
EU cybersecurity package: Commission proposes targeted NIS2 amendments and a revised Cybersecurity Act

On 20 January 2026, the European Commission unveiled a comprehensive cybersecurity package designed to strengthen the EU’s resilience against increasingly sophisticated cyber and hybrid threats (see link). While the headline measure is a revised Cybersecurity Act, the package also introduces significant, targeted amendments to the NIS2 Directive.

These proposals come at a pivotal moment. The Cybersecurity Act, in force since 2019, establishes the frameworks for ENISA and the European Cybersecurity Certification Framework (ECCF). At the same time, many Member States have only recently transposed the NIS2 Directive, and some are still in the process. The new cybersecurity package now seeks to revise these existing frameworks in light of the evolving cyber risk landscape, addressing practical implementation challenges and introducing additional harmonization measures to reduce regulatory fragmentation across the EU. 

Revised Cybersecurity Act

The centrepiece of the package is the proposal for a revised Cybersecurity Act, which updates the existing frameworks governing the EU’s Cybersecurity Agency (ENISA) and the European cybersecurity certification schemes in light of past experience and implementation challenges. Among other changes, it seeks to streamline the ECCF by introducing an accelerated default 12‑month timeline for developing certification schemes. This aims at helping businesses demonstrate compliance with EU legislation more efficiently.

In addition, the revised Act introduces an entirely new framework for assessing ICT supply chain risks in sectors of high criticality and other critical sectors through Union‑level coordinated security risk assessments. These assessments may be launched at the request of the Commission or at least three Member States and are intended to identify and mitigate risks linked to (non-EU) supplier dependencies and potential foreign interference. 

For example, the mechanisms allow for the designation of “key ICT assets” in critical supply chains and, for entities subject to NIS2‑type obligations, require greater visibility into the suppliers of those assets. They could also lead to phase‑outs or bans on components from “high‑risk suppliers”. In addition, the framework would allow the Commission to mandate practical risk‑mitigation measures – such as prohibiting certain data transfers or remote data processing from third countries, disabling remote access to key assets, or restricting the outsourcing of operational control to managed service providers.

Targeted NIS2 Amendments

The key changes for NIS2-regulated entities focus on simplification, greater harmonization, and addressing specific resilience gaps. The proposed amendments to the NIS2 Directive will need to be transposed into national law one year after their adoption. Still, NIS2‑regulated businesses should consider preparing and following these developments already now.

1. Extending and clarifying the scope of NIS2

The proposal extends the scope of the “digital infrastructure” sector under NIS2 and brings additional stakeholders within its reach, namely:

  • providers of European Digital Identity Wallets and European Business Wallets; and
  • operators of submarine data transmission infrastructure.

Providers of European Digital Identity Wallets and European Business Wallets would be classified as essential entities irrespective of their size.

In addition, the proposal clarifies certain scope-related aspects regarding other sectors, including for healthcare providers, electricity producers, hydrogen undertakings and businesses in the chemical sector. 

2. Introducing a new “small mid-cap” category

To reduce compliance costs for smaller players, the Commission has introduced the category of “small mid-cap enterprises”. Under the proposal, an enterprise qualifies as a small mid-cap if it employs fewer than 750 persons and has an annual turnover of ≤ EUR 150 million or an annual balance sheet total of ≤ EUR 129 million.

This new category of small mid-cap enterprises is intended to benefit from lighter compliance obligations than larger players. However, this amendment does not alter the existing minimum thresholds for falling within the scope of NIS2. Instead, the proposed amendment raises the threshold for becoming an essential entity rather than an important one. Entities qualifying as small mid-caps would, as a general rule, be designated as important. This reclassification aims to lower the supervisory and compliance burden for approximately 22,500 companies, ensuring that the most stringent requirements are reserved for larger, systemic players.

3. Greater legal clarity regarding technical or methodological security measures

In a move that will be welcomed by many cross‑border businesses, the proposal introduces a high level of harmonization in relation to technical or methodological security measures. Where the Commission adopts implementing acts setting out technical or methodological requirements, Member States may not impose any additional obligations on the entities covered by those acts. This clarification is particularly significant for entities subject to Commission Implementing Regulation (EU) 2024/2690 (on businesses active in the digital sectors), as it ensures a genuinely harmonized rulebook across Europe and prevents a patchwork of divergent national security standards.

4. More granular ransomware reporting 

The proposal aims to harmonize the collection of data on ransomware attacks. It introduces more granular reporting requirements for ransomware incidents to enhance situational awareness and strengthen law enforcement response. The Commission may adopt implementing acts on incident reporting, which would need to include obligations for entities to report:

  • whether a ransomware attack was detected;
  • the attack vector used; and
  • whether mitigation measures were implemented.

In addition, where a significant incident is caused by ransomware, entities would be required – upon request from the CSIRT or competent authority – to provide certain sensitive information, including:

  • whether a ransom demand was received and by whom; and
  • whether a ransom was paid, along with the amount, the means of payment, and the recipient (including crypto‑wallet details).

As a reminder, the Digital Omnibus aims to streamline incident reporting by proposing a single entry point for incident reporting (see our blog post “The EU Digital Omnibus: Key changes for data, cyber and AI laws”).

5. Preparing for post-quantum cryptography

Lastly, the amendments introduce a forward-looking obligation for national authorities, recognizing the future threat that quantum computing poses to today’s encryption standards. As part of their national cybersecurity strategies, Member States would be required to adopt dedicated policies for the transition to post-quantum cryptography (PQC).

These policies must reflect the transition timelines and requirements set out in Union law, ensuring that operators of critical infrastructure begin preparing now for the emerging ‘harvest now, decrypt later’ threat landscape (see our Quantum Disentangled blog #1 for more details on the impact of PQC on businesses).

Next steps

The proposal will now move to the European Parliament and the Council for the next stage of the legislative process, with no concrete timeline yet. As such, the Cybersecurity Package is still subject to change.

In particular, businesses regulated under NIS2 should assess how the planned revision of the Cybersecurity Act and the targeted NIS2 amendments could affect their current cybersecurity governance structures. Entities operating in the digital sectors, as well as those that may fall under the new small mid-cap definition, might want to consider realigning their compliance strategies in light of the cybersecurity package’s intention to clarify and simplify NIS2 requirements.