Overview
On 20 January 2026, the European Commission unveiled a new EU cybersecurity package comprising (i) a proposal to revise the Cybersecurity Act (CSA2) and (ii) targeted amendments to the Network and Information Systems 2 (NIS2) Directive.
The package aims to strengthen the EU’s cyber resilience, reduce regulatory fragmentation, and address escalating information and communications technology (ICT) supply-chain risks. Both proposals now pass to the European Parliament and the Council of the EU under the ordinary legislative procedure and are expected to be refined further in trilogue negotiations, with the Commission targeting political agreement by early 2027.
Once adopted, CSA2 will apply directly across the EU, while Member States will have one year to transpose the NIS2 amendments into national law.
The direction of travel is clear: the targeted NIS2 amendments are intended to ease compliance for in-scope entities and to enhance legal certainty. In parallel, CSA2 marks a structural shift: cybersecurity certification is elevated from a voluntary quality label to a compliance and risk-management instrument, the European Union Agency for Cybersecurity (ENISA) is repositioned as a more operational actor, and ICT supply-chain security moves beyond procedural due diligence towards EU-level risk assessment, enforceable mitigation measures and, where necessary, restrictions.
Further information
Targeted NIS2 amendments: Greater legal certainty and convergence
Although presented as a simplification exercise, the proposed NIS2 amendments would amount to a substantive recalibration. The emphasis is on legal certainty and convergence, while formally retaining NIS2 as a minimum-harmonisation directive.
1. Clearer scope and more predictable entity classification
To reduce the compliance burden, the proposal introduces more precise and proportionate scope rules, including:
- Sector-specific clarifications and thresholds, notably:
- A 1 MW generation-capacity threshold for electricity producers
- Targeted refinements for the healthcare, hydrogen, and chemical sectors
- Inclusion within the scope of NIS2 of providers of European Business Wallets, as well as entities identified as owners, managers, or operators of strategic dual-use infrastructure.
- Creation of a new small midcap enterprise category. As a main rule, small midcap entities referred to in Annex I will be classified as important rather than essential, reducing supervisory intensity.
Impact for business:
- Companies operating close to NIS2 thresholds should reassess their classification and regulatory exposure once the legislative process is more advanced.
- Companies operating across several Member States are likely to benefit from greater consistency, reducing conflicting supervisory outcomes.
2. Risk-management measures: Minimum harmonisation with real convergence
NIS2 remains a minimum-harmonisation instrument. However, where the Commission adopts implementing acts specifying technical, methodological, or sectoral risk-management measures under Article 21(5), Member States will no longer be permitted to impose further national requirements for those measures.
This effectively shifts the definition of core cybersecurity controls to the EU level.
Impact for business:
- The exposure to national gold-plating of baseline cybersecurity controls will be reduced.
- There will be greater predictability for cross-border compliance programmes and internal control frameworks.
- Chief information security officers and legal teams should expect more uniform supervisory benchmarks over time.
3. Cybersecurity certification as a compliance tool
The revised NIS2 Directive is explicitly aligned with CSA2’s reform of the European Cybersecurity Certification Framework (ECCF). Organisations will be able to rely on European cybersecurity certification schemes, including future entity-level cyber-posture certifications, to demonstrate compliance with NIS2 risk-management obligations.
Where a certificate demonstrates compliance with particular requirements, competent authorities will not be allowed to subject the entity to security audits in respect of those requirements.
Impact for business:
- Certification will become a strategic compliance instrument, not merely a voluntary quality label.
- Multinational organisations may be able to reduce duplicative audits and supervisory demands across jurisdictions.
4. Supply-chain security: From questionnaire fatigue to standardisation
The Commission explicitly recognises that NIS2 supply-chain obligations have generated burdensome and inconsistent supplier questionnaires, often cascading obligations down the supply chain.
The amendments foresee EU-level guidance on supply-chain security, addressing an appropriate level of detail, structure, and format for such information requests.
Impact for business:
- Supplier due-diligence processes may become standardised across the EU.
- The pressure to cascade extensive compliance questionnaires to out-of-scope suppliers will be reduced.
- There will be greater clarity during negotiations for contractual cybersecurity obligations.
5. Ransomware reporting: Better data, built-in safeguards
The amendments to NIS2 would introduce a basis for more harmonised EU-wide data collection on ransomware incidents, including attack vectors and mitigation measures. Sensitive information, such as whether a ransom was paid, would have to be disclosed only upon request of the Computer Security Incident Response Team (CSIRT) or the competent authority.
Impact for business:
- Reporting expectations will increase: ransomware notifications will need to be more structured, covering attack vectors and mitigation measures, and ransom-payment information must be available on request.
- Incident-response playbooks will need to reflect more structured EU-level reporting workflows.
6. EU representative: Scope expansion
The proposed replacement of Article 26(3) removes the express limitation to entities referred to in Article 26(1)(b), comprising digital infrastructure, digital providers, and managed (security) service providers. As a result, the obligation to designate an EU-based representative would apply to all essential and important entities not established in the EU but offering services within it, including providers of public electronic communications networks and publicly available electronic communications services.
Jurisdiction would attach to the Member State where the representative is established, except for electronic communications providers, which would continue to fall under the jurisdiction of the Member State in which they provide their services. Where no representative is designated, any Member State in which services are offered may initiate enforcement action for infringements of NIS2.
Impact for business:
- Compliance obligations for non-EU providers will expand, notably in the telecommunications and electronic communications sectors, which are not currently subject to a representative requirement.
- Non-EU entities operating in multiple Member States without a designated representative will have increased enforcement exposure.
- Representative designation will become more strategically important, because the location of the representative may determine the primary supervisory interface for most non-EU operators.
7. Post-quantum cryptography: A regulatory horizon signal
As part of the national cybersecurity strategy, Member States will be required to adopt policies for the transition to post-quantum cryptography (PQC), taking into account the transition timelines and relevant requirements set out in applicable EU legal acts and policies, with EU-level timelines targeting 2030 for critical use cases and 2035 for medium- and low-risk use cases.
Impact for business:
- PQC moves from a theoretical issue to a medium-term regulatory expectation.
- Companies with long-lived systems or encrypted data should factor PQC into technology road maps and procurement decisions.
_______________________________________________________________
CSA2: From dormant framework to operational instrument
CSA2 seeks to address the limited uptake of EU cybersecurity certification and to reinforce the EU’s capacity to manage strategic ICT risks.
It introduces three core pillars:
- A significantly strengthened ENISA
- A simplified and expanded ECCF
- An ICT supply-chain framework
8. The operationalisation of ENISA’s mandate
CSA2 clarifies ENISA’s role and assigns it concrete, delivery-oriented tasks across four clusters:
- Support for implementation of EU cyber law and policy
- Operational cooperation
- Cybersecurity certification and standardisation
- Implementation of the Cybersecurity Skills Academy
Impact for business:
- ENISA tools and guidance are likely to function as de facto compliance standards for national authorities.
- Increased EU coordination should reduce inconsistent national supervision for cross-border operators.
- Certification and skills frameworks will increasingly be used to evidence compliance, governance maturity, and operational readiness.
9. Certification: From a nice-to-have label to a compliance and market-access tool
CSA2 aims to make the ECCF more effective and more usable across the entire market, including certification for ICT products, services, and processes; managed security services; and the cyber posture of entities. European cybersecurity certification will continue to be voluntary, unless otherwise specified in EU or national law.
What changes in substance:
- A broader scope, including an entity-level cyber-posture concept.
- A stronger link between certification and compliance via presumption of conformity mechanisms where EU or national law recognises certification to demonstrate compliance.
Impact for business:
- Certification can become a differentiator (and in some contexts, a quasi-requirement), especially in regulated sectors.
- Where EU or national law provides presumption of conformity, certification can reduce duplicative audits and lower friction with multiple supervisors.
- Expect more requests for proposals and vendor contracts to require, or reward, EU certification.
10. Trusted ICT supply-chain framework: EU-level mechanism to address nontechnical risk
A core CSA2 revision is the EU-level trusted ICT supply-chain framework to address nontechnical risks (e.g., jurisdiction to which a supplier of certain components is subject) in sectors of high criticality and other critical sectors covered by NIS2. It is designed to (i) identify key ICT assets in critical ICT supply chains and (ii) impose appropriate and proportionate mitigation measures on NIS2-covered entities.
The framework sits alongside (and does not displace) obligations under the Cyber Resilience Act and national rules implementing Article 21 NIS2, and it explicitly allows Member States to have and maintain higher supply-chain requirements if consistent with EU law.
11. Coordinated security risk assessments
CSA2 enables the Commission, or at least three Member States, to trigger EU-level coordinated security risk assessments through the NIS Cooperation Group. These assessments must identify key ICT assets of the respective supply chains; assess threat actors, vulnerabilities, and risk scenarios; and propose mitigation measures. As a rule, they must be completed within six months, with shorter timelines possible in urgent cases. Where the Commission considers that a significant cyber threat endangers the functioning of the internal market, it may conduct its own assessment after consulting Member States.
Based on these assessments, the Commission may identify key ICT assets by implementing act, taking into account their essential and sensitive functions, the potential for serious disruption or data exfiltration, supplier concentration risks, and the results of the risk assessments.
In parallel, CSA2 establishes a mechanism to address nontechnical risks linked to third countries. Where a third country is found to pose a serious and structural nontechnical risk to ICT supply chains – based on factors such as vulnerability disclosure laws or practices, lack of effective oversight, or substantiated malicious cyber activity – the Commission may designate that country as posing cybersecurity concerns. Entities established in, or controlled by, such countries or otherwise designated following a specific risk assessment may be classified as high-risk suppliers.
Impact for business:
- Companies should expect deeper scrutiny of supplier dependencies, ownership structures, and concentration risks.
- Certain suppliers or components may become legally constrained or unavailable, directly affecting sourcing strategies, cost structures, and deployment timelines.
- Robust asset and supply-chain mapping will become a prerequisite for compliance and risk management.
12. Binding mitigation measures and prohibitions
Following risk assessments, the Commission may impose binding mitigation measures by implementing act. These include transparency obligations and restrictions on data transfers, remote data processing from a third country, outsourcing and contractual arrangements, audited technical controls, personnel vetting, and diversification of supply of ICT components.
Where necessary, the Commission may go further and prohibit certain types of NIS2-covered entities from using, installing, or integrating ICT components from high-risk suppliers in key ICT assets, subject to transition and phase-out periods. Before adopting such measures, the Commission must assess potential risks and dependencies.
Impact for business:
- CSA2 enables a shift from assessment to operationally intrusive and enforceable controls.
- Expect concrete consequences in particular for IT architecture, outsourcing models, data flows, and supplier contracts.
- Exit strategies, diversification planning, and migration budgets will become essential compliance tools.
13. Exemptions: Limited flexibility under strict conditions
Entities established in or controlled by entities from a third country posing cybersecurity concerns may make a reasoned request to the Commission to be exempted. Exemptions require clear evidence of effective mitigation, may be time limited and conditional (e.g., audits and reporting), and are subject to fees. Decisions are recorded in a public register.
Impact for business:
- Exemptions may provide short-term relief where alternatives are unavailable but create delay, compliance overhead, and reputational exposure.
- Exemptions should be viewed as exceptional and temporary, not a long-term sourcing strategy.
14. Mandatory phase-out of high-risk suppliers
For mobile, fixed, and satellite electronic communications networks, CSA2 identifies key ICT assets and mandates the phase-out of components from high-risk suppliers. For mobile electronic communications networks, the phase-out period must not exceed 36 months from publication of the relevant high-risk supplier list; timelines for fixed and satellite networks will be set via implementing acts.
Impact for business:
- Telecom operators will face the clearest, most immediate outcome: mandatory replacement programmes with fixed deadlines.
- Significant capital expenditure, procurement, and service-continuity risks are likely, with downstream effects for customers.
Conclusion and recommended next steps for companies
Taken together, the proposed NIS2 amendments and CSA2 point to a clear change in direction in EU cybersecurity law, moving away from fragmented national approaches towards greater coordination and more harmonised supervision.
For businesses, cybersecurity is increasingly treated as a matter of enterprise risk management and corporate governance rather than a purely technical issue. At this stage, close monitoring of the legislative process is important. Key elements of the proposals, including scope thresholds, the use of EU-level implementing acts, and the role of certification, remain subject to negotiation and may still evolve in ways that affect compliance planning and operational choices.
Organisations that follow these developments early will be better placed to adjust once the framework is finalised.