NIS2 2026 Amendments: Scope, Compliance & Timeline | Arté

Breaking down the January 2026 NIS2 amendments — new scope definitions, certification-based compliance, ransomware reporting rules, and post-quantum cryptograph

Arté Team · 2026-02-07

The NIS2 Landscape Is Shifting

If your organization operates within the European Union, the cybersecurity compliance environment just changed again. In late January 2026, the European Commission put forward a set of targeted amendments to the NIS2 Directive — the regulation that defines cybersecurity obligations for essential and important entities across the bloc.

These changes aim to reduce regulatory fragmentation between member states, clarify who falls under the directive's scope, and make it easier for organizations — especially those operating across borders — to demonstrate compliance without duplicating effort in every jurisdiction.

Who Falls Under the Updated Scope

The amended proposal brings two new categories of entities into the "essential" classification:

- European Digital Identity Wallet providers — regardless of company size, these operators will be treated as essential entities under NIS2
- Submarine data transmission infrastructure operators — a recognition of how critical undersea cable networks are to European digital infrastructure

On the other side, micro and small DNS service providers are being removed from scope — an acknowledgment that the original directive may have cast too wide a net for certain smaller operators.

A new designation for small mid-cap companies operating in NIS2-covered sectors is also being introduced, placing them under the "important entity" classification with proportional obligations.

Harmonized Technical Requirements

One of the most impactful changes is the push toward a single set of technical requirements across all member states. Once the Commission finalizes implementing rules for the directive's Article 21 security measures, individual member states will no longer be able to layer on additional national requirements.

For organizations operating in multiple EU countries, this is a significant shift. Instead of navigating a patchwork of national interpretations, there will be a uniform compliance ceiling that applies everywhere.

Certification as a Compliance Path

The amendments introduce the concept of using EU cybersecurity certification schemes as a recognized way to demonstrate compliance with NIS2's technical requirements.

In practical terms, this means organizations could obtain a single EU-recognized certification and use it as evidence of compliance across all member states where they operate — rather than producing separate documentation for each national authority. For multinational organizations, this could dramatically reduce the administrative overhead of proving compliance in every jurisdiction.

Mandatory Ransomware Disclosure

A notable addition to the reporting framework: organizations that experience ransomware incidents may now be required to disclose details about ransom demands and any payments made when requested by their national regulatory authority. This includes information about the demanded amount, payment method, and recipient details.

The goal is to give regulators better visibility into the ransomware economy and help shape more effective policy responses across the EU.

Post-Quantum Cryptography on the Horizon

Looking further ahead, the amendments require member states to develop migration strategies for post-quantum cryptography. The proposed timelines set expectations for transitioning away from encryption methods that could be vulnerable to quantum computing:

- 2030 for systems handling critical and high-sensitivity data
- 2035 for medium and lower-sensitivity applications

While these deadlines may seem distant, organizations handling sensitive data should begin evaluating their cryptographic dependencies now.

Where Do Member States Stand

Transposition of NIS2 into national law continues to progress unevenly across the EU. Several countries have recently completed their national implementing legislation, while others are in the final stages of their parliamentary processes.

Enforcement activity is expected to accelerate throughout 2026 as more countries bring their frameworks online. Organizations that haven't started their NIS2 readiness assessment should treat this as urgent — waiting for full national implementation before acting leaves very little runway for achieving compliance.

How Arté Can Help

Arté acts as a NIS2 compliance platform — our Compliance Self-Assessment module includes a dedicated NIS2 Compliance Self-Assessment that helps organizations evaluate their current readiness against the directive's requirements. The assessment provides automated scoring, identifies specific compliance gaps, and prioritizes remediation actions.

If you haven't started your NIS2 preparation yet, begin with a free assessment to understand where your organization stands today.