NIS2 in 2026: Cybersecurity Act 2 Arrives as Countries Race to Transpose
2026 is shaping up to be the year NIS2 gets real. Two major developments are reshaping the European cybersecurity landscape: the Cybersecurity Act 2 (CSA-2) proposal and the uneven pace of NIS2 transposition across EU member states. If you’re in scope for NIS2, this is the update you need.
Cybersecurity Act 2: What’s New
On January 20, 2026, the European Commission proposed the Cybersecurity Act 2 as part of a broader cybersecurity package. CSA-2 isn’t a replacement for NIS2 — it’s an amplifier.
Key Changes
- NIS2 simplification — CSA-2 aims to strengthen, operationalize, and simplify NIS2 compliance. The Commission acknowledged that 28,700 companies face NIS2 obligations, including 6,200 micro and small enterprises, and proposed targeted amendments to reduce complexity.
- Supply chain security redefined — CSA-2 explicitly addresses supply chain incidents caused by both criminal and state actors. Cybersecurity is now formally treated as part of hybrid conflict — a direct response to the geopolitical reality facing European organizations.
- ENISA’s expanded role — The European Union Agency for Cybersecurity gets new powers and responsibilities, including a reformed European cybersecurity certification framework.
- Non-technical risk — For the first time, critical sector regulations explicitly address non-technical risks (social engineering, insider threats, geopolitical dependencies) alongside traditional cyber threats.
What It Means for You
CSA-2 won’t change your NIS2 obligations overnight — it’s a proposal that needs to go through the legislative process. But it signals the direction: simpler rules, tougher enforcement, broader scope. Organizations that are already working on NIS2 compliance are well-positioned. Those that aren’t should consider CSA-2 as additional motivation to start.
NIS2 Transposition: Who’s Ready, Who’s Not
The deadline for EU member states to transpose NIS2 into national law was October 17, 2024. As of early 2026, the picture is mixed:
Countries That Have Transposed
Germany stands out as the most significant recent transposition. The NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) creates increased cybersecurity obligations across German businesses. Key points:
- Expanded scope: Thousands of additional German companies now fall under cybersecurity regulation
- BSI authority expanded: Germany’s Federal Office for Information Security gains new supervisory powers
- Supply chain obligations: German companies must assess and manage cybersecurity risks from their suppliers
- Management liability: Board members face personal accountability for cybersecurity measures
Other countries including Belgium, Croatia, Hungary, and Latvia have also completed transposition.
Countries Still Working
Several major EU economies are still in the process, creating uncertainty for organizations operating across borders. The European Commission has initiated infringement proceedings against countries that missed the October 2024 deadline.
2026: The First Operational Year
With transposition advancing and CSA-2 on the horizon, 2026 brings the first real operational deadlines:
| Timeframe | Milestone |
|---|---|
| Q1 2026 | Italy’s annual NIS2 registration window (Jan 1 - Feb 28) |
| Q1-Q2 2026 | First compliance audits begin in countries that transposed early |
| Throughout 2026 | Remaining member states expected to complete transposition |
| 2026-2027 | NIS2 audits become standard practice across the EU |
What Organizations Should Do Now
1. Check Your Country’s Status
NIS2 obligations become enforceable through national law. Check whether your member state has transposed NIS2 and what specific requirements apply. The ECSO NIS2 Transposition Tracker is a useful resource.
2. Don’t Wait for Perfect Legislation
If your country hasn’t transposed yet, don’t use that as an excuse to delay. NIS2’s requirements are clear in the directive itself. Start building your cybersecurity risk management framework, incident response capabilities, and supply chain assessments now.
3. Prepare for Audits
2026 will see the first NIS2 audits in transposed countries. Auditors will look for: documented risk management measures, incident response procedures (24h/72h/1 month), supply chain security assessments, management accountability evidence, and business continuity plans.
4. Watch CSA-2 Closely
The Cybersecurity Act 2 will simplify some NIS2 requirements but may also expand scope in certain areas. Track its progress through the legislative process and plan for adjustments.
Our Take
NIS2 is no longer theoretical. With Germany’s transposition, the first audits approaching, and CSA-2 adding momentum, 2026 is the year cybersecurity compliance becomes operational reality across Europe. Organizations that prepared are proving their readiness. Those that didn’t are running out of time.
Assess your NIS2 readiness with a free compliance evaluation on Metrica.uno — covering all ten minimum security measures.
Written by
Metrica.uno Team