
Chapter 8 of 9

Supervision, Sanctions, and Enforcement Risks

Explores how ANCI and sectoral authorities supervise compliance, the types of sanctions available, and what this means practically for ICT service providers supporting essential services.


1. Why Supervision and Sanctions Matter for ICT Providers

In this module, you connect legal enforcement to day‑to‑day decisions in ICT operations that support essential services and Operators of Vital Importance (OVI).

You have already seen:

  • Who is covered (essential operators, OVI, key ICT / digital providers)
  • What they must do (risk management, incident reporting, specific OVI duties)

Now we look at what happens if they do not comply:

  • Who supervises (with a focus on ANCI and sectoral authorities)
  • How supervision works in practice
  • Types and levels of sanctions, including high monetary fines
  • How enforcement risk should influence:
    • Governance (boards, CISOs, risk committees)
    • Investment (security budgets, tools, staffing)
    • Contracts (SLAs, liability, audit rights)

Keep in mind:

  • Across Europe, the current baseline is NIS2 and its national implementations (replacing the original NIS Directive). National cybersecurity authorities (like ANCI in this context) now have stronger supervisory and fining powers.
  • OVI (or their national equivalents, such as "operators of essential services" or "essential entities") typically face stricter oversight and higher expectations because of the systemic impact of their failure.

2. Who Supervises: ANCI vs Sectoral Authorities

Supervision is usually shared between:

  1. ANCI (National Cybersecurity Authority)
    • Central authority for:
      • Cybersecurity policy and implementation of NIS2‑style frameworks
      • Cross‑sector risk management and incident reporting rules
      • Coordinating national response to major cyber incidents
    • Focuses on:
      • Horizontal ICT and cybersecurity controls (governance, risk management, technical and organisational measures)
      • Digital and ICT service providers that support multiple sectors
  2. Sectoral authorities / regulators
    • Examples (names vary by country):
      • Energy regulator
      • Financial supervisory authority
      • Transport / aviation / rail authority
      • Health ministry or health data authority
    • Focuses on:
      • Sector‑specific safety, continuity, and service quality
      • Sector‑specific security standards (e.g. for SCADA, medical devices)
  3. Coordinated supervision
    • In complex cases (e.g. a cloud provider serving many critical hospitals and banks), ANCI and sectoral regulators may:
      • Share information
      • Conduct joint inspections
      • Coordinate enforcement so the operator is not punished twice for the same fact pattern, while all relevant risks are still addressed.

For ICT providers, this means you may be supervised indirectly (through your client’s sectoral regulator) and directly (by ANCI for cybersecurity obligations).

3. ANCI’s Supervisory and Investigative Powers

Under modern NIS2‑based regimes (in force or being enforced across the EU since 2024–2025), national cybersecurity authorities like ANCI have strong investigative powers, typically including:

  1. Information requests
    • Require operators and key ICT providers to supply:
      • Policies (e.g. information security policy, incident response plan)
      • Risk assessments and audit reports
      • Logs and incident records
      • Evidence of compliance with security measures
    • Often with short deadlines (e.g. 10–30 days).
  2. On‑site and remote inspections
    • Announced or unannounced visits to:
      • Data centres, operations centres, or control rooms
      • Corporate offices (for documentation and interviews)
    • Remote inspections via:
      • Secure portals, screen‑sharing, or remote system access
  3. Technical testing and audits
    • Penetration testing or vulnerability scanning (directly or via accredited third parties)
    • Verification of:
      • Network segmentation
      • Backup and recovery procedures
      • Access control and identity management
  4. Incident‑related investigations
    • After a major incident, ANCI can:
      • Request detailed incident timelines and root‑cause analysis
      • Examine whether required preventive and detective controls were in place
      • Assess the timeliness and quality of reporting (as covered in your incident‑management module)

For OVI and their critical ICT providers, these powers are used more frequently and more deeply, reflecting their higher systemic importance.

4. Example: How a Supervision Case Unfolds

Imagine a cloud provider hosting critical applications for several hospitals (OVI‑level operators in the health sector).

  1. Trigger event
    • A ransomware attack disrupts patient record systems for 24 hours.
    • Hospitals report the incident to ANCI and their health regulator.
  2. Initial ANCI actions
    • ANCI requests from both the hospitals and the cloud provider:
      • Incident notification forms
      • Logs related to access, backups, and system changes
      • Evidence of applied security measures (multi‑factor authentication, network segmentation, backup tests).
  3. On‑site inspection
    • ANCI visits the cloud provider’s primary data centre.
    • Activities include:
      • Interviewing the CISO, SOC analysts, and incident response lead
      • Checking whether backup restoration tests were actually performed and documented
      • Reviewing contracts between the hospitals and the cloud provider to see how security responsibilities were allocated.
  4. Findings
    • ANCI identifies that:
      • Backups existed but were not regularly tested.
      • Critical admin accounts lacked MFA.
      • The provider failed to notify the hospitals within the required early warning timeframe.
  5. Enforcement outcome
    • ANCI issues:
      • A formal order to remedy (implement MFA, test and document backups, improve monitoring)
      • A monetary fine proportional to the impact and negligence
    • The health regulator may add sector‑specific measures, such as extra continuity testing requirements for the hospitals.

This example shows how ANCI’s powers translate into real operational and financial consequences for ICT providers supporting OVI.

5. Types and Ranges of Sanctions

Under NIS2‑style national laws (now active or applied across the EU since 2024–2025), sanctions can be substantial, especially for OVI and essential entities. Typical tools include:

  1. Non‑monetary measures
    • Warnings and reprimands: Formal notice that compliance is insufficient.
    • Orders to remedy or improve: Mandated implementation of specific controls (e.g. deploy EDR, segregate networks) within a set deadline.
    • Binding instructions: Detailed technical or organisational requirements (e.g. mandatory external audits, extra staff training).
    • Temporary restrictions: In extreme cases, limits on certain activities, or requirements to suspend risky services until fixed.
  2. Monetary fines
    • For essential/OVI operators and their key ICT providers, NIS2‑aligned regimes allow high administrative fines.
    • Typical ranges (national details vary, but the pattern is similar):
      • A fixed ceiling of several million euros, or
      • A percentage of global annual turnover, whichever is higher. NIS2 itself sets the minimum ceilings national laws must provide: at least EUR 10 million or 2% of total worldwide annual turnover for essential entities, and at least EUR 7 million or 1.4% for important entities.
    • Fines can be applied for:
      • Failing to implement appropriate risk‑management measures
      • Failing to report incidents correctly or on time
      • Not cooperating with supervisory authorities or obstructing inspections
  3. Personal liability of management (in some countries)
    • Some national laws allow:
      • Temporary bans on managers holding certain positions (NIS2 itself provides for temporarily prohibiting senior managers of essential entities from exercising managerial functions when remedial orders are ignored)
      • Personal administrative fines for intentional or grossly negligent non‑compliance

For ICT providers, the key message is: cybersecurity non‑compliance is now a board‑level financial risk, not just a technical issue.

6. Enforcement Risk Factors: A Prioritization Exercise

Regulators like ANCI rarely fine every breach at the maximum level. They look at several risk and conduct factors.

Activity

Rank the following four fictional situations from lowest to highest enforcement risk (1 = lowest, 4 = highest), based on how ANCI is likely to see them. Then compare with the model answer below.

Scenario A

A regional water utility (essential operator) has a minor documentation gap in its risk assessment. Technical controls are largely appropriate. It cooperates fully once ANCI points out the issue.

Scenario B

A data centre hosting systems for multiple OVI fails to patch a critical vulnerability for months, despite vendor warnings and prior ANCI guidance. An attack causes a 12‑hour outage for emergency services.

Scenario C

A hospital (OVI) suffers a phishing incident affecting a small number of non‑critical systems. It reports slightly late but provides full details and quickly implements better email filtering and training.

Scenario D

A cloud provider repeatedly ignores ANCI’s information requests, provides incomplete logs, and blames clients for security responsibilities that clearly lie with the provider under the law.

Write down your ranking, then unfold the model answer:

<details>

<summary>Model ranking and reasoning</summary>

1 (Lowest) – Scenario A

  • Low impact, mostly a paperwork / maturity issue.
  • Strong cooperation and low risk exposure.

2 – Scenario C

  • Limited impact and good remediation.
  • Slight reporting delay, but strong cooperation and learning.

3 – Scenario D

  • Even without a big incident, non‑cooperation and obstruction are major red flags.
  • ANCI is likely to react strongly to protect its supervisory role.

4 (Highest) – Scenario B

  • High impact on OVI and public safety.
  • Known vulnerability left unpatched for months (clear negligence).
  • Prior guidance ignored.

This reflects typical factors: impact, risk exposure, recurrence, negligence, and cooperation.

</details>

7. Appeals, Remedies, and OVI Qualification

When ANCI takes a formal decision (e.g. a fine, an order to remedy, or a designation as OVI), operators and ICT providers usually have access to administrative and judicial remedies.

  1. Challenging ANCI decisions
    • Common steps in many EU systems:
      a) Administrative review: Request ANCI to reconsider or clarify its decision, especially when facts were misunderstood.
      b) Appeal to an administrative court: Challenge the legality, proportionality, or procedural correctness of the decision.
    • Courts can:
      • Confirm, reduce, or annul fines
      • Adjust deadlines or scope of remedial orders
  2. OVI qualification and its consequences
    • Being designated as an Operator of Vital Importance (OVI) (or equivalent national category) typically means:
      • Stricter supervision (more frequent audits, more detailed reporting)
      • Higher expectations for resilience and incident response
      • Potentially higher sanction ceilings due to systemic importance
    • Some laws allow operators to:
      • Contest the designation if they believe the criteria (e.g. size, criticality, cross‑border impact) are misapplied
      • Request a review if their role or risk profile changes over time
  3. Practical implications for ICT providers
    • If your client is OVI, your own services are likely to be treated as critical dependencies.
    • You may be indirectly affected by:
      • Stricter contract clauses
      • Increased audit and reporting duties
      • Higher expectations around recovery times and redundancy

Enforcement risk is therefore not only about avoiding fines, but also about how you are classified and how that classification shapes your long‑term obligations.

8. Quick Check: Understanding Sanction Drivers

Answer this question to test your understanding of what drives ANCI’s enforcement choices.

Which combination of factors is MOST likely to push ANCI toward a high monetary fine against an ICT provider supporting OVI?

  A) Low impact incident, full cooperation, rapid remediation, first‑time issue
  B) High impact outage affecting critical services, known unpatched vulnerability, repeated past warnings, and poor cooperation during investigation
  C) Minor documentation gaps in risk assessments, but strong technical controls and transparent communication

Answer: B) High impact outage affecting critical services, known unpatched vulnerability, repeated past warnings, and poor cooperation during investigation

High fines are most likely when there is: (1) high impact on essential/OVI services, (2) clear negligence such as ignoring known vulnerabilities, (3) recurrence or prior warnings, and (4) weak cooperation with ANCI. The other options describe relatively low‑risk or well‑managed issues.

9. Applying Enforcement Risk to Governance and Contracts

Now connect enforcement risk to governance, investment, and contracting.

Thought Exercise

You are the security manager of an ICT provider that hosts critical applications for an OVI energy operator.

  1. Governance

List two concrete governance measures you would propose to the board to manage ANCI enforcement risk. Examples might include:

  2. Investment

Your budget is limited, but ANCI has recently stressed the importance of backup testing and vulnerability management. Which two priority investments would you recommend, and why, in terms of enforcement risk?

  3. Contracts

You are renegotiating your SLA with the OVI client. Name two clauses you would adjust to better handle regulatory expectations and potential sanctions:

When you are done, compare with the model ideas below.

<details>

<summary>Model ideas (not exhaustive)</summary>

Governance

  • Establish a cyber risk committee that regularly reviews NIS2 / ANCI compliance and major incidents.
  • Include cyber and regulatory compliance KPIs in executive performance metrics.

Investment

  • Implement an automated vulnerability management platform with clear SLAs for patching critical issues.
  • Invest in regular backup testing and documented disaster‑recovery exercises to show ANCI you can restore critical OVI services.

Contracts

  • Add clear incident notification timelines and cooperation duties (log sharing, joint investigations) aligned with ANCI’s expectations.
  • Clarify allocation of security responsibilities (e.g. who manages patching, who manages identity and access) and include rights for the OVI to audit or receive independent audit reports.

</details>

10. Key Term Review

Use these flashcards to reinforce the most important concepts from this module.

ANCI (National Cybersecurity Authority)
The central authority responsible for implementing national cybersecurity law (including NIS2‑style rules), supervising essential/OVI operators and key ICT providers, and coordinating incident response.
Operator of Vital Importance (OVI)
An operator whose services are so critical that disruption would have a serious impact on public security, safety, or the economy. OVIs face stricter obligations, closer supervision, and potentially higher sanctions.
Supervisory powers
Legal powers granted to ANCI and sectoral authorities to request information, conduct inspections, perform audits or tests, and issue binding instructions to ensure compliance.
Enforcement factors
Key elements considered when deciding sanctions: risk exposure, actual impact, recurrence or past warnings, degree of negligence, and level of cooperation with authorities.
Monetary sanctions (fines)
Financial penalties that can reach millions of euros or a percentage of global turnover for serious or repeated non‑compliance with cybersecurity obligations.
Appeals and remedies
Legal mechanisms (administrative review and court appeals) that allow operators and ICT providers to challenge ANCI’s decisions, including fines, orders, and OVI designations.

Key Terms

ANCI
National cybersecurity authority responsible for supervising compliance with cybersecurity law (including NIS2‑style frameworks), especially for essential and OVI operators and their ICT providers.
NIS2
The EU Directive on measures for a high common level of cybersecurity across the Union (Directive (EU) 2022/2555), which replaced the original NIS Directive and significantly strengthened supervisory and sanctioning powers. Member States had to transpose it by 17 October 2024, so national implementing laws started entering into force around then.
Appeals
Formal procedures that allow organisations to challenge or seek review of regulatory decisions, including ANCI’s sanctions or OVI designations, usually before administrative bodies or courts.
Sanctions
Measures imposed by authorities in response to non‑compliance, ranging from warnings and remedial orders to high monetary fines and, in some cases, personal liability for managers.
Enforcement risk
The combined likelihood and potential impact of regulatory action (investigations, orders, fines) on an organisation, influenced by its compliance posture and behaviour toward authorities.
Incident reporting
The legal obligation of essential and OVI operators and certain ICT providers to notify authorities like ANCI about significant cybersecurity incidents within defined timeframes and with specific content.
Supervisory powers
Legal tools that allow authorities to monitor and enforce compliance, including information requests, inspections, audits, and binding instructions.
Operator of Vital Importance (OVI)
An organisation whose services are critical for society or the economy and therefore subject to stricter cybersecurity and resilience obligations and closer supervision.