The Threshold That Could Reclassify Thousands of NIS2 Entities
Parliament's push to raise the 'small mid-cap' ceiling is not a minor technical adjustment.
On 25 February 2026, three committees of the European Parliament voted to push back against one of the more consequential definitions in the January 2026 NIS2 amendment package. The Commission had proposed classifying entities with fewer than 750 employees and annual turnover of up to €150 million as a new ‘small mid-cap’ category — shifting them from essential to important status, and with it, from proactive supervisory scrutiny to reactive enforcement.[1]
The Parliament wants that threshold raised. Fewer than 1,000 employees. Turnover up to €200 million. Balance sheet up to €172 million.[2]
The gap between the two positions is not a rounding error. It is the difference between tens of thousands of organisations being subject to full essential entity obligations (ex ante supervision with regular security audits, the highest fine ceilings, and the most severe personal sanctions available against management) and operating under the lighter-touch important entity regime.
For CISOs at organisations near any of these thresholds, the message is straightforward: a compliance classification that feels settled today may not be settled at all. And the governance response to that uncertainty is not to wait.
What the Commission Proposed — and Why It Matters
The January 2026 amendment package introduced the ‘small mid-cap’ category for the first time in NIS2’s scope architecture. Under the Commission proposal, qualifying entities — fewer than 750 employees, turnover ≤ €150 million or balance sheet ≤ €129 million — operating in NIS2-covered sectors would, as a main rule, be classified as important rather than essential.[3]
That reclassification has direct operational implications. Under NIS2, essential and important entities share the same Article 21 risk-management obligations, and management body accountability under Article 20 applies to both. But the supervisory architecture is fundamentally different. Essential entities face ex ante oversight: regular audits, proactive inspections, ongoing supervisory engagement. Important entities are generally supervised ex post, meaning authorities intervene primarily when incidents occur or non-compliance is evidenced. Fine ceilings are also higher for essential entities: up to €10 million or 2% of global annual turnover, whichever is higher, versus €7 million or 1.4% for important entities.[4] And only for essential entities can supervisors request that individual managers be temporarily barred from exercising their functions.
The Commission estimates that the small mid-cap category as drafted would ease compliance for approximately 22,500 companies across the EU.[5]
Parliament Pushes the Ceiling Higher — Significantly
The Parliament committees’ February 2026 position would expand that number considerably. By raising the employee threshold from 750 to 1,000, and the turnover ceiling from €150 million to €200 million, the Parliament is proposing to reclassify a substantially larger population of entities from essential to important.[6]
The logic behind the Parliament’s position reflects a consistent concern in the simplification debate: that the Commission’s definition of ‘small mid-cap’ maps too closely onto existing SME definitions and leaves a large cohort of mid-sized businesses — operationally significant, but not large by EU standards — subject to supervision intensity calibrated for major critical infrastructure operators.
The Parliament also specified that the thresholds should be reviewed every five years, and that SME support should not be diluted in the process.[7]
Neither position is final. The proposal now enters trilogue negotiations between the Commission, Parliament, and Council, with political agreement targeted for early 2027. The final threshold could land anywhere between the two positions — or be modified further during negotiation. That is precisely what makes the current period operationally hazardous for CISOs who treat NIS2 classification as a fixed input.
Essential vs Important Is Not Just a Label
The governance significance of the essential/important distinction is sometimes underestimated in compliance programme design. Classification is treated as a scoping question resolved at programme initiation and then set aside. In a stable regulatory environment, that approach is defensible. In the current environment, it is not.
Consider the practical exposure for a critical sector organisation currently sitting at 820 employees and €160 million in annual turnover. Under the Commission proposal, it exceeds both the 750-employee and the €150 million ceilings, so it would not qualify as a small mid-cap and would remain essential. Under the Parliament's proposed thresholds (fewer than 1,000 employees, turnover up to €200 million), it would qualify and shift to important status. Depending on where the trilogue lands between the two positions, the organisation either keeps its current essential classification or is reclassified as important, and the compliance obligations attached to that classification would change accordingly.
That uncertainty has immediate governance implications. Boards that have been briefed on a specific supervisory profile need to be aware that the profile is not yet fixed. CISOs managing audit exposure, documentation requirements, and incident response obligations calibrated to essential entity standards need to design compliance architecture that can absorb reclassification without requiring a programme rebuild. And management bodies should note that Article 20 accountability applies under either classification; what changes with reclassification is the severity of the sanctions available to supervisors, and any briefing built on the current classification should be revisited when the final text is adopted.
The Supply Chain Ripple Effect
The threshold debate also has a less obvious but equally significant implication for supply chain governance. NIS2 imposes explicit supply chain security obligations on essential and important entities alike, under Article 21(2)(d): they must assess and manage the cybersecurity risks posed by their direct suppliers and service providers.
When a supplier is reclassified from essential to important, its supervisory intensity decreases. It faces less frequent audits, less proactive regulatory scrutiny, and — in the event of non-compliance — lower fine exposure. That reduction in regulatory pressure does not necessarily translate into a reduction in risk. It may simply mean that the risk becomes less visible to regulators.
For essential entities that rely on mid-sized suppliers currently sitting near the reclassification thresholds, this matters. A supplier that moves from essential to important under the amended framework may face reduced incentive to maintain documentation, audit trails, and incident response capabilities at the level previously expected. The essential entity receiving services from that supplier retains its own Article 21 supply chain obligations regardless of how the supplier is classified.
CISOs managing vendor risk programmes should be mapping which of their key suppliers sit near the relevant thresholds now — before the final text is adopted — and assessing what reclassification would mean for the assurance those suppliers provide.
What CISOs Should Do Before the Trilogue Concludes
The instinct in a period of regulatory uncertainty is to pause investment and wait for clarity. That instinct is understandable. It is also the wrong response.
Article 21 obligations apply in full under current national transpositions, regardless of how the small mid-cap debate resolves. Enforcement is active and accelerating across Member States through 2026. The reclassification discussion is a future-state variable; the compliance obligations attached to current classification are operative now.
Within that context, four actions are immediately relevant:
• Map your classification threshold exposure. Identify whether your organisation — or any subsidiary or affiliate — sits within a plausible range of the competing threshold proposals. Document the analysis. If the final text shifts your classification, the governance response should be a structured reassessment, not an emergency exercise.
• Design compliance architecture for portability. The core Article 21 control framework applies equally to essential and important entities. Build your compliance evidence pack, documentation structure, and audit trail to the essential entity standard regardless of which classification you hold. If you are reclassified to important, the compliance overhead decreases but the evidence remains usable. If you remain essential, you have not over-invested.
• Reassess your vendor risk framework through the reclassification lens. Identify suppliers sitting near either of the competing thresholds. Update your supply chain assurance model to account for the possibility that key suppliers’ supervisory profiles may shift. Move toward certification-based assurance where possible: the amendment package’s broader push toward EU-level cybersecurity certification schemes is directly relevant here.
• Brief the board accurately. The ‘simplification is coming’ narrative will reach boardrooms before the nuance does. CISOs need to be ahead of that conversation. The governance message is consistent: current obligations apply in full; classification certainty will not exist until 2027 at the earliest; and the correct response to that uncertainty is programme maturity, not deferral.
The Broader Governance Signal
The threshold debate between the Commission and the Parliament is, at one level, a technical legislative negotiation. At another level, it is a symptom of a wider problem: NIS2 is a compliance framework that arrived before the regulatory architecture supporting it was complete, and which is now being refined mid-implementation.
That dynamic is not unique to NIS2. It is characteristic of the current phase of EU digital regulation more broadly. CISOs who have spent the last two years treating NIS2 as a point-in-time implementation project — with a defined scope, a defined classification, and a defined endpoint — are discovering that the framework does not stay still long enough for that model to work.
The organisations that will navigate this period most effectively are those that have built compliance as an operational capability rather than a project: adaptive, evidence-based, and embedded in governance rather than delegated to a programme team. Whether the threshold lands at 750, 1,000, or somewhere in between, that capability will be the difference between reclassification as a managed transition and reclassification as a disruption.
The threshold is still being negotiated. Your compliance programme should not be.
References
[2] Ibid.
[4] DLA Piper — NIS2 Update: EU Moves to Harmonise Cyber Controls (February 2026)
[5] IAPP — EU Cybersecurity Reboot: Practical Impacts of the Proposed NIS2 and CSA2 Reforms (March 2026)
[6] Global Policy Watch — European Commission Proposes Targeted Amendments to NIS2 (January 2026)
[7] Global Regulation Tomorrow — European Parliament committees endorse proposals (February 2026)