Easing the NIS2 Burden: Targeted Reforms to Europe’s Cybersecurity Rules
The European Commission has proposed targeted amendments to the NIS2 Directive (Directive (EU) 2022/2555 – NIS2) that would narrow the Directive’s scope, recalibrate supervisory intensity, and introduce elements of maximum harmonization – without materially altering the core cybersecurity risk-management obligations. The proposal was published in January 2026 and will now go through the EU legislative process.
1. Policy Background
NIS2 was adopted in 2022, but a significant number of Member States failed to transpose the Directive by the 17 October 2024 transposition deadline, and some still have not done so today (see our NIS2 tracker). Drawing on the experience of those Member States that have already adopted implementing acts, the Commission acknowledged that the breadth of NIS2's scope and the divergence in national transposition have created legal uncertainty and disproportionate compliance burdens.
The proposal therefore aims to recalibrate the existing framework by clarifying the NIS2 Directive’s scope, harmonizing technical requirements, and streamlining compliance obligations. According to the Commission, the proposed measures could reduce compliance costs for approximately 29,000 companies across the EU that would either fall out of scope or become subject to less intensive supervision.
The proposal forms part of the Commission’s broader effort to strengthen the resilience of the EU in light of an evolving threat landscape and reflects the increasing role of critical infrastructure resilience as a strategic pillar of the Union’s democratic and economic security. This priority is also highlighted in the Draghi report on the future of European competitiveness and its call to strengthen security and reduce dependencies.
2. Clarifying and Rebalancing the Scope
A central element of the proposal is to refine the NIS2 Directive’s scope to improve legal certainty and ensure a more proportionate allocation of regulatory obligations. In several sectors, early implementation revealed that the original drafting lacked sufficient precision, leading to inconsistent interpretation and over-inclusion of entities with limited systemic relevance.
To address this issue, the proposal further specifies the categories of operators covered in, among others, the hydrogen and healthcare sectors. Overall, the amendments pursue a more risk-based allocation of regulatory obligations while addressing gaps identified during the initial implementation phase. Notable changes include:
- Electricity sector – Only producers of electricity with a total generation capacity exceeding 1 MW would fall within the scope of NIS2. Currently, all producers are covered regardless of scale. This excludes small-scale and household producers from NIS2 obligations while allowing supervisory authorities to focus on systemically relevant operators where incidents could threaten grid stability.
- Chemical sector – Coverage would be limited to manufacturers and producers of chemical substances subject to REACH obligations, de-scoping entities whose activities are confined to importing and distributing chemicals. This aligns NIS2 more closely with actual risk exposure within the EU and mirrors the approach already taken in certain Member States, such as Germany.
At the same time, the proposal expands NIS2 coverage in areas deemed strategically sensitive for European security and resilience. Newly included categories would encompass providers of European Digital Identity Wallets and European Business Wallets, operators of submarine data transmission infrastructure, and owners, managers, and operators of strategic infrastructure with military relevance. This expansion reflects a clear geopolitical dimension of EU cybersecurity policy, linking digital resilience more explicitly to economic security and defense considerations.
3. The Introduction of the “Small Mid-Cap” Category
Aiming to lower compliance costs for approximately 22,500 companies, the proposal introduces a new category of "small mid-cap" enterprises, as defined in the Annex to Commission Recommendation (EU) 2025/1099: companies with (i) fewer than 750 employees and (ii) an annual turnover of no more than EUR 150 million or an annual balance sheet total of no more than EUR 129 million. Under the proposal, only entities exceeding the small mid-cap thresholds would qualify as "essential" entities; sectoral inclusion requirements would continue to apply. All smaller entities could, at most, be "important" entities under NIS2. Currently, the "essential" classification is tied to the SME definition, whose thresholds are significantly lower than those now proposed: (i) fewer than 250 employees and (ii) an annual turnover of no more than EUR 50 million or an annual balance sheet total of no more than EUR 43 million.
This amendment primarily affects the supervisory architecture rather than the substantive cybersecurity obligations. Under NIS2, "essential" entities are subject to ex ante supervision (including regular audits and proactive oversight), whereas "important" entities are generally supervised ex post, typically following evidence of non-compliance or incidents. The proposed reform would therefore reduce regulatory intensity – particularly audit exposure and potential enforcement measures – for companies falling below the new threshold. This distinction also affects maximum administrative fine levels, which under the current NIS2 framework are higher for essential entities (up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher) than for important entities (up to EUR 7 million or 1.4%).
Companies operating near the relevant size thresholds are recommended to reassess their classification once the final text is adopted, including on a consolidated group basis where applicable.
4. Maximum Harmonization of Technical and Methodological Requirements
The proposal introduces a form of sector-specific maximum harmonization for areas covered by Commission implementing acts under Article 21(5) NIS2. Where the Commission specifies technical, methodological, or sector-specific cybersecurity risk-management measures, Member States would be prohibited from imposing additional or divergent requirements on entities covered by those provisions.
This represents a meaningful recalibration of Member State discretion and may substantially reduce gold-plating risks for cross-border operators. However, harmonization would only apply to areas expressly covered by the relevant implementing acts; Member States would retain regulatory flexibility in all other aspects of NIS2.
5. Cyber Posture Certification
Based on the draft proposal, Member States would be permitted to require in-scope entities to demonstrate compliance with their risk management obligations under NIS2 through certification under a European cybersecurity certification scheme adopted pursuant to the proposed revision of the Cybersecurity Act (CSA – see also our Q1 2025 update on the CSA revision).
Where a valid certificate covers the relevant obligations specified in a further implementing act under Article 21(5) NIS2 (see above), competent authorities would be precluded from imposing additional supervisory measures for the covered aspects. Certification does not, however, relieve entities of their overarching responsibility to ensure ongoing compliance with NIS2.
Although certification would thus not constitute a full safe harbor, it could significantly limit supervisory intervention for certified aspects of compliance. If Member States make use of this option broadly, certification may evolve into a de facto compliance benchmark for certain sectors. It is therefore recommended that companies monitor the development of European cybersecurity certification schemes under the revised CSA, particularly with respect to assurance levels and scope coverage.
6. Ransomware Reporting
Ransomware attacks remain one of the most impactful cyber threats, a trend that the Commission expects to continue. The proposal therefore introduces a harmonized framework for the collection of ransomware-related data under Article 23 NIS2. Entities would, pursuant to a further implementing act, be required to provide information on attack vectors, mitigation measures and, upon request, ransom demands and payments. Importantly, the proposed recitals clarify that reporting ransomware-related information should not trigger additional obligations or increased liability.
It is therefore recommended that entities assess how enhanced ransomware reporting interacts with parallel obligations under the GDPR, sector-specific regulations (e.g., the Digital Operational Resilience Act ‒ DORA), and law enforcement notification requirements, and review their internal incident documentation processes to ensure they can respond to more granular data requests. Disclosure of ransom payments may also raise sanctions and anti-money laundering risks, particularly where threat actors are linked to sanctioned jurisdictions.
7. Outlook and Next Steps
The European Parliament and the Council will now adopt their respective positions on the proposal before trilogue negotiations commence. The proposal provides for a 12-month transposition period at the Member State level following entry into force.
While certain entities may fall out of scope or face less intensive supervision, the core cybersecurity risk-management obligations remain intact. At the same time, the move toward partial maximum harmonization and certification-based compliance reflects an effort to enhance legal predictability for cross-border operators.
As the legislative process unfolds, the practical impacts for companies will depend less on headline de-scoping figures than on how implementing acts, supervisory practice, and certification schemes evolve in parallel.
We are grateful to our research assistant, Felicitas Lampe, for her contributions to this client alert.
Alex van der Wolk, Managing Partner, Amsterdam
Christoph Nüßing, Partner
Nina Graw, Associate