Fabio Lauria

NIS2 Directive: opportunity or obstacle for Italian companies?

May 16, 2025

Introduction: a new paradigm of information security

The NIS2 Directive, which entered into force on January 17, 2023 (October 16 in Italy), represents a profound change from the previous NIS Directive. This regulatory framework aims to create a common cyber strategy for all member states of the European Union, with the main objective of raising the security level of digital services throughout the EU.

The season of implementing the European NIS2 directive has officially begun, representing a more than significant change in the approach to information security management.

The communication effort of the National Cybersecurity Agency (ACN) is welcome: it places the repressive and sanctioning side of the process second to the promotion of active participation. Even so, it is clear that implementing the goals of the Directive cannot be reduced to formal deference to a security management system, what is commonly referred to as "paper security". It requires a substantive effort to set concrete and sustainable security goals.

The expansion of the perimeter: who is involved in NIS2

The NIS2 directive is a significant step toward greater cybersecurity and shared resilience at the European level. When it comes to regulations and directives, many companies see compliance as the end goal: something they must satisfy by meeting minimum requirements. It should instead be seen as the starting point for achieving higher levels of cybersecurity.

The NIS2 Directive stems from a major overhaul of the NIS and marks another important step toward fully defining the European cyber strategy, preparing appropriate coordinated and innovative responses by member states to ensure continuity of digital services in the event of security incidents.

NIS2 significantly broadens the scope from the previous NIS Directive to include such crucial sectors as waste management, transportation, the food industry, drinking water supply and distribution, digital infrastructure, public administration, manufacturing, research and development of medicines and medical devices, and the space sector.

Legislative Decree 138/2024, which transposes the NIS2 Directive into our law, stipulates that the provisions will apply as of October 16, 2024.

The regulations will not apply to small businesses unless the entity is identified as "critical" under the RCE Directive, a provider of public electronic communications networks, a trust service provider, or falls into other specific categories considered essential.

NIS2 also applies to companies with fewer than 50 employees if they provide an essential service in a member state, if their service is crucial to public safety, security or health, or if they are part of the supply chain of an essential or important company.

The main critical issues for enterprises

1. Complexity of the layered model and classification problems

This operational complexity is reflected in the Italian legislature's choice to design a "layered" model. The first layer is the standard one, i.e., the essential or important entities that exceed the size limits for small businesses. The second layer consists of those entities that, regardless of their size or volume of business, fall into specific prescribed categories.

A significant problem concerns the actual measurement of the size aspect, due to the reference to the notion of "related enterprises" on which, in the business world, there is not always absolute clarity of vision.

Under this notion, two or more enterprises are treated as linked regardless of whether they ever intended to form a formalized group. The consequence is that entities which, considered individually, would fall below the size limits set by the rule are nonetheless excluded from the category of small and medium-sized enterprises.

2. Economic and organizational burdens

When we descend from the ideal of the process to its concrete application, the picture is rather different: the rules collide with the economic structure of a country whose productive fabric consists largely of small and medium-sized enterprises. This poses a significant challenge for the implementation of NIS2, which may prove overly burdensome for smaller organizations.

Created with the aim of improving the European Union's cybersecurity, the penalties under the NIS2 Directive are administrative and criminal in nature. Essential entities may be subject to administrative fines of up to 10 million euros or 2 percent of total global turnover. Important entities, on the other hand, may be subject to penalties of up to 7 million euros or up to 1.4 percent of total global turnover.

3. Responsibility of management

The Legislative Decree makes one thing certain: management and governing bodies will bear responsibility. The management bodies of companies will be called upon to play an active role in regulatory compliance; they will have to approve how security risk management measures are implemented, oversee the fulfilment of the obligations established by the regulations, and will be held responsible for violations.

4. Incident notification and risk management

The transposition decree reinforces incident reporting requirements, stipulating that incidents with a significant impact on service provision must be reported to CSIRT Italy without undue delay. The notification process has tight timelines: a pre-notification within 24 hours, a notification within 72 hours of the incident, and a final report within one month of the incident.

NIS2 sets out a number of main requirements that organizations must meet to ensure a high level of cybersecurity. These requirements include: risk analysis and information systems security policies, strategies for assessing the effectiveness of risk management measures, and basic digital hygiene practices and cybersecurity training.

5. Focus on the supply chain

The legislation transposing the NIS2 Directive focuses not only on the sectors deemed highly critical or critical but, in a forward-looking manner, also on their suppliers, which greatly expands the set of entities likely to be affected by the application of the Legislative Decree.

The NIS2 Directive stipulates that obligated entities must take appropriate and proportionate technical, operational and organizational measures to manage the risks to the security of their networks and information systems. This includes supply chain security, and specifically the security aspects of the relationship between each entity and its direct suppliers or service providers.

Key deadlines to be met

The race for compliance, which must be complete by October 2026, therefore begins now. By early 2025, enterprises identified as NIS2 subjects must be operational with all planned measures, including cybersecurity management systems and management accountability. By May 2025, enterprises must update their data in the institutional platform. In January 2026, a formal requirement for timely notification of significant incidents takes effect, and by September 2026, organizations must have implemented all required security measures.

As of October 16, 2024, the new Network and Information Security (NIS) regulations are in effect. ACN is the NIS Competent Authority and single point of contact. From Dec. 1, 2024 to Feb. 28, 2025, medium and large enterprises, in some cases also small and micro enterprises, and public administrations to which the new regulations apply must register on the ACN service portal.

Conclusions: a necessary but challenging paradigm shift

The increasing interconnectedness and digitization of society has made institutions, businesses and citizens increasingly exposed to cyber threats.

The leadership of the National Cybersecurity Agency has made a public commitment to make this process sustainable, which could truly mark a turning point for the country's ability to deal with growing threats. It remains to be seen how well the productive and administrative fabric of the country will be able to respond to what is clearly a profound cultural shift and which, as is intuitive, will be neither a walk in the park nor "cost invariant."

Complying with NIS2 is therefore not just a matter of ticking a regulatory box; it can be a good opportunity to introduce a security culture, together with technical and organizational best practices, into the company and raise its level of IT security considerably. It is important, however, to start setting up an adaptation plan right away so that the various company assets and personnel can be brought into compliance in stages, with appropriate periodic training cycles.

Even if you are not among the companies required to comply with the NIS2 Directive, starting a cyber risk awareness journey is important to protect the future of your business.

NIS2 thus represents a complex but necessary challenge for Italian companies. While it imposes new obligations and responsibilities that may seem burdensome, it also provides an opportunity to rethink cybersecurity as a strategic element and not simply a cost.

Fabio Lauria

CEO & Founder | Electe

CEO of Electe, I help SMEs make data-driven decisions. I write about artificial intelligence in business.
