
NIS2 Is Being Rewritten: What the 2026 Amendment Proposal Means for You and Your Clients

By NIS2Certify
Tags: nis2-amendments, ransomware-reporting, nis2-2026, compliance-update, enisa, cybersecurity-act

Twenty-two of 27 EU member states have now transposed NIS2 into national law. While most organisations are still scrambling to meet the original requirements, the European Commission has already published a proposal to change the rules. On January 20, 2026, the Commission released an amendment package that touches scope, ransomware reporting, certification, and cross-border supervision.

This isn't a complete rewrite. But for IT consultants, MSPs, and vCISOs advising clients on NIS2 compliance, it introduces enough new complexity to warrant a close read — now, not after trilogue negotiations wrap up later in 2026.

Why the Commission Is Already Amending a Directive That Isn't Fully Implemented

NIS2 became enforceable in October 2024. Several countries missed the transposition deadline; a handful are still working through it. The Commission's broader Digital Omnibus Package, launched in November 2025, is systematically streamlining EU digital legislation to reduce fragmentation. NIS2 got caught in that sweep. Real-world implementation also exposed gaps — particularly around divergence in national rules and the lack of any harmonised certification pathway.

The January 2026 proposal is described as "targeted" — the Commission isn't revisiting the fundamental architecture of NIS2. The ten security measures in Article 21 remain unchanged. The incident reporting timelines (24 hours, 72 hours, one month) are unchanged. What's changing is how the directive interacts with certification, how ransomware incidents get reported, and who exactly falls within scope.

NIS2 Implementation Status by Country (2025–2026)

Fully in force (6 countries): Belgium, Croatia, Hungary, Lithuania, Latvia, Italy

Adopted in late 2025 (3 countries): Germany, Czech Republic, Finland

In progress, expected 2026 (7 countries): Netherlands, France, Spain, Poland, Austria, Sweden, Ireland

Ransomware Reporting: New Obligations on the Horizon

This is the change most relevant to your day-to-day incident response work.

Under current NIS2, organisations must report "significant incidents" following the standard three-step timeline. The amendment proposal adds ransomware-specific reporting requirements on top of that. If a national authority requests it, organisations will be required to disclose whether a ransom demand was made and by whom, whether a ransom was paid, the amount and payment method, and the identity of the recipient (including any crypto-asset service provider involved).

Disclosure of ransom payment is not automatic — it's triggered by an authority request. The proposal targets the information asymmetry that regulators have struggled with: authorities often have no visibility into whether victims quietly pay ransoms, which undermines threat intelligence and attribution efforts.

For IT consultants advising clients: this doesn't change your incident response playbook today, since the amendment still needs to pass through EU legislative procedure. But it signals clearly where enforcement is heading. Clients who manage ransomware incidents need to start building internal documentation practices now — logging decision points, amounts, and communications — so they're not reconstructing that information under regulatory pressure after the fact.

NIS2 Incident Reporting Timeline (unchanged by the proposal)

24h, early warning: notify the competent authority or CSIRT within 24 hours of becoming aware of a significant incident.

72h, incident notification: submit a detailed notification within 72 hours of becoming aware, with an initial assessment of severity and impact and, where available, indicators of compromise.

1 month, final report: deliver a comprehensive final report no later than one month after submitting the 72-hour incident notification, covering root cause, remediation taken and cross-border impact.
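The two practical points in the ransomware and timeline sections above, the reporting clocks and a decision log that cannot be quietly rewritten after the fact, as an added example. This is example code written for this page, not NIS2Certify's tooling or anything from the Commission proposal. It assumes a 30-day reading of "one month" (national law may differ), a hypothetical incident identifier, constructed sample entries, and field names of its own choosing that mirror the facts the proposal would let an authority request.

```python
"""Added example, not code from NIS2Certify or the Commission.

Two things to have in place before an incident: the 24h / 72h / one-month
clocks, and a record of ransom-related decisions that cannot be edited
later without detection. Field names, the 30-day reading of "one month",
the incident ID and the sample entries are this example's own assumptions.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone

EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)
FINAL_REPORT = timedelta(days=30)  # assumption: "one month" read as 30 days; check national law

# Constructed sample timestamp for the demo below (not a real incident).
SAMPLE_AWARE_AT = datetime(2026, 3, 2, 9, 30, tzinfo=timezone.utc)


def reporting_deadlines(aware_at: datetime, notified_at: datetime | None = None) -> dict[str, datetime]:
    """Deadlines counted from the moment the entity became aware of a significant
    incident. The final report runs from submission of the 72h incident notification
    (Article 23(4)(d)); until that is filed, it is estimated from the 72h cutoff."""
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware")
    notification_due = aware_at + INCIDENT_NOTIFICATION
    return {
        "early_warning": aware_at + EARLY_WARNING,
        "incident_notification": notification_due,
        "final_report": (notified_at or notification_due) + FINAL_REPORT,
    }


@dataclass
class RansomRecord:
    """The facts a competent authority could request under the 2026 proposal."""
    demand_made: bool
    demanded_by: str | None = None
    ransom_paid: bool | None = None
    amount: str | None = None
    payment_method: str | None = None
    recipient: str | None = None
    crypto_asset_service_provider: str | None = None


RANSOM_FIELDS = tuple(RansomRecord.__dataclass_fields__)
GENESIS = "0" * 64


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class IncidentLedger:
    """Append-only decision log. Every entry commits to the previous entry's hash,
    so editing, deleting or reordering an entry afterwards makes verify() fail."""

    def __init__(self, incident_id: str) -> None:
        self.incident_id = incident_id
        self.entries: list[dict] = []

    def append(self, at: datetime, actor: str, event: str, details: dict | None = None) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "incident_id": self.incident_id,
            "seq": len(self.entries),
            "at": at.isoformat(),
            "actor": actor,
            "event": event,
            "details": details or {},
            "prev": prev,
        }
        self.entries.append({**body, "hash": _digest(body)})
        return self.entries[-1]["hash"]

    def verify(self) -> bool:
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def ransom_disclosure(self) -> dict:
        """Merge every ransom-related entry (latest non-empty value wins) into the
        answer you would hand to an authority that invokes the proposed request right."""
        merged: dict = {name: None for name in RANSOM_FIELDS}
        for entry in self.entries:
            details = entry["details"]
            if "demand_made" in details:
                merged.update({k: v for k, v in details.items() if k in RANSOM_FIELDS and v is not None})
        return merged


def build_sample_ledger() -> IncidentLedger:
    """Constructed walk-through of a ransomware incident (not real data)."""
    ledger = IncidentLedger("INC-2026-0001")  # hypothetical identifier
    t0 = SAMPLE_AWARE_AT
    ledger.append(t0, "soc-oncall", "detected", {"summary": "file servers encrypted, ransom note found"})
    ledger.append(t0 + timedelta(hours=2), "ciso", "ransom_demand_recorded",
                  asdict(RansomRecord(demand_made=True, demanded_by="unknown affiliate")))
    ledger.append(t0 + timedelta(hours=20), "ciso", "early_warning_sent", {"to": "national CSIRT"})
    ledger.append(t0 + timedelta(hours=30), "board", "payment_decision",
                  asdict(RansomRecord(demand_made=True, ransom_paid=False)))
    return ledger


if __name__ == "__main__":
    for name, due in reporting_deadlines(SAMPLE_AWARE_AT).items():
        print(f"{name:>22}: {due.isoformat()}")
    ledger = build_sample_ledger()
    print("chain intact:", ledger.verify(), "|", ledger.ransom_disclosure())
```

The hash chain is deliberately simple: it does not prove when an entry was written, only that nothing recorded was later altered or dropped. Pair it with an external timestamp (a ticketing system, a mail to counsel, a write-once bucket) if the record may have to stand up to a regulator.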

Scope Changes: Who's In, Who's Out

The proposal makes three notable scope adjustments. Operators of undersea cables and submarine communication systems will be brought within scope for the first time — a direct new obligation for carriers, telecoms, or data centre operators with subsea connectivity assets. Chemical distribution goes out: the amendment removes "distribution" from Annex II, limiting coverage to manufacturers and producers. A new "small mid-cap" category covers organisations with fewer than 750 employees and under €150 million turnover — these would generally be treated as "important entities" rather than "essential entities," meaning reactive rather than proactive supervision.

Does NIS2 Apply to Your Organisation?

The decision flow asks three questions:

1. Does your organisation operate in an essential or important sector (energy, transport, health, digital infrastructure, etc.)?
2. Does your organisation have 50 or more employees, or an annual turnover exceeding €10 million?
3. Is your organisation a critical infrastructure provider or a qualified trust service provider?

Possible outcomes: NIS2 applies to your organisation as an essential or important entity; NIS2 may apply, seek legal advice to confirm your status; or NIS2 does not directly apply to your organisation.

Certification as a Compliance Pathway: The Cyber-Posture Certificate

Under the proposed amendment, entities will eventually be able to obtain an EU "cyber-posture certificate" — a new entity-level certification under a future European cybersecurity certification scheme aligned with Cybersecurity Act 2 (CSA2). If an entity holds a valid cyber-posture certificate covering Article 21 requirements, competent authorities cannot subject it to additional security audits for those requirements. Prove compliance once, avoid duplicative national audits.

CSA2 is itself still a proposal. The certification schemes don't exist yet. But for clients building long-term compliance programmes, the direction is clear: invest in frameworks and controls that will be certifiable, not just documentable. ENISA's guidance mapping NIS2 requirements onto ISO 27001 controls is likely to become the foundation for future cyber-posture certificates — ISO 27001 work today is a head start.

For more background on the ten Article 21 security measures, see the NIS2 Article 21 deep dive.

Stronger ENISA Role: What Cross-Border Supervision Looks Like

ENISA gets a more operational role under the proposal. It will facilitate cooperation between national competent authorities, help determine a lead authority for joint supervisory actions, conduct a cybersecurity risk analysis within 15 months of entry into force, and participate directly in joint supervisory activities upon request. This is not a GDPR-style one-stop-shop — entities still report incidents through national authorities. But the coordination layer is being strengthened, which should reduce the problem of an entity in five countries facing five separate and sometimes contradictory supervisory processes.

What Changes and When: A Practical Timeline

Parliament and Council negotiations are expected through the second half of 2026. Conservative estimate: these amendments won't be in national law before late 2027 or early 2028. Start advising clients now — but selectively. The ransomware documentation requirement is low-cost to implement now and high-cost to reconstruct after an incident. The certification pathway is aspirational — build toward ISO 27001 alignment. Scope changes are the highest priority for clients in affected sectors.

The Bigger Picture: NIS2 Enforcement Is Already Starting

The European Commission's message is clear: 2026 is the year enforcement begins in earnest. Seven member states have already been referred to the Court of Justice for missing the transposition deadline. National authorities are starting to conduct inspections. The first fines are expected before year end. Clients who have been treating NIS2 compliance as a future problem are running out of runway.

NIS2 Penalty Escalation: Beyond the Fine

Trigger event: non-compliance detected or incident occurs. A supervisory authority identifies a compliance gap, or an organisation fails to meet NIS2 requirements.

Authorities can impose non-monetary penalties:

1. Compliance orders with binding deadlines
2. Mandatory security audits at your expense
3. Public disclosure of violations
4. Binding instructions on specific security measures

These escalate to operational and personal consequences:

1. Suspension of certifications or operating licences
2. Temporary ban on management functions for individuals
3. Public naming of responsible natural persons

The proposed amendments don't give organisations more time. They add new obligations on top of the existing baseline. The most defensible position for any in-scope organisation right now is a documented gap analysis showing where they stand against Article 21, what remediation is in progress, and what the timeline looks like.

If your clients haven't done that gap analysis yet, run it now. The NIS2 quick-scan at NIS2Certify gives you a structured starting point in under 20 minutes.
