NIS2 enforcement 2026: critical infrastructure, government, and defence can't wait
TL;DR

  • The EU Commission's January 2026 amendments simplify NIS2 for ~28,700 companies, including 6,200 SMEs, with several EU member states already commencing supervisory and enforcement activity in early 2026.
  • Fines for essential entities can reach €10M or 2% of total worldwide annual turnover, whichever is higher, with potential management accountability measures for senior leadership in serious cases.
  • Critical infrastructure operators across sectors such as energy, transport, healthcare, digital infrastructure, and public administration face some of the strictest obligations under NIS2. Defence contractors and supply chain providers may also fall within scope.
  • As of May 2026, 21 of 27 EU member states have transposed NIS2 into national law. Germany’s NIS2 Implementation Act entered into force on 6 December 2025.
  • If you haven't baselined your cyber resilience, you're already behind the first wave of enforcement. Book a free GRC maturity assessment and find out exactly where you stand.

The European Commission made headlines on 20 January 2026 by proposing targeted amendments to simplify NIS2 compliance for approximately 28,700 companies. For organisations that have been watching the directive with dread, the announcement sounded like a reprieve. It isn't. The amendments reduce paperwork friction; they don't reduce enforcement. In the same quarter the Commission published its simplification proposals, regulators across the EU were already moving into active supervisory and enforcement phases under NIS2. Both things are true at once: compliance is getting easier to navigate, and the consequences of failing to navigate it are getting harder to ignore.

Why critical infrastructure, government, and defence bear the greatest risk

NIS2 was designed with a single overriding purpose: strengthen the cybersecurity and operational resilience of the sectors that keep nations functioning. Energy grids, water networks, rail and aviation systems, hospitals, public administration entities, and many organisations supporting critical government and defence supply chains are now subject to heightened cybersecurity obligations under the directive's essential and important entity classifications. These are also the organisations facing the highest levels of regulatory scrutiny in 2026.

Essential entities face the highest tier of obligation under NIS2:

  • 24-hour early-warning incident notification
  • Mandatory security audits
  • Board-level accountability for cyber risk governance
  • Documented evidence that security measures are continuously reviewed and improved

A breach that exposes the absence of documented incident response processes, reporting procedures, or risk management measures is no longer treated solely as an operational failure — it can also become a regulatory issue, with potential management accountability measures in some EU member states for serious or repeated non-compliance. That's a meaningful shift from how cyber accountability has historically worked in these sectors.

Government agencies carry a distinct burden. Public sector bodies operating across multiple EU member states must contend with national transpositions that differ in material ways. Compliance in Germany, with its December 2025 implementation, looks different from compliance in France or the Netherlands. Central and local government entities that have historically relied on informal good-faith efforts to demonstrate security maturity will find that regulators in 2026 are asking for evidence of assurance.

Defence supply chains represent perhaps the most exposed category of all. Tier 2 and Tier 3 suppliers to defence primes are increasingly pulled into NIS2-aligned obligations through contractual requirements and supply chain risk management expectations — even when the supplier itself believed it was too small or too tangential to fall directly within NIS2 scope. With the UK's own Network and Information Systems (NIS) Regulations and the forthcoming Cyber Security and Resilience Bill converging with many of NIS2's objectives and operational expectations, the compliance surface for UK-based defence suppliers working with EU primes is widening every quarter. The question is no longer just whether you're formally in scope. It's whether you can prove you've acted like you were.

The execution gap that decides audit outcomes

Understanding NIS2 has never been the real challenge. Most compliance officers in essential entities can recite the ten minimum security measures required under Article 21. The gap that regulators are now exposing is the distance between knowing what's required and being able to prove it on demand.

Controls that exist on paper but lack documented evidence don't survive scrutiny. Policies that haven't been reviewed since 2023 don't satisfy the directive's continuous improvement requirement. Incident response plans that have never been tested don't constitute operational readiness. And in a sector where regulators have explicitly signalled enforcement intent, that distinction has real consequences.

The organisations that will navigate 2026 well are not necessarily the ones with the largest security budgets. They are the ones that have done the unglamorous work: mapping controls to the directive, assigning clear ownership, collecting and storing evidence systematically, and building risk management processes that generate audit artefacts as a byproduct of normal operations rather than as a last-minute scramble before assessment.

What the NIS2 simplification amendments actually change

The Commission's proposed amendments are genuine and worth welcoming. They clarify entity classification, streamline reporting obligations for smaller organisations, and reduce ambiguity around certain supply chain and third-party risk obligations.

For a 50-person managed security services provider that found itself unexpectedly in scope, these changes matter. For essential entities in critical infrastructure and government, however, the amendments change very little in practice. The core obligations (incident reporting, audit readiness, supply chain security, and governance accountability) remain intact and are being actively enforced.

The simplification signal tells us that the Commission is confident enough in the framework to begin refining it. That is not the posture of a regulator preparing to retreat.

How 6clicks helps essential entities become audit-ready

6clicks is built for the environments that matter most in NIS2 enforcement: air-gapped networks, legacy infrastructure, hybrid deployments, and government-grade sovereign hosting. Where many Governance, Risk, and Compliance (GRC) platforms require organisations to move sensitive compliance data into public cloud environments, 6clicks deploys on your terms.

For critical infrastructure operators, government agencies, and defence supply chains, that distinction is decisive. 6clicks provides pre-built NIS2 framework mappings, automated and manual evidence collection, vendor risk management for supply chain assurance, and real-time dashboards that give boards the visibility they need to meet accountability obligations under the directive.

It's GRC that works where others can't. Always audit-ready.

Join our free executive webinar on AI governance in controlled environments: The next compliance challenge

📅 May 20, 2026, Wednesday

🕙 10AM to 10:30AM BST

🎟️ Complimentary (priority registration for senior compliance, risk, governance, and security leaders)

What you will learn in 30 minutes:

  • What the EU AI Act changes for governance and evidence in restricted environments
  • Where AI governance commonly fails in hybrid, legacy, OT, and air-gapped systems
  • How to build defensible evidence custody (chain-of-accountability) across environments
  • How a sovereign infrastructure approach supports governance where other platforms cannot reach

Frequently asked questions

NIS2 classifies organisations in energy, transport, health, drinking water, wastewater, digital infrastructure, and public administration as "essential entities" — subject to the highest tier of obligation, including mandatory audits, 24-hour incident early warnings, and board-level personal liability. Defence supply chains are increasingly pulled into scope through contractual obligations with defence primes. In the UK, the forthcoming Cyber Security and Resilience Bill is expected to bring NIS2-equivalent expectations to sectors including managed service providers and parts of the defence industrial base.

For essential entities, NIS2 penalties can reach €10 million or 2% of total global annual turnover — whichever is higher. Regulators across several EU member states have already moved into active supervisory and enforcement phases under national NIS2 laws in 2026. Beyond financial penalties, NIS2 enables member states to introduce management accountability measures for serious or repeated non-compliance, making cyber governance a board-level accountability issue, not just an IT one.

The UK is not directly bound by NIS2, but UK organisations with EU operations must comply in those jurisdictions. UK-based defence and critical infrastructure suppliers working with EU primes are routinely required to demonstrate NIS2-equivalent compliance through contractual assurance. The UK's own NIS Regulations and the forthcoming Cyber Security and Resilience Bill are increasingly aligning with many of NIS2's operational objectives and cybersecurity expectations, meaning the practical compliance requirements for UK essential-sector organisations are becoming progressively closer to the EU framework even without formal NIS2 transposition.

6clicks provides a sovereign GRC platform with pre-built NIS2 framework mappings, automated and manual evidence collection, supply chain risk management, and audit-ready reporting — deployable in air-gapped, on-premises, or hybrid environments that standard cloud-only GRC tools cannot reach. Organisations can complete a baseline maturity assessment in under 30 minutes to identify gaps across governance, accountability, and evidence, and prioritise remediation before their next audit window.

Next step

Ready to know exactly where you stand before your next NIS2 audit? Book a free GRC maturity assessment — 30 minutes, no sales demo required. Walk away with a clear baseline across governance, evidence, and execution.
