European Commission Proposes Amendments to NIS2 Directive
On January 20, 2026, the European Commission announced a proposal to amend the NIS2 Directive, introducing additional requirements for regulated entities, including potential ransomware reporting obligations. This proposal builds upon the Commission's November 2025 announcement to revise EU digital laws and aims to enhance the cybersecurity framework across member states.
Key Proposed Changes
- Scope Expansion: The proposal seeks to include operators of submarine data transmission infrastructure within the directive's scope, while removing entities involved in the distribution of chemicals. Additionally, it adjusts size thresholds for entities to be classified as "essential entities."
- Ransomware Reporting: Organizations reporting significant incidents linked to ransomware would be required to provide detailed information, such as ransom demands, payments, and recipient details, upon request.
- Representative Appointment: The requirement to appoint a representative in the EU would be expanded to all companies offering NIS2-regulated services, including credit institutions and certain manufacturers.
These amendments aim to strengthen the EU's cybersecurity posture by addressing emerging threats and ensuring comprehensive coverage of critical infrastructure sectors.
Implementation Status Across Member States
As of March 27, 2026, twenty-two out of twenty-seven EU countries have transposed the NIS2 Directive into national law. The remaining countries have advanced draft legislation outlining national frameworks. Notably:
- Germany: Adopted its NIS2 implementation law on December 6, 2025, integrating the directive into the existing BSI Act. The revised act introduces new compliance obligations, including mandatory registration and enhanced risk management measures. (Morrison Foerster)
- Denmark: Implemented the NIS2 Act on July 1, 2025, aligning closely with EU baseline requirements. (NIS2Have)
- Finland: Enforced the Cybersecurity Act 124/2025 on April 8, 2025, focusing on clear sector-specific guidance. (NIS2Have)
These developments indicate a concerted effort across the EU to bolster cybersecurity resilience through legislative measures.
Implications for Organizations
Organizations operating within the EU should proactively assess their compliance with the evolving NIS2 framework. Key steps include:
- Reviewing and updating cybersecurity policies to align with new reporting obligations, particularly concerning ransomware incidents.
- Ensuring the appointment of EU representatives where required, to facilitate compliance with the directive.
- Monitoring national implementations of NIS2 to understand jurisdiction-specific requirements and timelines.
By staying informed and adapting to these regulatory changes, organizations can enhance their cybersecurity posture and ensure compliance with EU directives.
For more detailed information, refer to the European Commission's announcement on the proposed NIS2 amendments. (Skadden)