On 20 January 2026, the European Commission published a proposal to amend Directive (EU) 2022/2555 (NIS2) as part of a broader package to streamline the EU’s cybersecurity framework. The Commission also issued a proposal to revise the EU Cybersecurity Act (CSA2), which we cover in a separate blog post.
The proposed amendments build on earlier streamlining efforts in the Commission’s Digital Omnibus Package—published on 19 November 2025—which introduced the first wave of technical adjustments to NIS2. Those earlier amendments focused on creating a single framework for reporting cyber incidents and clarifying how NIS2 interacts with sectoral regimes such as the CER Directive and DORA.
With this proposal, the Commission now aims to clarify the scope of the law, harmonize technical measures, introduce certification‑based compliance pathways, and strengthen cross‑border supervision through an expanded role for ENISA.
Below, we summarize the main elements of the proposal and what they could mean for entities in scope of NIS2.
1. Greater Harmonization of Technical Requirements
NIS2 is a minimum‑harmonization directive, allowing Member States to “gold-plate” the substantive requirements set out in the law. As a result, some Member States have introduced additional obligations, such as Belgium’s requirement for a coordinated vulnerability disclosure policy.
NIS2 already requires the Commission to adopt an implementing act setting out the measures that certain digital infrastructure and digital service providers must comply with, and allows it to adopt similar acts for other covered entities. The proposal would broaden the Commission’s role by requiring regular assessments and consultations on whether additional implementing acts are needed for entities that operate in other sectors covered by NIS2. Crucially, where the Commission adopts such acts, Member States would be prevented from adding any further technical, methodological, or sector‑specific requirements.
2. New Ransomware Reporting Rules
The Commission already has the power under NIS2 to pass implementing acts that establish the format and procedure for incident notifications and define when certain incidents count as significant (it has not yet exercised this power). Under the proposal, any such implementing act would need to require companies to report additional facts for incidents arising from ransomware attacks, including whether they detected an attack, the attack vector, and whether mitigation measures have been implemented.
The proposal also gives national authorities the power to request additional information when a reported significant incident is caused by ransomware. This includes information about whether a ransom demand was made and by whom, whether a ransom was paid, the amount, the payment method, the recipient or receiving end, and, where relevant, information about any crypto‑assets or crypto‑asset service providers involved.
3. New Rules on EU‑Level Cybersecurity Certification
NIS2 provides that Member States can require essential and important entities to use ICT products and services certified under EU cybersecurity schemes created under the Cybersecurity Act. Under the proposed new text, Member States could require entities to obtain a “cyber‑posture certificate”—an entity-level certification rather than a product- or service-level certification—issued under a future European cybersecurity certification scheme to be adopted pursuant to the proposed CSA2.
Where an entity has obtained a valid EU cyber‑posture certificate under a scheme adopted pursuant to Article 74 CSA2, and the certificate demonstrates compliance with the NIS2 security risk‑management requirements in Article 21 (as specified in an implementing act under Article 21(5) or national transposition), competent authorities may not subject the entity to additional security audits pursuant to Article 32(2)(b) (essential entities) or Article 33(2)(b) (important entities) for the requirements covered by the certificate. Other supervisory tools under Articles 32 and 33 (e.g., on‑site inspections, security scans, or targeted information requests) remain available. Recital 7 notes this amendment is designed to enable relevant entities to benefit from more coherent and less burdensome supervisory approaches across the internal market. For example, Belgium’s transposition law includes rules requiring entities to obtain a specific certification, but in the future, if a company has obtained an EU cyber‑posture certificate, this could reduce or eliminate the need for any Belgian‑specific certification to the extent it would otherwise duplicate the requirements already covered by the EU certificate.
4. More Coordinated EU Oversight of Cross‑Border Entities
The proposal would give ENISA a more operational role in supervising companies engaged in covered activities across several Member States. In particular, ENISA would support national authorities by facilitating cooperation, helping determine a lead authority for joint actions, and reducing duplicative supervisory requests. It would also prepare a cybersecurity risk analysis within 15 months of entry into force, to assess the impact that incidents affecting entities that provide cross-border services would have on the internal market. Based on the risk assessment, ENISA can recommend joint supervisory activity by multiple competent authorities, which ENISA may participate in directly, upon request.
Importantly, this does not create a GDPR‑style one‑stop‑shop for entities not covered by the NIS2 equivalent in Article 26. Companies would also continue to report incidents and address potential non‑compliance through their national competent authorities, not ENISA.
5. Clarifying Scope and Size‑Related Adjustments
The proposal introduces a new category of covered entities: “small mid-caps.” This covers entities with fewer than 750 employees and less than €150 million in annual turnover. To the extent that these types of organizations otherwise fall within scope of NIS2, they would generally be treated as important entities (and therefore subject only to ex post regulation). We understand that the Parliament is considering options to expand the category to organizations with well above 750 employees.
The proposal would also clarify several sector definitions in the Annexes. For instance, whereas Annex II previously covered the manufacture, production and distribution of chemicals, the proposal removes “distribution,” thereby narrowing the scope to entities engaged specifically in chemical manufacturing and production activities. In addition, DNS providers would no longer fall within scope automatically unless they meet the standard NIS2 size thresholds.
6. New Rules on EU Representatives
NIS2 already obliges digital service providers to appoint an EU representative if they are not established in the EU but offer services within it. Those entities fall under the jurisdiction of the Member State where the representative is established.
The proposal would expand the requirement to appoint a representative so that it applies to any “essential or important entity” not established in the Union but offering services within it. The wording here is unclear, and we hope the scope will be clarified during the legislative process.
Next Steps
The proposal will now proceed through the ordinary legislative procedure, with negotiations in the European Parliament and Council expected later in 2026. The current draft foresees a 12‑month transposition period following the Directive’s entry into force, although this may be amended during the legislative negotiations.
* * *
Covington’s Privacy and Cybersecurity team will continue to monitor developments as trilogue negotiations unfold and implementation guidance becomes available. If you would like assistance assessing how these proposed changes may affect your organization, updating your NIS2 compliance strategy, or preparing internal briefings, please let us know.