Overview
European cybersecurity regulation is entering a decisive phase, compelling companies to shift from preparation to active compliance. As the Network and Information Systems 2 (NIS2) Directive is implemented across a growing number of Member States, cybersecurity compliance obligations are now coming into effect for in-scope organizations, requiring immediate attention and operational readiness.
In parallel, new product-security obligations under the Cyber Resilience Act (CRA) will begin to apply from September 2026 (with full requirements following in December 2027), alongside sector-specific resilience frameworks, such as the Digital Operational Resilience Act (DORA). Meanwhile, the United Kingdom is undergoing cybersecurity and digital resilience reforms. Together, these developments create an increasingly complex and fragmented regulatory landscape for companies operating in Europe. For legal counsel, cybersecurity is no longer a purely technical or ancillary compliance matter; it has become a core governance, risk, and liability issue with direct implications for board oversight, management accountability, and business continuity – one that demands proactive engagement now.
Furthermore, at least for NIS2, in 2026 regulators are expected to move from preparatory work on legislative implementation to active supervision, audits, and enforcement. Against this backdrop, legal teams and chief information security officers (CISOs) must work closely to ensure their companies achieve compliance, which often requires coordinating multijurisdictional compliance efforts and embedding cybersecurity requirements into corporate governance, product design, supply-chain management, and incident-response frameworks.
Set out below are the eight key European cyber priorities that legal counsel and CISOs should have on their radar in 2026, together with practical considerations on why they matter and how companies can prepare.
1. Track and influence NIS2 transposition across the EU
Why it is relevant for you: The EU is raising the bar through landmark legislation, most notably the NIS2 Directive. These rules affect a wide range of businesses that are required to implement enhanced security measures and incident reporting, including food producers, digital infrastructure providers, information and communications technology (ICT) service providers, machinery manufacturers, medical device manufacturers, telco providers, online marketplaces, and critical infrastructure operators. The risks of noncompliance are significant, including substantial fines, personal liability of the management team, operational restrictions, and reputational damage. National laws implementing NIS2 differ (see our NIS2 Monitoring Tracker), creating fragmented obligations and compliance risk across the jurisdictions in which you operate.
What your organization should focus on now: Track individual jurisdictions, draft consultation responses, and advise on regulatory engagement strategies.
2. Implement the German NIS2 regime (now in force) where applicable to your organization
Why it is relevant for you: Germany’s rules for implementing the NIS2 Directive have recently come into force, imposing immediate cybersecurity obligations (see our article ‘Germany’s NIS2 Law: One step away from taking effect’), bringing with it the risk of fines and personal management liability in case of noncompliance.
What your organization should focus on now: Complete NIS2 readiness assessments, prepare mandatory registrations, develop compliance documentation, implement the required security measures, and update the incident-response processes.
3. Continue preparing for compliance with NIS2’s incident-reporting obligations, cybersecurity measures, and audit requirements across all relevant EU Member States (potentially all 27)
Why it is relevant for you: As additional countries adopt NIS2, companies may need to determine whether they are required to register locally, conduct readiness assessments, update incident-reporting processes, and develop the necessary compliance documentation. In addition, regulators are likely to begin audits and checks in 2026, particularly in the event of an incident; gaps in your cyber-risk management, supply-chain controls, or incident procedures could lead to enforcement. Finally, regulators are increasingly holding senior management personally accountable. It is therefore more important than ever to foster a security-conscious culture through structured training and active leadership engagement.
What your organization should focus on now: Build required policies and processes, design multi-regime reporting workflows considering the new cybersecurity requirements, prepare for audits, update risk-management frameworks, deliver tailored cyber and privacy trainings, conduct table-top exercises for leadership and operational teams, run executive briefings on regulatory expectations, develop governance playbooks, and enhance board-level reporting frameworks.
4. Prepare for the CRA
Why it is relevant for you: The CRA applies to virtually all digital products sold or used in the EU; noncompliance could block product launches or even lead to product withdrawal from the market. Examples of products in scope include smart-home devices, wearables, software applications, software-as-a-service tools, Internet of Things devices, industrial control systems, routers and switches, and cybersecurity tools.
Because the CRA imposes stringent security-by-design and documentation requirements, it is important to anticipate compliance early, not only to prepare the necessary technical documentation but also because meeting CRA obligations may require reengineering or strengthening the security architecture of products.
What your organization should focus on now: Assess CRA scope, classify products, create vulnerability and incident-handling processes, and create technical documentation.
5. Align with DORA’s financial-sector requirements
Why it is relevant for you: If you are a financial entity or a technology provider servicing one, you may fall under stringent resilience, oversight, and reporting obligations.
What your organization should focus on now: Build DORA-compliant ICT risk frameworks, develop resilience-testing strategies, update third-party management, and prepare incident-reporting playbooks.
6. Understand exposure under CER
Why it is relevant for you: The Critical Entities Resilience Directive (CER) expands cybersecurity obligations for operators of essential services (e.g., data centre providers), often overlapping with NIS2. Member States are still transposing CER into national law (the same 17 October 2024 deadline applied as for NIS2), after which national authorities began preparations for identifying the critical entities. By 17 July 2026, each Member State must formally identify the critical entities.
Entities that are in principle very likely to be designated as critical should begin preparing now. Early readiness reduces operational and legal risk and ensures a smoother compliance process once national measures enter into force.
What your organization should focus on now: Assess whether CER applies, support risk and resilience assessments, and design integrated CER–NIS2 compliance programs.
7. Monitor the EU Digital Omnibus (simplification package)
Why it is relevant for you: Although framed as “simplification”, the proposals will change European legislation across five core areas (see our article ‘EU proposes sweeping reforms to the GDPR, cookie rules, Data Act, and breach reporting’):
- Cybersecurity incident reporting (NIS2 and related laws)
- Data protection (General Data Protection Regulation (GDPR))
- ePrivacy (ePrivacy Directive and updated GDPR rules)
- Data use and governance (Data Act and related frameworks)
- AI regulation (AI Act)
What your organization should focus on now: Assess the impact of the proposed amendments, engage with stakeholders, and monitor the legislative process. If passed, prepare for changes, including:
- Centralised incident-reporting channel (Single Entry Point)
- Higher GDPR breach-notification thresholds
- New legal bases for processing sensitive data, especially in AI contexts
- Unified approach to Data Protection Impact Assessments
- Streamlined transparency and research and development obligations
- Machine-readable consent mechanisms to reduce cookie-banner fatigue
8. Monitor the UK’s Cyber Security and Resilience (Network and Information Systems) Bill
Why it is relevant for you: The UK is undertaking a significant restructuring of its current cybersecurity regime. If passed, the bill will expand the scope to include inter alia data centres and managed service providers, introduce a new critical suppliers’ category, create detailed customer-notification duties, and establish a two-stage reporting model that differs from NIS2. As the bill continues through Parliament, requirements may still change, making early monitoring essential.
What your organization should focus on now: Monitor legislative developments, compare the bill with NIS2, map how the bill may affect your UK operations and supply chain, assess whether you could be designated a critical supplier, and evaluate the proposed amendments, as well as any changes your company may need to make to existing documentation, standard procedures, and operational practices.