On 20 January 2026, the European Commission published a new cybersecurity package that includes targeted amendments to the NIS 2 Directive. The stated goal: simplify compliance with EU cybersecurity rules and risk-management requirements for companies operating across the EU. The Commission estimates this will ease the burden for approximately 28,700 organizations, including 6,200 micro and small-sized enterprises.
Why This Matters Now
Since the October 2024 transposition deadline, organizations have been grappling with overlapping requirements across NIS 2, the Cyber Resilience Act (CRA), and national transposition laws that sometimes diverge from each other. The simplification package directly addresses this friction.
The package was published alongside a proposal for a revised Cybersecurity Act (strengthening ENISA and ICT supply chain certification) and an evaluation of ENISA's effectiveness. Together, they represent the most significant adjustment to the EU cybersecurity framework since NIS 2 itself.
What the Targeted Amendments Actually Do
The Commission's proposal focuses on three areas:
- Legal clarity on scope. The amendments clarify which entities fall under NIS 2 vs. sector-specific rules, reducing the "am I in scope?" confusion that has plagued many SMBs. If you've been uncertain whether your organization counts as "essential" or "important," this is directly relevant.
- Alignment with the Cybersecurity Act. Requirements are being harmonized so that a single set of risk-management measures covers obligations under both NIS 2 and the revised Cybersecurity Act. Less duplication means fewer compliance workstreams.
- Streamlined reporting. The amendments aim to reduce double-reporting where NIS 2 and other sector-specific regulations (e.g., DORA for financial services) require similar incident notifications. One report, properly routed, rather than multiple parallel submissions.
What Doesn't Change
It's important to be clear: the simplification package does not weaken NIS 2's core requirements. The fundamentals remain:
- Risk management measures are still mandatory
- Incident reporting timelines (24-hour early warning / 72-hour incident notification / final report within 1 month) remain unchanged
- Management body accountability under Article 20 still applies
- Supply chain security obligations under Article 21(2)(d) are intact
- Penalties of up to €10M or 2% of global annual turnover (the ceiling for essential entities) are not reduced
The amendments make the path to compliance cleaner — they don't make it optional.
What SMBs Should Do Now
The targeted amendments are still in the legislative process — they need European Parliament and Council approval. Realistically, final adoption is months away. In the meantime:
- Don't pause your compliance program. The core requirements aren't changing. Every measure you implement now will still count.
- Watch for scope clarifications. If you've been on the borderline of NIS 2 applicability, the new guidance on Article 3(4) and Article 4(1)/(2) may resolve your uncertainty.
- Consolidate your reporting processes. If you operate in a sector with overlapping regulations (finance, telecoms, energy), start designing a unified incident reporting workflow now.
The Bottom Line
The simplification package is a pragmatic response to the implementation reality: compliance is hard enough without fighting regulatory ambiguity. For SMBs that have been overwhelmed by the scope of NIS 2, this is encouraging — the Commission is actively making the rules more navigable without reducing their substance. Start now, and you'll be ahead when the simplified framework takes effect.