NIS2's extended scope takes a deep dive: Unpacking the EU Commission's proposed expansion to Submarine Data Transmission Infrastructure

NIS2, the EU's second Network and Information Systems Directive, is not going anywhere. While the swathe of organisations newly in scope of the EU's hallmark cybersecurity directive may have hoped that the EU's recent announcements on regulatory simplification (including the Digital Omnibus) might have reduced their compliance burden, in some cases the EU is actually proposing to expand the scope of NIS2 further.

In a set of proposed targeted amendments to the NIS2 Directive announced on 20 January 2026 (the "Proposal"), the European Commission has suggested a significant change to the organisations in scope of NIS2 that will be of particular note for entities that are operators of Submarine Data Transmission Infrastructure (SDTI). Under the Proposal, operators of SDTI would fall under the scope of NIS2 as a "sector of High Criticality" and as such, presuming they meet the relevant size criterion, will be "essential entities" triggering higher levels of regulatory supervision, proactive audits, and accountability requirements (including personal liability considerations) all of which could require careful mapping, particularly in complex consortia models.

Building on our recent analysis of the Proposal, this article takes a closer look at the specific changes suggested to bring SDTI squarely into scope, and why SDTI stakeholders should track this closely over the coming months. To note, whilst some organisations operating infrastructure in this space may have already been in scope of NIS2 as providers of public electronic communications networks and services or cloud computing service providers, the Commission is now proposing to specifically target the SDTI sector more broadly. This development reflects the Commission's intention to harmonise cybersecurity obligations across critical infrastructure and address growing geopolitical and cyber-related risks which it sees as particularly pertinent to undersea communications systems.

What is the change?

As noted by the Commission in their proposals, SDTI has historically been operated by entities already falling within NIS2's scope (including public electronic communications networks / services or cloud service providers). However, not all SDTI operators fall neatly into these categories, and some entities may operate or lease SDTI without being captured by NIS2. For example:

• operators of non-public electronic communications networks; and
• entities leasing or co-operating portions of infrastructure to public network providers.

The proposed inclusion of a specific new category of SDTI within the scope of NIS2 therefore seeks to capture all types of entities operating in submarine data transmission, recognising the increasing risks to submarine data transmission infrastructure and their resulting high criticality.

It is not surprising then that under the proposed amendments to NIS2, SDTI is defined broadly. It includes not only the subsea cables themselves but any infrastructure essential to their operation, such as landing stations and the terrestrial portions of the network (i.e. the "fronthaul" between the beach manhole and the landing station segments).

The expanded definition recognises the complex and distributed architecture of SDTI and the essential role it plays in the resilience of the EU's digital ecosystem. Harmonising the oversight of SDTI operators' cybersecurity compliance under NIS2 is intended to bolster the resilience, redundancy planning and security of Europe's digital backbone.

Who could be brought into scope?

In the last several years, the submarine cable industry has seen rapid transformation and convergence, with "big tech" hyperscalers establishing and owning many of the major new submarine cable routes for their own internal capacity requirements, rather than being owned and operated by traditional telecom companies. On our reading of the amends, such large players in the industry would now appear to be caught under NIS2 in respect of any such use.

Another feature of the sector is the use of consortium-based arrangements for construction and operation of submarine cable systems. Here, each consortium member will own and operate an agreed number of fibre pairs on the cable system for their own purposes. Prior to the Commission's Proposal, there was some uncertainty as to whether the use of one fibre pair on a cable as a public electronic communications network/ provision of a public electronic communications service would cause the full system to be subject to NIS2, especially in relation to shared infrastructure (such as repeaters, branching units, SLTE equipment and cable landing infrastructure). The Commission's Proposal simplifiers matters, as it makes it clear that all submarine cable system operators which will be caught. This is potentially a significant change for consortia cables.

Crucially, NIS2 applies to specific entities not to corporate groups as a whole. A corporate group that owns or co-owns cable infrastructure may therefore have a single SDTI-related entity that falls into scope and that entity must independently meet Annex I obligations.

There are however a number of questions which arise from the proposed amends which have not yet been unpacked by the Commission. For example, it is unclear how the territorial reach of NIS2 will apply to SDTIs and whether it will be a requirement for the relevant cable to physically land in the EU in order for it to be caught under NIS2, or whether a non-EU landing cable might be caught if the "customer" entity is EU. This might be the case where an organisation buys capacity on a US to UK cable, with terrestrial fibre up to a point, and then capacity on a UK to EU cable. It is currently unclear whether such arrangements would be covered, and it is likely that current jurisdictional rules applying under Article 26 of NIS2 may require specific amends in anticipation of this and similar scenarios.

Enhanced Compliance Burden

If the proposals to include SDTI in the scope of NIS2 are realised, operators will face:

• mandatory implementation of "appropriate and proportionate" cybersecurity measures including supply chain security requirements.
• Three-stage notification obligations upon the occurrence of a "significant incident" (where an "incident" is defined as an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems, and the "significance" is based on availability of the service and impact – we do not therefore consider this would include incidents entailing physical damage to the cable), with an early-warning notification required within 24 hours, a follow up within 72 hours and a comprehensive report within 1 month of the organisation's becoming aware of the incident.
• Management-body accountability, including duties to approve and oversee cybersecurity measures and to receive mandatory cybersecurity training. Supervisory authorities are able to suspend management functions pending breach resolution and management bodies may be subject to personal liability for non-compliance.

Since the majority of SDTI providers are likely to surpass thresholds for small and medium-sized entities (which are made up of entities which employ fewer than 250 persons and have an annual turnover not exceeding EUR50 million/ balance sheet EUR43 million), they are likely to be classified as "essential" rather than important entities, and be subject to the additional burden or pro-active enforcement measures, including unplanned audits, temporary suspension of cybersecurity certifications and management functions and financial penalties of up to €10 million or 2% of global annual turnover, whichever is higher.

Governance Issues for Consortia

As stated above, Submarine cable systems are frequently owned and operated by consortia and fibre-pairs might be allocated on a long-term basis (by contracts known as "IRUs") to third parties. This raises structural questions regarding which entity is responsible for NIS2 compliance, for example:

• Who is the operator?
• Which party must ensure cybersecurity controls are implemented across shared infrastructure?
• Which party should be deemed responsible for compliance with NIS2, or would a model of joint responsibility be required?
• Who must meet the 24-hour incident reporting clock?
• How should responsibilities be allocated contractually, especially where cable management is outsourced to a landing-party operator or a third-party system supplier?

In the absence of clear EU-wide guidance, these issues will need to be addressed contractually within relevant agreements such as joint build agreements, Construction & Maintenance Agreements (C&MAs) or landing party agreements.

When is the Proposal likely to become law?

Given the significant delays already seen in NIS2 implementation, and the fact that the Proposal will have to go through trilogue, it is likely that the Proposal (whether or not unamended) will not become law until the very end of 2026, or more realistically, sometime in 2027, and then with an additional 12 months on top of that for its transposition into Member State laws. Accordingly, SDTI entities should anticipate varying timelines, supervisory expectations and registration requirements across Member States once the change is adopted.

What to do now?

To get ahead of the Proposal coming into force (if it were to be in its current form), STDI stakeholders may want to consider the following actions:

1. run a targeted applicability assessment to identify SDTI entities that may newly fall within scope of NIS2;
2. perform a gap analysis against NIS2's core requirements, focusing on incident reporting readiness and cybersecurity risk management measures;
3. map consortia and landing-party contracts, inserting clear NIS2 cybersecurity responsibility, and flow-downs, audit and notification provisions; and
4. identify current cybersecurity governance arrangements, testing their alignment to the management body requirements, and personal liability, under NIS2.

For more information on NIS2, and cyber security governance generally, please reach out to your DLA Piper contact.