New EU cybersecurity package: what the NIS2 and CSA2 reforms bring

On 20 January 2026, the European Commission published a cybersecurity package consisting of two legislative proposals: targeted amendments to the NIS2 Directive and a proposed new Cybersecurity Act regulation (CSA2). The goals are to strengthen EU cyber resilience, reduce regulatory fragmentation across member states, and better address ICT supply chain risks.

Proposed NIS2 amendments

The amendments focus on scope refinements, technical harmonization, and new reporting obligations.

Scope changes

  • Submarine data transmission infrastructure operators join the directive as essential entities.
  • European Digital Identity Wallet providers are classified as essential entities regardless of size.
  • A new "small mid-cap" enterprise category is introduced; enterprises in this category are designated as important rather than essential entities, which lowers their compliance burden.
  • Chemical distributors are removed from scope (manufacturers and producers remain).
  • DNS providers become subject to size-cap rules, excluding micro and small providers.

Harmonized technical requirements

The Commission proposes a compliance ceiling: once implementing acts on Article 21 risk-management requirements are adopted, member states may not impose additional national requirements. Organizations will also be able to use European cybersecurity certification schemes to demonstrate compliance across borders, reducing the need for jurisdiction-specific documentation.

Ransomware reporting

Entities must report ransomware attack vectors and mitigation measures. Upon regulatory request, they must also disclose ransom demands, any payments made, amounts, and payment methods.

Post-quantum cryptography

Member states must include post-quantum cryptography transition plans in their national strategies. The target dates are 2030 for critical systems and 2035 for broader adoption.

The new Cybersecurity Act (CSA2)

The second part of the package — the CSA2 regulation — introduces mandatory ICT supply chain security frameworks. ENISA's mandate expands by over 75%. Cybersecurity certification shifts from a voluntary quality label to a core compliance and risk-management tool covering organizational cyber resilience, not just products and services.

What this means in practice

Slovakia transposed NIS2 through Act No. 366/2024, effective 1 January 2025. Essential entities are currently working toward their first external cybersecurity audit deadline of 31 December 2026. The proposed amendments do not affect this timeline — current requirements under Slovak law remain in force.

Once adopted (expected no earlier than late 2026 or early 2027), member states will have 12 months to transpose the changes. In practice, this means another round of amendments to national cybersecurity legislation, likely in 2027–2028.

For organizations currently implementing measures under existing law, the priority is clear: focus on current obligations. The move toward harmonized EU-level technical requirements should simplify cross-border compliance in the long run, particularly for companies operating in multiple member states.