With the introduction of the NIS2 Directive in Italy, companies must prepare for a series of new and stringent cybersecurity measures. This step is essential to respond to the growing digital threats in an increasingly interconnected world, and reflects the need to improve the resilience of critical infrastructure and information networks on a national and European scale.
The European context: why NIS2?
Regulatory evolution to meet new cybersecurity challenges
The NIS2 Directive, officially transposed by Legislative Decree No. 138/2024, represents the evolution of the previous NIS1 Directive, strengthening the already existing regulatory framework. The main reason for this regulatory evolution is the increasing complexity of cyber threats and the growing dependence of modern societies on digital infrastructures and computer networks.
NIS2 applies to a wider range of sectors than NIS1, including not only operators of essential services such as energy, transport and financial infrastructure, but also digital service providers, public administrations, water management and the health sector. This reflects the increasing importance of protecting every sector that provides services that are fundamental to daily life and the economy.
Transposition in Italy
As of 18 October 2024, all Italian companies operating in critical sectors will have to comply with this new regulation. The National Cybersecurity Agency (ACN) has been designated as the body responsible for the supervision and enforcement of the regulations in Italy.
By 31 March 2025, the ACN will complete the identification and official notification of companies subject to the directive, obliging them to comply with the new security measures.
The legislative decree imposes specific obligations on essential and important actors, modulated according to:
- Company size
- Sector to which it belongs
- Degree of exposure to risk
Entities in scope will have to:
- Register on ACN’s dedicated platform.
- Provide up-to-date information on security activities and measures.
The aim is to create a database that enables authorities to effectively monitor and manage the cyber threat landscape.
Obligations and responsibilities for companies
NIS2 introduces stringent obligations for Italian companies, and failure to comply with them can result in very severe penalties. Let us look in detail at some of the main obligations.
Risk management: Companies must adopt an IT risk management policy with technical and organisational measures proportionate to the size and level of risk.
Incident reporting: Early notification of significant incidents is mandatory: a pre-notification within 24 hours and a full report within 72 hours, to ensure prompt action and transparency.
Regular security assessments: Penetration tests and vulnerability assessments must be performed at least every six months to keep systems secure and up-to-date.
Supply chain security: Companies must assess supplier risks, ensuring that suppliers meet the same security standards.
Ongoing training: Employees, especially managers, must receive continuous training to prevent and respond to cyber attacks.
Sectors involved and distinction between essential and important actors
The NIS2 directive distinguishes between essential actors and important actors, establishing differentiated obligations:
Essential actors:
- Energy
- Transport
- Financial Infrastructure
- Healthcare
- Water management
Important actors:
- Digital services
- Food production
- Waste Management
Essential actors are subject to stricter rules and more frequent controls, as their failure would have significant repercussions on the community. However, important actors must also take appropriate measures, as their impairment could still cause serious economic and social damage.
Sanctions for non-compliance
Non-compliance with NIS2 obligations carries severe penalties:
Essential actors:
- Up to €10 million or 2% of annual worldwide turnover (whichever is higher).
Important actors:
- Up to €7 million or 1.4% of annual worldwide turnover (whichever is higher).
Other coercive measures:
- Temporary suspension of certificates or authorisations in case of non-compliance.
- Declaration of unsuitability for members of boards of directors until violations are resolved.
How to prepare for NIS2
For companies, NIS2 compliance requires strategic planning, continuous monitoring and accurate mapping of infrastructure and suppliers to identify vulnerabilities and strengthen security.
NIS 2 - FAQ
For further information on frequently asked questions related to the NIS 2 directive, please visit our dedicated page.
Rexilience offers SG-NIS2, the NIS2 Management System, to achieve and maintain regulatory compliance over time.
Rexilience is at the side of companies to support them in complying with this regulation. We offer services of:
- Vulnerability assessment
- Penetration testing
- IT risk management advisory
Thanks to our experience, we help companies implement advanced solutions for the protection of their critical infrastructures, ensuring compliance with NIS2 and avoiding the risk of sanctions.
With the coming into force of NIS2, cyber security is no longer just a technological priority, but a responsibility that involves the entire corporate structure. The future of security depends on proactive protection and an integrated approach to cyber risk management.