NIS2 Amendment 2026: What Changes to Your Cybersecurity Obligations Under the Digital Omnibus Package — Developer and CISO Guide
The European Commission published the Digital Omnibus Package proposal on January 20, 2026, containing the most substantial amendments to NIS2 Directive (EU) 2022/2555 since its adoption. The package bundles the NIS2 Amendment, the Cybersecurity Act 2 (CSA2) proposal (COM(2026)11), and adjustments to the Data Act and DORA — presenting developers and CISOs with a simultaneous compliance horizon shift across multiple regulatory frameworks.
The EDPB-EDPS issued Joint Opinion 4/2026 on March 18, 2026, broadly supporting the NIS2 Amendment while adding important conditions around ENISA's certification role. Trilogue negotiations between Parliament and Council are ongoing and expected to conclude Q3 2026, with application provisions extending into 2027 at the earliest.
The critical point for your June 30, 2026 audit preparation: the amendment does not apply yet. You must comply with the existing NIS2 Directive as it stands. But the amendment signals where enforcement is heading and which of your current preparations will map cleanly onto future obligations.
This guide covers what changes under the amendment, what stays the same, and how to structure your compliance work to be both June-30-audit-ready and amendment-future-proof.
What the Digital Omnibus Package Actually Proposes for NIS2
The Commission's stated goal in the package is reducing compliance fragmentation across cybersecurity frameworks while maintaining the security level NIS2 introduced. The three NIS2-specific changes with direct developer impact are:
1. New Small Mid-Cap Entity Category
The amendment introduces an intermediate category between "important entity" and the SME-exemption threshold. Under current NIS2, entities below 50 employees and €10M turnover are entirely exempt; entities at 50+ employees or €10M+ turnover become "important entities" subject to the full Art.21 security obligations.
The amendment creates a "Small Mid-Cap" category covering entities with fewer than 750 employees and turnover below €150M that were previously classified as "important entities." These entities would face a simplified Art.21 compliance path: abbreviated technical documentation, lighter-touch incident reporting templates, and extended timelines for implementing specific Art.21(2) sub-measures.
The amendment does not reduce the substantive security obligations — supply chain security (Art.21(2)(d)), incident handling (Art.21(2)(b)), and access control (Art.21(2)(i)) remain. It reduces the documentation burden and allows phased implementation timelines.
2. CSA2 Cybersecurity Certification as Art.21 Compliance Presumption
The most consequential change for SaaS providers is the mechanism by which Cybersecurity Act 2 (EU) 2026/11 certification creates a presumption of compliance with corresponding NIS2 Art.21 security measures.
Under the proposal, if ENISA develops a European Cybersecurity Certification Scheme (EUCS) specifically addressing Art.21 obligations — incident handling, supply chain security, encryption, access control — then entities certified under that scheme receive a rebuttable presumption that their Art.21 measures meet NIS2 requirements. NCAs would have to demonstrate the gap rather than entities having to prove compliance.
This is structurally similar to how GDPR-approved Codes of Conduct under Art.40 create compliance pathways for smaller controllers. The practical effect is that a certified SaaS provider serving essential entities could use that certification as primary compliance evidence in an NCA audit.
3. ISO 27001 Alignment via CSA2 Mapping
The amendment's CSA2 pathway addresses the ISO 27001 integration question that NIS2 left unanswered. ISO 27001:2022 covers many Art.21 sub-measures — risk analysis (Art.21(2)(a)), business continuity (Art.21(2)(c)), access control (Art.21(2)(i)), and secure development (Art.21(2)(e)). But NIS2 itself provides no mechanism for ISO 27001 certification to reduce the Art.21 audit burden.
The amendment proposes that ENISA develop EUCS schemes with explicit mapping to ISO 27001 controls. An EUCS-certified entity with ISO 27001 basis would have both certifications count toward Art.21 presumption. ENISA must publish the control mapping publicly.
The EDPB-EDPS Joint Opinion 4/2026 supported this direction but added a critical condition: any EUCS scheme that covers personal data processing must receive EDPB consultation before final adoption. This means schemes covering data protection aspects of Art.21(2)(i) (access control to personal data) or Art.21(2)(b) (incident handling involving personal data breaches) require EDPB sign-off before the presumption mechanism applies.
What Does Not Change: The June 30 Audit Still Applies to Existing NIS2
Before examining the amendment's implications, the baseline must be clear: the Digital Omnibus Amendment is not in force and will not be in force by June 30, 2026.
Trilogue conclusion is expected Q3 2026 at the earliest. After Trilogue, Parliament vote and Council adoption take a further 2–3 months. The amending regulation will then enter into force 20 days after publication in the Official Journal, followed by a transposition or application period that will almost certainly extend into 2027.
The June 30, 2026 date derives from implementation timelines established when NIS2 was transposed into national law in EU Member States (which were required to complete transposition by October 17, 2024). NCAs in most Member States have signalled that initial compliance assessments for essential and important entities will begin in H2 2026, with June 30, 2026 as the informal readiness checkpoint.
from dataclasses import dataclass, field
from enum import Enum
from datetime import date
class NIS2EntityCategory(Enum):
ESSENTIAL = "essential"
IMPORTANT = "important"
SMALL_MID_CAP = "small_mid_cap" # Proposed in amendment — not yet in force
EXEMPT = "exempt"
class NIS2CompliancePath(Enum):
FULL_ART21 = "full_art21"
SIMPLIFIED_ART21 = "simplified_art21" # Amendment Small Mid-Cap path
CSA2_PRESUMPTION = "csa2_presumption" # Amendment certification path
NOT_REQUIRED = "not_required"
@dataclass
class NIS2AmendmentEntityClassifier:
"""
Classifies a SaaS provider's NIS2 compliance obligations under:
(a) Current NIS2 Directive — applicable NOW for June 30 audit.
(b) Proposed Digital Omnibus Amendment — forward planning only.
"""
employee_count: int
annual_turnover_eur: float # millions
annual_balance_sheet_eur: float # millions
sector: str # e.g. "cloud_computing", "digital_infrastructure", "ict_service_management"
has_iso27001: bool = False
has_eucs_certification: bool = False # Not available until CSA2 enters force
def current_category(self) -> NIS2EntityCategory:
"""Classification under current NIS2 Directive (applicable NOW)."""
if self.employee_count < 50 and self.annual_turnover_eur < 10 and self.annual_balance_sheet_eur < 10:
return NIS2EntityCategory.EXEMPT
essential_sectors = {
"digital_infrastructure", # Art.3(1) Annex I
"ict_service_management", # Art.3(1) Annex I
}
important_sectors = {
"cloud_computing", # Art.3(2) Annex II
"managed_service_provider",
"managed_security_service_provider",
}
if self.sector in essential_sectors:
return NIS2EntityCategory.ESSENTIAL
if self.sector in important_sectors or (
self.employee_count >= 50 or self.annual_turnover_eur >= 10
):
return NIS2EntityCategory.IMPORTANT
return NIS2EntityCategory.EXEMPT
def proposed_category_under_amendment(self) -> NIS2EntityCategory:
"""
Classification under proposed Digital Omnibus Amendment.
NOT APPLICABLE UNTIL AMENDMENT ENTERS FORCE (earliest 2027).
"""
current = self.current_category()
if current == NIS2EntityCategory.IMPORTANT:
if self.employee_count < 750 and self.annual_turnover_eur < 150:
return NIS2EntityCategory.SMALL_MID_CAP
return current
def current_compliance_path(self) -> NIS2CompliancePath:
"""Current compliance path — applicable NOW."""
cat = self.current_category()
if cat == NIS2EntityCategory.EXEMPT:
return NIS2CompliancePath.NOT_REQUIRED
return NIS2CompliancePath.FULL_ART21
def proposed_compliance_path_under_amendment(self) -> NIS2CompliancePath:
"""
Proposed compliance path after amendment.
NOT APPLICABLE UNTIL AMENDMENT ENTERS FORCE.
"""
cat = self.proposed_category_under_amendment()
if cat == NIS2EntityCategory.EXEMPT:
return NIS2CompliancePath.NOT_REQUIRED
if cat == NIS2EntityCategory.SMALL_MID_CAP:
return NIS2CompliancePath.SIMPLIFIED_ART21
if self.has_eucs_certification:
return NIS2CompliancePath.CSA2_PRESUMPTION
return NIS2CompliancePath.FULL_ART21
def audit_readiness_june_2026(self) -> dict:
"""
Generates June 30, 2026 audit preparation status.
Based on CURRENT NIS2 only — amendment not applicable.
"""
current_path = self.current_compliance_path()
days_to_audit = (date(2026, 6, 30) - date.today()).days
return {
"current_category": self.current_category().value,
"current_compliance_path": current_path.value,
"june_2026_audit_required": current_path != NIS2CompliancePath.NOT_REQUIRED,
"days_to_june_30": days_to_audit,
"iso27001_applicable": self.has_iso27001,
"iso27001_as_legal_presumption": False, # Not available until CSA2 in force
"iso27001_as_audit_evidence": self.has_iso27001, # Useful but not binding
"amendment_will_apply_by_june_30": False, # Definitively: NO
"proposed_category_after_amendment": self.proposed_category_under_amendment().value,
"proposed_path_after_amendment": self.proposed_compliance_path_under_amendment().value,
}
Running this classifier on a typical SaaS provider scenario:
provider = NIS2AmendmentEntityClassifier(
employee_count=120,
annual_turnover_eur=18.0, # €18M
annual_balance_sheet_eur=12.0,
sector="cloud_computing",
has_iso27001=True,
has_eucs_certification=False,
)
status = provider.audit_readiness_june_2026()
# current_category: "important"
# current_compliance_path: "full_art21"
# june_2026_audit_required: True
# days_to_june_30: 65
# iso27001_as_legal_presumption: False ← certification path not yet available
# iso27001_as_audit_evidence: True ← useful but does not substitute Art.21 compliance
# amendment_will_apply_by_june_30: False
# proposed_category_after_amendment: "small_mid_cap"
# proposed_path_after_amendment: "simplified_art21"
This provider will qualify as Small Mid-Cap after the amendment, reducing documentation burden — but for June 30, the full Art.21 path applies.
The Six Art.21 Sub-Measures Most Affected by the Amendment
The NIS2 Amendment does not eliminate Art.21 obligations. It changes how compliance is demonstrated for certain sub-measures. Understanding which sub-measures are affected helps prioritise your current audit preparation.
| Art.21 Sub-Measure | Current NIS2 | Amendment Change | ISO 27001 Mapping |
|---|---|---|---|
| Art.21(2)(a) Risk analysis and IS policies | Full documentation required | Small Mid-Cap: abbreviated policy template | ISO/IEC 27001 Clause 6.1, Annex A 5.1 |
| Art.21(2)(b) Incident handling | Art.23 notification + internal procedure | EUCS certification covers if scheme includes incident handling | ISO/IEC 27001 Annex A 5.24–5.28 |
| Art.21(2)(c) Business continuity | BCP + DRP documentation | Small Mid-Cap: lighter-touch BCP | ISO/IEC 22301 (by reference via EUCS mapping) |
| Art.21(2)(d) Supply chain security | Supplier assessment + policies | No simplification — remains full obligation | ISO/IEC 27001 Annex A 5.19–5.22 |
| Art.21(2)(e) Secure development | SDL documentation | EUCS certification path available | ISO/IEC 27001 Annex A 8.25–8.32 |
| Art.21(2)(i) Access control | Policy + MFA documentation | EUCS path if scheme covers access control | ISO/IEC 27001 Annex A 5.15–5.18 |
Note on Art.21(2)(d): Supply chain security receives no simplification in the amendment for any entity category. This aligns with ENISA NCAF 2.0 findings showing supply chain as the most widespread NCA capability gap — enforcement pressure on Art.21(2)(d) is increasing, not decreasing.
What CSA2 Certification Actually Provides — And When
The CSA2 mechanism works as follows under the proposal:
Step 1 — ENISA develops a EUCS scheme with Art.21 mapping. ENISA must publish a scheme specifically addressing NIS2 Art.21 obligations, with explicit control mapping to Art.21(2) sub-measures. This requires an ENISA work programme item, public consultation, and EDPB consultation for any scheme elements touching personal data.
Step 2 — Commission adopts the scheme as an implementing act. The Commission issues an implementing regulation specifying which EUCS scheme at which assurance level creates which Art.21 presumption.
Step 3 — Entity obtains EUCS certification. An accredited conformity assessment body certifies the entity against the scheme. Certification is time-limited (typically 2–3 years) and scope-limited.
Step 4 — Presumption applies in NCA audit. The certified entity presents the certificate. The NCA can still audit, but must identify a specific gap not covered by the scheme — the burden shifts.
The realistic timeline for Step 1 through Step 4 to be available for SaaS providers:
- Trilogue conclusion CSA2: Q3 2026 (expected)
- CSA2 enters into force: Q4 2026 (after OJ publication)
- ENISA scheme development for NIS2 Art.21 mapping: 12–18 months after CSA2 in force
- First EUCS certificates issued under Art.21-mapping scheme: 2028 at earliest
For your June 30, 2026 audit and for any 2026/2027 NCA supervision action, the CSA2 presumption mechanism does not exist. Plan for EUCS as a 2028+ efficiency tool, not a current compliance shortcut.
The EDPB Joint Opinion 4/2026 and What It Means for Developer Teams
The EDPB-EDPS Joint Opinion 4/2026 of March 18, 2026 introduced two conditions that are directly relevant to SaaS providers building personal-data-processing infrastructure:
Condition 1: ENISA must consult EDPB before adopting any EUCS scheme covering personal data processing. This means cybersecurity certification schemes for Art.21(2)(b) incident handling (which routinely involves personal data breach notifications) and Art.21(2)(i) access control (which covers personal data access) require EDPB input before they create Art.21 presumption. The Joint Opinion explicitly states that a EUCS scheme cannot override GDPR accountability requirements.
Condition 2: CSA2 certification may serve as evidence of GDPR Art.32 technical measures compliance. The EDPB supported the principle that a EUCS cybersecurity certification could, if the scheme explicitly addresses personal data processing, provide evidence that the entity implemented "appropriate technical and organisational measures" under GDPR Art.32(1). This is not a formal GDPR adequacy finding — it is evidentiary weight in a DPA audit.
The practical implication for developer teams:
@dataclass
class GDPRNis2OverlapArea:
"""Identifies where Art.21 measures overlap with GDPR Art.32 and CSA2 can serve dual purpose."""
measure: str
nis2_article: str
gdpr_article: str
csa2_dual_purpose: bool # If True, future EUCS cert covers both
edpb_consultation_required: bool # EDPB must review this scheme element
OVERLAP_AREAS = [
GDPRNis2OverlapArea(
measure="Incident handling and personal data breach notification",
nis2_article="Art.21(2)(b) + Art.23",
gdpr_article="Art.32(1) + Art.33-34",
csa2_dual_purpose=True,
edpb_consultation_required=True, # Personal data breach handling
),
GDPRNis2OverlapArea(
measure="Access control and authentication for personal data systems",
nis2_article="Art.21(2)(i)",
gdpr_article="Art.32(1)(b) pseudonymisation + Art.25 DPbD",
csa2_dual_purpose=True,
edpb_consultation_required=True, # Personal data access controls
),
GDPRNis2OverlapArea(
measure="Supply chain security for sub-processors",
nis2_article="Art.21(2)(d)",
gdpr_article="Art.28(1) processor requirements",
csa2_dual_purpose=False, # GDPR Art.28 contractual — not certifiable as single standard
edpb_consultation_required=False,
),
GDPRNis2OverlapArea(
measure="Cryptography and encryption policies",
nis2_article="Art.21(2)(h)",
gdpr_article="Art.32(1)(a) encryption",
csa2_dual_purpose=True,
edpb_consultation_required=False, # Does not directly process personal data
),
GDPRNis2OverlapArea(
measure="Secure development lifecycle",
nis2_article="Art.21(2)(e)",
gdpr_article="Art.25(1) DPbD",
csa2_dual_purpose=True,
edpb_consultation_required=False,
),
]
If you are building compliance documentation now, structure your GDPR Art.32 technical measures documentation to align with Art.21 sub-measures. When EUCS schemes arrive in 2028, dual-purpose certification becomes immediately applicable to the overlap areas.
What Changes in Scope: Mapping NIS2 Annex I and II to the Amendment
NIS2 Annex I (essential entities) and Annex II (important entities) remain the same in the amendment — the sector lists are not modified. The amendment changes the within-sector classification by introducing the Small Mid-Cap threshold.
The sectors most affected by the Small Mid-Cap change are cloud computing, managed service providers, and digital marketplaces — Annex II sectors where a significant number of entities are mid-sized businesses rather than large enterprises.
Under the current NIS2, a cloud computing provider with 200 employees and €25M annual turnover is an "important entity" with the same full Art.21 obligations as a €5B platform provider. Under the amendment, that same 200-employee provider qualifies as Small Mid-Cap, accessing the simplified Art.21 path.
The amendment does not change the boundary between "essential" and "important" entities. DNS infrastructure providers, TLD registry operators, and cloud computing providers that are designated as essential under Art.3(1) (typically the largest operators in each sector) retain full Art.21 obligations with no Small Mid-Cap simplification available.
| Provider Type | Current NIS2 Category | Amendment Category | Obligation Change |
|---|---|---|---|
| DNS resolver, 50 employees, €8M turnover | Important entity | Exempt | Full exemption if below revised SME threshold |
| Cloud provider, 200 employees, €25M turnover | Important entity | Small Mid-Cap | Simplified Art.21 path |
| Cloud provider, 1,200 employees, €180M turnover | Important entity | Important entity | No change — above Small Mid-Cap threshold |
| Digital marketplace, 600 employees, €120M turnover | Important entity | Small Mid-Cap | Simplified Art.21 path |
| TLD registry, 80 employees, €30M turnover | Essential entity | Essential entity | No change — essential classification overrides Small Mid-Cap |
Cross-Border Coordination: ENISA's Enhanced Role
The NIS2 Amendment grants ENISA two new coordination powers that directly affect how multi-country incidents are handled:
Enhanced Art.14 CyCLONe powers: ENISA receives explicit authority to coordinate operational responses when a cross-border incident affects essential entities in more than two Member States. Currently, CyCLONe (Cyber Crises Liaison Organisation Network) operates on a voluntary intergovernmental basis; the amendment formalises ENISA's convening and coordination function.
Harmonised Art.23 reporting templates: ENISA is mandated to develop standardised incident reporting templates under Art.23 that all Member States must accept. Currently, NCAs use divergent reporting formats. Under the amendment, a single incident affecting infrastructure in Germany, France, and Poland requires only one report in ENISA's standardised format, which ENISA distributes to all three NCAs.
The second change has practical value for SaaS providers operating cross-EU infrastructure. A security incident today requires coordinating separate Art.23 reports to each NCA in each affected Member State — different deadlines, different required fields, different severity classification thresholds. The harmonised template reduces this to one report and one timeline.
Until the amendment enters force, you must comply with national Art.23 transposition requirements in each Member State where you are established or have designated representatives.
Preparing Now: What to Do Before June 30 Without Waiting for the Amendment
The amendment's Trilogue conclusion and entry into force will not occur before your June 30, 2026 audit checkpoint. Your current preparation priorities:
Priority 1: Art.21(2)(a) — Document Risk Analysis Under Current NIS2
Prepare an IS Risk Analysis document that covers:
- Scope statement (which systems, which data, which services are in scope)
- Threat catalogue with NIS2-relevant threats (ransomware, supply chain compromise, DDoS, insider threat)
- Impact assessment for each threat
- Existing control mapping (what controls address each threat)
- Residual risk acceptance
Do not wait for a EUCS scheme to standardise this format. NCAs will accept any structured risk analysis that demonstrates systematic treatment of Art.21(2)(a) risks. ISO 27001 risk assessment methodology (Clause 6.1) is a well-understood framework that maps cleanly.
Priority 2: Art.21(2)(d) — Supply Chain Security Assessment (No Simplification Coming)
Art.21(2)(d) supply chain security has no simplification in the amendment and represents the highest enforcement concentration area based on ENISA NCAF 2.0 findings. Complete this before anything else:
- Inventory of critical suppliers (IaaS, DNS, CDN, authentication, monitoring)
- Contractual cybersecurity requirements (supplier security clauses)
- Evidence of supplier due diligence (security questionnaires, certifications, SOC 2 reports)
- Incident notification requirements in supplier contracts
This documentation must exist for June 30. No future EUCS shortcut addresses this obligation.
Priority 3: Art.21(2)(b) — Incident Handling Procedure
Document a written incident handling procedure covering:
- Detection and logging (who receives alerts, what monitoring covers)
- Triage and severity classification (thresholds for Art.23 notification)
- Containment and recovery steps
- Art.23 notification trigger assessment (significant incidents within 24h early warning, 72h notification)
- Post-incident review process
Priority 4: Corporate Governance Documentation for Art.9
Art.9 NIS2 requires management bodies to approve cybersecurity risk management measures and oversee their implementation. Management body members must undergo cybersecurity training.
Document:
- Board/management body resolution approving the cybersecurity risk management framework
- Training records for management members (date, content, provider)
- Accountability assignment for NIS2 compliance oversight
The amendment does not change Art.9 obligations. This is a current requirement many important entities have not yet formalised.
The June 30 Documentation Minimum Set
Based on NCA guidance from Germany (BSI), France (ANSSI), and the Netherlands (NCSC-NL) published through Q1 2026, the following documentation constitutes the minimum expected for an important entity audit checkpoint:
from dataclasses import dataclass
@dataclass
class NIS2AuditDocumentationItem:
document: str
art21_reference: str
current_nis2_required: bool
amendment_simplified_for_small_mid_cap: bool
deadline: str
JUNE_30_MINIMUM_SET = [
NIS2AuditDocumentationItem(
document="IS Risk Analysis (structured, current)",
art21_reference="Art.21(2)(a)",
current_nis2_required=True,
amendment_simplified_for_small_mid_cap=True,
deadline="2026-06-30",
),
NIS2AuditDocumentationItem(
document="Information Security Policy (approved by management body)",
art21_reference="Art.21(2)(a) + Art.9",
current_nis2_required=True,
amendment_simplified_for_small_mid_cap=True,
deadline="2026-06-30",
),
NIS2AuditDocumentationItem(
document="Incident Handling Procedure (written, with Art.23 trigger matrix)",
art21_reference="Art.21(2)(b)",
current_nis2_required=True,
amendment_simplified_for_small_mid_cap=False,
deadline="2026-06-30",
),
NIS2AuditDocumentationItem(
document="Business Continuity Plan (BCP) and Disaster Recovery Procedure",
art21_reference="Art.21(2)(c)",
current_nis2_required=True,
amendment_simplified_for_small_mid_cap=True,
deadline="2026-06-30",
),
NIS2AuditDocumentationItem(
document="Critical Supplier Register with Security Assessment",
art21_reference="Art.21(2)(d)",
current_nis2_required=True,
amendment_simplified_for_small_mid_cap=False,
deadline="2026-06-30", # No simplification — highest enforcement priority
),
NIS2AuditDocumentationItem(
document="Secure Development Lifecycle (SDL) Policy",
art21_reference="Art.21(2)(e)",
current_nis2_required=True,
amendment_simplified_for_small_mid_cap=True,
deadline="2026-06-30",
),
NIS2AuditDocumentationItem(
document="Cryptography and Key Management Policy",
art21_reference="Art.21(2)(h)",
current_nis2_required=True,
amendment_simplified_for_small_mid_cap=True,
deadline="2026-06-30",
),
NIS2AuditDocumentationItem(
document="Access Control Policy with MFA evidence",
art21_reference="Art.21(2)(i)",
current_nis2_required=True,
amendment_simplified_for_small_mid_cap=True,
deadline="2026-06-30",
),
NIS2AuditDocumentationItem(
document="Management Body Training Records (cybersecurity)",
art21_reference="Art.9(4)",
current_nis2_required=True,
amendment_simplified_for_small_mid_cap=False,
deadline="2026-06-30",
),
NIS2AuditDocumentationItem(
document="NCA Registration Confirmation (if applicable)",
art21_reference="Art.3(4)",
current_nis2_required=True,
amendment_simplified_for_small_mid_cap=False,
deadline="2026-06-30",
),
]
# Items that will simplify for Small Mid-Cap after amendment
simplified_count = sum(1 for item in JUNE_30_MINIMUM_SET if item.amendment_simplified_for_small_mid_cap)
required_now = sum(1 for item in JUNE_30_MINIMUM_SET if item.current_nis2_required)
print(f"All {required_now} items required now under current NIS2.")
print(f"After amendment, {simplified_count} items simplify for Small Mid-Cap entities.")
print("Art.21(2)(d) supply chain and Art.23 incident handling: NO simplification for any category.")
How ISO 27001 Helps Today
ISO 27001 does not create a legal presumption under the current NIS2 Directive. It cannot substitute for Art.21 compliance. What it does provide:
As audit evidence: NCA auditors treat ISO 27001 certification as evidence that systematic controls exist for the covered scope. A certified entity is unlikely to have zero documentation for Art.21(2)(a), (e), (h), or (i). The certificate shows a conformity assessment body has reviewed the ISMS — useful supporting evidence.
As a documentation framework: ISO 27001's structure (Statement of Applicability, risk treatment plan, control evidence) directly maps to the NIS2 Art.21 documentation minimum set. Building your NIS2 compliance documentation within an ISO 27001 framework now creates dual-purpose documentation that will be fully reusable when the EUCS certification path arrives.
Scope limitation warning: ISO 27001 is typically scoped to part of the organisation's operations. Verify your certification scope covers the systems and services that fall under NIS2 classification. A certificate scoped to "internal IT systems only" may not cover the cloud infrastructure services that constitute your NIS2 important entity classification.
NIS2 Amendment Timeline for Planning
| Milestone | Expected Date | Applicability |
|---|---|---|
| Digital Omnibus Package published (COM(2026)) | January 20, 2026 | Reference document only |
| EDPB-EDPS Joint Opinion 4/2026 | March 18, 2026 | Signals EDPB EUCS conditions |
| Trilogue conclusion (Parliament + Council) | Q3 2026 (expected) | Still proposal at that point |
| OJ publication of amending regulation | Q4 2026 / Q1 2027 (expected) | Enters into force 20 days after publication |
| Transposition / application period | 12–18 months post-OJ (estimated) | Earliest full applicability: 2027–2028 |
| ENISA EUCS Art.21 scheme development | 12–18 months post-CSA2 in force | Earliest: 2028 |
| First EUCS certifications covering Art.21 | 2028 at earliest | Earliest: 2028 |
20-Item NIS2 Amendment Readiness Checklist
Understanding the Amendment (4 Items)
- Confirm your entity classification under current NIS2 (essential / important / exempt) — do not apply the Small Mid-Cap category yet
- Identify whether you would qualify as Small Mid-Cap under the amendment (below 750 employees AND below €150M turnover)
- Confirm that no EUCS Art.21 scheme exists yet — do not defer current compliance work pending certification path
- Check which Member States you are required to register in and verify NCA registration status
Art.21(2)(a) Risk Analysis (3 Items)
- Complete a structured IS risk analysis covering all systems in NIS2 scope
- Map identified risks to Art.21(2) sub-measures to confirm control coverage
- Obtain management body formal approval of the risk analysis and resulting policy framework
Art.21(2)(d) Supply Chain — No Simplification Planned (4 Items)
- Maintain a register of all critical suppliers (IaaS, DNS, CDN, authentication, monitoring, payment processing)
- Implement cybersecurity requirements in supplier contracts (minimum: incident notification, security standards, audit rights)
- Complete security due diligence review for each critical supplier (questionnaire response, certifications, SOC 2 Type II)
- Establish a process for supplier security incident escalation to your own Art.23 notification assessment
Art.21(2)(b) Incident Handling + Art.23 Notification (3 Items)
- Document a written incident handling procedure with defined roles
- Define an Art.23 significance assessment matrix (thresholds for early warning ≤24h, notification ≤72h, final report ≤1 month)
- Verify you have the NCA contact details for Art.23 notifications in each Member State you are registered in
Future-Proofing for the Amendment (3 Items)
- Structure your Art.21 documentation framework to align with ISO 27001 controls (enables future EUCS dual-purpose certification)
- Track Trilogue developments and flag when the amending regulation is published in the Official Journal — transition planning starts then
- Identify which Art.21 sub-measures would be simplified for your entity under the Small Mid-Cap path — prioritise the non-simplified ones (supply chain, incident handling) for deepest current investment
Art.9 Management Body (3 Items)
- Obtain a formal management body resolution approving the NIS2 cybersecurity risk management framework
- Document cybersecurity training completion records for all management body members
- Designate a named individual responsible for NIS2 compliance and NCA liaison
See Also
- NIS2 Art.13-16: Management of Cybersecurity Risks and Proportionality
- NIS2 Art.9-12: Governance, Expert Bodies, and Union Support Network
- NIS2 Art.17-21: Reporting Obligations, Chain Incidents, and Security Measures
- NIS2 Art.21(2)(d): Supply Chain Security Requirements for SaaS Providers
- ENISA NCAF 2.0 and NIS2 Article 19 Peer Reviews
- EU Cybersecurity Act 2.0: ICT Supply Chain Certification Developer Guide