With the introduction of the NIS2 Directive in Italy, companies must prepare for a series of new and stringent cybersecurity measures. This step is essential to respond to the growing digital threats in an increasingly interconnected world, and reflects the need to improve the resilience of critical infrastructure and information networks on a national and European scale.
The European context: why NIS2?
Regulatory evolution to meet new cybersecurity challenges
The NIS2 Directive, officially transposed by Legislative Decree No. 138/2024, represents the evolution of the previous NIS1 Directive, strengthening the already existing regulatory framework. The main reason for this regulatory evolution is the increasing complexity of cyber threats and the growing dependence of modern societies on digital infrastructures and computer networks.
NIS2 applies to a wider range of sectors than NIS1, including not only operators of essential services such as energy, transport and financial infrastructure, but also digital service providers, public administrations, water management and the health sector. This reflects the increasing importance of protecting every sector that provides services that are fundamental to daily life and the economy.
Transposition in Italy
As of 18 October 2024, all Italian companies operating in critical sectors will have to comply with this new legislation. The Agency for National Cybersecurity (ACN) has been designated as the body responsible for supervising and enforcing the standards in Italy. By 31 March 2025, the ACN will complete the identification and official notification of companies subject to the directive, obliging them to comply with new security measures
The legislative decree imposes specific obligations on subjects qualified as essential or important, which vary according to the size of the company, the sector it belongs to, and the degree of risk exposure. These actors will have to register on a dedicated platform of the ACN and provide up-to-date information on their activities and the security measures implemented. The aim is to create a database that allows authorities to effectively monitor and manage the cyber threat landscape.
Obligations and responsibilities for companies
NIS2 introduces stringent obligations for Italian companies, and failure to comply with them can result in very severe penalties. Let us look in detail at some of the main obligations.
Risk management: Every company must adopt an IT risk management policy. This means that appropriate technical and organisational measures must be implemented to mitigate the risks posed to the security of networks and systems. These measures must be proportionate to the size of the company and the level of risk to which it is exposed.
Incident reporting: One of the key aspects of NIS2 is the obligation to promptly notify any incident that has a significant impact on the continuity of services. Companies will have to send a pre-notification within 24 hours of discovering the incident and provide a full report within 72 hours. This process ensures that the authorities can intervene quickly and that there is greater transparency in incident management.
Regular security assessments: Companies must conduct regular penetration tests and vulnerability assessments to identify and address any weaknesses in their IT systems. These tests should be performed at least every six months to ensure that systems remain secure and up-to-date against the latest threats.
Supply chain security: In addition to protecting their own systems, companies must assess the risks associated with external suppliers and the supply chain. This means that any partner or supplier that manages or has access to the company’s data must adhere to the same security standards.
Ongoing training: Employees, especially managers, must receive ongoing training in cybersecurity. This obligation ensures that staff are prepared to prevent and respond to cyber attacks, reducing the risk of behaviour that could expose the company to threats.
Sectors involved and distinction between essential and important actors
The NIS Directive2 makes a distinction between essential and important actors. The former include critical sectors such as energy, transport, financial infrastructure, health, and water management, while the latter include sectors such as digital services, food production, and waste management. This classification determines the intensity of the obligations with which companies must comply.
Major players are subject to stricter rules and more frequent controls, as their failure would have significant repercussions on the community. However, important players must also take appropriate measures, as their impairment could still cause serious economic and social damage.
Sanctions for non-compliance
Non-compliance with the obligations under NIS2 carries heavy penalties. For essential actors, fines can be up to EUR 10 million or 2 per cent of annual worldwide turnover, whichever is higher. For major players, penalties can be as high as EUR 7 million or 1.4 per cent of turnover.
In addition to economic sanctions, the decree also provides for other coercive measures, such as the temporary suspension of certificates or authorisations in the event of non-compliance. In addition, members of boards of directors may be declared unfit to hold management positions until the violations are resolved.
How to prepare for NIS2
For companies, complying with NIS2 requires strategic planning and ongoing commitment. In addition to implementing mandatory security measures, it is crucial to establish internal processes for ongoing monitoring and review. Organisations should carefully map their technology infrastructure and vendor relationships to identify any vulnerabilities and strengthen security systems.
Rexilience is here
Rexilience is at the side of companies to support them in complying with this regulation. We offer vulnerability assessment, penetration testing and cyber risk management consulting services. Thanks to our experience, we help companies implement advanced solutions for the protection of their critical infrastructure, ensuring compliance with NIS2 and reducing the risk of penalties.
With NIS2 coming into force, cyber security is no longer just a technological priority, but a responsibility that involves the entire corporate structure. The future of security depends on proactive protection and an integrated approach to cyber risk management.