EU Cybersecurity Package Tightens NIS2 Rules for OT Vendors and Industrial Supply Chains

The EU's January 2026 cybersecurity package expands NIS2 to tighten OT vendor and supply chain obligations, with new CSA2 ICT risk rules and fines up to 7% of global turnover.

The European Commission's January 2026 cybersecurity package broadens the compliance burden under the NIS2 Directive, introducing new supply chain risk provisions and a proposed Cybersecurity Act 2 (CSA2) that directly affect operational technology (OT) vendors and industrial manufacturers operating across the EU.

Background

NIS2 came into force in January 2023, with member states required to transpose it into national law by 17 October 2024, after which it replaced its predecessor directive. An estimated 160,000 or more entities now fall in scope, up from roughly 10,000 under NIS1, making NIS2 compliance an operational priority well beyond traditional critical infrastructure sectors. In addition to energy, transport, healthcare, finance, and water management, the rules apply to critical product manufacturing, waste management, postal services, and public administration.

In Q2 2025, global cyberattacks rose approximately 21% compared to the same period the prior year, with Europe recording the highest region-level increase. According to ENISA, critical suppliers harbored 38% of identified supply chain vulnerabilities within NIS2-covered environments in 2024.

Details

On 20 January 2026, the European Commission announced a cybersecurity package composed of two parts: a proposal to replace the existing Cybersecurity Act 2019 with Cybersecurity Act 2 (CSA2), and a proposal to simplify NIS2 and align it with the proposed CSA2.

The proposed ICT supply chain framework under CSA2 targets non-technical risks in sectors of high criticality. Following a risk assessment, the Commission would gain authority to designate third countries as posing cybersecurity concerns, identify high-risk suppliers by reference to their relationship with such countries, and specify key ICT assets used in manufacturing or service provision by NIS2-covered entities. For businesses, this means new supply chain governance obligations and potential fines of up to 7% of total worldwide annual turnover for infringements, with high-risk suppliers potentially excluded from critical domains.

The January 2026 proposal aims to clarify NIS2's scope, harmonize technical measures, introduce certification-based compliance pathways, and strengthen cross-border supervision through an expanded role for ENISA. Businesses would be able to certify their broader cybersecurity posture as well as ICT products, services, and managed security services, using such certification to demonstrate legal compliance, including a presumption of compliance with NIS2.

For OT vendors and industrial suppliers, supply chain obligations under the existing NIS2 framework are already in effect in jurisdictions that have completed transposition. The requirement for in-scope entities to adopt measures ensuring the security of their immediate supply chain is one of the lesser-discussed aspects of the Directive, yet it could involve renegotiating supplier contracts, enhanced due diligence, and potentially replacing suppliers whose cybersecurity standards fall short. NIS2 requires procurement and vendor management processes to evolve, embedding security standards into contracts and requests for quotation (RFQs).

On incident reporting, IT service providers and supply chain partners must comply with NIS2's strict incident reporting requirements, including initial reporting within 24 hours and full incident disclosure within 72 hours. Meeting the 24/72-hour reporting window is practically impossible using only manual audits, particularly as legacy OT systems were built for availability rather than logging or alerting.

Article 20 of NIS2 introduces a governance requirement with no precedent in NIS1: management bodies of essential and important entities must approve cybersecurity risk-management measures, oversee their implementation, and can be held personally liable for infringements. According to a 2025 PwC survey, only 38% of boards across EU member states reported having received formal cybersecurity training, indicating a significant compliance gap.

Outlook

NIS2 enforcement is not uniform across all EU member states. While the directive entered into force in 2023, national transposition and supervisory activation have progressed at different speeds, making 2026 the point at which a critical mass of member states shifts from legal adoption to active enforcement. In May 2025, the EU Commission issued formal "reasoned opinions", legal warnings giving non-compliant member states a final chance to align with the Directive before referral to the Court of Justice of the European Union (CJEU).

The January 2026 amendments would also introduce a new "small mid-cap" enterprise category to lower compliance costs and strengthen ENISA's coordinating role, with member states having one year to transpose the amended provisions once adopted. From September 2026, the Cyber Resilience Act (CRA) begins to apply, imposing mandatory reporting of actively exploited vulnerabilities and serious cybersecurity incidents for products with digital elements. OT vendors supplying into EU industrial environments should expect an overlapping compliance landscape requiring coordinated action across NIS2, CSA2, and the CRA simultaneously.