Wiper Malware, Broken Laws, and the EU's Big Regulatory Reset
Five stories shaping European cybersecurity this month — and what they mean for your business
March 2026 has been a busy month in European cybersecurity. A medical technology giant was hit by wiper malware that destroyed data on tens of thousands of devices. The EU proposed amendments that could ease the NIS2 compliance burden for small businesses. Germany's registration deadline is weeks away. And a string of data breaches, including one at the European Commission itself, reminded us that no organisation is immune.
Here is what happened, why it matters, and what you should be doing about it.
1. Stryker: The Attack That Proves Wiper Malware Is Now a Business Risk
On 11 March 2026, Stryker — one of the world’s largest medical technology companies — suffered a devastating cyberattack. Iranian-linked hackers using the group name Handala deployed wiper malware across the company’s global network, permanently erasing data from tens of thousands of devices.
This was not ransomware. The attackers did not want money. They wanted destruction.
The impact at Stryker's Cork, Ireland site alone was severe: over 5,500 employees were unable to work, with engineering, product design, and manufacturing operations brought to a standstill. Corporate laptops, mobile phones enrolled in Microsoft Intune, and servers running proprietary applications were wiped or rendered inoperable. Login screens were defaced. Remote device management systems were turned against the company they were meant to protect: a wipe command pushed through legitimate management tooling reaches every enrolled device and looks, to the endpoint, like an authorised administrative action. That makes the management plane a tier-zero asset, one that needs the same access controls, monitoring, and break-glass procedures as a domain controller.
For supply chain professionals and risk managers, the Stryker attack carries a critical lesson: the impact of a cyberattack on a large enterprise cascades immediately to its SME suppliers and partners. Companies relying on Stryker for components, instruments, or services faced disruption with no warning and no control.
NIS2 explicitly requires organisations to assess and manage cybersecurity risk across their supply chains. The Stryker incident is a textbook example of why that obligation exists — and what happens when it is not taken seriously across the ecosystem.
→ CyberSecurityNews – Stryker Cyber Attack: Iran-Linked Hackers, Wiper Malware, Cork HQ Impact
→ Data Breaches Digest – Week 11, 2026: Full Incident Roundup
2. The EU Proposes NIS2 Simplification — Including a New SME Category
On 20 January 2026, as part of a broader cybersecurity legislative package, the European Commission proposed targeted amendments to the NIS2 Directive. The goal: reduce compliance complexity, increase legal clarity, and — notably — ease the burden on smaller businesses.
The headline change for SMEs is the proposed introduction of a new ‘small mid-cap’ enterprise category. This would create a more proportionate compliance pathway for companies that currently fall under NIS2 scope but lack the resources of large enterprises. The Commission estimates that the amendments will ease compliance for approximately 28,700 companies, including 6,200 micro and small-sized enterprises.
Other proposed amendments include:
• Streamlined jurisdictional rules for cross-border entities
• Simplified ransomware data collection requirements
• A strengthened coordinating role for ENISA
• Integration with the Digital Omnibus ‘single-entry-point’ for incident reporting
Once adopted, Member States will have one year to transpose the amended provisions. The proposal is now under negotiation, and political agreement is expected later in 2026.
For SMEs already struggling with the complexity of NIS2, these amendments are a signal that the Commission has heard the feedback — even if relief is still months away.
Importantly, the proposed amendments do not pause existing obligations. If your country has already transposed NIS2, the current rules apply now. The simplification measures, when they arrive, will refine — not replace — what is already on the books.
→ European Commission – Proposal for Targeted Amendments to the NIS2 Directive (January 2026)
→ Inside Privacy – What to Watch in 2026: Key EU Privacy & Cybersecurity Developments
3. NIS2 Transposition: Germany’s April Deadline Is Now Weeks Away
Germany completed its NIS2 implementation on 6 December 2025, when the revised BSI Act entered into force — well over a year after the EU’s October 2024 deadline. That delay is now behind us. What matters now is the compliance clock that started ticking the moment the law took effect.
German-registered entities that fall within NIS2 scope must register with the Federal Office for Information Security (BSI) within three months of the Act’s entry into force. That deadline is April 2026 — weeks away. Beyond registration, the revised BSI Act introduces:
• Personal liability for management: Under Section 38 of the BSI Act, members of management bodies are personally accountable for approving and overseeing cybersecurity risk management measures.
• Significant fines: Particularly important entities face fines up to €10 million or 2% of global annual turnover. Important entities face up to €7 million or 1.4% of global turnover.
• Expanded BSI enforcement powers: Including broad inspection rights, binding orders, and detailed documentation requirements.
Germany’s approach is stricter than the baseline NIS2 Directive in several ways — most notably in how it layers new NIS2 obligations on top of the existing KRITIS framework, creating a more granular and demanding scoping model.
Across the EU more broadly, transposition is accelerating. Germany, Portugal, and Austria have all recently adopted national implementing legislation, while Spain, France, and Poland are nearing completion. As of early 2026, the majority of Member States have transposed NIS2 — meaning enforcement activity will follow.
→ Bird & Bird – European Cybersecurity Regulatory Update: NIS2 and Beyond
4. Cyber Resilience Act: Six Months to the First Hard Deadline
The Cyber Resilience Act (CRA) entered into force on 10 December 2024, and for most organisations it has felt abstract, something to think about later. That window is closing.
From 11 September 2026, manufacturers of products with digital elements must comply with the CRA's reporting obligations under Article 14. This is the first hard, enforceable obligation under the Act. Manufacturers must report any actively exploited vulnerability in their products, and any severe incident affecting product security, to the national CSIRT designated as coordinator and to ENISA, through the single reporting platform that ENISA maintains. The timelines are tight: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within 14 days for a vulnerability (one month after the incident notification for an incident). Meeting a 24-hour clock means the intake, triage, and decision path has to exist before the first report is ever due.
The broader compliance picture looks like this:
• 11 September 2026: Vulnerability and incident reporting obligations begin
• 11 December 2027: Full CRA compliance required — security-by-design, conformity assessments, CE marking, and technical documentation
For SMEs that develop or sell software, hardware, or connected products in the EU market, the CRA is not optional. It applies regardless of whether the manufacturer is based inside or outside the EU — what matters is whether the product is placed on the EU market.
Six months is not long when you factor in supply chain audits, secure development process reviews, and the documentation trail regulators will expect to see.
The 10th Cybersecurity Standardization Conference, held in Brussels on 12 March 2026 and co-hosted by CEN, CENELEC, ETSI, and ENISA, dedicated significant discussion to the timeline of CRA standards and how they interact with NIS2, DORA, and eIDAS. The message from regulators and industry was consistent: begin preparing now, because the December 2027 deadline requires foundational work that cannot be done in the final months.
→ CEN-CENELEC – Highlights from the 10th Cybersecurity Standardization Conference, March 2026
→ Open Regulatory Compliance Working Group – The EU Cyber Resilience Act: Deadlines and Requirements
5. When the EU Commission Gets Breached: A Reminder That No One Is Immune
On 6 February 2026, the European Commission disclosed a data breach affecting staff. The incident was detected on 30 January, when its mobile device management infrastructure identified traces of unauthorised access, later linked to active exploitation of a vulnerability in Ivanti Endpoint Manager Mobile. As at Stryker, the foothold was the device management layer: the system that holds privileged control over every enrolled endpoint, and therefore the one an attacker most wants.
The same week, rail pass provider Eurail confirmed that customer data — including names, contact details, travel companion information, and passport numbers — had been stolen and offered for sale. Criminals claimed to have taken 1.3 terabytes from cloud storage and support systems, and threatened wider release if no buyer emerged.
Neither the Commission nor Eurail fits the profile of a poorly resourced organisation caught napping. Both have dedicated security functions, established processes, and regulatory obligations. Both were breached anyway.
If the European Commission cannot fully prevent a breach, your business certainly cannot. The goal is resilience, detection, and response — not the illusion of impermeability.
This is the core argument behind NIS2’s incident reporting requirements. The Directive does not assume organisations will never be breached. It assumes they will — and it requires them to have the governance structures, detection capabilities, and reporting processes in place to manage the aftermath effectively.
For SMEs, the lesson is practical: having an incident response plan is not a luxury. It is a baseline obligation under NIS2 for in-scope entities, and a basic act of business survival for everyone else.
→ Bright Defense – List of Recent Data Breaches in 2026 (Eurail, EU Commission, and more)
What Should You Do With All of This?
The five stories above are not isolated incidents. They form a pattern: the threat landscape is intensifying (Stryker, EU Commission, Eurail), regulatory enforcement is materialising (Germany’s April deadline, NIS2 transposition wave), and the legislative framework is evolving to address SME realities (NIS2 amendments, CRA implementation support).
If you run or advise a business in scope of NIS2 — or if you sell products with digital elements in the EU — here is where to focus your attention:
• Check your NIS2 status. With over 20 Member States now having transposed NIS2, the odds are that the rules apply in your country. If you are not sure whether your organisation is in scope, that question needs answering now.
• Register if you are in Germany. The April 2026 BSI registration deadline is imminent. Do not miss it.
• Map your supply chain. The Stryker attack is a case study in how cyber incidents spread through supplier ecosystems. NIS2 requires you to assess third-party risk. Start with your most critical vendors.
• Plan for CRA. If your business develops or sells products with digital elements, the September 2026 vulnerability reporting deadline is your first hard CRA obligation. Begin building your process now.
• Review your incident response plan. The EU Commission was breached through exploitation of a vulnerability in a widely used mobile device management product, and detected it through that same infrastructure. Do you have a documented plan for detecting, containing, and reporting a significant incident, and do you know which of your platforms would be the first place to look?
──
If you want a practical, jargon-free guide to working through all of this — scoping, governance, risk management, supply chain, incident response, and documentation — I wrote NIS2 Practical Compliance for SMEs exactly for this situation: business owners and directors who need to get compliant without a large security team and without a large budget.
📖 Available on Amazon → amazon.com/dp/B0GRQVQG8C
Angelos Varthalitis is a CISO with over 20 years of cybersecurity experience. He runs avsecadvisory and writes at varthalitis.eu. Views are his own.