The NIS2 Directive is now entering its enforcement phase across the EU, with national authorities in member states that have completed transposition beginning to prioritise audit schedules based on entity classifications. As of early 2026, approximately two-thirds of member states have transposed NIS2 into national law, with the remainder in advanced legislative stages — a mixed picture, given that the transposition deadline was 17 October 2024.
On 20 January 2026, the European Commission proposed targeted amendments to NIS2 as part of a broader cybersecurity package. The changes are designed to increase legal clarity and simplify compliance. Key proposals include bringing operators of submarine data transmission infrastructure within scope, removing entities involved solely in the distribution of chemicals (while retaining manufacturers and producers), and streamlining jurisdictional rules for cross-border supervision.
One notable addition is a ransomware-specific reporting requirement. Under the proposed amendments, companies reporting significant incidents linked to ransomware would be required to provide additional ransom-related details if requested — including whether a demand was received, whether a payment was made, and to whom. This reflects the growing regulatory view that ransomware is not merely a technical incident but a governance and disclosure issue.
The proposed amendments are expected to be adopted in late 2026 or early 2027, with a 12-month transposition period for member states thereafter. In the meantime, organisations classified as essential or important entities under NIS2 should be operationalising their risk management measures and incident notification procedures now, regardless of where their member state sits in the transposition timeline. The notification timeline under Article 23 of the current Directive is already fixed: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month. Entities that cannot yet meet those deadlines on a realistic tabletop scenario should treat that gap as their first remediation priority.
Acompli perspective: NIS2 enforcement and GDPR compliance are converging. A ransomware incident that triggers NIS2 reporting will almost certainly also require a breach assessment under the GDPR, and where personal data is affected, notification to the supervisory authority within 72 hours under Article 33. Regulators on both sides will expect coherent, timely, and well-documented responses, so the two notification workflows should draw on the same incident record rather than on separate accounts written under time pressure. Organisations that maintain integrated risk management frameworks covering both cybersecurity and data protection, with clear records of processing and mapped third-party dependencies, will be in a far stronger position when enforcement actions begin.
