NIS2 Cybersecurity Reform Proposed: New Obligations for EU Critical Infrastructure
Apr 17, 2026
Twenty-two of the EU's 27 member states have now transposed the NIS2 Directive into national law. As this rollout continues, the European Commission has put forward a set of proposed amendments that would place additional obligations on entities operating within its scope. Given that enforcement activity is anticipated to ramp up through 2026, businesses with operations across the EU need to be aware of the evolving requirements and take steps to get ahead of them.
Three Notable Changes in the Commission's Draft
The proposal, published in January 2026, introduces the following amendments:
Diverging National Implementations
Despite broad progress in transposing NIS2, how individual member states have approached implementation varies considerably, producing an uneven regulatory environment for organizations that operate in several EU jurisdictions simultaneously.
As an illustration, countries such as Belgium and Italy have applied the "main establishment" principle, meaning that NIS2 compliance duties fall primarily on entities whose headquarters are located in those jurisdictions. Other member states take a different approach, requiring any company offering services within their borders to register with the relevant national cybersecurity authority, irrespective of where the organization is headquartered.
Incident reporting timelines also diverge. Cyprus mandates that an initial notification be filed within six hours of an incident being identified, a stricter window than in most other jurisdictions. Germany grants its supervisory authority the power to direct affected entities to inform impacted individuals without delay after an incident occurs. Meanwhile, Slovakia's rules go further than most, requiring entities to report not only confirmed incidents but also significant cyber threats. These inconsistencies add to the operational and administrative burden faced by cross-border organizations.
Steps Organizations Should Consider
As the first wave of NIS2 enforcement draws closer, organizations are advised to take the following actions:
- Ensure that senior leadership, including board-level governance bodies, is kept up to date on the organization's compliance standing, given that personal accountability for individual executives may arise in cases of non-compliance.
- Direct compliance resources toward the areas of greatest operational risk, with particular attention to core systems and the documentation of incident response procedures.
- Identify and maintain a clear picture of the relevant supervisory authorities in every jurisdiction where the business operates.
- Draw on guidance issued by ENISA and relevant national bodies, and adopt a forward-looking compliance posture that anticipates requirements rather than waiting for every member state to complete formal transposition.
As the remaining member states complete their NIS2 transposition processes, the emphasis across the EU is expected to move from implementation toward enforcement. Businesses should sustain their compliance efforts and monitor any further developments arising from the Commission's proposed amendments. DEKRA will continue to track these changes and share relevant updates as the situation evolves.
