
16 February 2026
NIS2 Update: EU Moves to Harmonise Cyber Controls, Refine Scope, and Add New In-Scope Entities
The NIS2 Directive continues to evolve – and organisations must keep pace. On 20 January 2026, the Commission unveiled a set of targeted amendments to the NIS2 Directive (the Proposal), signalling the next phase of its push to modernise and streamline the EU’s cybersecurity legal framework.
Positioned within a broader legislative package, also proposing a revised Cybersecurity Act, the Proposal seeks to bring greater coherence to the EU’s cybersecurity legal architecture, aligning NIS2 with the proposed revisions to the Cybersecurity Act, cutting back administrative friction, and easing compliance for organisations operating in critical sectors.
The changes promise clearer scope boundaries, simplified jurisdictional rules, stronger cross‑border supervisory tools, and a unified approach to ransomware reporting, all while encouraging the use of EU‑wide certification schemes as a fast‑track route to demonstrating compliance.
Notably, the Proposal also expands the scope of NIS2 by bringing two additional entity types within it as “essential” entities:
- Operators of submarine data transmission infrastructure; and
- Providers of European Digital Identity Wallets.
A dedicated category for “small mid‑cap” enterprises is also proposed.
Below we break down some of the key focuses of the Proposal that are likely to be significant for in-scope entities currently conducting their NIS2 compliance programmes.
NIS2: The Implementation Challenges So Far
While Member States and in-scope entities are working their way towards implementing NIS2, several practical, interpretative, and supervisory challenges have emerged. The Commission’s review (leading to the Proposal) highlighted concerns around:
- inconsistent application of scope provisions;
- overlapping requirements across EU cybersecurity legislation;
- fragmented supervisory approaches, particularly for cross‑border entities; and
- burdensome or duplicative reporting and supply chain obligations.
With this Proposal, the Commission aims to address these issues and align NIS2 with the broader Cybersecurity Act revision package. In theory, this should give in-scope entities, and those in grey areas who are uncertain whether they are caught, significant clarification and a better baseline for understanding their next steps towards NIS2 compliance – particularly in terms of the required cybersecurity measures.
EU Cyber Certifications and Rules Harmonisation: A Clearer Route to Compliance
Welcome news for many organisations will be that the Commission is proposing more harmonised routes to achieving compliance with the technical cyber measures required under Article 21 of NIS2. This takes two forms:
- The Commission proposes that once an implementing act laying down the technical and methodological requirements under Article 21 has been adopted by the Commission, Member States cannot impose any additional technical, methodological or sectoral requirements.
- The Commission proposes that an essential or important entity should be able to demonstrate compliance with Article 21 by having its cyber posture certified under a European cybersecurity certification scheme.
The practical impact for in-scope entities is that setting certain technical measures at Commission level could create a ceiling for many jurisdictions, making things significantly more straightforward for organisations that operate a centralised cyber security programme. Moreover, combined with certification, multinational entities should be able to develop a more portable, EU‑recognised evidence pack, reducing the need to tailor documentation to each Member State’s preferences for the same Article 21 control set.
Clarification of Scope and Definitions under NIS2
The Proposal aims to clarify how NIS2 applies to different sectors, making the rules for each type of organisation more precise. It refines the definitions applicable to chemical manufacturers, healthcare providers, electricity producers and hydrogen undertakings, addressing ambiguities that have created uncertainty since the Directive’s publication.
In addition, the Proposal would expand NIS2’s reach by adding two new categories of in-scope entities:
- Providers of European Digital Identity Wallets and European Business Wallets will be classified as essential entities regardless of size;
- a new essential entity category for operators of submarine data‑transmission infrastructure is proposed; and
- a dedicated category for “small mid‑cap” enterprises. Entities that fall within this category and operate in NIS2‑covered sectors will be designated as important entities.
At the same time, the Proposal narrows NIS2’s reach by applying a size-cap rule to DNS providers, removing micro‑ and small‑sized DNS service providers from scope.
Preparing for The Post-Quantum Era: Mandatory PQC Migration Policies
Looking ahead to emerging threats, Member States would be required under the Proposal to adopt policies for migrating to post‑quantum cryptography (PQC) in their national cybersecurity strategies, reflecting growing concern over the long‑term vulnerability of current encryption standards. This proposal comes in light of the Coordinated Implementation Roadmap for the transition to PQC which was adopted by the NIS Cooperation Group in June 2025. The ultimate aim is to achieve the migration by 2030 for critical use cases, and by 2035 for medium and low-level use cases.
Ransomware focus: harmonise data collection and on-request disclosure
The Proposal introduces standard rules for ransomware reporting, requiring entities to disclose if they detected an attack, how it happened, and what steps they took to respond.
If asked by NIS2 regulatory bodies or authorities, entities must reveal whether they received a ransom demand, who made it, and whether they paid – sharing the amount, payment method, and recipient details. It is not clear how these will align with incident/breach notification obligations; however, the Commission clarifies that this reporting should not create extra obligations under NIS2. Member States should address any increased liability risk when they implement this rule. These proposals have similarities with the recent UK ransomware legislative proposals. In practice, these granular reporting requirements may be challenging for any business impacted by a ransomware incident, and affected entities should update their incident response plans to cover how they will handle requests for ransomware information.
What This Means for Regulated Entities
With this Proposal, organisations within scope of NIS2 can expect a clearer pathway to compliance. However, progress will take time. The proposal is expected to be adopted in late 2026 or, more likely, in 2027. After that, there will be a 12-month period for Member States to implement the rules. Only then will the European Commission set out detailed requirements for technical and sector-specific cybersecurity measures.
This means that the advantages of a more uniform approach will be realised gradually over several years, not immediately. Organisations should continue to follow current national rules, while also preparing for the introduction of new certification-based systems and more coordinated oversight that the Proposal aims to introduce.
DLA Piper is actively collaborating with a range of clients on NIS2 compliance programmes. Leveraging its global network of cybersecurity legal experts, DLA Piper is providing practical and implementable advice to ensure that compliance frameworks remain robust and responsive to future changes. This approach is particularly valuable as new certification pathways and cross-border supervision emerge, offering significant strategic advantages. Furthermore, with the Commission continually reviewing and potentially expanding the scope of NIS2, DLA Piper’s proactive guidance helps organisations avoid the risk of being unexpectedly brought under new rules, ensuring they stay abreast of all regulatory developments.
For more on NIS2, and cyber security governance generally, please reach out to your DLA Piper contact for more information.