EUFORYa
Track EU Parliament activity with clear, human-friendly updates.
New Cybersecurity Rules to Cut Paperwork and Costs for Small Businesses
Published January 20, 2026
Goal: Simplify EU cyber rules
The EU Directive simplifies and unifies cyber‑security rules, cuts paperwork and costs for companies, sets shared safety standards, and gives the EU stronger tools to stop cyber attacks.
Summary of the Directive (EU) 2026/13
The European Parliament and the Council propose a new Directive that amends Directive (EU) 2022/2555 (NIS 2) to make cybersecurity rules simpler, clearer and easier to follow. The changes are part of a larger package that also includes a new Cybersecurity Act (the “Cybersecurity Act 2”) and other EU measures such as the Digital Omnibus and the Digital Networks Act.
Why the change is needed
- Cyber‑attacks on critical infrastructure are growing, especially from state‑backed actors using advanced technologies like artificial intelligence.
- The current NIS 2 rules are seen as too complex and fragmented, making it hard for businesses and national authorities to understand and comply.
- The EU wants to keep its internal market functioning while protecting the economy and democratic values.
Key simplifications and new rules
| What changes | What it means |
|---|---|
| New “small‑mid‑cap” category | Companies that fall into the new small‑mid‑cap band (defined in Commission Recommendation (EU) 2025/1099) are treated as “important” rather than “essential” entities, which lightens the compliance obligations and paperwork they must meet. |
| Scope clarifications | Clearer rules for healthcare providers, electricity producers, hydrogen operators, chemical manufacturers, and other sectors. |
| DNS providers | Small and micro DNS service providers are no longer covered by NIS 2, easing their compliance burden. |
| Maximum harmonisation | The EU will set common technical and methodological rules for risk‑management measures, so all member states use the same standards. |
| Certification scheme | Entities can obtain a “cyber‑posture” certificate under a European cybersecurity certification framework (part of the Cybersecurity Act 2). A valid certificate can replace many individual compliance checks. |
| ENISA’s new role | The European Union Agency for Cybersecurity will help supervise cross‑border entities, maintain a registry of important entities, and provide risk‑assessment reports. |
| Supply‑chain security guidelines | The Directive will give clear, consistent instructions on what information suppliers must provide, reducing duplication and administrative costs. |
| Ransomware reporting | Data on ransomware incidents (whether a ransom was paid, how much, to whom, etc.) will be collected in a mandatory, harmonised way and shared with CSIRTs and national authorities. |
| Post‑quantum cryptography | Member states must adopt a national policy to move to quantum‑safe cryptography by 2030 for critical uses and by 2035 for lower‑risk uses. |
| Cost savings | The aim is to cut administrative costs by 25 % across all affected companies and by 35 % for small and medium‑sized enterprises. |
Legal basis and implementation
- The Directive is based on Article 114 of the Treaty on the Functioning of the European Union (TFEU), which allows the EU to harmonise rules that affect the internal market.
- Member states must adopt the required measures within 12 months after the Directive enters into force.
- The Directive enters into force 20 days after it is published in the Official Journal of the European Union; the 12‑month transposition period runs from that date.
Other important points
- The Directive aligns with other EU policies such as the Digital Omnibus, the Digital Networks Act, and the Digital Identity Wallets regulation.
- It supports the EU’s broader strategy to strengthen resilience, reduce dependencies, and keep the EU competitive.
- The European Data Protection Supervisor and the European Data Protection Board have reviewed the proposal and confirmed that it respects fundamental rights.
In short, the Directive aims to make cybersecurity rules simpler, more consistent, and easier to prove compliance with, while giving the EU a stronger, coordinated response to cyber threats.
Licensing: The summaries on this page are available under Creative Commons Attribution 4.0 (CC BY 4.0).