European Commission Proposes Amendments to NIS2 Directive
Introduction
On January 20, 2026, the European Commission announced a proposal to amend the Network and Information Security Directive 2 (NIS2) with the stated aim of strengthening cybersecurity across the European Union. The proposal would add new obligations for regulated entities, including expanded incident-reporting requirements, and would adjust which entities fall within the directive's scope.
Key Proposed Amendments
Expanded Scope
The proposed amendments would broaden the directive's applicability by bringing operators of submarine data transmission infrastructure into scope. Conversely, entities involved only in the distribution of chemicals would be removed from scope, while manufacturers and producers of chemicals would remain covered. The proposal also suggests modifying the size thresholds that determine which entities are classified as "essential" rather than "important." The distinction matters in practice: essential entities are subject to proactive (ex ante) supervision and to higher maximum fines than important entities, so a threshold change can move an organization into the more stringent regime without any change in its activities.
Ransomware Reporting Obligations
Under the current NIS2 Directive, organizations are required to report "significant incidents" to their competent authority or CSIRT in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. The proposed amendments would add a ransomware-specific requirement on top of this timeline: affected companies would have to provide detailed information on ransomware-related incidents, including whether a ransom demand was made, whether it was paid, and, if the authorities request it, the recipient of the payment. Organizations should check that their incident response playbooks already capture these data points, since a payment decision is often taken outside the security team and may not be recorded in the incident record at all.
Appointment of Representatives
Presently, the NIS2 Directive requires only certain categories of digital service providers that have no establishment in the EU (for example DNS, cloud computing, data centre, content delivery, managed service and managed security service providers, online marketplaces, search engines and social networking platforms) to designate a representative in one of the member states where they offer services. The proposed changes would extend this requirement to all non-EU companies offering NIS2-regulated services in the EU, including those in sectors such as credit institutions and certain manufacturers.
Implementation Status Across Member States
As of March 2026, 22 of the 27 EU member states have transposed the NIS2 Directive into national law: Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, Germany, Greece, Hungary, Italy, Latvia, Lithuania, Malta, Poland, Portugal, Romania, Slovakia, Slovenia and Sweden. The remaining five (France, Ireland, Luxembourg, the Netherlands and Spain) are still in the process of implementing the directive, with draft legislation at various stages of development.
Notably, member states differ in how they implement key elements of the directive. For instance, Belgium, Croatia, Greece, Italy and Slovakia have adopted the "main establishment" principle, under which NIS2 obligations apply primarily to entities headquartered within their jurisdiction. Hungary, by contrast, requires service providers to register locally and comply with its national cybersecurity laws regardless of where their main establishment is located, so a group headquartered elsewhere in the EU may still face Hungarian registration and supervision for services it offers there.
Implications for Organizations
The proposed amendments and the ongoing implementation of the NIS2 Directive underscore the need for organizations operating within the EU to reassess and enhance their cybersecurity frameworks. Key steps include:
- Advancing Compliance Programs: Organizations should continue developing and refining their NIS2 compliance programs, prioritizing critical systems and the documentation the directive's risk-management measures call for, such as risk analyses, incident handling procedures, business continuity and backup plans, and supply chain security controls, to mitigate enforcement risk.
- Engaging Management Bodies: Management bodies must approve and oversee the entity's cybersecurity risk-management measures and can be held liable for the entity's infringements; for essential entities, authorities may also seek temporary bans on individuals exercising managerial functions. Keeping management informed of compliance progress is therefore a governance requirement, not merely good practice.
- Consulting Guidance from Authorities: Organizations should consider recommendations from EU and national agencies, such as the European Union Agency for Cybersecurity (ENISA), which map NIS2 compliance expectations onto existing standards such as ISO 27001, allowing an existing certified ISMS to serve as the backbone of the NIS2 program rather than a parallel effort.
- Monitoring National Implementations: Tracking the directive's implementation status in each relevant jurisdiction is essential for identifying country-specific requirements, such as local registration duties or divergent reporting timelines, that a single EU-wide program may otherwise miss.
Conclusion
The European Commission's proposed amendments to the NIS2 Directive reflect a concerted effort to strengthen cybersecurity resilience across the EU. As member states continue to implement and enforce these rules, organizations must adapt proactively to a compliance landscape that is still shifting at both the EU and national level.
For more detailed information, refer to the original publication by Skadden, Arps, Slate, Meagher & Flom LLP: European Commission Announces Potential NIS2 Cybersecurity Reform With Implementation Well Underway.