2026 compliance guide for critical underwater infrastructure
2026 is the year where Underwater Security stops being a side project and becomes a board level, audit ready resilience capability. With NIS2 and CER already in force, plus the upcoming Digital Networks Act shaping expectations for subsea communications infrastructure, operators need a practical way to turn legal obligations into continuous operations.
Key 2026 compliance moments you should plan around:
- CER national risk strategy due: 17 January 2026
- CER critical entities designated: by 17 July 2026
- NIS2 in practice: 2026 is enforcement and evidence season
Note: This article is informational and is not legal advice. Always confirm applicability and timelines with your legal and compliance teams.
Why 2026 is the Underwater Security year
Critical underwater infrastructure such as submarine power cables, subsea telecom cables, pipelines, offshore wind export cables, port approaches, and landing points sit at the intersection of physical risk and cyber risk. That is exactly where NIS2 and CER overlap in practice.
In many countries, 2026 is when regulatory intent becomes operational reality: supervision, inspections, evidence requests, and investment decisions tied to resilience plans. Underwater Security teams need a defensible, repeatable way to show that risks are identified, mitigations are active, and incidents can be detected and reported with confidence.
Directive status snapshot for 2026
The table below summarizes what each instrument is, where it stands heading into 2026, and what it means for Underwater Security programs.
| Instrument | What it regulates | Status heading into 2026 | 2026 dates and enforcement moments | Why it matters for Underwater Security |
|---|---|---|---|---|
| NIS2 (Directive (EU) 2022/2555) | Cybersecurity risk management and incident reporting obligations for critical sectors, including digital infrastructure and energy. | In force. Many member states have already transposed, others are still finalizing national laws and enforcement mechanisms. | In 2026, a growing number of countries shift from draft legislation to active supervision, audits, and enforcement. Operators will be asked to demonstrate practical risk management and evidence of controls, including for cyber physical threats. | Subsea cables, offshore wind, interconnectors, pipelines, ports and coastal approaches are part of a modern cyber physical risk surface. Underwater Security monitoring becomes a compliance enabler, not only a security upgrade. |
| CER (Directive (EU) 2022/2557) | Physical resilience of critical entities, including risk assessments, resilience measures, incident reporting, and business continuity. | In force. National transposition is ongoing, with major national obligations and designation processes accelerating. | 17 Jan 2026: national risk strategies due. 17 Jul 2026: critical entities must be identified and designated. After designation, operators must execute risk assessments and resilience plans on defined timelines. | 2026 is the year physical Underwater Security becomes explicitly tied to resilience planning. Continuous seabed monitoring and early warning support the risk assessment and incident response expectations for critical underwater infrastructure. |
| DNA (Digital Networks Act) | Planned modernization of telecommunications rules. Expected to introduce security and resilience expectations for networks, likely including subsea cables and communications infrastructure. | Not yet in force. Expected at EU level in late 2025, with practical implications anticipated during 2026 planning cycles. | In 2026, telecom and cable owners will prepare for new expectations on security, resilience, and potentially standardization for subsea communications infrastructure. | For underwater cable corridors, Underwater Security monitoring supports early detection, incident evidence, and resilience operations that telecom operators may need to operationalize under updated rules. |
NIS2 in 2026: cybersecurity compliance expands into cyber physical reality
NIS2 drives structured cybersecurity risk management and fast incident reporting for operators in critical sectors. For Underwater Security teams, the practical shift is that subsea infrastructure is increasingly treated as part of the wider risk surface, not an isolated physical asset.
What NIS2 demands in practice
- Risk management that can be explained and evidenced across critical services and their dependencies.
- Fast incident reporting readiness with clear internal thresholds and roles.
- Proof of controls that stand up to audits, including supply chain and operational resilience measures.
Why Underwater Security is directly relevant
Subsea cables and offshore energy connections are prime examples of cyber physical dependencies. A physical disruption can become a digital outage, and a digital incident can create operational exposure offshore. In 2026, resilience programs increasingly need to connect cyber reporting and physical incident evidence into a single story.
How OptiBarrier fits an NIS2 style operating model
OptiBarrier is a seabed hydrophone network designed for persistent, real time underwater domain awareness and over the horizon detection, enabling early detection and tracking of surface and subsurface activity. Its architecture uses passive fiber optic hydrophones linked to shore based interrogation, supporting continuous covert operation.
- Real time detection and tracking: supports fast escalation and response workflows.
- Over the horizon monitoring: helps build a response window by monitoring approach corridors, not only the asset location.
- Passive operation: avoids emissions and supports covert Underwater Security monitoring.
CER in 2026: physical resilience becomes a calendar, not a concept
CER is the directive that turns physical protection of critical entities into defined obligations. 2026 is important because it contains two major milestones that shape national strategies and the identification of the entities that must comply.
What takes effect in 2026 under CER
- National risk strategies due by 17 January 2026, setting expectations and priorities for resilience.
- Critical entities identified and designated by 17 July 2026, clarifying who must meet the requirements.
- Follow on compliance execution, where designated entities must perform risk assessments and implement resilience measures on the required timelines.
Why seabed monitoring is a CER aligned capability
CER pushes operators to take measures that reduce impact from a broad set of threats, including sabotage and natural events. For Underwater Security, this typically translates into:
- Monitoring the physical environment around critical underwater infrastructure
- Detecting anomalies early enough to respond
- Maintaining evidence quality data for investigations and reporting
- Supporting business continuity by reducing downtime and uncertainty
Digital Networks Act in 2026: preparing for a new layer of subsea cable expectations
The Digital Networks Act is expected to modernize telecommunications laws and is anticipated to include new rules and standards for the security and resilience of underwater cables and communications infrastructure. Underwater Security teams in telecom and cable operations should treat 2026 as a readiness year: define corridor level monitoring requirements, incident evidence flows, and operational response playbooks.
Turning regulation into operations: an Underwater Security control map
Directives do not buy equipment, people do. The way to make 2026 compliance real is to translate NIS2 and CER requirements into concrete, testable Underwater Security capabilities.
| Compliance expectation | Directive driver | What Underwater Security teams must be able to show | How OptiBarrier supports the outcome |
|---|---|---|---|
| Risk assessment and resilience planning | CER, plus risk management under NIS2 | A documented view of threats, vulnerabilities, and mitigations for critical underwater infrastructure such as subsea cables, pipelines, offshore wind export cables, port approaches, and landing points. | Persistent seabed monitoring data can support threat models and validate assumptions about traffic patterns, acoustic activity, and anomaly baselines. |
| Early detection and timely response | CER resilience measures, NIS2 operational continuity | Capability to detect and respond to incidents fast enough to reduce impact, including suspicious activity and accidental damage such as anchor dragging. | Real time underwater domain awareness with over the horizon detection helps extend response time by monitoring approach corridors instead of only the asset itself. |
| Incident reporting readiness and evidence | NIS2 reporting timelines, CER incident notification | Clear incident timelines and evidence packages that support notifications, investigations, and post incident reporting across cyber and physical teams. | Continuous passive monitoring creates a time stamped, high quality data stream that can be exported for incident reconstruction and compliance evidence workflows. |
| 24/7 continuous surveillance requirement | National implementation measures and sector guidance, especially where continuous surveillance is mandated | Monitoring that remains operational in different sea states, with low maintenance burden and minimal detectability risk. | Fully passive seabed sensors with no wet end electronics support covert, continuous operations with high availability. |
| Integration with command and control | CER oversight and coordinated response expectations | Operational workflows that connect detection to response, including alerting and situational awareness across stakeholders. | Digital output and partner software integration support detection, classification, and operator displays that can plug into existing response playbooks. |
Country by country transposition status: where the pressure lands in 2026
NIS2 and CER set EU level direction, but procurement urgency and enforcement intensity often depend on national transposition status. The table below is designed for Underwater Security teams and commercial teams planning 2026 engagement.
For external tracking, some teams also reference the ECSO tracker. Internally, use our transposition snapshots as a practical planning input and validate details with local counsel for go to market decisions.
| Country | NIS2 Status (Cybersecurity) | CER Status (Critical Entities) |
| Belgium | ✅ Transposed In force: 18/10/2024 Act: Law establishing a framework for the cybersecurity of networks and information systems. | ⏳ Not yet transposed Deadline passed (17/10/2024). |
| Bulgaria | ⏳ Not yet transposed Status: In final legislative stage as of June 2025. | ⏳ Not yet transposed Status: Infringement proceedings opened. |
| Croatia | ✅ Transposed In force: 15/02/2024 Act: Cybersecurity Act | ⏳ Not yet transposed Status: New Critical Infrastructure Act in preparation to align with CER. |
| Cyprus | ⏳ Not yet transposed Status: Infringement proceedings opened. | ⏳ Not yet transposed |
| Denmark | ✅ Transposed In force: 01/07/2025 Act: Act on measures to ensure a high level of cybersecurity. | ✅ Transposed In force: 01/07/2025 Act: Act on the resilience of critical entities (CER Act). |
| Estonia | ⏳ Not yet transposed Expected: 01/07/2025 Act: Draft law to amend existing Cybersecurity Act. | ⏳ Not yet transposed Expected: Q3 2025 Act: Draft law to amend existing Emergency Act. |
| Finland | ✅ Transposed In force: 08/04/2025 Act: Cybersecurity Act. | ✅ Transposed In force: 01/07/2025 Act: Act on the Protection of Infrastructure Critical to Society. |
| France | ⏳ Not yet transposed Status: Draft law adopted by Senate, awaiting National Assembly. | ⏳ Not yet transposed Status: Public consultation on draft law launched 07/03/2025. |
| Germany | ⏳ Not yet transposed Expected: Q2 2026 Status: Draft law published. | ⏳ Not yet transposed Deadline passed (17/10/2024). |
| Greece | ✅ Transposed Published: 28/11/2024 Act: NIS2 Transposition Law. | ⏳ Not yet transposed Deadline passed (17/10/2024). |
| Ireland | ✅ Transposed In force: 16/10/2024 Act: EU (Measures for a High Common Level of Cybersecurity) Regulations 2024. | ✅ Transposed In force: 17/10/2024 Act: EU (Resilience of Critical Entities) Regulations 2024. |
| Italy | ✅ Transposed In force: 01/09/2024 Act: NIS2 implementing decree. | ⏳ Not yet transposed Deadline passed (17/10/2024). |
| Latvia | ✅ Transposed In force: 18/10/2024 Act: NIS2 transposition amendments. | ⏳ Not yet transposed Deadline passed (17/10/2024). |
| Lithuania | ⏳ Not yet transposed Expected: 2026 Status: Bill expected Q4 2025. | ⏳ Not yet transposed Deadline passed (17/10/2024). |
| Malta | ✅ Transposed In force: 08/04/2025 Act: Legal Notice 71 of 2025. | ⏳ Not yet transposed |
| Netherlands | ⏳ Not yet transposed Expected: 01/01/2025 Status: Draft legislation proposed. | ⏳ Not yet transposed Deadline passed (17/10/2024). |
| Norway | ⏳ Not yet transposed Expected: 01/07/2026 Note: Non-EU EEA Member. | ⏳ Not yet transposed To be addressed with NIS2 transposition. |
| Poland | ⏳ Not yet transposed Act: Amendment to National Cybersecurity System Act (KSC-2). Status: Urgent processing. | ⏳ Not yet transposed To be addressed with NIS2 transposition. |
| Portugal | ⏳ Not yet transposed Expected: Q2 2026 Status: Draft law published. | ⏳ Not yet transposed Deadline passed (17/10/2024). |
| Romania | ✅ Transposed In force: 31/12/2024 Act: GEO 155 (Amended by Law 124/2025). | ⏳ Not yet transposed Deadline passed (17/10/2024). |
| Slovenia | ✅ Transposed In force: 19/06/2025 Act: Information Security Act. | ⏳ Not yet transposed Deadline passed (17/10/2024). |
| Spain | ⏳ Not yet transposed Status: Infringement proceedings initiated. | ⏳ Not yet transposed Status: Infringement proceedings initiated. |
| Sweden | ⏳ Not yet transposed Expected: 2026 Status: Bill expected Q4 2025. | ⏳ Not yet transposed Deadline passed (17/10/2024). |
How to build a 2026 Underwater Security compliance program with OptiBarrier
In 2026, the fastest path to confidence is to build an Underwater Security program that can answer three questions at any time:
- Do we know what is happening around our critical underwater infrastructure right now across cables, pipelines, offshore wind connections, and port approaches?
- Can we prove what happened with time aligned evidence that supports incident reporting and investigations?
- Can we respond early enough to reduce service disruption, repair cost, and safety risk?
OptiBarrier supports these outcomes through persistent, passive monitoring, high sensitivity sensing, and real time detection workflows that can feed operational response. In the OptiBarrier case study, the system is described as deployable beyond 100 km and capable of building wide area situational awareness with a network of sensing nodes. That architecture matches how many operators think about corridor level Underwater Security rather than point protection.
Speak to our Underwater Security specialists
If you are planning for 2026 NIS2 and CER obligations, or preparing for new subsea cable resilience expectations, we can help you translate regulation into a practical Underwater Security monitoring architecture.
Explore OptiBarrier seabed monitoringTalk to an Underwater Security specialist
