FORTISEU
Free Compliance Tool

EU Compliance
Risk Calculator

Calculate your organization's maximum exposure under GDPR, NIS2, and the new EU AI Act. Understand why compliance is cheaper than the fine.

  • NIS2: 2% of turnover, essential entities in critical sectors; cap €10M
  • DORA: 2% of turnover, financial entity ICT resilience; cap €10M
  • GDPR: 4% of turnover, major data protection violations; cap €20M
  • AI Act: 7% of turnover, prohibited AI practices; cap €35M

Selected regulation: NIS2 (Network & Information Security Directive), covering critical infrastructure & essential services.

Fine Tier: up to €10M or 2% (whichever is higher)

Worldwide annual revenue (not EU-only). Estimates statutory maximums, not expected fines.

Quick presets: €100M (slider range €0 to €10B)

0–€20M linear (SME); above that log scale. Use exact input for values below €10.000.

Statutory fine cap (simplified): €10M
Interpretation: Fixed cap dominates
Statutory ceiling from legal text (theoretical cap), not a prediction of what you will pay.
Formula: max(€10M, 2.0% of revenue)
Fixed cap: €10M
Revenue % cap: €2M
Used: Fixed cap
Break-even: €500M — below this the fixed cap dominates regardless of turnover.
Did you know?

NIS2 expands scope across critical sectors and increases management-body accountability. Treat it as an operating model, not a one-time project.

Example Violation

Failure to implement appropriate security measures or report significant incidents within required timelines.

FortisEU Annual Cost: ~€9,600 (Growth Plan, annual)
Potential Fine: €10M under NIS2 (up to €10M or 2%, whichever is higher)
You Could Save: €10M with compliance
What this calculator is (and isn't)
  • Shows simplified statutory maximum caps: fixed amount vs percentage of global turnover (whichever is higher).
  • Real-world outcomes depend on severity, duration, negligence/intent, cooperation, and national enforcement practice.
  • Not legal advice. Use as a risk communication tool, then validate with counsel.
EU Regulatory Fine Escalation (chart): NIS2 (2%), DORA (2%), GDPR (4%), AI Act (7%)

Understanding EU Regulatory Fines

How are fines calculated?

EU regulatory fines follow a "whichever is higher" model. For each regulation, the penalty is the greater of a fixed minimum amount or a percentage of global annual turnover. This ensures that fines are proportionate to the size of the organization.

NIS2 Directive (Network and Information Security)

The NIS2 Directive replaces NIS1 and significantly expands its scope to cover 18 critical sectors including energy, transport, banking, healthcare, and digital infrastructure. Essential entities face fines of up to €10 million or 2% of global turnover. Important entities face up to €7 million or 1.4%.

GDPR (General Data Protection Regulation)

GDPR has been in force since 2018 and has resulted in over €4 billion in cumulative fines. For major violations (unlawful processing, failure to obtain consent, data transfers without safeguards), fines reach €20 million or 4% of global turnover. Lesser violations cap at €10 million or 2%.

DORA (Digital Operational Resilience Act)

DORA applies to virtually all EU-regulated financial entities — banks, insurers, investment firms, payment institutions, and crypto-asset service providers — plus their critical ICT third-party providers. Financial entities face penalties determined by national competent authorities, typically aligned at €10 million or 2% of global turnover. Critical ICT third-party providers (CTPPs) face periodic penalty payments of up to 1% of average daily worldwide turnover for up to 6 months (~0.5% annual effective maximum).

EU AI Act (Artificial Intelligence Act)

The AI Act introduces the highest fines in EU regulatory history. Violations of prohibited AI practices (social scoring, unauthorized biometric identification, subliminal manipulation) carry penalties of €35 million or 7% of global turnover, nearly double GDPR's maximum.

The Cumulative Risk

Organizations operating AI systems that process personal data in critical infrastructure or financial sectors may face regulatory scrutiny under all four frameworks simultaneously. A single incident could trigger investigations under NIS2 (security), DORA (ICT resilience), GDPR (data breach), and the AI Act (AI governance), potentially resulting in cumulative fines from independent legal bases.

Compliance is an Investment, Not a Cost

For a €100M revenue company, the theoretical combined exposure under all four regulations reaches approximately €75M (NIS2 €10M + DORA €10M + GDPR €20M + AI Act €35M). FortisEU's comprehensive compliance platform costs approximately 0.01% of that potential fine, while providing automated evidence collection, continuous monitoring, and audit-ready documentation.
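The calculator logic described under "How are fines calculated?" and the combined-exposure figure above, worked through as an added example (not FortisEU's own code). The tiers and percentages are the ones quoted on this page; the break-even turnover is derived as fixed cap divided by percentage, and the code also covers the lesser tiers the page mentions (NIS2 important entities, GDPR lesser violations).

```python
from dataclasses import dataclass

M = 1_000_000  # one million euros


@dataclass(frozen=True)
class FineTier:
    """One 'whichever is higher' statutory ceiling: fixed cap vs. share of turnover."""
    name: str
    fixed_cap: float          # fixed ceiling in EUR
    pct_of_turnover: float    # fraction of worldwide annual turnover

    def revenue_cap(self, revenue: float) -> float:
        return self.pct_of_turnover * revenue

    def cap(self, revenue: float) -> float:
        # max(fixed amount, percentage of global turnover), as on the page
        return max(self.fixed_cap, self.revenue_cap(revenue))

    def dominant(self, revenue: float) -> str:
        # At or below break-even the fixed cap is what applies
        if self.fixed_cap >= self.revenue_cap(revenue):
            return "Fixed cap"
        return "Revenue % cap"

    def break_even(self) -> float:
        # Turnover at which the percentage cap overtakes the fixed cap
        return self.fixed_cap / self.pct_of_turnover


# Figures quoted on this page (statutory maximums, not expected fines)
TIERS = {
    "NIS2 essential":    FineTier("NIS2 essential", 10 * M, 0.02),
    "NIS2 important":    FineTier("NIS2 important", 7 * M, 0.014),
    "DORA":              FineTier("DORA", 10 * M, 0.02),
    "GDPR major":        FineTier("GDPR major", 20 * M, 0.04),
    "GDPR lesser":       FineTier("GDPR lesser", 10 * M, 0.02),
    "AI Act prohibited": FineTier("AI Act prohibited", 35 * M, 0.07),
}

# The four frameworks the page sums for the "cumulative risk" scenario
COMBINED = ("NIS2 essential", "DORA", "GDPR major", "AI Act prohibited")


def exposure(revenue: float) -> dict:
    """Per-regulation theoretical ceiling for a given worldwide turnover."""
    return {name: TIERS[name].cap(revenue) for name in COMBINED}


def combined_exposure(revenue: float) -> float:
    """Sum of the four independent ceilings (independent legal bases)."""
    return sum(exposure(revenue).values())
```

At €100M turnover every fixed cap dominates and the sum is €75M; at €1B turnover each percentage cap has taken over and the sum doubles to €150M.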