NIS2 and Cybersecurity Act 2: Towards More Sustainable European Compliance
The European Commission has presented a proposal to revise the NIS2 Directive, marking an important shift: not a relaxation of obligations, but a simplification designed to make security more applicable, sustainable, and aligned with the new European regulatory ecosystem.
Together with the Cybersecurity Act 2, this revision represents a real step forward: the pursuit of better rules.

Why this revision is necessary
The revision addresses four key issues that emerged during the implementation of NIS2: the definition of the scope, the proportionality of obligations, the supervision of cross‑border entities, and the fragmentation of reporting.
The goal is to reduce regulatory friction while keeping the directive’s core pillars intact: risk management, incident reporting, management accountability, and supply chain security.
Clarifying the scope
Annexes I and II are refined, not expanded.
More precise criteria are introduced for sectors such as:
energy production (excluding operators <1 MW)
hydrogen
healthcare
chemicals (aligned with REACH)
submarine data transmission infrastructure
The result is greater alignment with actual systemic risk.
Small mid‑caps: proportionality becomes operational
The new category of small mid‑cap enterprises is formally integrated into the NIS2 framework.
These are critical entities, but classified as important rather than essential, with:
reduced administrative burdens
lighter supervision
obligations calibrated to organizational capacity
Compliance must be sustainable to be effective.
Certification as a compliance lever
The Cybersecurity Act 2 introduces a significant change: European certification becomes evidence of conformity with NIS2 obligations.
Organizations obtaining a “cyber posture” certification will be able to avoid duplicate audits for already covered areas. This marks a shift toward compliance based on technical evidence rather than redundant documentation.

Supply chain, ransomware, post‑quantum: more substance, less friction
The revision introduces targeted measures in three crucial areas.
Supply chain security: new European guidelines are designed to harmonize supplier questionnaires and prevent the indiscriminate transfer of obligations down the chain.
Ransomware management: data on attacks is collected in a harmonized way, based on a key principle: notifications must not create additional liabilities for those who cooperate.
Post-quantum cryptography: for the first time, official milestones accompany the migration (2030 for critical cases and 2035 for medium- to low-risk cases), turning it into a true strategic planning exercise.
ENISA: from observer to facilitator
ENISA does not take on an enforcement role, but becomes the key enabler of European cooperation: it will manage a unified registry of NIS2 entities, coordinate cross‑border risk analysis, and support the creation of joint supervisory teams among Member States. This is a crucial step to avoid divergent national approaches and ensure more coherent and harmonized supervision across the Union.
A more mature NIS2, not a weaker one
The revision strengthens the directive: it makes NIS2 clearer, more coherent, and more sustainable for the organizations required to implement it. It also reaffirms a fundamental principle coming from Brussels: security does not depend on the quantity of obligations, but on the quality of measures and the ability to keep them effective over time.
A significant signal for the beginning of 2026, as European cybersecurity finally enters a phase of maturity.
For more information, write to info@almec.net