On 20 January 2026, the European Commission submitted a proposal for a Directive amending Directive (EU) 2022/2555 as regards simplification measures and alignment with the Proposal for the Cybersecurity Act 2, including cybersecurity regulation. The proposed Directive would make a number of changes to Directive (EU) 2022/2555 (the NIS 2 Directive) by clarifying its scope and definitions. Specifically, the proposed amendment would remove the provision bringing domain name system service providers under the scope of NIS 2 and explicitly include providers of European Digital Identity Wallets and providers of European Business Wallets within its scope. The amendments would also update the criteria for Annex 1 type entities to be considered essential entities so that entities would have to exceed the ceilings for small mid-cap enterprises to be considered essential. Further, the proposal would reinforce cybersecurity risk-management measures, incident and ransomware reporting obligations, supply chain security requirements, and supervision of cross-border entities. It would introduce harmonised mechanisms for collecting information on ransomware incidents and provide for the adoption of implementing acts specifying technical and methodological cybersecurity requirements.