General Aspects

1.1 What is the new NIS Directive (Directive 2022/2555)?

Directive (EU) No. 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity in the European Union, also known as the ‘NIS2 Directive’, is the EU’s cybersecurity legislation.

It updates the EU cybersecurity rules introduced in 2016 by modernising and unifying the existing legal framework. It is part of a broad package of legal instruments and initiatives at EU level, aimed at increasing the resilience of public and private actors to threats in the cyber environment.

Entering into force in 2023 with the obligation of transposition in the Member States by 18 October 2024, it was transposed in Italy by Legislative Decree No. 138 of 4 September 2024 (legislative decree – so-called NIS Decree) published in the Official Gazette, General Series No. 230 of 1 October 2024 (see FAQ 1.2).

1.2 When did the new NIS Directive (Directive 2022/2555) come into force in Italy?

With the legislative decree (the so-called NIS Decree), published in the Gazzetta Ufficiale Serie Generale no. 230 of 1 October 2024, Italy implemented the new NIS Directive (see FAQ 1.1), transposing it into national law with effect from 16 October 2024.

1.3 What are the basic elements of the new NIS regulation?

Legislative Decree No. 138/2024 transposing the new NIS Directive (see FAQ 1.2) provides for the repeal of Legislative Decree No. 65/2018, which transposed the previous NIS Directive (Directive 2016/1148). The new NIS legislation aims to ensure an increase in the level of common cybersecurity, thanks to the harmonisation of the rules applicable to the different operators in the different Member States and the strengthening of the standard levels of security compared to those provided by the current regulations.

The main elements of the new NIS regulation are:

  1. the extension of the scope of application compared to the previous NIS regulation.
    The new regulations cover, in particular:
    • more than 80 subject types, grouped into 18 sectors, of which 11 are highly critical sectors (originally 8) and 7 critical sectors (originally none);
    • the subject’s entire ICT infrastructure (originally just networks and systems serving essential services);
  2. the identification of subjects, distinguished between essential and important:
    • an automatic identification mechanism is foreseen on the basis of objective criteria, bringing into the scope of application all entities that fall within the specific types identified by the legislation and that are considered medium-sized or large enterprises (micro and small enterprises, with some exceptions, are out of scope) pursuant to Recommendation 2003/361/EC;
    • identification may also be exercised by the NIS Competent National Authority (see FAQ 1.4), at the proposal of the competent sector authorities (see FAQ 1.5), to include further subjects in the scope of application (so-called governmental identification);
  3. the strengthening of obligations with:
    • the obligation to implement security measures in relation to at least 10 areas, with a multi-risk and proportional approach to the risk posed to the information and network system;
    • a more structured incident reporting process;
    • a strengthening of enforcement, inspection and sanctioning powers. In particular, sanctions are aligned with the GDPR;
  4. the introduction of new instruments, such as:
    • Coordinated Vulnerability Disclosure (CVD);
    • crisis management, especially of a cross-border nature, with the establishment of the Cyber Crisis Liaison Organisation Network (CyCLONe) and the competent national authority for cyber crisis management.

1.4 What is the NIS Competent National Authority and what functions does it perform?

The National Cybersecurity Agency is the NIS Competent National Authority referred to in Article 8(1) of Directive (EU) 2022/2555 and performs several functions under Article 10 of the legislative decree (see FAQ 1.2) including:

    • oversees the implementation and enforcement of the decree;
    • carries out the regulatory functions and activities referred to in the decree, also by adopting guidelines, recommendations and non-binding orientation;
    • draws up and adopts the list of NIS subjects (FAQ 1.12);
    • participates in the NIS Cooperation Group, as well as in the forums and initiatives promoted at EU level for the implementation of the Directive (EU) No. 2022/2555 (FAQ 1.1);
    • defines the obligations (see FAQ 1.9) under Article 7(6) and Chapter IV (Information Security Risk Management and Incident Reporting Obligations);
    • carries out activities and exercises monitoring, supervisory and enforcement powers.

The National Cybersecurity Agency is also the NIS Single Point of Contact under the Directive (EU) No. 2022/2555 (FAQ 1.1), acting as a liaison to ensure cross-border cooperation of national authorities with the relevant authorities of other Member States, the Commission and ENISA.

In addition, the National Cybersecurity Agency (with coordination functions) and the Ministry of Defence are national cyber crisis management authorities.

The National Cybersecurity Agency also operates CSIRT Italy, the national Computer Security Incident Response Team.

1.5 What are the NIS sector authorities and what functions do they perform?

In order to ensure the effective implementation of Legislative Decree No. 138/2024 (see FAQ 1.2) at sector level, NIS Sector Authorities are identified to support and cooperate with the NIS Competent Authority (see FAQ 1.4).

In particular, the NIS authorities:

    • support the functions of the competent national NIS authority with their sectoral expertise;
    • validate the list of NIS subjects for each area of competence and propose possible further governmental identifications;
    • coordinate one or more sectoral tables for the sectors (and/or sub-sectors) under their responsibility.

The NIS Sector Authorities identified by the decree for one or more sectors, sub-sectors and subject types, according to their respective special competences, are the following (as detailed in the attached table):

    • Presidency of the Council of Ministers
    • Ministry of Economy and Finance
    • Ministry of Enterprise and Made in Italy
    • Ministry of Agriculture, Food Sovereignty and Forestry
    • Ministry of the Environment and Energy Security
    • Ministry of Infrastructure and Transport
    • Ministry of University and Research
    • Ministry of Culture
    • Ministry of Health

[Table: Sector authorities]

1.6 What are the obligations under the new NIS regulation and when will they come into force?

The main obligations under the decree concern:

    • registration and updating of information (Article 7);
    • administrative and management bodies (Article 23);
    • obligations regarding IT security measures (Article 24);
    • incident notification requirements (Article 25);
    • for certain types of entities, the obligations regarding the registration database of domain names (Article 29);
    • the categorisation of activities and services (Article 30).

The basic obligations under Article 25 of the decree, which will be regulated by an ACN determination to be adopted by April 2025, must be fulfilled within nine months of receipt of the notice (see FAQ 3.3) of inclusion in the list of essential or important subjects to be sent by ACN.

With reference to the aforementioned obligations, going into more detail:

    • Data recording and updating (Article 7)
      Entities that identify themselves in one of the sectors/sub-sectors/types envisaged by the new NIS legislation (see FAQ 2.1) will have to register on a platform provided by ACN and communicate a set of information including, for example, their company name, address and updated contact details, the designation of a point of contact indicating its role/qualification with the entity. Where possible, entities should also select one or more of the sectors/sub-sectors in which they operate, from among those in Annexes I, II and III, and the relevant type of entity with which they identify themselves from among those in Annexes I, II, III and IV.
      The data collected will be used to constitute the list of NIS subjects, by 31 March 2025 (see FAQ 3.3), also in order to provide the relevant statistics to the EU Commission in April 2025.
    • Administrative and management bodies (Article 23)
      Precise responsibilities are identified for the subject’s governing bodies, which approve and supervise the implementation of the measures, as well as being responsible for any violations.
    • Obligations concerning IT security measures (Article 24)
      Essential and important entities shall take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of the information and network systems they use in their activities or in the provision of their services, and to prevent or minimise the impact of incidents. These measures are based on a multi-risk approach, aimed at protecting information and network systems as well as their physical environment from incidents, and include at least the following elements:
      • risk analysis and security policies for information and network systems;
      • incident management, including the procedures and tools for making notifications;
      • business continuity, including backup management, disaster recovery where possible, and crisis management;
      • security of the supply chain, including security aspects concerning the relationship between each entity and its direct suppliers or service providers;
      • security of the acquisition, development and maintenance of information and network systems, including vulnerability management and disclosure;
      • policies and procedures to assess the effectiveness of information security risk management measures;
      • basic hygiene practices and computer security training;
      • policies and procedures regarding the use of cryptography and, where appropriate, encryption;
      • security and reliability of personnel, access control policies and asset management;
    • Incident notification obligations (Article 25)
      Essential and important actors must notify CSIRT Italia, without undue delay, of any incident that has a significant impact on the provision of their services.
      For the purposes of notification, interested parties shall transmit to the CSIRT Italy:
      • without undue delay, and in any case within 24 hours after they have become aware of the significant incident, a pre-notification indicating, where possible, whether the significant incident can be considered to be the result of unlawful or malicious acts or to have a transboundary impact;
      • without undue delay, and in any case within 72 hours (24 hours in the case of a trust service provider) after they have become aware of the significant incident, a notification of the incident that, where possible, updates the information already provided in the pre-notification and indicates an initial assessment of the significant incident, including its severity and impact, as well as, where available, indicators of compromise;
      • a final report within one month of the transmission of the incident notification.
    • Domain name registration database (Article 29)
      TLD registry operators and domain name registration service providers collect and maintain accurate and complete domain name registration data in a database with due diligence, in accordance with European Union data protection law.

1.7 What are the main deadlines?

    • [SUBJECTS] Registration on the ACN platform (Article 7(1), Article 42(1)(a)):
      • by 17 January 2025 for domain name system service providers, top-level domain name registry operators, domain name registration service providers, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, online search engines and social network service platforms that fall within the scope of the decree (see FAQ 2.1);
      • by 28 February 2025 for all other entities covered by the decree (see FAQ 2.1).
    • [NIS COMPETENT NATIONAL AUTHORITY] By mid-April 2025:
      • establishment of the list of NIS subjects and notification of their inclusion (Article 7(2) and (3));
      • adoption of basic obligations regarding IT security measures and incident reporting.
    • [SUBJECTS] By mid-May 2025, timely transmission and update (no later than 14 days after the change) of the information of the NIS subjects (Article 7(4), (5) and (7)).
    • [SUBJECTS] By January 2026 (within 9 months of receipt of the NIS listing notification), fulfilment of the basic incident notification obligations.
    • [SUBJECTS] By October 2026 (within 18 months of receipt of the NIS listing notification), fulfilment of basic IT security obligations.

Scope

2.1 Which sectors and subjects are covered?

The Legislative Decree No. 138/2024 (NIS Decree) transposing the new NIS Directive (see FAQ 1.2) indicates in Article 3 its scope of application. In particular, it covers public and private entities of the types listed in Annexes I, II, III and IV, which are subject to national jurisdiction pursuant to Article 5.

Annex I of the decree lists the highly critical sectors.

Annex II lists the other critical sectors.

Annex III lists the categories of public administrations to which the decree applies.

Annex IV lists the additional types of subjects to which the decree applies following government identification (see below).

Most public and private entities fall within the scope of application on the basis of the criteria (size and type of entity) laid down in the decree, while a limited number of further entities may be included in the scope as a result of identification by the competent national NIS authority, on the proposal of the competent sectoral authorities.

In particular, public and private entities that, according to Article 3, fulfil the following criteria fall within the scope of the NIS decree:

    • belong to the types listed in Annexes I and II and exceed the ceilings for small enterprises (i.e. they are at least medium-sized enterprises) according to Article 2(2) of the Annex to Recommendation 2003/361/EC;
    • regardless of their size (i.e. also micro and small enterprises) are:
      • identified as critical entities pursuant to Legislative Decree 134/2024 implementing Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 (CER Directive – Resilience of Critical Entities);
      • providers of public electronic communications networks or publicly available electronic communications services (Annex I);
      • trust service providers (Annex I);
      • TLD registry operators and domain name system service providers (Annex I);
      • providers of domain name registration services (Annex II);
      • public administrations referred to in Article 1(3) of Law No 196 of 31 December 2009, included in the categories listed in Annex III;
      • enterprises associated or affiliated with an essential or important entity that fulfil at least one of the following criteria:
        • take decisions or exercise a dominant influence on decisions concerning the cybersecurity risk management measures of an important or essential entity;
        • own or operate information and network systems on which the provision of services of the important or essential entity depends;
        • perform IT security operations of the important or essential subject;
        • provide ICT or security services, including managed services, to the important or essential party.

These subjects will have to recognise themselves on the basis of the above-mentioned criteria, self-identify and make themselves known to the competent national NIS authority through the appropriate registration on the digital platform made available by ACN (Article 7(1)).

In addition, the NIS Competent National Authority (NCA), on the proposal of the sector authorities, may identify:

    • on the basis of a risk assessment:
      • entities providing local public transport services (Annex IV);
      • educational institutions carrying out research activities (Annex IV);
      • entities carrying out activities of cultural interest (Annex IV);
      • in-house companies, investee companies and publicly controlled companies, as defined in Legislative Decree No. 175 of 19 August 2016 (Annex IV);
    • additional entities, irrespective of their size, belonging to the sectors or types listed in Annexes I, II, III and IV that fulfil at least one of the following criteria:
      • the entity had already been identified as an operator of essential services pursuant to Legislative Decree No. 65 of 18 May 2018 (NIS) i.e. prior to the date of entry into force of the decree transposing NIS2;
      • the entity is the sole national provider of a service essential for the maintenance of basic social or economic activities;
      • a disruption of the service provided by the entity could have a significant impact on public safety, public security or public health;
      • a disruption of the service provided by the entity could entail a significant systemic risk, particularly for sectors where such a disruption could have a cross-border impact;
      • the entity is critical because of its particular national or regional importance for that particular sector or type of service or for other independent sectors in the territory of the State;
      • the entity is considered critical within the meaning of this decree as a systemic element of the supply chain, including digital, of one or more entities considered essential or important.

Such entities, upon completion of the identification procedure under Article 3(13), will receive a specific notification from the NIS Competent National Authority and will subsequently have to register on the ACN platform (Article 7(1)) (see FAQ 1.6, 3.1 and 3.2).

2.2 What is the difference between essential and important subjects?

Depending on the level of inherent criticality of sectors and types of actors in relation to cyber risk, pursuant to Article 6 of the legislative decree (NIS decree) transposing the new NIS Directive (see FAQ 1.2), entities are distinguished between ‘essential’ and ‘important’. This distinction is useful for the proportional application of the obligations as well as for the exercise of the inspection and sanctioning powers of the competent national NIS authority.

These are considered essential:

    • entities listed in Annex I that exceed the ceilings for medium-sized enterprises set out in Article 2(1) of the Annex to Recommendation 2003/361/EC;
    • regardless of their size, those identified as critical actors under the legislative decree transposing Directive (EU) 2022/2557;
    • providers of public electronic communications networks and providers of publicly available electronic communications services referred to in Article 3(5)(b), which are considered to be at least medium-sized enterprises within the meaning of Article 2 of the Annex to Recommendation 2003/361/EC;
    • regardless of their size, qualified trust service providers and operators of top-level domain name registries, as well as domain name system service providers referred to in Article 3(5)(c) and (d);
    • regardless of their size, the central public administrations listed in Annex III (a);
    • any subjects identified by the NIS Competent Authority. Such subjects will receive a specific identification notification.

All other subjects within the scope of the decree that are not considered essential are considered important.

Find out the areas of scope divided according to sectors, sub-sectors or types of subjects.

2.3 How do I know if I am a large, medium or small enterprise?

For the definition of medium-sized enterprises, reference should be made to the size requirements set out in Article 2(1) of the Annex to Recommendation 2003/361/EC as well as, more specifically, to the User’s Guide to the SME Definition (published by the European Commission in 2020).

By comparing its data with the thresholds set by the aforementioned guidelines, an enterprise can determine whether it is a micro, small or medium-sized enterprise.

Micro-enterprises are defined as enterprises with fewer than 10 employees and either an annual turnover or an annual balance sheet total not exceeding EUR 2 million.

Small enterprises are defined as enterprises with fewer than 50 employees and either an annual turnover or an annual balance sheet total not exceeding EUR 10 million.

Medium-sized enterprises are defined as enterprises with fewer than 250 employees and either an annual turnover not exceeding EUR 50 million or an annual balance sheet total not exceeding EUR 43 million.

It should be noted that the headcount criterion and at least one of the two accounting parameters (turnover or balance sheet total) must always be met; it is sufficient that one of the two accounting parameters falls within the size thresholds. If both accounting parameter values are exceeded, the enterprise falls into the higher size category. For example, if both the EUR 50 million turnover and the EUR 43 million annual balance sheet total are exceeded, the enterprise falls into the large enterprise category regardless of the number of employees.

The recommendation states that the calculation of the number of staff, turnover and balance sheet should take into account associated or affiliated enterprises (Article 6(2)).

If the entity considers this to be disproportionate – also taking into account its independence from its associated or affiliated undertakings in terms of the services it provides and the information and network systems it uses in the provision of those services – it may apply for an exemption under Article 3(4) of the NIS Decree, subject to the specific criteria set out in the Prime Ministerial Decree on the application of the escape clause, adopted pursuant to Article 40(1)(a) of the NIS Decree.

Registration

3.1 Who has to register on the ACN platform?

Entities that identify themselves in one of the sectors/sub-sectors/types (see FAQ 2.1) under the new NIS regulation (Legislative Decree No. 138/2024) and, where required, meet the size requirements expressly laid down in Article 3 thereof.

3.2 What are the deadlines for registration on the ACN platform?

Entities that identify themselves in one of the sectors/sub-sectors/types (see FAQ 2.1) under the new NIS regulation (Legislative Decree No. 138/2024) will have to register on ACN’s platform from 1 January to 28 February of each year following the effective date of the decree – thus already by 28 February 2025 – with the exception of domain name system service providers, top-level domain name registry operators, domain name registration service providers, providers of cloud computing services, providers of data center services, providers of content delivery networks, providers of managed services, providers of managed security services, as well as providers of online marketplaces, online search engines and social networking service platforms that fall within the scope of the decree (see FAQ 2.1), for which registration is required by 17 January 2025.

In the first application phase, in order to facilitate subjects, it will be possible to start the registration process as early as 1 December 2024.

3.3 Will I be an NIS subject after registering on ACN’s platform?

Public administrations and public or private entities that fall within the scope of Legislative Decree 138/2024 (NIS Decree) are NIS entities irrespective of registration and are therefore obliged to comply with the obligations under the relevant decree, starting with the registration itself.

The registration of a subject on the ACN platform is then subject to an analysis phase. By 31 March 2025, the Agency, as the NIS Competent Authority, will notify the subject of any inclusion in the list of essential or important subjects.

The registration, at the same time, is necessary to constitute the list of NIS subjects to be adopted by the Agency, as the NIS Competent National Authority, by 31 March 2025. In April 2025, the NIS Competent National Authority will notify all registered entities, at their digital domicile, whether or not they are on the list.

This process, in establishing a direct channel of communication between registered entities and the competent national NIS authority, also provides further clarity as to whether or not an entity falls within the scope of the NIS decree.

3.4 What are the criteria for designating the Contact Point?

The point of contact is the legal representative or his general attorney or a delegated employee of the subject.

In the latter case, during registration, the point of contact shall upload the legal title delegating it to act on behalf of the entity in the NIS context. As a legal title, a proxy of the legal representative is sufficient, which may be ad-hoc (Suggested template) or even a more extensive pre-existing proxy.

For public administrations, it is possible to designate the employee of another public administration falling within the scope of the NIS decree as the point of contact.

Similarly, entities that are part of a group of undertakings may designate as a point of contact the employee of another undertaking that falls within the scope of the NIS decree and that is part of the same group of undertakings.

The contact point is in charge of the implementation of the provisions of the NIS decree on behalf of the NIS actor, starting with the registration, and liaises, on behalf of the NIS actor, with the competent national NIS authority.

3.5 What information is required for registration?

Registration consists of three steps: the census of the contact point, its association with the NIS subject and the filling in of the declaration.

  1. For the point of contact census phase, the following data will need to be verified or provided:
    1. first and last name;
    2. place and date of birth;
    3. fiscal code;
    4. citizenship;
    5. Country of residence and, where required, domicile;
    6. ordinary email address, preferably individual, as well as service, corporate, or professional one;
    7. where available, a certified e-mail address, preferably individual, as well as a service, business or professional e-mail address;
    8. telephone number, preferably individual, as well as service, business or professional;
    9. where available, an alternative telephone number, preferably individual, as well as service, business or professional.
  2. For the phase of associating the Point of Contact with the NIS subject, it will be necessary to have the tax identification number of the latter. In addition, if the Point of Contact is not the legal representative of the entity or its attorney general registered in the Commercial Register, it will be necessary to upload the legal title delegating him/her to act on behalf of the entity.
  3. For the compilation of the declaration phase, it will be necessary to have:
    1. the list of ATECO codes characterising the activities carried out and the services provided by the entity, with particular reference to the scope of the NIS decree;
    2. the list of the sectoral European regulations cited by the NIS decree to delimit its scope that apply to the subject;
    3. the number of employees, turnover and balance sheet of the entity. Where the entity is not an autonomous enterprise, the number of employees, turnover and balance sheet of the entity calculated in accordance with Recommendation 2003/361/EC, in particular Article 6(2) of the Annex to that Recommendation;
    4. the list of subject types set out in Annexes I, II, III and IV, to which the subject can be traced;
    5. self-assessment of the subject as essential, important or out-of-scope, based on the provisions of Articles 3 and 6 of the NIS decree.

For entities that are not autonomous enterprises (i.e. have affiliated or associated enterprises and/or are part of a group of enterprises), it will also be necessary to provide the information indicated in FAQ 3.7 during registration.

3.6 For Annex III public administrations, does anything change in the registration process?

Public administrations, in line with the provisions of Law 90/2024 in relation to the cyber-security contact person, have the option to designate an employee of another public administration falling within the scope of the NIS decree as the contact point.

If the same natural person is designated as a contact point for several public administrations falling within the scope of the NIS decree, the association and registration phase will have to be repeated for each NIS subject.

3.7 For entities that are not autonomous enterprises (i.e. have affiliated or associated enterprises and/or are part of a group of enterprises), does anything change in the registration process?

With regard to the designation of the point of contact, in order not to impose any radical changes in the governance of IT security, entities that are part of a group of undertakings within the meaning of Article 1(1)(u) of Determination 38565/2024 may designate as point of contact the employee of another undertaking that falls within the scope of the NIS decree and is part of the same group of undertakings.

Therefore, for example:

  1. In groups of companies in which the governance of IT security is decentralised, the entities within the group may each designate one of their employees as point of contact;
  2. In groups of companies where the governance of cybersecurity is centralised, the entities that are part of the group may all designate an employee of the group structure governing cybersecurity as the point of contact, or each designate their own employee as the point of contact who will coordinate with the group structure governing cybersecurity.

If the same natural person is designated as the contact point for all or some of the NIS subjects of the group of enterprises, the association and registration step will have to be repeated for each NIS subject.

In addition, with reference to the registration of entities that are not autonomous enterprises within the meaning of Article 1(1)(t) of Determination 38565/2024, the following additional information will be required with respect to the information set forth in FAQ 3.5:

  1. the fiscal code and company name of the group leader, if the entity belongs to a group and is not the group leader;
  2. the fiscal code and company name of all affiliated companies, within the meaning of Determination 38565/2024, Article 1, paragraph 1, letter s), which fulfil at least one of the criteria set out in Article 3, paragraph 10 of Legislative Decree 138/2024 (NIS Decree) in respect of the subject;
  3. the fiscal code and company name of all affiliated undertakings which, to the best of its knowledge, are themselves NIS entities within the meaning of Determination 38565/2024, Article 1, paragraph 1, letter s), in respect of which the entity meets at least one of the criteria set out in Article 3, paragraph 10 of Legislative Decree 138/2024 (NIS Decree);
  4. the number of employees, turnover and balance sheet of the entity calculated in accordance with Recommendation 2003/361/EC, with particular regard to Article 6(2) of the Annex to that Recommendation.

Finally, with regard to this last point, should this party consider the application of Article 6(2) of the Annex to Recommendation 2003/361/EC disproportionate, it will also be necessary to provide:

  1. the number of employees, turnover and balance sheet of the entity calculated in accordance with Recommendation 2003/361/EC, without taking into account Article 6(2) of the Annex to that Recommendation;
  2. the assessment of the degree of independence (partial or no independence) of the organisation’s NIS information and network systems from the information and network systems of related enterprises. NIS activities and services mean the activities and services for which the organisation falls within the scope of the NIS decree. NIS information and network systems means the information and network systems that enable NIS activities and services;
  3. the assessment of the degree of independence (partial or no independence) of the organisation’s NIS activities and services from the activities and services of related enterprises;
  4. the answer (yes, partly, no) to the following questions:
    1. Do the information and network systems of the affiliated companies contribute to the organisation’s NIS information and network systems?
    2. Do the activities and services of related companies contribute to the NIS activities and services of the organization?
    3. Are related companies essential in the supply chain, including digital, of the organization?

Other topics

A. What is EU-CyCLONe and what tasks does it perform?

The EU Cyber Crises Liaison Organisation Network (EU-CyCLONe) is a cooperation network for the national authorities of the Member States responsible for cyber crisis management. The network was launched in 2020 and formalized following the entry into force of NIS2.

EU-CyCLONe is composed of representatives of the Member States’ cyber crisis management authorities and, in cases where a potential or ongoing large-scale cyber security incident has or may have a significant impact on the services and activities covered by the new NIS Directive, also by the Commission. In other cases, the Commission participates in EU-CyCLONe activities as an observer.

The main tasks of EU-CyCLONe are:

    • support the coordinated management of large-scale cyber incidents and crises at operational level and ensure the regular exchange of relevant information between Member States and Union institutions, bodies, offices and agencies;
    • increase the level of preparedness for large-scale IT incident and crisis management;
    • develop shared situational awareness for large-scale cyber incidents and crises;
    • assess the consequences and impact of large-scale cyber incidents and crises and propose possible mitigation measures;
    • coordinate the management of large-scale IT incidents and crises and support decision-making at the political level in relation to such incidents and crises;
    • discuss, at the request of an affected Member State, national plans for responding to large-scale cyber incidents and crises.
