With the introduction of the NIS2 Directive in Italy, companies must prepare for a series of new and stringent cybersecurity measures. This step is essential to respond to the growing digital threats in an increasingly interconnected world, and reflects the need to improve the resilience of critical infrastructure and information networks on a national and European scale.
The European context: why NIS2?
Regulatory evolution to meet new cybersecurity challenges
The NIS2 Directive, officially transposed by Legislative Decree No. 138/2024, represents the evolution of the previous NIS1 Directive, strengthening the already existing regulatory framework. The main reason for this regulatory evolution is the increasing complexity of cyber threats and the growing dependence of modern societies on digital infrastructures and computer networks.
NIS2 applies to a wider range of sectors than NIS1, including not only operators of essential services such as energy, transport and financial infrastructure, but also digital service providers, public administrations, water management and the health sector. This reflects the increasing importance of protecting every sector that provides services that are fundamental to daily life and the economy.
Transposition in Italy
As of 18 October 2024, all Italian companies operating in critical sectors will have to comply with this new regulation. The National Cybersecurity Agency (ACN) has been designated as the body responsible for the supervision and enforcement of the regulations in Italy.
By 31 March 2025, the ACN will complete the identification and official notification of companies subject to the directive, obliging them to comply with the new security measures.
The legislative decree imposes specific obligations on essential and important actors, modulated according to:
- Company size
- Sector to which it belongs
- Degree of exposure to risk
Stakeholders will have to:
- Register on ACN’s dedicated platform.
- Provide up-to-date information on security activities and measures.
The aim is to create a database that enables authorities to effectively monitor and manage the cyber threat landscape.
Obligations and responsibilities for companies
NIS2 introduces stringent obligations for Italian companies, and failure to comply with them can result in very severe penalties. Let us look in detail at some of the main obligations.
a. Risk management
Companies must adopt an IT risk management policy with technical and organizational measures proportionate to the size and level of risk.
b. Incident reporting
Early notification of significant incidents is mandatory: pre-notification within 24 hours and full report within 72 hours to ensure prompt action and transparency.
c. Regular security assessments
Penetration tests and vulnerability assessments must be performed at least every six months to keep systems secure and up-to-date.
d. Supply chain security
Companies must assess supplier risks, ensuring that they meet the same security standards.
e. Ongoing training
Employees, especially managers, must receive continuous training to prevent and respond to cyber attacks.
Sectors involved and distinction between essential and important actors
The NIS2 directive distinguishes between essential actors and important actors, establishing differentiated obligations.
Essential actors
- Energy
- Transport
- Financial infrastructure
- Healthcare
- Water management
Important actors
- Digital services
- Food production
- Waste management
Essential actors are subject to stricter rules and more frequent controls, as their failure would have significant repercussions on the community. However, important actors must also take appropriate measures, as their impairment could still cause serious economic and social damage.
Sanctions for non-compliance
Non-compliance with NIS2 obligations carries severe penalties.
Essential actors
- Up to €10 million or 2% of annual worldwide turnover (whichever is higher).
Important actors
- Up to €7 million or 1.4% of annual worldwide turnover (whichever is higher).
Other coercive measures
- Temporary suspension of certificates or authorizations in case of non-compliance.
- Declaration of unsuitability for members of boards of directors until violations are resolved.
How to prepare for NIS2
For companies, NIS2 compliance requires strategic planning, continuous monitoring and accurate mapping of infrastructure and suppliers to identify vulnerabilities and strengthen security.