

POSITION | DIGITAL POLICY | CYBERSECURITY

NIS 2 – Amending Directive

German Industry’s Position on the European Commission’s Proposal amending Directive (EU) 2022/2555 as regards simplification measures and alignment with the Cybersecurity Act 2

20 April 2026

Executive Summary

German industry welcomes the European Commission’s aim to significantly strengthen Europe’s cyber-resilience and to create a level playing field for essential and important entities across the European Union. Cyber and IT security are the basis for a long-term secure digital transformation of the state, economy and society. All those involved – from hardware and software manufacturers to commercial operators, private users and government agencies – must be actively and holistically involved in strengthening Europe’s cyber-resilience. German industry will continue to make its contribution to this, because a high degree of cyber-resilience is a basic prerequisite for the trouble-free functioning of highly digitalised processes in companies.

Policy Recommendations

The European Commission’s proposal for amending Directive (EU) 2022/2555 represents a constructive step towards improving the current regulatory framework. It introduces important clarifications and promotes a more consistent approach. At the same time, several issues continue to create uncertainty or impose disproportionate obligations on entities. To fully achieve its objectives, further adjustments are needed, such as introducing maximum harmonisation for incident reporting thresholds and timelines, ensuring consistent application of the main establishment principle, enhancing the proposed framework for collecting data on ransomware attacks, introducing more robust liability protection for entities, and maintaining the voluntary nature of European Cybersecurity Certification Schemes. Furthermore, it would be appreciated if the EU would streamline the requirements emanating from NIS 2, the Cyber Resilience Act (CRA) and the Resilience of Critical Entities Directive so that obligations for companies are clear and duplicative reporting to different government bodies is avoided.

In addition, German industry would appreciate if the co-legislators were to adopt the following targeted changes to the proposal:

Amendment to Art. 3(1) (Essential and important entities)

German industry supports the introduction of the new category of small mid-cap enterprises and the respective higher threshold for entities falling within the scope of NIS 2. While this increases proportionality, we call for a more risk-based differentiation between essential and important entities to better reflect criticality and reduce unnecessary compliance burdens.

Amendment to Art. 7 (2) (National cybersecurity strategy)

The proposal requires Member States to address the transition to post-quantum cryptography (PQC) within their national cybersecurity strategies, considering Union timelines and relevant legal and policy requirements. German industry supports the objective of preparing for the transition to PQC, as strong cryptography is essential for trust in digital communications and services. However, existing cryptographic requirements are still being implemented. The priority should therefore be the consistent application of current rules before introducing additional obligations.

Amendment to Art. 21 (5) (Cybersecurity risk-management measures)

The proposal requires the Commission to regularly assess whether implementing acts are necessary to define specific technical, methodological, or sectoral cybersecurity risk-management requirements, particularly for cross-border sectors and entities. It explicitly mandates an open, transparent and inclusive consultation process with stakeholders and introduces maximum harmonisation by preventing Member States from adopting additional national requirements once such acts are in place. German industry welcomes the commitment to an open, transparent and inclusive consultation process. It also strongly supports the provision preventing Member States from introducing additional national requirements once implementing acts are adopted, as harmonised rules reduce implementation costs.

Amendment to Art. 21 (5) ENISA and its role for cross-border companies

In the proposal for the amending directive, it is stated that ENISA will receive more power, especially regarding the steering and supervision of cross-border entities. This can be quite critical. It is acceptable when ENISA merely coordinates and works toward harmonisation of legislative and NIS 2 requirements for the affected companies. However, if the entities need to comply with both national government bodies and ENISA, this would significantly increase the regulatory burden for affected entities. The roles of ENISA and of the national government bodies should therefore be clearly defined.

Amendment to Art. 24 (4–6) (Use of cybersecurity certification schemes)

The amendment calls for a pragmatic use of cybersecurity certification schemes to demonstrate compliance with NIS 2 obligations. German industry is open to certification as a compliance tool. However, the use of such schemes should remain voluntary. A voluntary approach allows organizations to choose the compliance pathway that best fits their size, sector, and risk profile, ensuring that certification is adopted where it offers clear added value. It will also avoid creating duplicative obligations for companies that already adhere to well established standards such as ISO 27001 and operate under existing assurance schemes that support compliance with the NIS 2 Directive. If Member States can make these schemes mandatory, these organizations would face additional administrative effort without a corresponding security benefit.

In detail discussion of selected Articles from the EU Commission’s proposal for a NIS 2 amending Directive

Ensuring a high level of cyber-resilience across the European Union remains of central importance considering the increasing interconnections between sectors, actors and along supply chains. At the same time, companies should be able to invest scarce financial and human resources into increasing their cyber-resilience rather than in exuberant bureaucratic requirements. Against this background, German industry welcomes the European Commission’s proposal to amend Directive (EU) 2022/2555, aimed at introducing targeted simplifications, clarifications and greater consistency within the existing NIS 2 framework. The proposed amendments have the potential to enhance legal certainty, support more coherent implementation, and reduce unnecessary regulatory complexity. At the same time, it remains essential to maintain an appropriate balance between strengthening cyber-resilience and ensuring that the resulting obligations remain proportionate and feasible for companies.

German industry would appreciate if the co-legislators would consider our remarks during the legislative process.

Amendment to Art. 2 (2) (Scope) – providers of European Digital Identity Wallets and providers of European Business Wallets

Summary of legislative proposal

Under the proposed amendment, providers of European Digital Identity Wallets and providers of European Business Wallets would be newly included regardless of size and would be categorized as essential entities.

Furthermore, unchanged by the proposed amendment, this Directive would continue to apply, regardless of size, to entities of a type listed in Annex I or II, where services are provided by providers of public electronic communications networks or publicly available electronic communication services, trust service providers and top-level domain name registries.

In addition, owners, managers and operators of strategic dual-use infrastructure are newly included, regardless of size. By contrast, DNS service providers are no longer automatically within scope regardless of their size.

BDI’s position:

German industry supports the inclusion of providers of European Digital Identity Wallets and European Business Wallets within the scope of the NIS 2 Directive, as these wallets are a central pillar of Europe’s digital trust infrastructure. However, it is crucial to ensure that the eIDAS 2 Regulation, Regulation to establish European Business Wallets, and the Directive amending the NIS 2 Directive do not result in overlapping or duplicative regulatory requirements.

Amendment to Art. 2 (2) (Scope) – submarine data transmission infrastructure

Summary of legislative proposal

The amendment expands the scope of entities covered in Annex I under digital infrastructure by adding operators of submarine data transmission infrastructure. It clarifies that operators of such infrastructure are included where they are not already covered under another entity category listed in the Annex.

BDI’s position:

German industry supports the inclusion of operators of submarine data transmission infrastructure in the scope of the NIS 2 Directive, since about 99 per cent of all international data traffic is transmitted through submarine data cables. These cables therefore play a critical role for global connectivity and economic activities across sectors. German industry highlights that submarine data transmission infrastructure is exposed not only to cyber risks but also to physical threats, including sabotage. At the same time, German industry underlines that NIS 2 should remain focused on cyber risk-management and should not be used to introduce de facto physical security or defence-related obligations for submarine cable infrastructure. The protection of submarine cables against physical threats should be addressed through appropriate maritime, security and defence frameworks, with clear allocation of responsibilities and avoidance of duplicative or overlapping regulatory requirements. In addition, any cybersecurity obligations applicable to submarine data transmission infrastructure should be proportionate and reflect the specific role of the entity concerned (e.g. owner, operator, consortium participant), as well as the inherently cross-border nature of such infrastructure. It is therefore essential that risks related to physical attacks are addressed through appropriate measures beyond the scope of NIS 2.

Amendment to Art. 2 (2) (Scope) – dual-use infrastructure

Summary of legislative proposal

Owners, managers and operators of strategic dual-use infrastructure, as defined under the relevant EU framework, are newly brought into the scope of the Directive regardless of size.

BDI’s position:

German industry welcomes the inclusion of dual-use infrastructure within the scope of the amended NIS 2 Directive. Recognizing dual-use infrastructure under the framework strengthens the overall resilience of critical systems and contributes to a higher level of cybersecurity across the EU. This step is an important signal for enhancing the protection of strategically relevant infrastructure in an increasingly complex threat environment.

Amendment to Art. 3 (1) (Essential and important entities)

Summary of legislative proposal:

Under the proposed amendment, thresholds would be raised from medium-sized entities to small mid-caps. Annex I and II entities, with certain exemptions, would fall under the NIS 2 Directive if they are of small mid-cap size or above. Annex I entities that exceed the ceilings for small mid-cap enterprises would be classified as essential entities. Annex I entities that qualify as small mid-cap enterprises would, as a rule, be classified as important entities. Moreover, Annex II entities which fall under the scope of NIS 2 would be classified as important entities.

BDI’s position:

German industry supports raising the threshold for essential and important entities from medium-sized entities to small mid-caps. This approach contributes to a more proportionate application of the NIS 2 framework. It helps to reduce administrative and compliance burdens for smaller and medium-sized entities, as these often lack the necessary financial resources and capabilities to fulfil the extensive obligations stipulated in the NIS 2 Directive.

At the same time, the current proposal still does not sufficiently distinguish between essential and important entities regarding the requirements they are expected to fulfil. Both categories would still be subject to largely identical measures, regardless of their actual risk profile or criticality. German industry advocates a risk-based approach that requires all companies to ensure a level of cyber-resilience adequate to their potential risk for society and within supply chains.

Amendment to Art. 3 (4) (Essential and important entities)

Summary of legislative proposal:

The amendment replaces the existing provision on the information that entities must submit to competent authorities. Entities are required to provide their name, as well as information on their sector, subsector and type of entity as referred to in Annex I or II, where applicable. The amendment specifies address requirements by distinguishing between the address of the entity, the address of its main establishment and other legal establishments in the Union, or, for entities not established in the Union, the address of the designated representative. It expands the required contact details to include email addresses, telephone numbers, the unique identifier, and digital addresses of the European Business Wallet, where applicable, as well as contact details of the designated representative. Entities must also indicate the Member States in which they provide services and submit their IP ranges.

BDI’s position:

German industry welcomes the clarification of the information requirements for essential and important entities under Article 3 (4). Clear and well-defined information obligations can increase legal certainty and make implementation easier for companies. At the same time, the collection and submission of information must be organized efficiently and must not create unnecessary administrative work.

However, the collection of entity-specific information for the purpose of establishing such a list can itself create cybersecurity risks. It is therefore important that all information submitted is managed with a high level of confidentiality. Appropriate technical and organizational measures, including effective cybersecurity safeguards, such as encryption, must be used to protect the information contained in such a list.

Amendment to Art. 7 (2) (National cybersecurity strategy)

Summary of legislative proposal:

Member States are required to address the transition to post-quantum cryptography, considering transition timelines and relevant requirements set out in applicable Union legal acts and policies.

BDI’s position:

Cryptographic methods strengthen trust in digital communication tools such as e-mail and messenger services. Therefore, German industry supports the objective of preparing the transition to post-quantum cryptography. At the same time, it should be considered that requirements on cryptography already exist and are still in the process of being implemented. It is paramount that national cybersecurity strategies are not mere statements of intention but are acted upon. Accordingly, the focus should be on the consistent implementation of existing rules before introducing additional requirements.

Amendment to Art. 21 (5) (Cybersecurity risk-management measures)

Summary of legislative proposal:

The amendments to Article 21 (5) require the Commission to regularly assess whether it should adopt implementing acts that set technical, methodological or sector-specific requirements for certain sectors or types of entities to improve the functioning of the internal market. The Commission shall focus on the cross-border nature of the sectors and types of entities concerned and shall carry out an open, transparent and inclusive consultation process with relevant stakeholders and Member States.

The amendment also provides that, once the Commission adopts implementing acts under Article 21(5), Member States may not introduce further national technical, methodological or sector-specific requirements covering the same cybersecurity risk-management measures for entities within the scope of those acts.

BDI’s position:

German industry welcomes the explicit commitment to an open, transparent, and inclusive consultation with relevant stakeholders. Early and structured engagement with industry is a necessary precondition for the development of practical rules that reflect technologically feasible options and consider the risk environment. It is therefore crucial that the consultation process is conducted in a genuinely transparent manner and that stakeholder input is meaningfully reflected in the preparation of implementing acts.

Moreover, the provision preventing Member States from introducing additional national technical, methodological, or sector-specific requirements once implementing acts have been adopted is particularly important. Especially those entities operating in more than one Member State benefit from harmonized cybersecurity requirements as this reduces implementation costs by reducing regulatory fragmentation.

Amendment to Art. 23 (12) and (13) (Reporting obligations)

Summary of legislative proposal:

The amendment specifies the information to be reported in relation to ransomware incidents and the circumstances under which additional details must be provided to authorities. It requires that EU Implementing Acts on incident reporting include basic information on ransomware attacks, namely whether an attack was detected, how it was carried out, and whether mitigation measures were taken. In cases of significant ransomware incidents, entities must also provide further information upon request of the CSIRT or the competent authority. This includes whether a ransom demand was received, and, if a ransom was paid, details on the amount, the means of payment and the recipient, including the use of crypto-assets and related service providers where applicable.

BDI’s position:

German industry recognizes the importance of timely and meaningful reporting of ransomware incidents. However, the reporting timelines set out in Article 23 (4) raise practical concerns. In the early phase of a ransomware incident, companies need to focus primarily on containing the incident, restoring systems and ensuring business continuity. Very short reporting deadlines, in particular the 24-hour early warning and the subsequent reporting obligations, risk diverting critical time and resources away from incident response and forensic analysis. Reporting requirements and timelines should therefore be realistic and allow companies sufficient time to assess the incident and provide accurate and reliable information. To this end, entities require an efficient reporting channel and a minimum reporting period of at least 72 hours. A final report should only be required once the forensic analysis has been completed and the measures necessary to restore systems and ensure business continuity have been implemented. In addition, for entities to report ransomware incidents openly and comprehensively, they must be confident that doing so will not expose them to additional liability or unintended negative consequences. While Recital 11 states that complying with the obligation to report relevant information on ransomware incidents should not lead to additional obligations and that Member States should address possible risks of increased liability linked to such reporting, this safeguard is included only in a recital and not in the operative part of the directive (e.g., Article 5(8)). German industry therefore recommends that the obligation for Member States to address any increased liability resulting from ransomware reporting be included directly in the operative part of the directive. This would provide companies with the necessary legal certainty to share sensitive information.

Furthermore, under Article 5 (8), entities are required to report, among other information, what amount was paid, by what means of payment, and to which recipient or receiving end, including the crypto-asset and crypto-asset service provider. In practice, entities can indicate which crypto-asset service provider was used, the amount transferred, and the specific crypto address involved. However, they do not have insight into the actual “recipient” or “receiving end” in the sense of identifying the person or group behind that wallet. This limitation should be explicitly acknowledged in the proposed directive to avoid imposing requirements that entities are technically unable to fulfil.

Amendment to Art. 24 (4-6) (Use of cybersecurity certification schemes)

Summary of legislative proposal:

Member States may require essential and important entities to obtain a cyber posture certificate under a European cybersecurity certification scheme to demonstrate compliance with the relevant cybersecurity requirements. Where an entity holds such a certificate and the certificate demonstrates compliance with EU implementing acts or national law transposing the relevant cybersecurity obligations, competent authorities may not impose additional supervisory measures for the requirements covered by the certificate. The amendment also clarifies that holding a certificate does not remove or limit the responsibility of essential and important entities to comply with the Directive.

BDI’s position:

In general, German industry is open to using certification to demonstrate compliance with cybersecurity requirements. However, the use of such schemes should remain voluntary. A voluntary approach allows organisations to choose the compliance pathway that best fits their size, sector, and risk profile, ensuring that certification is adopted where it offers clear added value. It will also avoid creating duplicative obligations for companies that already adhere to well established standards such as ISO 27001 and operate under existing assurance schemes that support compliance with the NIS 2 Directive. If Member States can make these schemes mandatory, these organizations would face additional administrative effort without a corresponding security benefit.

Amendment to Art. 26 (1) (Jurisdiction and territoriality)

Summary of legislative proposal:

The amendment adds specific rules to determine which Member State has jurisdiction over air carriers for the purposes of the Directive. Air carriers will fall under the jurisdiction of the Member State whose competent authority granted their operating license in accordance with EU aviation rules. Where an operating license, or an equivalent authorization, has not been granted under those rules, jurisdiction is determined by the location of the air carrier’s main establishment within the Union.

BDI’s position:

Greater clarity regarding jurisdiction rules for air carriers contributes to legal certainty and reduces the risk of overlapping supervisory requirements by assigning responsibility to one single Member State.

Amendment to Art. 26 (3) (Jurisdiction and territoriality)

Summary of legislative proposal:

The amendment clarifies the jurisdictional rules applicable to essential and important entities that are not established in the Union but provide services within the Union. Such entities are required to designate a representative established in a Member State where the services are offered, with jurisdiction attributed to the Member State in which the representative is established. For entities falling under the specific category referred to in Directive (EU) 2022/2555 Article 26 (1), point (a), jurisdiction is instead attributed to the Member State where the services are provided. Where an entity fails to designate a representative in the Union, any Member State in which the entity provides services may take legal action in relation to infringements of the Directive.

BDI’s position:

The clarification of jurisdiction rules for essential and important entities that are not established in the Union but provide services within the Union is a positive development. Requiring such entities to designate a representative in the Union and linking jurisdiction to the Member State where that representative is established enhances legal certainty and clarity for all parties involved.

Amendments to Annexes I and II to Directive (EU) 2022/2555

The proposed amendment does not fundamentally restructure Annexes I and II, but introduces targeted scope-related adjustments, including new types of entities, clarifications of existing entries and specific exclusions.

Amendment to Annex I, point 1(a) (Electricity subsector)

Summary of legislative proposal:

Electricity producers whose total generation capacity does not exceed 1 MW are excluded.

BDI’s position:

German industry welcomes the exclusion of electricity producers whose total generation capacity does not exceed 1 MW. This threshold helps to ensure a proportionate application of cybersecurity requirements and avoids unnecessary regulatory burdens for small electricity producers.

Amendment to Annex I, point 2(d) (Road subsector)

Summary of legislative proposal:

Under the proposed amendment, the type of entity would change from operators of Intelligent Transport Systems (ITS), as defined in Article 4 (1) of Directive 2010/40/EU, which refers to systems in which information and communication technologies are applied in the field of road transport, including infrastructure, vehicles and users, as well as traffic and mobility management and interfaces with other modes of transport, to operators of Intelligent Transport Systems, as defined in Article 4 (5) of Directive 2010/40/EU, which refers to any provider of an ITS service, whether public or private.

BDI’s position:

German industry welcomes the shift to a more targeted definition. The previous system-based definition risked capturing a broad range of actors, including those without direct control over cybersecurity-relevant functions. The revised definition improves legal certainty and helps ensure that cybersecurity obligations are applied in a targeted and proportionate manner across the road transport sector.

Amendment to Annex II, point 3 (Manufacture and production of chemicals)

Summary of legislative proposal:

The scope of the sector “Manufacture, production and distribution of chemicals” is amended to “Manufacture and production of chemicals”. Furthermore, it clarifies that undertakings fall within the scope insofar as they are subject to the general obligation to register substances, whether on their own or in mixtures, pursuant to Article 6 of Regulation (EC) No 1907/2006 (REACH). In addition, undertakings are covered insofar as they are subject to the obligation to notify substances contained in articles pursuant to Article 7 (2) of that Regulation.

BDI’s position:

We welcome the clearer and more precise classification of the scope. The clearer definition increases legal certainty and helps ensure consistent application.

Proposals for Additional Amendments

While the Digital Omnibus and the proposal for a Directive amending the NIS 2 Directive introduce helpful measures, such as the single reporting entry point and maximum harmonisation for cybersecurity risk-management measures, additional key elements would also benefit from maximum harmonisation and clarification.

Recommended Amendment to Art. 23 (4) (Reporting obligations)

Summary of legislative proposal:

The NIS 2 Directive establishes a 24-hour deadline for the early warning of significant incidents. However, implementation across Member States has led to divergences. Some national authorities have introduced shorter reporting timelines, requiring entities to notify incidents before sufficient situational awareness is available. This can divert critical resources from incident response and reduce the usefulness of the information shared with CSIRTs.

Similarly, while the NIS 2 Implementing Regulation on critical entities and networks sets the thresholds for defining a “significant incident”, some Member States have not adhered to these thresholds and require that any type of incident be reported to the relevant authorities and CSIRTs. This creates a risk of over-reporting, which can quickly overwhelm both regulators and companies.

BDI’s position:

German industry recommends introducing maximum harmonization of reporting timelines and thresholds across all Member States to ensure legal certainty and avoid unnecessary administrative burdens. This would prevent Member States from imposing shorter deadlines or broader reporting requirements than those defined at EU level, thereby improving the efficiency and effectiveness of incident reporting for both regulated entities and supervisory authorities.

Recommended Amendment to Art. 26 (2) (Jurisdiction and territoriality)

Summary of legislative proposal:

The main establishment principle remains a cornerstone of NIS 2. It enables the one stop shop mechanism by ensuring that entities within scope interact primarily with a single competent authority in the Member State where key cybersecurity risk management decisions are taken. This principle is essential for reducing administrative burden and avoiding fragmented supervision.

BDI’s position:

Member States have adopted differing interpretations of the concept. Some apply an expanded notion of “main establishment” that goes beyond NIS 2, while others do not apply the concept at all. Different interpretations of “main establishment” lead to additional complexity for companies operating cross-border, as they need to register in several Member States, sometimes even with multiple legal entities, which undermines the simplification efforts and harmonisation objectives of NIS 2.

Further complexity arises for entities that simultaneously provide ICT services and fall under a service category listed in Annex II. It is unclear whether the legal entities concerned should rely on the main establishment principle under Article 26 (2), registering only in the Member State where cybersecurity risk-management decisions are made, or whether they must register in each Member State where they have an establishment, thereby triggering multiple supervisory regimes.

To further reduce regulatory complexity, we recommend extending the main establishment principle to Annex II entities and introducing maximum harmonisation so that Member States cannot diverge in their interpretation or application of it.

Imprint

Bundesverband der Deutschen Industrie e.V. (BDI)

Breite Straße 29, 10178 Berlin www.bdi.eu

T: +49 30 2028-0

German Lobby Register number: R000534

EU Transparency Register number: 1771817758-48

Editorial Office

Barış Bayrak

Junior Expert, Innovation, Security and Technology

T: +49 30 2028-1471

b.bayrak@bdi.eu

Steven Heckler

Senior Expert, Innovation, Security and Technology

T: +49 30 2028-1523

s.heckler@bdi.eu

BDI document number: D 2239
