The Rules Changed Before You Finished the First Draft

The European Commission’s January 2026 cybersecurity package came with a reassuring headline: simplification. Clearer scope. Reduced compliance costs. Harmonised controls. For organisations still mid-implementation on NIS2 — and for boards who only recently acknowledged that cybersecurity is their problem — that framing is dangerously comfortable.
The reality is more operationally complex. The Commission has proposed substantive changes to a directive that many Member States only recently transposed, and which some are still in the process of implementing. For CISOs, the question is not whether the amendments are welcome — many of them are — but what to do when the rules shift before the ink on your current compliance programme has dried.
This article unpacks what actually changed, what the governance implications are, and what CISOs should do right now.
What the Commission Actually Proposed
On 20 January 2026, the European Commission published a targeted proposal to amend the NIS2 Directive (Directive (EU) 2022/2555), as part of a broader package that also introduced a revised Cybersecurity Act (CSA2). The amendments build on the earlier Digital Omnibus Package from November 2025, which introduced the first wave of streamlining measures — including a single incident reporting entry point covering NIS2, GDPR, DORA, eIDAS, and the CER Directive.[1]
The January 2026 proposal goes further. Its stated goals: clarify scope, harmonise technical measures, introduce certification-based compliance pathways, and strengthen cross-border supervision through an expanded ENISA mandate.[2]
These are genuine improvements. But the timeline matters enormously.
The Compliance Paradox
The most operationally significant fact about the January 2026 amendments is buried in the fine print: organisations should not expect to benefit from them anytime soon.
The proposal must first pass through the ordinary legislative procedure, with the European Parliament and the Council negotiating the final text in trilogue with the Commission; political agreement is targeted for early 2027. After adoption, Member States will have a 12-month transposition period. Only then will the Commission begin issuing the detailed technical requirements foreseen at Article 21 level.[3]
The practical implication: the harmonised, simplified NIS2 that the Commission is describing will not be operationally real for most organisations until 2028 or later. In the meantime, current national rules apply in full. The compliance programmes CISOs are running today remain the operative framework.
This creates a governance dilemma that boards are poorly equipped to navigate. The moment they hear “simplification is coming,” the instinct is to defer investment and wait. That is precisely the wrong response — and part of the CISO’s job right now is to pre-empt it.
What Actually Changes: The Five Threads
1. Gold-Plating Gets a Ceiling
One of the more consequential changes targets the fragmentation created by Member State gold-plating. NIS2 as adopted is a minimum-harmonisation directive: Article 5 lets Member States adopt or maintain provisions that go beyond the baseline. Belgium, for example, introduced a mandatory coordinated vulnerability disclosure policy on top of the Article 21 requirements.[4]
The January 2026 proposal changes this in a specific and important way. Where the Commission adopts implementing acts specifying technical, methodological, or sectoral risk-management measures under Article 21(5), Member States will no longer be permitted to impose further national requirements for those measures. This effectively shifts the definition of core cybersecurity controls to the EU level.[5]
For CISOs managing compliance programmes across multiple EU jurisdictions, this is significant. It means that once Article 21 implementing acts are in place, a centralised control framework can be applied without customisation to each Member State’s additional preferences. The compliance overhead of running parallel documentation per jurisdiction — currently estimated at €150,000–€300,000 annually for a mid-sized organisation operating across five Member States — has a defined end state.[6]
The caveat: this ceiling only applies where the Commission has issued implementing acts. So far it has used its Article 21(5) power once, in Implementing Regulation (EU) 2024/2690 of 17 October 2024, which sets technical and methodological requirements for digital infrastructure and ICT service providers (DNS, TLD registries, cloud, data centres, CDNs, managed service providers, online marketplaces, search engines, social networks and trust service providers). For every other sector there is no implementing act yet, and the gold-plating problem persists until the new framework is fully operational.
2. Certification as Compliance Proof
The most board-friendly development in the package is the introduction of certification as a pathway to demonstrating NIS2 compliance — and the explicit limitation it places on supervisory authorities.
Under the proposal, organisations will be able to rely on European cybersecurity certification schemes, including future entity-level cyber-posture certifications, to demonstrate compliance with NIS2 risk-management obligations. Critically, where certification demonstrates compliance, competent authorities will not be permitted to subject the entity to security audits.[7]
This is a strategic shift. Certification moves from being a voluntary quality label to being a core compliance and risk management instrument. For multinationals, it creates the possibility of a portable, EU-recognised evidence pack that reduces duplicative supervisory demands across jurisdictions.[8]
The governance implication is clear: investment in certification schemes is no longer purely defensive or reputational. It carries a direct regulatory return — audit exemption. That is a board-level argument for security investment that CISOs have rarely had available to them.
3. The Supply Chain Questionnaire Problem Gets Acknowledged
The Commission explicitly recognises in the proposal that NIS2 supply-chain obligations have generated burdensome and inconsistent supplier questionnaires, often cascading obligations down the supply chain.[9]
This matters not just as a compliance signal but as a governance validation. The “questionnaire flood” is a real operational problem — organisations receiving dozens of overlapping, inconsistently scoped security assessments from customers and partners, each calibrated to a different national interpretation of Article 21. The Commission’s acknowledgement creates the foundation for a more standardised, certification-based approach to supply chain assurance.
For CISOs managing vendor risk programmes, the direction of travel is toward EU-level certification schemes replacing ad hoc questionnaire-based assurance. The practical implication is that vendor risk governance frameworks should be designed now to accommodate certification-based evidence rather than being locked into proprietary questionnaire formats.
4. Ransomware Reporting Gets Granular — and Legally Exposed
The proposal introduces a significant new disclosure requirement for ransomware incidents. Under the amended framework, incident reports for ransomware attacks must include whether the attack was detected, the attack vector, and whether mitigation measures were implemented.[10]
More significantly, national authorities will be empowered to request additional information, including whether a ransom demand was made, whether a ransom was paid, the amount paid, the payment method, the recipient, and details of any crypto-asset service providers involved.[11]
This is not a simplification measure. It is a substantive expansion of incident disclosure obligations with direct legal and commercial implications. Organisations that pay ransoms — and the data suggests a significant proportion still do — will now face disclosure requirements that carry potential regulatory, contractual, and reputational consequences.
CISOs should be updating their incident response playbooks and legal privilege frameworks now. The decision to pay or not pay a ransom has always carried legal risk; under the proposed amendments, it carries disclosure risk regardless of the decision made.
5. New Entities Enter Scope
The proposal expands the scope of NIS2 to include providers of European Digital Identity Wallets, providers of European Business Wallets, and operators of submarine data transmission infrastructure.[12] Providers of Digital Identity and Business Wallets would be classified as essential entities irrespective of their size.
Additionally, a new “small mid-cap” enterprise category is introduced: entities employing fewer than 750 persons with annual turnover of €150 million or less, or a balance sheet total of €129 million or less. These entities would, as a main rule, be classified as important rather than essential — reducing supervisory intensity for approximately 22,500 companies.[13]
For CISOs at organisations currently classified as essential, this reclassification at the margins does not change obligations. But it does affect supply chain exposure: important entities face lower supervisory pressure, which may affect the assurance they provide to essential entity partners.
What Has Not Changed
It is worth being explicit about what the January 2026 amendments do not affect.
Article 21 obligations remain in force. The risk management measures — covering incident handling, business continuity, supply chain security, encryption, access control, and multi-factor authentication — apply now under current national transpositions. The amendments do not suspend or defer them.
Board accountability is unchanged. Article 20 still requires management bodies to approve the cybersecurity risk-management measures, oversee their implementation, and undergo training, and it still allows them to be held liable for the entity's infringements of Article 21. The amendments do not reduce management exposure.
Incident reporting timelines are unchanged. The Article 23 structure of a 24-hour early warning, a 72-hour incident notification, and a final report within one month remains in place. The Digital Omnibus single entry point, when operational, will streamline how reports are filed, not when they are due.
What CISOs Should Do Right Now
The January 2026 amendments create a specific governance challenge: how to run a compliance programme in a framework that is formally mid-revision, while enforcement under the current framework is active and escalating.
The answer is not to pause. It is to build compliance architecture that is adaptive rather than point-in-time.
Proceed with current Article 21 compliance programmes in full. The amendments do not provide grounds for deferral. Enforcement is active across transposed jurisdictions and supervisory activity is accelerating through 2026.[14]
Design for certification from the start. Where possible, align current control frameworks and evidence packs with the EU cybersecurity certification schemes that will eventually serve as compliance proof. The investment made now in certification-compatible documentation is not wasted — it is the foundation of the future compliance model.
Update ransomware response playbooks immediately. The expanded disclosure requirements for ransomware incidents represent a near-term operational and legal risk. Incident response plans, legal privilege frameworks, and ransom decision authorities should all be reviewed before the next incident, not after.
Prepare the board for the timeline reality. The narrative that “NIS2 is being simplified” will reach boardrooms before the nuance does. CISOs should proactively brief boards on what the amendments mean in practice: the benefits are real but years away; current obligations apply in full; and the compliance investments being made now are not being made redundant.
Reassess supply chain governance. The Commission’s acknowledgement of the questionnaire problem signals a shift toward certification-based supply chain assurance. Vendor risk frameworks should be redesigned now to accommodate that model.
The Governance Test
The January 2026 NIS2 amendments are, in a technical sense, a simplification exercise. In a governance sense, they are something more demanding: a test of whether organisations have built compliance programmes with the maturity to absorb regulatory evolution without losing momentum.
The organisations that will struggle are those that treated NIS2 as a point-in-time certification exercise — a project with a start date and an end date. The organisations that will benefit from the amendments, when they arrive, are those that have built compliance as an operational capability: adaptive, evidence-based, and embedded in governance rather than delegated to a project team.
For CISOs, the message is unchanged from what it has always been. The threat landscape does not wait for regulatory certainty. Neither should you.
References
[1] Bird & Bird — European Cybersecurity Regulatory Update NIS2 and Beyond (accessed March 2026)
[2] Inside Privacy — European Commission Proposes Targeted Amendments to NIS2, 23 January 2026
[3] DLA Piper — NIS2 Update: EU Moves to Harmonise Cyber Controls, February 2026
[4] Inside Privacy — European Commission Proposes Targeted Amendments to NIS2, 23 January 2026
[5] McDermott Will & Emery — New EU Cybersecurity Package, February 2026
[6] Maiky.io — NIS2 Amendments: What SMEs Need to Know, February 2026
[7] McDermott Will & Emery — New EU Cybersecurity Package, February 2026
[8] IAPP — EU Cybersecurity Reboot: Practical Impacts of the Proposed NIS2 and CSA2 Reforms, 2026
[9] McDermott Will & Emery — New EU Cybersecurity Package, February 2026
[10] Inside Privacy — European Commission Proposes Targeted Amendments to NIS2, 23 January 2026
[11] Ibid.
[12] Freshfields — EU Cybersecurity Package: Commission Proposes Targeted NIS2 Amendments, January 2026
[13] Ibid.
[14] Inside Privacy — What to Watch in 2026: Key EU Privacy & Cybersecurity Developments, 28 January 2026