April 2026 was the month NIS2 stopped being a transposition discussion and became an operational deadline — in Belgium first, with the Netherlands and Germany not far behind. The EDPB also closed two long-running files, and CISA issued one of the few advisories this year that specifically names a state-aligned actor against ICS.
Six items, all traceable to primary regulator or institutional sources. Press-only material has been excluded.
1. Belgium — first NIS2 conformity assessment deadline reaches essential entities
18 April 2026 — Belgian Centre for Cybersecurity (CCB)
Essential entities operating in Belgium reached the first binding NIS2 conformity assessment deadline on 18 April. Under the Belgian transposition, essential entities must complete a formal conformity assessment carried out by a BELAC-accredited Conformity Assessment Body, or demonstrate equivalence via the CCB's own CyberFundamentals framework or ISO 27001 certification. Failure to demonstrate compliance triggers the administrative-measures regime and the financial penalties set out in the Belgian NIS2 transposition.
Why it matters: Belgium is the first member state where the obligation moves from "we are working on it" to "show your evidence." Multinationals with Belgian establishments — particularly in finance, energy, transport, and digital infrastructure — should have a Belgian-localised attestation pack ready, distinct from the group-level ISMS narrative.
Source: CCB — NIS2 18 April 2026 deadline: what essential entities must have in place
2. Netherlands — Tweede Kamer approves the Cyberbeveiligingswet
15 April 2026 — Dutch Government
The Dutch House of Representatives approved both the Cyberbeveiligingswet (Cbw) and the Wet weerbaarheid kritieke entiteiten (Wwke) — the NIS2 and CER transposition bills — clearing the parliamentary path. The bills now move to the Eerste Kamer, with the government targeting simultaneous entry into force in Q2 2026.
Why it matters: the Netherlands is, alongside Belgium, the jurisdiction Orizon's clients ask about most often given the concentration of EU-headquartered SaaS and critical-services providers. Once the Eerste Kamer signs off, Dutch essential and important entities should expect rapid notification of competent-authority designations and reporting templates from the National Cyber Security Centre (NCSC-NL).
3. Germany — KRITIS Umbrella Act expands critical-infrastructure scope to ~30,000 entities
Early April 2026 (Federal Law Gazette publication after 6 March 2026 Bundesrat approval) — German Federal Government
The KRITIS-Dachgesetz (KRITIS Umbrella Act) entered into force, expanding the German critical-infrastructure regime from roughly 2,000 operators to over 30,000 entities across ten sectors — energy, transport, healthcare, water, finance, food, ICT, public administration, municipal waste, and space. Newly in-scope operators must register with the Federal Office of Civil Protection and Disaster Assistance (BBK) within three months of classification (with an outer date of 17 July 2026 for the initial wave), conduct risk analyses every four years, develop resilience plans, and report significant security incidents within 24 hours.
Why it matters: organisations that have historically tracked only the BSI's IT-security side of KRITIS now have a parallel physical-resilience regime to satisfy. The fifteenfold expansion of in-scope entities also means a substantial number of mid-sized operators are encountering federal-level security obligations for the first time.
Source: German Federal Government — Cabinet KRITIS Umbrella Law
4. EDPB — Guidelines 1/2026 on personal data for scientific research adopted
16 April 2026 (118th EDPB plenary, 15–16 April) — European Data Protection Board
The EDPB adopted Guidelines 1/2026 on the processing of personal data for scientific research purposes. Three points stand out for compliance teams:
- A six-factor working definition of "scientific research" — methodical approach, ethical standards, verifiability, autonomy, declared objectives, potential contribution to knowledge.
- Confirmation that further processing for research purposes is presumed compatible with the original collection purpose, removing a long-standing source of friction in legitimate-interest assessments.
- Clarification that broad consent is permissible when the specific research purposes cannot be fully known at collection, subject to safeguards.
The guidelines are open for public consultation until 25 June 2026.
Why it matters: organisations that operate health-data, AI-model-training, or applied-research programmes have been waiting on a consolidated EDPB position for years. Even at consultation stage, the document is the clearest signal yet on what supervisory authorities expect for research-purpose framing.
Sources: EDPB news release · Guidelines 1/2026 (PDF)
5. EDPB & EDPS — Joint Opinion 4/2026 on Cybersecurity Act 2 and NIS2 amendments
18 March 2026 (published in the April working window) — EDPB and EDPS
The EDPB and the European Data Protection Supervisor jointly endorsed the European Commission's Cybersecurity Act 2 (CSA2) proposals and the related NIS2 amendments, with three notable positions:
- Strong support for an enhanced ENISA mandate and faster uptake of cybersecurity certification schemes.
- A call for the designation of providers of European Digital Identity Wallets and Business Wallets as essential entities under NIS2.
- A request that ENISA consult the EDPB before adopting any cybersecurity certification scheme touching the security of personal data.
Why it matters: this is the data-protection community's official sign-off on the Commission's direction of travel. Vendors building toward EUDI Wallet integration and certification-based assurance have a clearer signal that the EDPB views these as in-scope for both data-protection and cybersecurity oversight, not one or the other.
Source: EDPB-EDPS Joint Opinion 4/2026
6. CISA — Joint advisory on Iranian-affiliated APT activity against US critical infrastructure
7 April 2026 — Advisory AA26-097A — CISA, EPA, FBI, NSA
CISA, with the EPA, FBI, and NSA, issued a joint advisory assessing that Iranian-affiliated APT actors have been conducting disruptive attacks against US critical infrastructure — water and wastewater systems, energy, and government facilities — since at least March 2026. The advisory documents specific TTPs against programmable logic controllers (PLCs), including configuration wiping, sensor tampering, and HMI disruption, and publishes IOCs covering the activity.
Why it matters for European readers: CISA advisories on water-sector ICS routinely get re-issued in substance by ENISA and member-state CSIRTs. Operators of in-scope water and energy entities under NIS2 should treat the AA26-097A IOCs and TTPs as priority detection content, regardless of jurisdiction. The PLC tampering profile is also directly relevant to organisations preparing CRA Article 14 incident reporting workflows for industrial-product portfolios.
Source: CISA Advisory AA26-097A · PDF
What we did not include
A few items appeared in press coverage during April but did not survive primary-source verification or did not happen substantively in April:
- DORA RTS/ITS — no new Level 2 instruments were published in April; the technical standards package was finalised in 2024–2025.
- Cyber Resilience Act — implementation page exists on the Commission site, but a specific 23 April update could not be retrieved at primary source. Article 14 reporting obligations still trigger on 11 September 2026.
- AI Act milestones — the August 2026 general application date is unchanged; harmonised standards remain in CEN/CENELEC public enquiry rather than published.
- High-profile GDPR fines — no major decisions from CNIL, ICO, BaFin, or other Tier-1 authorities were published in April 2026 within the scope we track.
What to do this month
- NIS2 essential entities with Belgian operations: confirm a BELAC-accredited assessment, CyberFundamentals attestation, or ISO 27001 certificate is in place and dated.
- Multinationals with Dutch operations: monitor Eerste Kamer scheduling and prepare for NCSC-NL competent-authority notifications.
- German KRITIS-adjacent operators: check whether expanded sector definitions pull your entity in scope; if so, the BBK registration clock starts at the classification notice.
- Research-data programmes: review draft activities against EDPB Guidelines 1/2026 and consider responding to the consultation by 25 June.
- Water and energy operators in NIS2 scope: ingest AA26-097A IOCs and TTPs into detection content; document the assessment for your incident-response playbook.