Companies faced legal uncertainty about NIS2 compliance while Member States took time to transpose the Directive into national law. Now that most of the national legislation is in place and companies are finally ready to implement NIS2 in full, the European Commission has decided to amend it further. The proposed Amendment Act is currently undergoing a public consultation that closes at the end of March. In addition, the Digital Omnibus Regulation Proposal also intends to amend NIS2. We have summarised the proposed changes and how they would affect companies below. The text of the draft Amendment Act is expected to be finalised in early 2027, and the Digital Omnibus Regulation Proposal by mid-2026.
Size threshold for companies listed in Annex I of NIS2
Essential entities are subject to more stringent and intrusive supervision than important entities under NIS2. To limit the number of entities that bear this heavier burden, the draft act introduces an additional size threshold for the essential entity category based on the new 'small mid-cap enterprise' definition, i.e. enterprises with fewer than 750 employees and an annual turnover of up to €150m or an annual balance sheet total of up to €129m. This is likely to relieve a significant number of companies of the essential-entity compliance burden.
Cybersecurity certification as an approved NIS2 compliance measure
Under the new draft, a cybersecurity certification becomes an accepted means of demonstrating compliance for essential and important entities. Where an organisation holds the required certification, the competent authorities would have to refrain from exercising their supervisory powers to inspect, audit and conduct security scans, and to request data or evidence of compliance, in relation to essential entities. We will cover what this cybersecurity certification may look like in our next blog on the revisions to the Cybersecurity Act, where its details are laid out.
Proposed clarifications to the scope of NIS2
Entities removed from the list of entities subject to NIS2:
Micro and small-sized Domain Name System service providers.
Producers of electricity, the total generation capacity of which does not exceed 1MW.
Operators of hydrogen production for non-commercial purposes.
Healthcare providers that do not fall under the definition of “health services provided by health professionals to patients to assess, maintain or restore their state of health, including the prescription, dispensation and provision of medicinal products and medical devices” under Directive 2011/24/EU on patients’ rights in cross-border healthcare.
Distributors of chemicals (manufacturers and producers of chemicals remain within the scope of NIS2 if they are required to register substances, on their own or in mixtures, or notify substances in line with Regulation (EC) No 1907/2006 on the Registration, Evaluation, Authorisation and Restriction of Chemicals (REACH)).
Newly added entities to be within the scope of NIS2:
Providers of the proposed European Digital Identity Wallets.
Providers of the proposed European Business Wallets.
Owners, managers and operators of strategic dual-use infrastructure regardless of their size.
Operators of submarine data transmission infrastructure.
Self-registration procedure
The details that entities must submit on self-registration are proposed to change to include the following:
Specification of the relevant sector, subsector and the type of entity the organisation falls under in NIS2.
In addition to the address and contact details of the entity subject to NIS2, the address of its main establishment, where applicable.
For entities not established in the EU, the address of their representative.
Additionally, for European Business Wallet providers, the unique identifier and the digital addresses.
Organisations would have only two weeks to inform the competent authority of any changes to these details, instead of three months (at present this period varies between Member States). The information would still be submitted through the national mechanisms made available by the competent authorities in each Member State.
ENISA's role would be expanded: it would create and maintain the list of essential and important entities.
A single EU-wide reporting channel for incidents
The Digital Omnibus Regulation Proposal suggests procedural changes to NIS2 incident notifications:
It introduces a single EU-wide reporting channel for NIS2 incident notifications. This portal would be operated by ENISA, which in turn would forward the notification to the relevant competent authority.
This channel may also be used if additional notification obligations apply under other EU laws, such as the GDPR, DORA (Digital Operational Resilience Act), or CER (Critical Entities Resilience Directive).
Incident notifications involving ransomware are proposed to include the following additional information:
Confirmation of whether a ransomware attack was detected.
The attack vector of the ransomware attack.
Any mitigation measures implemented.
In the case of a significant ransomware attack, whether a ransom demand was made, the amount demanded and the means of payment (including which crypto-assets).
Organisations would have 12 months from the date the amendment to NIS2 takes effect to comply with the new requirements.