
EU to revamp cyber legislation

The EU has kicked off 2026 with a revamp of its cybersecurity rulebook. On 20 January, the European Commission published draft amendments to the NIS2 Directive (which has yet to be fully transposed in all Member States) and a new proposal for a Cybersecurity Act 2 (“CSA2”). 

Together, they signal a shift toward a more interventionist EU cybersecurity regime.


NIS2 amendments: what changes

The Commission’s proposal to streamline NIS2 brings a mix of clarifications and new obligations that could reshape how organisations approach cybersecurity compliance.

Scope creep
The scope of the Directive quietly expands to include operators of submarine data transmission infrastructure, a move that could draw in edge-case tech entities which previously argued that their private subsea cables fell outside “public” networks (e.g. those which lease the operation to a provider of publicly available electronic communications networks). Other potential areas of scope creep look to be the healthcare and chemical sectors, as well as electricity and hydrogen undertakings.

Diligence questionnaire?
The proposal also hints at more practical tools to ease compliance. One example is a proposal for future guidelines to standardise supply‑chain due diligence questionnaires, which will be a welcome relief to common suppliers to in-scope entities, who have likely been inundated with diligence exercises of different shapes and sizes.

Certification

The proposal looks to set up a cybersecurity certification scheme. The certification won’t certify products (as is currently the case for NIS2) but could effectively certify an organisation’s overall cyber posture. For companies operating across multiple Member States, this could significantly lower the complexity and cost of compliance.

Incident reporting
On the operational front, the proposal tightens expectations around incident reporting. Ransomware incidents will need more structured reporting, including attack vectors and mitigation steps, though sensitive details, such as whether a ransom was paid and to whom, would only be disclosed upon request. This has some parallels with the recent UK consultation and response on ransomware legislative proposals.

Harmonised measures and centralised registry?
Technical cybersecurity measures may soon be fully harmonised through Commission implementing acts, preventing Member States from layering on their own additional technical requirements. This will be welcome news to entities which are subject to jurisdiction in a number of different Member States. ENISA’s expanded role – centralising the EU‑wide entity registry and supporting cross‑border supervisory cooperation – could bring much‑needed consistency to enforcement. But timelines will get tighter: updates to registration information would need to be submitted within two weeks (instead of the three months currently provided for). 

The overall direction? A (hopefully) cleaner, more uniform NIS2 framework, with fewer national divergences but higher expectations on timely, structured compliance.


Cybersecurity Act 2: new rules for supply chains

The draft CSA2 amends the 2019 Cybersecurity Act to turn it into a binding regulatory framework.

A central feature is the Commission’s new power to label certain third countries as “high‑risk”, with suppliers from those jurisdictions effectively excluded from cybersecurity standardisation work and public procurement. The proposal also allows the Commission to identify “key ICT assets” used across critical sectors, from cloud services and semiconductors to medical devices and connected vehicles, and impose bans or phase‑outs if those assets come from high‑risk suppliers.

Telecom operators would face mandatory phase‑outs for certain core and transport network components, marking the EU’s strongest move yet on supply‑chain security.

CSA2 also significantly strengthens the EU’s cybersecurity certification system. ENISA would be tasked with preparing European cybersecurity certification schemes within 12 months of a Commission request, covering not only ICT products and services but also an organisation’s overall cyber posture.

While certification remains voluntary in principle, EU or national legislation can still make it mandatory for certain products, as seen with France’s SecNumCloud certification for cloud services. 

In sum, CSA2 marks a clear direction of travel: tighter EU control over supply chains, stricter expectations on security, and a more unified European approach to cyber resilience.

Way forward and next steps

Both proposals need approval from the EU Parliament and Council and will likely be amended throughout the legislative phase. 

While the NIS2 simplification proposal might be approved faster, the politics behind the CSA2 will be tough, especially in the current geopolitical landscape.

Several Member States are already pushing back, concerned about the cost and feasibility of phasing out certain foreign vendors in telecoms. As a result, the Council might dilute parts of the proposal, and the legislative process may prove lengthy, dragging approval into 2027. 
