In recent years, the growing dependence on digital technologies has made cybersecurity a top priority for companies and government institutions. In response to this need, the European Union introduced the NIS Directive in 2016, aimed at strengthening the security of networks and information systems. However, the rapid evolution of cyber threats made further legislative intervention necessary, leading to the adoption of the NIS2 Directive. The Italian Government approved the implementing decrees of the NIS2 Directive this summer, and they came into force last October. This is an important regulation not only because it imposes new obligations on companies, but also because it is a strategic piece in strengthening digital security. So, what is there to know about NIS2? What does it entail, and why is it essential for security and competitiveness in the digital market? Let's try to answer these questions in this article.
What is the NIS2 Directive?
The NIS2 Directive is a significant update to the previous NIS (Network and Information Security) Directive, designed to address the new challenges posed by evolving cyber threats. Adopted by the European Union in 2022 and implemented in Italy on 17 October 2024, NIS2 aims to further strengthen the resilience of critical infrastructures and ensure a high common level of security of network and information systems across the EU.
What do companies need to know?
1. Expansion of the scope of application
NIS2 significantly expands the scope of the original directive. It no longer covers just a few sectors such as energy, transport, healthcare and digital infrastructure, but also extends the coverage to:
• Postal and courier services
• Waste management
• Food production
• Chemicals
• Manufacture of medical devices
• Space and research
This means that many more companies will be subject to security requirements and incident reporting obligations.
2. More stringent security requirements
The directive requires companies to adopt appropriate technical and organizational measures to manage risks to the security of network and information systems. This includes:
• Risk assessment: identify and regularly assess security risks.
• Vulnerability management: implement processes to manage known vulnerabilities.
• Security in the supply chain: ensure that suppliers and partners meet appropriate security standards.
• Business continuity plans: prepare plans to ensure continuity of services in the event of incidents.
3. Incident reporting obligations
Companies are required to notify significant incidents to the relevant authorities within 24 hours of initial detection. This early notification is crucial to mitigate the impact of incidents and coordinate an effective response at national and European levels.
4. More severe sanctions
NIS2 introduces higher administrative penalties for companies that fail to comply with the requirements, with fines of up to 2% of annual global turnover or €10 million, whichever is greater.
What it means for companies
• Adaptation of security policies
Companies need to review and update their security policies to comply with the new requirements. This may include implementing new security technologies, training staff, and adopting recognized international standards.
• Supply chain management
As the directive emphasizes security throughout the supply chain, companies must ensure that their suppliers and partners also comply with security requirements.
• Investment in human resources
Companies may need to hire or train specialized cybersecurity personnel to manage the new obligations and ensure ongoing compliance.
• Monitoring and reporting processes
Organizations must establish effective processes for continuous threat monitoring and timely reporting of incidents to the appropriate authorities.
Why the NIS2 Directive is Important
1. Increase in Cyber Threats
Cyber attacks are becoming more sophisticated and frequent, with the potential for devastating impacts on business operations and reputation. NIS2 helps organizations strengthen their defenses against these threats.
2. Critical Infrastructure Protection
Ensuring the security of critical infrastructure is essential to the functioning of society and the economy. An incident in a key sector can have significant knock-on effects.
3. Harmonization at European level
The directive promotes a harmonized approach to cybersecurity across the EU, facilitating cross-border cooperation and the sharing of threat information.
4. Competitiveness on the market
Companies that demonstrate a strong commitment to cybersecurity can gain a competitive advantage by increasing the trust of customers and business partners.
Recommended actions for companies
- Initial assessment
Conduct a detailed analysis to determine how NIS2 applies to your organization and what changes are needed.
- Compliance Plan
Develop a strategic plan to achieve compliance, including timelines and required resources.
- Training and awareness
Educate staff on the importance of cybersecurity and on the new processes being implemented.
- Collaboration with experts
Consider working with consultants or specialized cybersecurity service providers to support the implementation of requirements.
Conclusion
The NIS2 directive is a significant step towards strengthening cybersecurity in Europe. For companies, this brings new responsibilities, but also the opportunity to improve their defenses against cyber threats and increase customer and partner trust. Ignoring these requirements is not a viable option, given the potential financial and reputational impact.
Taking proactive steps to comply with NIS2 will not only help you avoid fines, but will also help create a more secure and resilient digital environment. In an increasingly interconnected world, cybersecurity is critical to the long-term sustainability and success of any business.
Companies should therefore consider NIS2 compliance as a strategic investment, which can bring significant benefits beyond simple regulatory compliance. Preparing now means being ready for future challenges and positioning yourself as a leader in an increasingly competitive digital market.
For further information, please consult this page on the website of ENISA, the European Agency for Cybersecurity.