Skip to main content
Version status: Amended | Document consolidation status: Updated to reflect all known changes
Version date: 20 May 2024 - onwards
Version 4 of 4

Article 16 Penalties

1. Without prejudice to Article 31 of Directive (EU) 2022/2555 of the European Parliament and of the Council [Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80).], Member States shall lay down the rules on penalties applicable to infringements of this Regulation. Those penalties shall be effective, proportionate and dissuasive.

2. Member States shall ensure that infringements of this Regulation by qualified and non-qualified trust service providers be subject to administrative fines of a maximum of at least:

(a) EUR 5 000 000 where the trust service provider is a natural person; or

(b) where the trust service provider is a legal person, EUR 5 000 000 or 1 % of the total worldwide annual turnover of the undertaking to which the trust service provider belonged in the financial year preceding the year in which the infringement occurred, whichever is higher.