1. The Compliance Cost Paradox #

The IBM Cost of a Data Breach Report 2024 puts the average global cost of a data breach at USD 4.88 million, an all-time high at publication. In heavily regulated European markets, total costs often exceed the global average because regulatory proceedings, legal fees, and operational disruptions carry particular weight.

Against this stand the costs of preventive measures: a backup system, an information security management system, perhaps an external audit per year. These investments can be planned, budgeted, and amortised. A data breach cannot be planned.

The paradox: compliance appears as a cost factor because the costs are visible. Non-compliance appears as a savings option because the costs are invisible, until the incident. The task of decision-makers is to make this asymmetry visible.


2. Direct Fines and Penalties by Regulatory Framework #

Fines are the most easily quantifiable part of non-compliance costs. The frameworks are defined by EU law and publicly known. Less well known is how readily supervisory authorities now make use of them: the upper ranges are no longer theoretical.

Overview: Fine Frameworks Across the EU #

  • GDPR (all organisations processing personal data): up to EUR 20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher (Art. 83 GDPR)
  • NIS2, essential entities (large organisations in high-criticality sectors): up to EUR 10 million or 2% of global annual turnover, whichever is higher
  • NIS2, important entities (medium-sized organisations in defined sectors): up to EUR 7 million or 1.4% of global annual turnover, whichever is higher
  • DORA (financial sector): national competent authorities sanction financial entities with the full toolkit, from remediation orders to restrictions on business activity; for critical ICT third-party service providers, the EU supervisory authorities can impose periodic penalty payments of 1% of average daily worldwide turnover for each day of non-compliance, for a maximum of six months (Art. 35 DORA)
  • National record-keeping and tax rules (all organisations subject to bookkeeping requirements): no fixed fine framework, but estimated tax assessments, back payments plus interest, and in serious cases criminal proceedings

Why DORA Penalties Are Particularly Dangerous #

The daily approach is not an academic construction. For a critical ICT provider with annual turnover of EUR 500 million, average daily turnover is roughly EUR 1.37 million, so 1% equals approximately EUR 13,700 per day. After 60 days of violation: around EUR 820,000, for the delayed remediation alone; over the six-month maximum the payments reach roughly EUR 2.5 million. For larger providers, these figures scale with turnover. Financial entities themselves face supervisory measures that can be more expensive than any fine: restrictions on business activity.

Record-Keeping Violations: The Underestimated Risk #

Record-keeping violations rarely make headlines, but they regularly hit mid-sized organisations in tax and regulatory audits. Across the EU, accounting records and business documents must be retained in unalterable form for defined periods; MiFID II adds strict record-keeping duties for investment services. In Germany, for example, an organisation that cannot present its bookkeeping records in audit-proof, unalterable form during a tax audit risks:

  • Estimated tax assessments by the tax authority
  • Tax back payments covering multiple fiscal years
  • Back payment interest
  • In extreme cases: criminal tax proceedings

Equivalent consequences exist in other member states. The common denominator: missing or manipulable records shift the burden of proof against the organisation.


3. Indirect Costs: Often Larger Than the Fines #

In practice, fines frequently make up only a fraction of the total damage. Indirect costs are harder to predict but well documented.

Operational Disruption #

Ransomware attacks are the most common trigger for serious compliance incidents. Incident response firms consistently report average downtimes of several weeks following a ransomware attack. For manufacturing companies or service providers with continuous delivery obligations, every week of downtime is direct revenue loss.

Typical cost items in an operational disruption:

  • Revenue loss during downtime
  • Overtime and extra hours for restoration
  • Emergency procurement of replacement systems
  • Contract penalties toward customers (SLA violations)
  • External service provider costs (incident response, recovery)

A serious data breach incident typically incurs the following external costs:

  • IT forensics: damage analysis, evidence preservation for authorities and insurers; typically EUR 20,000 to EUR 200,000 and more depending on complexity
  • Legal costs: coordination with authorities, reporting obligations, contract law; typically EUR 5,000 to EUR 50,000 depending on the incident
  • PR and crisis management: especially for public organisations or consumer data; variable, but substantial
  • Notification of affected parties under GDPR obligations: postage, call centre, processing effort

Reputational Damage and Customer Loss #

Reputational damage and customer loss following data breaches are increasingly the largest damage component, and the hardest to quantify. A rule of thumb from insurance practice: in B2B organisations, a serious incident can cost a meaningful share of the affected customer base.

Productivity Loss #

Employees occupied during and after an incident with manual processes, makeshift systems, or restoration work are absent from day-to-day operations. This item is rarely tracked internally, but it is real.


4. Personal Liability: Not Only the Organisation Pays #

A central shift in the current regulatory wave: liability no longer remains at the company level. Decision-makers are personally accountable.

NIS2: Management Duties with Personal Consequences #

Article 20 of the NIS2 Directive requires that management bodies approve the cybersecurity risk management measures, oversee their implementation, and attend training; it also provides that members of the management body can be held liable for infringements. National implementation acts spell out the consequences:

  • Personal liability towards the company in cases of culpable breach, reaching private assets
  • Suspension from management functions as a possible supervisory measure against managers of essential entities in serious cases
  • Training obligation for the management body, with documentation

Culpability is typically established where known risks were ignored: the executive was aware of a security deficiency (for example through audit findings) and did not act.

DORA: The Management Body Is Responsible #

DORA (Regulation (EU) 2022/2554) addresses financial entities and their ICT service providers. Art. 5 DORA assigns full responsibility for ICT risk management to the management body, which must define, approve, oversee and be responsible for the implementation of the ICT risk management framework. This is not a delegation option; it is a statutory obligation of the board.

GDPR: Controllers and Management #

Under the GDPR, organisations are the primary addressees of fines, but managing directors who knowingly tolerate flawed data processing operate in a zone of personal liability under national corporate and tort law.

The common denominator of all current EU regulations: ignorance is no protection. Documented knowledge without action establishes personal liability.


5. The Business Case for Compliance Investments #

At this point the calculation can be reversed. Instead of treating compliance as a cost factor, the question becomes: what does it cost not to invest?

Comparison: Prevention vs. Incident #

Typical annual prevention costs for a mid-sized organisation:

  • Backup system with air gap and immutability (for example the Silent Brick System): EUR 15,000 to 40,000 (reference value, depending on size and configuration; not a binding price indication)
  • ISMS operation and external audit: EUR 10,000 to 30,000
  • Training and awareness: EUR 3,000 to 10,000
  • Total prevention: EUR 28,000 to 80,000 per year

Typical costs of a single serious incident:

  • Fine (NIS2, mid-sized organisation, illustrative range): EUR 500,000 to 5,000,000
  • IT forensics and external consultants: EUR 50,000 to 250,000
  • Operational disruption (2 to 4 weeks): EUR 100,000 to 2,500,000
  • Reputational damage (estimated): variable, often above EUR 500,000
  • Total incident (conservative, excluding reputational damage): EUR 650,000 to 7,750,000

The ratio is clear: comparing the low ends (EUR 28,000 against EUR 650,000) and the high ends (EUR 80,000 against EUR 7,750,000), prevention costs are roughly 1 to 5% of potential incident costs, before reputational damage is counted.

Cyber Insurance: Compliance as a Pricing Factor #

The cyber insurance market is growing strongly across Europe. Insurers ask detailed questions in the underwriting review: Are there immutable backups? Is an air gap in place? Have recovery tests been documented?

Organisations that demonstrate verifiable measures, for example through hardware-based immutability or a physical air gap, pay lower premiums or are offered coverage at all. For some risk profiles, cyber insurance is no longer available without demonstrated offline backups.

The Silent Brick System provides exactly the technical evidence insurers require: a physical air gap (Silent Brick Pro, with bricks physically removable from the Controller X) and galvanic separation (Silent Brick Max Air, no removal needed). Silent Cubes complement this with hardware long-term archiving that meets EU and national audit-proof retention requirements.


6. Three Quick Wins for the Internal Business Case #

If you are an IT leader, CISO, or compliance officer needing to justify compliance investment internally, these three approaches help:

Quick Win 1: Calculate the Fine Scenario #

Determine your global annual turnover. Calculate 2% (NIS2, essential entities) or 4% (GDPR) and compare the result with the fixed amounts (EUR 10 million and EUR 20 million respectively); the higher figure is your theoretical maximum risk from fines alone, and for most mid-sized organisations that means the fixed amount applies. This figure excludes operational disruption, forensics, and reputational damage. Put the costs of the requested measures against it.

Quick Win 2: Negotiate Insurance Premiums #

Request a detailed breakdown from your cyber insurer: which technical measures reduce your premium by how much? Many insurers provide these figures on request. This makes the investment in backup infrastructure directly translatable into premium savings.

Quick Win 3: Document Audit Findings as Liability Protection #

Have internal or external audits document current compliance gaps in writing, together with the measures and timeline decided for each. After an incident, this report is your most important line of defence: it demonstrates that you identified the risk and initiated measures. The protection depends on the follow-up, however: a documented gap with no documented remediation decision is exactly the knowledge without action that establishes personal liability. It is also the strongest internal argument: “Here are the gaps, here are the risks, here is the budget we need.”


Conclusion #

Compliance is not a cost factor. Non-compliance is one, and one you can neither plan nor control.

The complete bill from fines, operational disruptions, external specialists, reputational damage, and personal liability exceeds the costs of preventive measures in every realistic scenario.

Decision-makers who treat compliance as an investment rather than a checkbox exercise are better positioned in the event of an incident: technically, legally, and financially. The first step is making the invisible costs of non-compliance visible.


CTA #

How well is your backup infrastructure positioned for NIS2, DORA, and GDPR compliance? The Silent Brick System provides physical air gap, immutability, and tested recoverability on-premises, without cloud dependency. Silent Cubes add hardware archiving for audit-proof retention. Schedule a Demo or View Technical Details for the Silent Brick System.


Further Resources #

  • Audit-Proof Retention Guide (/en/blog/revisionssicherheit-leitfaden/)
  • NIS2 Personal Liability: What Executives Need to Know (/en/blog/nis2-persoenliche-haftung/)
  • NIS2 Implementation Deadlines: Timeline and Fines (/en/blog/nis2-umsetzungsfristen/)
  • GDPR and Cloud Storage: What Is Permitted (/en/blog/dsgvo-cloud-speicherung/)
  • DORA Requirements for the Financial Sector (/en/blog/dora-anforderungen-finanzsektor/)
  • Silent Brick System (/en/produkte/silent-brick-system/)
  • Silent Cubes (/en/produkte/silent-cubes/)


Source notes: IBM Cost of a Data Breach Report 2024; Art. 83 GDPR; Directive (EU) 2022/2555 (NIS2); Regulation (EU) 2022/2554 (DORA). Regulatory information provided without warranty; we recommend legal advice for individual cases.

Disclaimer

This article was written by our editorial team and edited using AI. It provides a general overview and does not constitute legal advice – we recommend seeking professional advice for your specific situation.