Directive 2022/2555, or NIS 2, is a European Union legislative act that came into force on the 17th of January 2023 and which, by replacing the previous NIS 1 Directive, profoundly changes the conditions of its applicability. Italy has already implemented the NIS 2 Directive with the publication in the Official Journal of Legislative Decree no. 138/2024 (the "Decree").
NIS 2, as well as the Decree, is embedded in the EU legal framework for data protection and privacy, first and foremost the EU General Data Protection Regulation 2016/679 (GDPR), together with the DORA Regulation, the CER Directive, the Cyber Resilience Act and, at national level, the National Cyber Security Perimeter (Perimetro di Sicurezza Nazionale Cibernetica).
NIS 2 aims to strengthen cybersecurity measures, especially in critical sectors that could seriously jeopardise entire nations such as energy, transport and financial services.
Time schedule of NIS 2 fulfilments
The Decree outlines a timeline for the compliance obligations that organisations subject to NIS 2 will have to fulfil within the next months and years:
By 31/12/2024: organisations must carry out a self-assessment to establish whether the Decree is applicable to them.
Between 01/01 and 28/02/2025: organisations that consider themselves to fall within the scope of NIS 2 will have to register on a digital platform which the Italian National Cybersecurity Agency (ACN) will make available, and designate a contact person.
By 17/01/2025: providers of certain digital services will have to formalize their registration on the platform (domain name system service, top-level domain name registries, domain name registration services, cloud computing, data centres, content delivery networks, managed services, managed security services, online marketplaces, online search engines and social networks).
As of 01/01/2026: organisations will have to fulfil their obligation to report incidents to the CSIRT.
As of 01/10/2026: organisations will have to make themselves compliant with the new cybersecurity standards set out by the Decree which require the board to include IT security within the corporate strategy.
Sector requirement
The NIS 2 Directive introduces – compared to the outdated categories of Operators of Essential Services (OES) and Digital Service Providers (DSP) in NIS 1 – new categories of impacted entities: the Essential Entities and the Important Entities.
Essential Entities include public and private organisations operating in the following sectors, which are considered to be highly critical:
energy production and distribution (electricity, district heating/cooling, oil, gas, hydrogen);
supply and distribution of drinking water;
waste water;
healthcare services;
transport of passengers and freight (by air, rail, water or road);
banking and financial services;
digital infrastructures (data centre, cloud computing, DNS, TLD, etc.);
ICT service management;
public administration;
aerospace services.
Important Entities include public and private organisations operating in the following sectors, which are considered 'other critical sectors':
postal and courier services;
waste management;
production, processing and distribution of food;
manufacturing, production and distribution of chemicals;
manufacturing of medical and diagnostic devices;
manufacturing of computers, electronic and optical products;
manufacturing of machinery and equipment n.e.c. (not elsewhere classified);
manufacturing of means of transport;
digital providers (online marketplaces, online search engines, social networking services platforms);
research organisations.
Size requirement
NIS 2 applies to entities in the sectors listed above only if they are medium-sized or large enterprises. Organisations with fewer than 50 employees and an annual turnover of less than EUR 10 million are excluded from the application of NIS 2.
Exceptions to the size requirement for specific sectors and entities
The Decree also identifies further sectors to which NIS 2 applies, by way of derogation from the above-mentioned size requirement, for example:
providers of public electronic communications networks or of publicly available electronic communications services;
top-level domain name registries and domain name system service providers;
qualified trust service providers.
Finally, the new standards will apply also to certain sub-threshold companies, which will be identified in greater detail by a subsequent act of the ACN. Among the latter, the Decree mentions, for example, the following types of entities:
defined as 'critical' under the CER Directive;
that represent a critical element of the supply chain of Essential or Important Entities;
that are affiliated to Essential or Important Entities, if involved in the IT security of such Entities;
that perform services, the interruption of which could generate a significant systemic risk;
that operate in local public transport, research or activities of cultural interest;
that are established as an in-house company or a publicly held/controlled company.
In summary, to determine the applicability of the new provisions, there are decisive factors to be considered in addition to size and sector. For example, whether an entity belongs to a relevant supply chain or corporate group, as well as how critical it is, must also be considered for this purpose.
How to comply with NIS 2
STEP 1
Self-assessment on the applicability of NIS 2
Given the various applicability criteria set out by the Decree, each organisation will have to carry out an appropriate self-assessment to determine whether it is impacted by the Decree.
STEP 2
Registration on the ACN digital platform
Once the applicability of the Decree has been established, organisations will have to register on the digital registration platform that will be made available by ACN. In particular, they will have to communicate their activities/services as well as other characterising elements. Within 90 days after registration, they will receive a response on whether they qualify as Essential or Important Entities.
STEP 3
Risk Analysis
To make the entity compliant with NIS 2 and thus resilient to cyber security threats, the organisation must adopt a proactive and risk-based approach and identify the specific cyber risks it faces. This assessment shall consider cyber risks related to the security of the IT systems and networks used by the entity throughout the entire service delivery chain. Risks related to incidents, including human-factor risks and risks to business continuity, must also be taken into account.
STEP 4
Governance
After the risk assessment and gap analysis referred to in Step 3, it will be necessary to define a governance model for the prevention and management of cyber incidents, within which the following aspects are to be considered:
policies for the involvement of the board in IT security management;
risk assessments and security policies for IT systems;
policies and procedures to evaluate the effectiveness of security measures;
policies and procedures for the use of cryptography and, where appropriate, encryption;
a plan for security incident management;
procedures to ensure security in the procurement, development and operation of systems;
policies for the management and reporting of vulnerabilities;
policies for Business Continuity management;
access and security procedures for those who have access to the data;
an overview of all relevant resources, to ensure that they are used and managed appropriately;
a plan for pre/post security incident business operations management;
a plan to ensure access to IT systems and their operational functions during and after a security incident;
procedures to assess the overall security level of all suppliers.
STEP 5
Training
Finally, the organisation will have to provide training activities for employees and board members. In this way the organisation raises cyber-risk awareness and spreads knowledge of the policies and procedures for the management of cyber risks and incidents.
The role of the board
The Decree – in assigning the board the tasks of approving IT security measures as well as supervising their implementation – makes board members accountable for noncompliance with the new cyber-security requirements.
Fines
The administrative fines provided for in the Decree for non-compliance with the obligations entrusted to the board, as well as those relating to IT security measures, are as follows:
Essential Entities: up to a maximum of EUR 10 million or 2% of the company's total worldwide annual turnover, whichever is higher.
Important Entities: up to a maximum of EUR 7 million or 1.4% of the company's total worldwide annual turnover, whichever is higher.
The administrative fines established for failure to register, communicate or update information on the ACN digital platform are as follows:
Essential Entities: up to a maximum of 0.1% of worldwide annual turnover.
Important Entities: up to a maximum of 0.07% of worldwide annual turnover.
In addition, the Decree provides:
corrective measures such as binding instructions and orders (e.g. on the implementation of mandatory security measures or the implementation of audit recommendations);
sanctions aimed not only at companies, but also at natural persons holding management positions, including a temporary ban from management functions;
the obligation for organisations affected by violations to publish the respective information on their channels;
temporary suspension of certifications or authorisations.
In light of the above, NIS 2 compliance requires strategic planning, which involves not only the fulfilment of bureaucratic requirements, but also the creation of an IT security system that effectively protects against increasingly widespread cyber threats. In conclusion, the need to translate the new provisions into concrete and continuous actions represents an opportunity for companies to enhance their cyber protection and ensure business continuity in an increasingly interconnected and vulnerable environment.
Author: Dr. Jakob Kathrein
Contact: Avv. Eduardo Guarente e.guarente@bergsmore.com