Cybersecurity: The NIS2 Directive comes into force
The new frontier of cybersecurity to protect public administrations, businesses, and supply chains. What it entails and how to adapt to the Directive imposing new cybersecurity standards
On October 1, 2024, the Italian government published the Legislative Decree transposing the NIS2 Directive in the Official Gazette. The Directive aims to strengthen the overall level of cybersecurity across EU member states by ensuring the adoption of adequate technical and organizational measures against cyber risks. This includes enhancing corporate resilience throughout the risk management process, from prevention to minimizing the impact of incidents that do occur.
The Network and Information Security (NIS) framework has been aligned with other sector-specific European regulations such as the Digital Operational Resilience Act (DORA)—which seeks to boost cybersecurity measures in the financial sector—and the Critical Entities Resilience Directive (CER), aimed at reducing vulnerabilities in critical infrastructures such as energy, transport, and potable water against hybrid attacks, natural disasters, terrorist threats, and public health emergencies.
The new legislation emerges at an unprecedented historical moment: the COVID-19 pandemic and the Russia-Ukraine conflict have reshaped the digital world, increasing vulnerabilities and risks. NIS2 is thus a strategic and systematic response to strengthen resilience across 18 highly critical sectors, including energy, telecommunications, logistics, and waste management. Security is not just a regulatory obligation but a strategic choice and can represent a competitive advantage for companies: protecting your digital perimeter ensures stability and the ability to compete in the market.
Key Innovations of the NIS2 Directive
The Directive requires member states to adopt national cybersecurity plans and establish or designate national authorities, emergency response authorities, single points of contact, and monitoring and sanction mechanisms. A swift response to major incidents and collaboration among member states is also mandated. The Directive envisions the creation of a Computer Security Incident Response Team (CSIRT) to support member states and economic operators.
The Directive introduces the concept of supply chain security and its associated requirements, broadening the categories of entities it applies to: essential entities (highly critical sectors) and important entities within critical sectors, such as "operators of essential services" and "digital service providers."
One of the central themes is supply chain protection: every player, from suppliers to maintainers, must be secured to prevent a single weak link from compromising the entire system. Italy's National Cybersecurity Agency is already working to define flexible, risk-based measures by April 2025, offering practical guidelines to defend against increasingly sophisticated attacks.
NIS2 Directive Obligations and Deadlines
Legislative Decree 138/2024 introduces the obligations and deadlines for transposing NIS2, as detailed below:
- Companies and public administrations must assess whether they are subject to the Directive's obligations.
- From December 1, 2024, to February 28, 2025, designated points of contact must authenticate on the National Cybersecurity Agency (ACN) portal using SPID credentials. During this period, contact persons must complete a declaration through the NIS/Registration Service, ensuring the accuracy and updating of the information provided. Specifically, as outlined in a DNV guide, users must: indicate whether the entity is part of a corporate group and provide the tax code of the parent company, if applicable; list linked companies and their tax codes; list the ATECO codes describing the entity’s activity; indicate relevant EU sectoral regulations; provide revenue, balance sheet, and employee data to determine the company’s size category.
- By January 17, 2025, domain name system service providers, top-level domain name registry operators, domain name registration service providers, cloud computing service providers, data center service providers, content distribution network providers, managed and security service providers, as well as online marketplace providers, search engine providers, and social network platforms, must register on the platform.
- By March 31, 2025, ACN will compile a list of essential and important entities based on platform registrations.
- Between April 1 and April 15, 2025, ACN will notify entities whether they are included in the list of essential or important entities.
- By April 15, 2025, notified entities must appoint, via a specific act, a person responsible for compliance with the decree's obligations.
Entities affected by the Directive must fulfill additional obligations, including incident notification from January 1, 2026, and the obligations concerning administrative bodies and security measures from October 1, 2026. The National Cybersecurity Agency will update the list of involved entities annually, and companies and public administrations that believe they fall under the Directive will have the opportunity to register each year between January and February. Following the enforcement of NIS2 and the identification of involved operators, random audits and surveillance activities may be conducted to verify compliance. Non-compliance could result in sanctions for the companies concerned.