Barcelona Cybersecurity Congress 2026

The Barcelona Cybersecurity Congress: EU Regulatory and Threat Landscape Updates

The Barcelona Cybersecurity Congress returns to the Fira Gran Via on 3–5 November 2026 for its seventh edition, co-located for the first time with the Smart City Expo World Congress rather than the IOT Solutions World Congress it previously shared a hall with. Organisers are targeting more than 6,000 visitors, 150 sessions, and 95 exhibiting organisations — a scaled-up footprint that reflects how much the EU cybersecurity agenda has shifted in the eighteen months since the NIS2 transposition deadline expired on 17 October 2024.

That shift is the story BCC26 will have to tell. In the reporting window of the ENISA Threat Landscape 2025 report, 1 July 2024 to 30 June 2025, the agency curated 4,875 incidents, documented an explosion in DDoS-heavy hacktivism, and flagged the convergence of cybercriminal, hacktivist, and state-aligned activity as the defining feature of the European threat environment. In parallel, the European Commission spent the first quarter of 2026 proposing what industry has labelled “Cybersecurity Act 2.0”: targeted amendments to NIS2, a revised Cybersecurity Act, and further alignment between NIS2, DORA, and the Cyber Resilience Act. This article maps what Barcelona delegates will be reading about on the plane: the regulatory state of play, the threats driving it, and the gap between both.

Where NIS2 Actually Stands in April 2026

NIS2 (Directive 2022/2555) expanded the EU cybersecurity baseline from roughly 10,000–15,000 entities under NIS1 to an estimated 160,000 entities across 18 sectors, with size-based automatic scope triggers replacing member-state designation. Member states were required to transpose it into national law by 17 October 2024, with national measures applying from 18 October 2024. That deadline is now eighteen months in the past, and implementation remains uneven.

As of March 2026, 22 of 27 EU member states have adopted national implementing legislation. France, Ireland, Luxembourg, the Netherlands, and Spain remain in the legislative process. The Commission has not been patient about it — on 7 May 2025 it sent reasoned opinions to 19 member states for failing to notify full transposition, and infringement proceedings have continued through early 2026.

Where transposition is done, enforcement is active. Germany’s NIS2 implementation law was published on 5 December 2025; covered entities had to register by 6 March 2026, though only about a third of them had done so by that date. Belgium set the first hard conformity assessment deadline at 18 April 2026, requiring essential entities to submit verified documentation through one of three pathways: certification against the Centre for Cybersecurity Belgium’s CyberFundamentals (CyFun®) framework at the assurance level the CCB prescribes for the entity, ISO/IEC 27001 certification with scope and Statement of Applicability, or direct CCB inspection. Self-declarations were not accepted for essential entities.

What Barcelona delegates from cross-border organisations will want to hear about is the fragmentation underneath the shared directive. Reporting thresholds and timelines diverge: Cyprus requires early warnings within six hours of detection, well inside the 24-hour early-warning deadline that NIS2 itself sets. Germany’s implementation exposes individual managers to fines up to €500,000 and temporary bans from management roles for serious negligence. Hungary has rejected the “main establishment” principle adopted by Belgium, Croatia, Greece, Italy, and Slovakia; service providers operating there must register locally regardless of where their EU headquarters sits.

And the directive itself is already being rewritten. On 20 January 2026, the Commission proposed targeted NIS2 amendments that would bring operators of submarine data transmission infrastructure into scope, remove entities involved in chemicals distribution (while keeping manufacturers), adjust size thresholds for essential-entity status, and add ransomware-specific reporting details — including whether a ransom was demanded, whether it was paid, and to whom. The Commission frames this as simplification aimed at easing compliance for 28,700 companies including 6,200 micro and small-sized enterprises. In practice, the proposal pulls enforcement in one direction (more specificity on ransomware) while trimming scope in another.

EU Regulatory Stack, April 2026: four regimes converging on the same entities

NIS2 (Directive 2022/2555): 22 of 27 member states transposed; enforcement live in Germany and Belgium, with France and the Netherlands still legislating. Commission proposed targeted amendments on 20 January 2026.
DORA (Regulation 2022/2554): financial sector; directly applicable since 17 January 2025; takes precedence over NIS2 for in-scope banks, insurers and critical ICT third-party providers.
CRA (Regulation 2024/2847): products with digital elements; vulnerability reporting via ENISA from 11 September 2026; full application on 11 December 2027.
CER (Directive 2022/2557): physical resilience of critical entities, complementing NIS2; Germany’s KRITIS-Dach-Gesetz entered force on 17 March 2026.

NIS2 is the headline, but it isn’t working alone. The Digital Operational Resilience Act (DORA, Regulation 2022/2554) has applied directly to EU financial entities since 17 January 2025 and takes precedence over NIS2 for banks, investment firms, insurers, and their critical ICT third-party providers. Where NIS2 governs the network and information systems of obligated entities, the Cyber Resilience Act targets the products themselves — hardware and software with digital elements placed on the EU market. Vulnerability reporting obligations under the CRA begin to bite in September 2026, with full product-requirement application on 11 December 2027. Germany issued a first draft implementing law in early 2026 to designate the competent authority.

The Critical Entities Resilience Directive (CER, Directive 2022/2557) completes the quartet, addressing the physical resilience of essential service providers to threats such as sabotage, terrorism, and natural disasters. Germany’s national CER implementation — the KRITIS-Dach-Gesetz — entered force on 17 March 2026, with first registration obligations for affected entities applying by 17 July 2026.

On 20 January 2026, the Commission bundled the NIS2 amendments with a proposed revision of the EU Cybersecurity Act into what industry is calling Cybersecurity Act 2.0. The package targets three levers: tightening NIS2 scope around submarine cables and adjusting entity thresholds; overhauling the European cybersecurity certification frameworks (the adopted EUCC scheme and the long-delayed EUCS cloud and 5G schemes); and expanding ENISA’s role in centralised incident reporting. No fixed adoption timeline exists, but current industry expectations point to finalisation in early 2027, meaning BCC26 will happen in the thick of trilogue negotiations, which will almost certainly dominate the regulatory track sessions.

The consequence for any organisation operating across more than one EU member state is mapping work. NIS2, CER, and DORA each apply to entities; CRA and the Machinery Regulation (applying 20 January 2027) apply to products. A medium-sized industrial manufacturer with a connected-device line can land inside all of them simultaneously, with different competent authorities, different reporting windows, and — at least until Cybersecurity Act 2.0 reduces divergence — different incident thresholds.

What the Threat Landscape Actually Looks Like

The regulation exists because the threat environment got worse. The ENISA Threat Landscape 2025 — the agency’s flagship annual assessment, published October 2025 and revised to v1.2 in January 2026 — is the single document delegates should read before flying into Barcelona. Its conclusions frame what every vendor booth and every government keynote will be responding to.

The headline numbers: ENISA analysts collected and analysed 4,875 incidents, mainly based on information from open sources as well as anonymised information shared by EU Member States and members of the ENISA Cyber Partnership Programme. DDoS attacks were the dominant incident type, accounting for 77% of reported incidents. Public administration networks absorbed 38% of that pressure, primarily from hacktivists and state-nexus groups.

Those DDoS volumes are mostly noise — symbolic, short-lived, and non-disruptive. But the rest of the report is not. Social engineering tactics remain the primary entry point for threat actors, with phishing (including vishing, malspam, and malvertising) accounting for about 60% of observed cases. Exploitation of vulnerabilities (21.3%) remains a prevalent intrusion vector, followed by botnets (9.9%). And the phishing channel is no longer manual: AI has become a defining element, with AI-supported phishing campaigns reportedly representing more than 80% of observed social engineering activity worldwide by early 2025.

Ransomware tells the story Barcelona delegates will care about most. A total of 82 ransomware variants were reportedly deployed against EU member state organisations, with Akira emerging as the most frequently deployed (11.6%), followed by SafePay (10.1%) and Qilin (7.5%). Manufacturing absorbed 14.9% of ransomware claims. The ransomware ecosystem continues to fragment: as law enforcement takes down top-tier operations, mid-tier RaaS programmes proliferate, each with slightly different affiliate structures and leak-site tempos.

Two incidents define the operational stakes, one just after the reporting window and one inside it. In September 2025, a ransomware attack on Collins Aerospace’s MUSE check-in and boarding software cascaded into disruption at Heathrow, Brussels, and Berlin airports: long queues, delays, cancellations, and a real-world demonstration of how a single third-party software dependency can take down European aviation for a weekend. In June 2025, a hacktivist group ENISA identifies as Z-PENTEST-ALLIANCE, allegedly linked to the Russia-nexus Sandworm intrusion set, compromised an Italian smart building automation company and posted videos of operators tampering with OT systems. Italy was the most frequently targeted EU member state, followed by Czechia, France, and Spain.

ENISA Threat Landscape 2025, by the numbers (EU cyber threat environment, July 2024 to June 2025)

4,875 curated incidents analysed
77% of incidents were DDoS
60% of initial access via phishing
21.3% of initial access via vulnerability exploitation
82 distinct ransomware variants observed
42,595 new vulnerabilities disclosed (+27%)
38% of incidents targeted public administration
18.2% of threats categorised as operational technology
Most-deployed ransomware variants: Akira 11.6%, SafePay 10.1%, Qilin 7.5%

Convergence: The Thread Running Through Every BCC26 Track

ENISA’s central editorial choice for the 2025 landscape was framing. The report describes a “continuous and diversified pressure environment” where the old taxonomic distinctions between cybercriminal, hacktivist, and state-aligned threat actors are breaking down. Hacktivists adopt ransomware for funding, as FunkSec did in late 2024 with its FunkLocker payload — political branding layered on financial extortion. Criminal RaaS crews lease tooling to groups whose command structures touch state intelligence services. State actors purchase access from criminal brokers rather than burning their own operators on initial intrusion.

This convergence is the through-line EU policymakers are responding to. NIS2’s supply chain security requirements, the CRA’s vendor obligations, and DORA’s third-party ICT provider register all target the same structural problem: a defender organised around entity boundaries cannot see attacks organised around ecosystems. Supply chain risks constitute 10.6% of all threats in ENISA’s distribution, and that number understates the cascading effect: the Collins Aerospace incident hit three major hub airports through a single software vendor dependency.

Mobile and identity are where the next round of pressure builds. Mobile devices represented 42% of observed threats in the reporting window, with Android especially exposed to remote access trojans used for both financial theft and espionage. And Microsoft’s Digital Defense Report 2025 — which Barcelona delegates should expect to see cited repeatedly — documents a shift away from malware-first intrusion toward credential, token, and trusted-relationship abuse. Identity is the new perimeter; in many organisations, it is the only perimeter left.

The Barcelona Programme, Read Against This Backdrop

Programme details for BCC26 continue to be published, but the shape of the agenda is already legible from the call for papers and the organiser’s stated pillars: AI and cybersecurity, critical infrastructure and OT, cloud and identity, regulatory compliance, and threat intelligence. Co-location with Smart City Expo World Congress is not decorative — it reflects the ENISA finding that transport, public administration, and digital infrastructure are now the top-targeted sectors, and that smart-city deployments sit at the intersection of all three.

Expect four topics to dominate session rooms. First, the NIS2 amendment proposal — specifically the ransomware reporting additions and the submarine cable inclusion, both of which will have been in trilogue for several months by November. Second, the first wave of enforcement actions under fully transposed national laws, which will produce case studies rather than the hypotheticals that dominated BCC25. Third, the operational side of AI-assisted attack and defence, where vendors will compete to show something more concrete than the LLM-red-teaming demos that filled 2025 agendas. Fourth, OT and critical infrastructure — because ENISA’s 18.2% OT threat share and the Z-PENTEST-ALLIANCE psychological-warfare tactics have elevated industrial cybersecurity from a niche track to a main-stage concern.

The Hacking Village, which returns as an exhibit-floor fixture, is where the gap between regulation and operation becomes visible. Rules tell organisations what to defend; capture-the-flag environments show whether anyone in the building can actually do it.

What to Watch at BCC26: four agenda threads worth prioritising

1. NIS2 amendment trilogue status. The January 2026 Commission proposal will be deep in negotiation. Ransomware reporting details and the submarine cable scope extension are the two clauses most likely to change between now and November.
2. First-wave NIS2 enforcement cases. Belgium and Germany will have produced real supervisory actions by November; France and the Netherlands only if their implementing laws are adopted in time. Watch for management-liability cases under Germany’s €500K personal fine framework.
3. AI attack and defence, operationalised. Past the demo phase. Expect specifics on LLM-driven phishing pipelines, deepfake-enabled vishing, and defender-side agentic triage, with measurable outcomes rather than capability showcases.
4. OT and smart-city convergence. Co-location with Smart City Expo makes this unavoidable: energy and water-sector OT intrusion sets, CRA product obligations, and Z-PENTEST-ALLIANCE-style hacktivist pressure on industrial targets.

Frequently Asked Questions

Does DORA override NIS2 for financial institutions? Yes, for the aspects DORA covers. The Commission’s September 2023 guidelines on the relationship between the two instruments establish that DORA, as lex specialis for the financial sector, takes precedence over NIS2 on overlapping obligations. Financial entities still need to map both frameworks because DORA does not address every NIS2 concern — supply chain obligations beyond ICT third parties, for example, remain NIS2 territory.

When does the Cyber Resilience Act actually bite? Vulnerability handling and reporting obligations begin to apply on 11 September 2026. Full product conformity requirements, the CE-marking regime for products with digital elements, apply from 11 December 2027. Manufacturers placing connected products on the EU market after that date without conformity assessment face market withdrawal orders.

What happens to organisations in member states that still haven’t transposed NIS2? Direct effect doctrine means that clear, unconditional NIS2 provisions can be invoked against the state in national courts even without transposition. For private entities, the practical exposure runs through contractual requirements from NIS2-regulated customers and through the Commission’s active infringement proceedings, which will eventually force national law into place. Compliance teams should not wait for transposition to begin implementation work.

Is ISO 27001 enough for NIS2 compliance? Not by itself, though Belgium accepts ISO/IEC 27001 certification as an alternative conformity pathway to its CyFun® framework. Most member states treat ISO 27001 as a strong baseline that significantly reduces the compliance gap, but organisations must still demonstrate implementation of all Article 21 measures, including supply chain security, incident reporting processes, and management-level cybersecurity training, which ISO 27001 addresses indirectly rather than prescriptively.

What Delegates Should Take Home

BCC26 arrives at a specific inflection point. The legal framework is largely built — NIS2, DORA, CER, CRA, and the proposed Cybersecurity Act 2.0 form a stack that covers entities, products, and physical resilience. The threat environment is documented to a level of granularity the sector lacked three years ago, thanks to ENISA’s maturing threat-landscape methodology. What remains unsettled is execution: whether transposition completes across all 27 member states without further infringement action, whether enforcement produces deterrent effects in the first supervisory cycles, and whether defenders close the identity-abuse and supply-chain gaps that the 2025 data exposes.

For security leaders flying into Barcelona, the productive attitude is less “what is new” than “what is now operational.” The novelty curve has moved from policy design to compliance execution, and from theoretical threats to recurring incident patterns. The vendors and regulators on the Fira Gran Via floor will be selling answers to specific, documented problems — and the best use of three days in Hall 2 is matching those answers against the gaps in your own programme.
