Key data
| Regulation | Amendment to Delegated Regulation (EU) 2026/881 — complements Regulation (EU) 2024/2847 |
|---|---|
| Publication | June 9, 2026 |
| Entry into force | April 20, 2026 (date of the original amended text) |
| Affected parties | Companies and entities required to report cybersecurity incidents under EU regulations |
| Category | Data Protection / Cybersecurity |
| Year | 2026 |
| Official source | OJ:L_202690449 — EUR-Lex |
If your company is required to report cybersecurity incidents under European regulations, this change affects you right now. The Delegated Regulation (EU) 2026/881, which complements the Regulation (EU) 2024/2847, has been subject to a formal amendment published on June 9, 2026, with effect from April 20, 2026. The text adjusts formal errors in the original and clarifies the modalities and conditions under which an entity can invoke cybersecurity grounds to defer public disclosure of an incident notification.
This is not a brand new regulation, but rather an amendment that refines the already-applicable framework. But that does not make it any less relevant: any misalignment between your internal procedures and the amended text can create compliance issues when you need to manage a real incident.
What does this regulation establish?
The Regulation (EU) 2024/2847 establishes the general cybersecurity framework applicable to certain entities in the EU, including the obligation to report significant incidents. The Delegated Regulation (EU) 2026/881 complements it by setting specific rules on when and how public disclosure of those notifications can be deferred on cybersecurity grounds.
The amendment published on June 9, 2026 corrects formal errors in the original text published on April 20, 2026. The key elements regulated by this regulation are:
- Modalities for invoking cybersecurity grounds: the specific conditions are defined under which an entity can justify deferring public disclosure of an incident notification.
- Conditions for deferral: not every incident or justification is valid; the regulation delimits the scope of what is considered a legitimate cybersecurity ground.
- Notification procedures: entities must ensure that their internal protocols reflect the updated requirements following the amendment.
- Responsible parties: both cybersecurity teams and compliance officers (compliance officers, DPOs) must know and apply the amended text.
| Regulatory element | Detail |
|---|---|
| Base regulation | Regulation (EU) 2024/2847 of the European Parliament and of the Council |
| Amended delegated regulation | Delegated Regulation (EU) 2026/881 of the Commission, of December 11, 2025 |
| Subject of the amendment | Adjustment of formal errors in the original text published on April 20, 2026 |
| Matter regulated | Modalities and conditions for invoking cybersecurity grounds in deferring incident notifications |
| Publication date of the amendment | June 9, 2026 |
| Date of the original text | April 20, 2026 |
Economic and operational impact
This amendment does not introduce new direct economic burdens (there are no fees, fines, or new amounts established in the amended text). However, its operational impact is real and can translate into significant indirect costs if not managed correctly:
- Review of internal procedures: cybersecurity and compliance teams must review and, if necessary, update incident notification protocols to align with the amended text. This involves time commitment from specialized personnel.
- Risk of non-compliance: operating with procedures based on the original text with formal errors—rather than the amended text—can create compliance vulnerabilities in an audit or real incident.
- Management of breach communication: deferring public disclosure of notifications is a decision with legal, reputational, and operational implications. Incorrectly applying deferral conditions can expose the entity to liability.
- Internal training: compliance officers and cybersecurity teams must be familiar with the updated text, which may require training update sessions.
Who does it affect?
- Companies and entities required to report cybersecurity incidents under Regulation (EU) 2024/2847.
- Compliance officers who oversee incident notification protocols.
- Data Protection Officers (DPO) in entities subject to notification obligations.
- Cybersecurity teams that manage detection, response, and communication of breaches or incidents.
- Chief Information Security Officers (CISO) responsible for incident response protocols.
- Legal advisors and consultants who support entities in complying with European cybersecurity regulations.
- Entities in critical or essential sectors already within the scope of EU cybersecurity regulations.
Practical example
Imagine a digital infrastructure company that detects a significant cybersecurity incident. Under Regulation (EU) 2024/2847, it is obligated to report it. However, its security team believes that publicly disclosing the notification immediately could worsen the incident or facilitate further attacks.
To defer that public disclosure, the company must invoke cybersecurity grounds following exactly the modalities and conditions established by Delegated Regulation (EU) 2026/881—in its amended version, published on June 9, 2026—. If the company's internal procedures are based on the original text with formal errors, the justification for deferral might not meet current requirements, exposing the entity to regulatory non-compliance.
The amendment ensures that the applicable text contains the precise and formally correct conditions. That is why reviewing internal procedures against the amended text is not optional: it is the difference between a validly justified deferral and one that is not.
What should companies do now?
- Locate and read the amended text: access the official text of the amendment on EUR-Lex and compare it with the original Delegated Regulation (EU) 2026/881 to identify exactly what formal errors have been corrected.
- Review internal incident notification procedures: compare current protocols with the requirements of the amended text, especially regarding conditions for invoking cybersecurity grounds and deferring public disclosure.
- Update internal documentation: if procedures reference the original text, update them to reflect the amended version in force since April 20, 2026.
- Inform the teams involved: ensure that the cybersecurity team, DPO, compliance officer, and CISO are aware of the content of the amended text and its practical implications.
- Verify alignment with Regulation (EU) 2024/2847: confirm that notification procedures comply with both the base regulation and the amended delegated regulation.
- Consult with specialized legal counsel if there are doubts about the scope of formal changes or how they affect already-established notification procedures.
Frequently asked questions
What exactly does Delegated Regulation (EU) 2026/881 amend?
The amendment published on June 9, 2026 adjusts formal errors in the original text of Delegated Regulation (EU) 2026/881, published on April 20, 2026. This regulation complements Regulation (EU) 2024/2847 and establishes the modalities and conditions for invoking cybersecurity grounds when deferring public disclosure of incident notifications. The corrected errors are formal in nature, but the amended text is the one with legal validity.
When does this amendment enter into force and from when does it apply?
The amendment was published on June 9, 2026. However, the text it amends—Delegated Regulation (EU) 2026/881—has April 20, 2026 as its reference date, which is the date of the original text. Companies should consider the amended text as the one in force from that date.
Which companies are required to comply with this regulation?
Companies and entities required to report cybersecurity incidents under Regulation (EU) 2024/2847 of the European Parliament and of the Council. This includes especially entities in critical or essential sectors, as well as any organization subject to incident notification obligations under applicable EU cybersecurity regulations.
What happens if my company does not update its notification procedures?
Operating with procedures based on the original text with formal errors—rather than the amended text—can create compliance vulnerabilities. In the event of a real incident, if deferral of public disclosure is not justified in accordance with the conditions of the amended text, the entity may be exposed to regulatory non-compliance with the resulting liabilities. It is recommended to review and update internal procedures without delay.
Who within the company should manage compliance with this regulation?
The primary responsible parties are the compliance officer, the Data Protection Officer (DPO), and the Chief Information Security Officer (CISO). Cybersecurity teams that manage detection and communication of breaches or incidents must also be familiar with the content of the amended text and apply it in their incident response protocols.
Official source
Consult the complete regulation at official source
Disclaimer: This article is for informational purposes only and does not constitute legal advice. For specific decisions, consult a qualified professional. Source: https://eur-lex.europa.eu/./legal-content/AUTO/?uri=OJ:L_202690449