Cybersecurity Directive Consultation Due on 15 March

Hi everyone,

We’re currently preparing the European Pirate Party’s response to the consultation on the Commission proposal COM(2026) 13, which proposes changes to the EU cybersecurity directive (NIS2). The deadline for contributions is 15 March 2026.

The proposal is presented as a technical update to simplify the current rules, but it actually introduces several important changes to how cybersecurity is organised in the EU. For example, it expands the directive to include Digital Identity Wallet providers and Business Wallets, gives ENISA (the EU cybersecurity agency) more responsibilities, introduces plans to prepare for future quantum computing threats and creates EU-wide rules for reporting ransomware attacks.

Because this proposal affects how cybersecurity obligations are organised and supervised across the EU, it may also have consequences for privacy, transparency and digital rights. For that reason, our response will focus on a few areas that connect to our manifesto.

Privacy and Civil Liberties – Some parts of the proposal involve collecting and sharing more information about cyber incidents, including ransomware attacks. We want to examine whether these reporting requirements are proportionate and whether they could create new risks for privacy or surveillance.

Open Standards and Free Software – The proposal encourages the EU to transition to new encryption technologies designed to resist future quantum computers. We want to assess whether the framework supports open and publicly auditable cryptographic standards, or whether it could unintentionally favour proprietary solutions from a small number of vendors.

Transparency and Oversight – The proposal also expands the role of ENISA, allowing it to take part in cross-border cybersecurity risk assessments and coordination between Member States. We want to evaluate whether there are sufficient transparency and democratic oversight mechanisms for these new powers.

Public Knowledge about Cybersecurity Threats – The directive introduces new requirements for reporting ransomware attacks. One question we want to explore is whether aggregated and anonymised information about cyberattacks should be made public, so that researchers, journalists, and civil society can better understand cybersecurity risks.

We would really appreciate your input, especially in these areas:

•	Experience or knowledge related to cybersecurity policies or encryption standards

•	Legal perspectives on privacy, data protection, or digital rights

•	Thoughts on the expanded role of ENISA and how its powers should be supervised

•	Opinions on ransomware reporting requirements and whether they strike the right balance between security and privacy

•	Insights on digital identity infrastructure and possible surveillance risks

•	Academic research, reports, or useful resources we should reference

•	Any other comments or concerns about the proposal

Our aim is to prepare a clear and well-argued submission that highlights potential risks and proposes improvements that protect privacy, transparency and open digital infrastructure.

You can review the consultation materials here:

Thanks very much for any input or suggestions!
