2026-01-20

EU cybersecurity package proposes targeted NIS2 simplification while strengthening ENISA

Source: https://digital-strategy.ec.europa.eu/en/faqs/cybersecurity-package-questions-answers

EU cybersecurity package proposes targeted NIS2 simplification while strengthening ENISA

The European Commission proposed a new cybersecurity package on 20 January 2026 to strengthen EU cyber resilience while simplifying parts of the existing cybersecurity rulebook. The package includes targeted amendments to the NIS2 Directive and related measures concerning ENISA, the EU Agency for Cybersecurity.

The Commission presents the changes as a way to improve legal clarity, simplify compliance with cybersecurity risk-management requirements and reduce unnecessary administrative burden for companies operating in the EU. The package also reinforces ENISA’s role in areas such as operational cooperation, situational awareness, standards, certification and support for ransomware-related mitigation.

Organisations covered by NIS2 should not treat the proposal as a rollback of cybersecurity obligations. Instead, it points to a more implementation-focused phase in which scope, reporting, coordination and supervisory expectations may become more predictable. Cybersecurity, legal, risk and compliance teams should monitor the legislative process and assess whether proposed simplifications affect internal NIS2 implementation plans.

Why it matters

NIS2 applies to a broad range of essential and important entities across sectors such as energy, transport, health, digital infrastructure, ICT service management and public administration. Clarifications to the framework may affect how organisations classify themselves, structure risk-management measures and interact with competent authorities.

What to watch

The proposal still needs to move through the EU legislative process. Organisations should monitor the final text, related ENISA guidance and national implementation updates, especially where incident reporting, supply-chain security and supervisory coordination are affected.