Fines and the liability of senior management
The directive introduces fines that carry weight in the budget of any company. For essential entities they reach up to 10 million € or 2 % of total worldwide annual turnover — whichever amount is higher. For important entities it is up to 7 million € or 1.4 %.
What is new and decisive: senior management must approve the risk-management measures and oversee their implementation, and it is liable for breaches. This responsibility cannot be fully delegated and cannot be contracted away. Cybersecurity has thereby become, once and for all, a matter for the boardroom rather than for the IT department alone.
Timelines differ between member states. Germany applies its law from day one, with registration due within three months; Poland grants a longer window, with obligations phasing in until April 2027. Wherever you operate, the direction is the same — and across the market, most affected companies still have work ahead of them.