligations they have, and how far their current measures are sufficient.
One of the most serious elements of the regime is the sanctions. For essential entities, the law provides for a financial penalty of up to EUR 10,000,000 or up to 2% of the total worldwide annual turnover for the previous financial year, whichever is higher. For important entities, the sanction is up to EUR 7,000,000 or up to 1.4% of turnover, again whichever is higher.
In addition to the financial sanctions for organizations, the law also provides for personal liability for violations of provisions related to governance. Heads of administrative bodies, managers, or members of management bodies of essential and important entities may be fined from EUR 500 to EUR 5,000.
The law also introduces clear deadlines in the event of a significant incident. An early warning must be submitted within 24 hours, an incident notification within 72 hours, and a final report no later than one month after the notification. This means that in a real situation, the organization must have a pre-established process — who assesses the incident, who gathers the information, who submits the notifications, and how the actions are documented.
The risk for companies is not only in the size of the sanctions. The bigger practical problem is lack of preparedness. If an organization does not know whether it falls within the scope, lacks clarity regarding its obligations, or has not reviewed its measures, it may react too late — during an incident, an inspection, or when required to demonstrate the actions taken.
That is why the first reasonable step is a readiness assessment. It provides answers to the most important questions: whether the company falls within the scope of the law, what its status is, which requirements are applicable, what measures are already in place, and where gaps exist.
NIS 2 is not a topic to postpone, because incident response deadlines are short, sanctions are significant, and the requirements imply prior organization. The earlier a company conducts its assessment, the more clearly and effectively it can plan its next steps.






