As we move into 2026, the EU cybersecurity regulatory landscape continues to evolve rapidly. With NIS2 transposition gaining momentum across Member States and significant regulatory reforms on the horizon, organisations must stay ahead of compliance requirements. This update outlines key developments and practical steps to ensure your business remains compliant in an increasingly scrutinised regulatory environment.
NIS2 transposition is accelerating across the EU. Germany, Portugal and Austria have recently adopted national implementing legislation, whilst Spain, France and Poland are nearing completion of their transposition processes. Outside the EU, the UK and Serbia have enacted cybersecurity and resilience legislation that closely aligns with NIS2 and CER requirements.
We recommend monitoring our Bird & Bird NIS2 Directive implementation tracker (available here) to track EU developments.
Completion of national transpositions will help multinational companies map compliance requirements across Member States, tailor their compliance programmes accordingly, and implement the one-stop-shop mechanism for digital services (including cloud, managed ICT and online marketplace services).
The European Commission's Digital Omnibus package proposes to streamline incident reporting through a 'report once, share many' approach. This would establish a single incident reporting point covering the NIS2 Directive, GDPR, eIDAS, DORA and CER Directive, whilst repealing the incident reporting rules under the ePrivacy Directive. The single incident reporting point is expected to apply 18 months after the Digital Omnibus is adopted.
Further changes to the cybersecurity regulatory framework are expected through a separate proposal to revise the Cybersecurity Act, which establishes the EU’s cybersecurity certification framework for products and services. The proposal is scheduled for publication on 14 January 2026.
We recommend that clients prioritise cybersecurity compliance. Key compliance actions include:
Regulatory scrutiny and enforcement activity are expected to increase in 2026 as national implementation progresses.
Our upcoming Cyber Guide will provide a comprehensive overview of key cybersecurity requirements to help businesses stay compliant. Subscribe now to receive it as soon as it’s published.
Access our Cyber Hub here to explore all of our cybersecurity resources.