The NIS 2 fine procedure step by step
Article 34 NIS 2 sets the ceiling. The German Ordnungswidrigkeitengesetz sets the procedure. §65 BSIG ties them together.
What this article describes
NIS 2 obliges Member States to provide for administrative fines against entities that fail their cybersecurity risk management or reporting duties. Article 34 NIS 2 sets the maximum amounts and the calculation criteria. Each Member State plugs that ceiling into its own administrative offence law.
In Germany, the BSI Act implements the fine catalogue in §65 BSIG. The procedural rails sit in the Ordnungswidrigkeitengesetz (OWiG): hearing under §55 OWiG, fine notice under §41 OWiG, objection within two weeks under §67 OWiG. The substantive calculation rules in §17 OWiG operate alongside the NIS 2-specific factors in Article 34(7).
This page describes what the procedure looks like from the outside. It does not advise on how to respond. Concrete defence in a §65 BSIG procedure requires criminal and regulatory counsel.
EU layer: Article 34 NIS 2
Member States shall ensure that administrative fines imposed on essential and important entities pursuant to this Article in respect of infringements of this Directive are, in each individual case, effective, proportionate and dissuasive.
Article 34(4) sets the maximum for essential entities at 10 million EUR or 2 percent of total worldwide annual turnover of the preceding financial year. Article 34(5) sets 7 million EUR or 1.4 percent for important entities. In each case the higher of the two amounts applies.
National layer: §65 BSIG (Germany)
An administrative offence may, in the case of a particularly important entity, be punished with a fine of up to ten million euros or up to two percent of the total worldwide turnover achieved in the preceding financial year by the undertaking to which the entity belongs, whichever amount is higher. In the case of an important entity, the fine is up to seven million euros or up to 1.4 percent of total turnover. (§65 BSIG, translated)
§65 BSIG mirrors the Article 34 NIS 2 ceiling. The list of fineable conduct in §65(1) BSIG covers, among others, failures of the §30 BSIG risk management measures, missed §32 BSIG incident reporting, and missed §33 BSIG registration.
Procedural code: OWiG
Before a fine notice is issued, the person concerned shall be given the opportunity to comment on the accusation. (§55 OWiG, translated)
The OWiG governs the procedure. §55 OWiG requires a hearing before the fine notice. §41 OWiG specifies the form of the Bußgeldbescheid. §67 OWiG gives the addressee two weeks from service to lodge an Einspruch. §17 OWiG governs the substantive calculation, applied together with Article 34(7) NIS 2 criteria.
Initiation
A §65 BSIG procedure typically starts after the supervisory authority establishes a triggering event: a failure of the §30 BSIG cybersecurity measures discovered in an audit or self-report, a missed or late §32 BSIG incident notification (24-hour early warning, 72-hour follow-up, one-month final report), or a missed §33 BSIG registration. The authority opens an Ordnungswidrigkeitenverfahren and notifies the entity.
Anhörungsschreiben
Before any fine notice can issue, the authority sends an Anhörungsschreiben listing the alleged conduct, the legal basis under §65 BSIG, and a deadline to comment. The hearing letter is procedural, not a verdict. Silence does not stop the procedure. The §65 BSIG framework provides for the matter to be decided on the file if the entity does not respond.
Bußgeldbescheid
If the authority concludes the offence is established, it issues a Bußgeldbescheid under §41 OWiG. The amount is calculated against the Article 34(7) NIS 2 criteria (severity, duration, intent or negligence, prior infringements, financial benefit, cooperation, prior measures) together with §17 OWiG. The notice carries a §67 OWiG instruction: two weeks to lodge an Einspruch.
Effective, proportionate, dissuasive
Article 34(1) NIS 2 binds the authority to proportionality. The 10 million EUR or 2 percent ceiling is a maximum, not a tariff. §17 OWiG requires the authority to weigh the significance of the offence and the economic circumstances of the entity. In practice, the calculation moves both ways: up for severity and recurrence, down for genuine cooperation and demonstrable prior measures.
Cooperation is a calculation factor
Article 34(7)(f) NIS 2 lists the degree of cooperation with the competent authorities as a mitigating factor. Voluntary disclosure of the breach, evidence of corrective measures, and full file access all count in the calculation. The entity's prior measures under §30 BSIG (Article 34(7)(d) NIS 2) are read against the same baseline.
Bundesamt für Sicherheit in der Informationstechnik
The BSI is the competent supervisory authority for most NIS 2 sectors in Germany under §1 BSIG. It opens and runs the §65 BSIG fine procedure. Operators of critical installations (KRITIS) sit under the same authority. Bußgeldbescheide and Einspruch correspondence run through the BSI.
ENISA and Cooperation Group
ENISA does not impose fines. It produces guidance and coordinates the NIS Cooperation Group under Article 14 NIS 2. ENISA outputs (incident taxonomy, sector-specific guidance) inform what counts as state of the art under Article 21(2) NIS 2 and therefore feed into the Article 34(7) calculation.
Sectoral supervisors
For finance, energy, transport, and health, sector regulators retain a parallel role under §61 BSIG and sector-specific law. The §65 BSIG ceiling still applies. Where DORA covers a financial entity, DORA's own sanction regime takes precedence on cybersecurity measures, but the Article 27 NIS 2 registration duty still runs.
Misconception: the 2 percent ceiling is calculated on the German entity's turnover.
Article 34(4) NIS 2 and §65 BSIG calculate the percentage on the total worldwide annual turnover of the undertaking the entity belongs to in the preceding financial year. For subsidiaries inside a larger group, this can lift the ceiling by orders of magnitude above the local revenue.
Misconception: if we ignore the Anhörung, the matter goes away.
§55 OWiG only requires the authority to give the entity an opportunity to comment. It does not require an answer. The §65 BSIG framework provides for the matter to proceed to a Bußgeldbescheid on the file if no comment arrives. The procedural code does not slow down for silence.
Misconception: full disclosure of every operational detail will minimise the fine.
Article 34(7)(f) NIS 2 rewards cooperation with the competent authority. It does not require the entity to construct the authority's case for it. The line between cooperation and self-incrimination is the point at which counsel is involved. Procedural admissions made without counsel are difficult to retract.
The two-week Einspruch deadline in §67 OWiG runs from service of the Bußgeldbescheid. It is a statutory deadline, not a negotiable one. Missing it makes the notice final under §66 OWiG, after which only narrow routes to reinstatement remain. The hearing letter under §55 OWiG carries no statutory deadline of its own, but the authority sets one in the letter.
Concrete defence in a §65 BSIG procedure requires criminal and regulatory counsel. This article describes the procedure and the legal anchors. It does not address how to respond to a specific hearing letter or fine notice. Anything that touches the entity's risk management substance (§30 BSIG), its reporting history (§32 BSIG), or its prior measures under Article 21 NIS 2 should be discussed with counsel before it leaves the entity.
A §65 BSIG procedure is decided on the file. The Article 34(7) NIS 2 calculation rewards prior measures, cooperation, and a documented history. That history is built before any letter arrives: who signed off on which control, when an incident was reported, what evidence sat behind the §30 BSIG risk management measures.
The platform records that history continuously. Sign-offs, assignment trails, incident notifications, and policy approvals carry timestamps and identities. None of that decides a procedure. All of it is the kind of file the §17 OWiG and Article 34(7) NIS 2 calculation looks at.
- Directive (EU) 2022/2555 (NIS 2), Article 34: General conditions for imposing administrative fines on essential and important entities.
- Gesetz über das Bundesamt für Sicherheit in der Informationstechnik (BSIG), §65: Bußgeldvorschriften.
- Gesetz über das Bundesamt für Sicherheit in der Informationstechnik (BSIG), §30 (Risikomanagement), §32 (Meldepflichten), §33 (Registrierung).
- Gesetz über Ordnungswidrigkeiten (OWiG), §17 (Bemessung), §41 (Bußgeldbescheid), §55 (Anhörung), §66 (Rechtskraft), §67 (Einspruch).
- ENISA, NIS 2 Cooperation Group outputs and technical implementation guidance.