A PYMNTS Company

NIS2’s Extended Scope Takes a Deep Dive: Unpacking the EU Commission’s Proposed Expansion to Submarine Data Transmission Infrastructure

By  |  March 31, 2026

By: Mike Conradi, Nicholas De Lacy-Brown, Christian Keogh, Henry Kilding & Lola Stirling (DLA Piper – Technology’s Legal Edge)

    Get the Full Story

    Complete the form to unlock this article and enjoy unlimited free access to all PYMNTS content — no additional logins required.

    yesSubscribe to our daily newsletter, PYMNTS Today.

    By completing this form, you agree to receive marketing communications from PYMNTS and to the sharing of your information with our sponsor, if applicable, in accordance with our Privacy Policy and Terms and Conditions.

    In this piece for DLA Piper’s Technology’s Legal Edge blog, authors Mike Conradi, Nicholas De Lacy-Brown, Christian Keogh, Henry Kilding & Lola Stirling discuss how proposed 2026 amendments to the EU’s NIS2 Directive signal not a reduction, but a potential expansion of cybersecurity obligations—particularly through the inclusion of Submarine Data Transmission Infrastructure (SDTI) as a “sector of high criticality.” This would bring many SDTI operators into scope as “essential entities,” subjecting them to heightened regulatory scrutiny, stricter oversight, and increased accountability.

    The proposed changes aim to close existing gaps by explicitly capturing all entities involved in submarine cable infrastructure, including those not previously covered under categories like telecom or cloud providers. The definition of SDTI is broad, extending beyond subsea cables to include landing stations and terrestrial connections, reflecting the critical role this infrastructure plays in Europe’s digital resilience and the growing geopolitical and cybersecurity risks associated with it.

    The expansion could significantly impact a wide range of stakeholders, including hyperscalers and consortium-based operators that co-own or lease portions of cable systems. The proposal clarifies that all operators within such systems may fall under NIS2, raising complex jurisdictional and structural questions—particularly around territorial scope and how responsibilities are allocated among multiple parties in shared infrastructure arrangements.

    If adopted, the rules would impose substantial compliance burdens, including mandatory cybersecurity measures, strict incident reporting timelines, and direct accountability for management bodies, with potential financial penalties and personal liability. The authors note that consortium governance structures will need to adapt quickly to clarify responsibility for compliance, while also emphasizing that the legislative process may extend into 2027 and beyond, leaving companies time—but also uncertainty—to prepare for implementation…

    CONTINUE READING…