On January 20, 2026, the European Commission unveiled a landmark proposal to amend the NIS2 Directive, part of a broader cybersecurity package designed to address Europe’s escalating exposure to sophisticated cyber and hybrid threats. The timing is critical. With many Member States still finalising their transposition of NIS2 into national law, the Commission’s clarifications and targeted amendments arrive as a strategic response to both regulatory fragmentation and the mounting burden of compliance costs that threaten SME participation in the EU’s digital ecosystem.
The headline figures are striking: these amendments will ease compliance for 28,700 companies across the EU, including 6,200 micro and small-sized enterprises. For compliance officers and security teams managing resources across multiple jurisdictions, the proposed changes signal a fundamental shift toward proportionate, harmonised rules that lower administrative overhead without compromising security standards.
Before examining the specifics, it is worth understanding why these amendments matter. The original NIS2 Directive, adopted in December 2022, substantially expanded EU cybersecurity requirements by covering 18 critical sectors and imposing tight incident reporting timelines (24-hour early warnings, 72-hour notifications, and 1-month final reports). While the directive effectively strengthened resilience across essential infrastructure, its implementation revealed challenges for many SMEs, including unclear jurisdictional boundaries, additional requirements imposed by national authorities, and duplicate reporting demands under GDPR, DORA, and other sector regulations.
By early 2026, with many Member States still struggling with full transposition of NIS2 into national law amid ongoing infringement procedures, and cyber incidents continuing to escalate, the Commission recognised that regulatory clarity and simplification had become prerequisites for effective, proportionate compliance. The January 20 package addresses this head-on.
The most immediately impactful change for SMEs is the introduction of a new small mid-cap entity category. This classification targets organisations with fewer than 750 employees and either up to €150 million in turnover or up to €129 million in total assets. These entities, previously at risk of being classified as "essential" under strict size criteria, will now generally be designated as "important" entities instead.
This distinction matters considerably. Under NIS2, essential entities face more stringent obligations, including proactive, ongoing, and ad hoc regulatory supervision. Important entities, by contrast, are monitored only where there is evidence or indication of non-compliance, a more proportionate, risk-based oversight model. For the companies falling into this new small mid-cap bracket, the reclassification translates directly into lower compliance costs: reduced reporting frequency, lighter supervisory burdens, and an alignment of obligations with organisational capacity and risk profile.
The Commission's impact assessment suggests this reclassification alone could reduce compliance costs for affected organisations, bringing meaningful savings for resource-constrained SMEs. Because compliance obligations for important entities remain robust (risk management, incident reporting, business continuity), the cost reduction stems from proportionate implementation rather than a weakening of substance.
A persistent source of friction under NIS2 has been jurisdictional ambiguity, particularly for cross-border service providers. The amended text introduces several concrete clarifications that narrow the scope and reduce regulatory exposure for smaller entities in specific sectors.
DNS service providers, for instance, previously fell within the NIS2 scope regardless of size. Under the amendments, DNS providers are now subject to NIS2 only if they meet standard size thresholds (i.e., medium-sized or large), removing automatic inclusion of small DNS operators. Similarly, the definition of chemical sector coverage has been narrowed: distribution activities have been removed, with only manufacturing and production now falling within scope. Energy producers are covered only if generation capacity exceeds 1 megawatt, another clarification that removes smaller, lower-risk entities from mandatory compliance.
These adjustments may seem incremental, but they address a critical compliance challenge: jurisdictional uncertainty. When organisations find it difficult to assess whether they are in or out of scope, or whether they are essential or important, the administrative costs of compliance increase significantly. Teams must invest in external legal guidance, conduct lengthy internal assessments, and maintain dual-track compliance postures pending clarification. The January 2026 amendments resolve much of this uncertainty through clearer definitions and a narrowed scope, enabling organisations to make confident compliance decisions without extensive legal overhead.
For cross-border entities operating in multiple EU jurisdictions, clearer jurisdictional rules also reduce the risk of conflicting national interpretations. This harmonisation, part of the broader shift toward a "Digital Rulebook" for the EU, represents a foundational step toward proportionate, consistent compliance across borders.
National authorities will also gain explicit power to request additional information about ransomware incidents from reporting entities, enabling post-incident investigation and threat intelligence sharing across the EU.
This represents a significant expansion of incident reporting obligations, but one that serves a critical public interest function. By aggregating ransomware data across the EU, national authorities and ENISA can develop evidence-based understanding of threat actor behaviour, payment infrastructure, and effective countermeasures, insights that ultimately strengthen collective defence. For compliance teams, the new requirements mean integrating ransomware-specific data collection into incident response playbooks and ensuring forensic evidence preservation practices align with regulatory expectations.
The EU's move also signals a shift in thinking about ransomware from a purely operational problem to a strategic, intelligence-driven challenge requiring coordinated response, a framing already adopted by the U.S. Treasury and increasingly reflected in EU sanctions and law enforcement activity targeting ransomware ecosystems.
One of the most complex aspects of cybersecurity compliance is the coordination challenge between the NIS2 Directive and the diverse landscape of the European Union’s digital policies. Organisations often face a "regulatory maze" where a single incident may trigger overlapping obligations under different regimes, leading to redundant administrative burdens and fragmented reporting.
The January 2026 amendments address this directly by aligning NIS2 with the Digital Omnibus proposal. This empowers ENISA to operate a unified Single Entry Point (SEP) for incident reporting, designed to consolidate notifications across NIS2 and other relevant EU legal acts. Under this framework, entities can use a central platform to fulfil reporting duties, which ENISA will maintain to ensure incident information flows seamlessly to the relevant national authorities without duplicative friction.
What this means in practice: simplification is transitioning from a policy goal to a structural mandate. For example, the proposal introduces "cyber posture" certification, allowing entities to demonstrate compliance with risk-management requirements through a single European certification scheme. This synergy not only facilitates NIS2 compliance but may also streamline obligations under the GDPR. Furthermore, ENISA’s role expands into proactive mutual assistance, where it will conduct annual cross-border risk assessments and recommend joint examination teams to supervise entities with significant cross-border footprints.
This is not merely a convenience. For the newly defined category of "small mid-cap enterprises", which are now classified as "important entities" to reduce their regulatory and supervisory load, these changes are transformative. By consolidating reporting streams and harmonising requirements, the Commission aims to cut administrative costs by 25% overall and by 35% for SMEs. It reduces the burden of "heterogeneous questionnaires" in the supply chain and ensures that high-quality incident data, including ransomware attack vectors, is available to bolster Union-wide resilience.
A subtler, but equally important, outcome of the amendments is increased harmonisation of security and reporting requirements across Member States. NIS2 was framed as a "minimum harmonisation" directive, meaning Member States retain discretion to impose additional ("gold-plated") obligations beyond the baseline. Belgium's requirement for coordinated vulnerability disclosure policies, for instance, goes beyond NIS2's generic requirements. In practice, this flexibility creates compliance complexity for organisations operating across borders: the same organisation faces different rules in Belgium than in France or Germany.
The amendments signal the Commission's intent to use technical guidance and ENISA recommendations to narrow this variance. By standardising ransomware reporting formats, clarifying jurisdictional scope, and expanding ENISA's authority to develop harmonised technical and organisational security measures, the Commission is working to create a more coherent baseline across the EU.
For SMEs, harmonisation reduces the need for jurisdiction-by-jurisdiction compliance customisation. A single security architecture and incident response process can serve all EU operations, rather than requiring parallel tracks for different national implementations. This is not automatic; it will depend on how ENISA exercises its new coordinating authority and how closely Member States align their national guidance, but the structural shift is clear.
The Commission's January 20 package was framed explicitly as a response to escalating cyber threats. Europe faces daily cyber and hybrid attacks on essential services and democratic institutions, carried out by sophisticated state and criminal groups. Recent campaigns targeting critical infrastructure, energy, transport, and healthcare have underscored the urgency of coordinated EU defence.
Within this context, the NIS2 amendments serve a dual purpose: (1) clarifying rules to enable faster, more widespread adoption, and (2) empowering ENISA to operate as a true coordinating authority capable of aggregating threat intelligence, supporting incident response, and harmonising practices across Member States.
The ransomware data collection regime, for instance, is not merely about compliance reporting; it is about building an EU-wide intelligence picture of ransomware-as-a-service ecosystems, payment flows, and attribution clues that will inform law enforcement and sanctions policy. The small mid-cap category removes compliance friction that might otherwise prevent mid-market organisations (where many SMEs sit) from meeting basic security standards. The Single Entry Point consolidates incident data to ensure no incident falls through the cracks due to regulatory fragmentation.
In other words, the amendments reflect a maturation in the EU's approach to cybersecurity regulation: moving from aspirational directives with ambiguous scope and overlapping requirements toward operationalised frameworks that balance compliance burden with concrete security outcomes.
The proposed amendments will proceed through the ordinary legislative procedure, with the European Parliament and Council negotiating the final text throughout 2026. Once adopted, Member States will have 12 months to transpose the amended provisions into national law.
For SMEs, the practical implication is immediate: begin assessing how the small mid-cap category and clarified jurisdictional rules affect your organisation's classification. If you are a mid-sized entity currently struggling with essential entity obligations, the amendments may bring significant relief. If you operate in sectors with now-narrowed scope definitions (DNS, chemicals, energy), review whether your organisation remains in scope. If you manage cross-border incident response, familiarise yourself with ENISA's Single Entry Point roadmap; the agency will publish technical guidance and implementation schedules throughout 2026–2027.
The January 2026 proposal is more than a legal update; it is a roadmap for more proportionate and intelligence-driven cybersecurity in Europe. For SMEs and compliance teams, these are the essential changes to track:
The European Commission aims to reduce the administrative burden of NIS2 by 25% overall, with a targeted 35% reduction for SMEs. The introduction of the "small mid-cap" category (entities with fewer than 750 employees and either up to €150 million in turnover or up to €129 million in total assets) is the primary driver. These organisations will now be classified as "important" rather than "essential," shifting them from proactive to reactive supervision without lowering security standards.
One of the most transformative updates is the Single Entry Point (SEP) maintained by ENISA. This platform is designed to consolidate incident notifications across NIS2 and other Union legal acts. By reducing the need for "duplicate notifications," the SEP ensures that high-quality data reaches national authorities and CSIRTs through a single, frictionless digital interface.