The new European NIS2 regulation: what changes for cybersecurity in Italy

On Oct. 16, 2024, the Network and Information Security (NIS) decree came into effect. It aims to strengthen the cybersecurity of companies and public administrations throughout Europe.

Let’s find out together what the main changes are, who is involved, and what obligations arise for Italian companies.

What is the NIS2 Directive and why it is an evolution of cyber security

NIS legislation has a clear goal: to raise cybersecurity standards by promoting effective cooperation among member states and ensuring that digital infrastructures are ready to deal with increasingly sophisticated threats.

Compared to the past, the new version broadens the scope to include more sectors and categories of companies considered essential or strategic.

Now, the enterprises and administrations involved must adopt security measures that cover all dimensions of cyber security: confidentiality, integrity and availability of data.

In addition, the legislation introduces a more timely notification system for reporting incidents so as to facilitate a rapid and coordinated response.

A new element is also the coordinated disclosure of vulnerabilities, which allows emerging threats to be addressed in a shared way.

Which companies need to adapt: the critical and highly critical sectors

The new NIS regulation greatly expands its scope, now covering 18 sectors instead of the previous 8 and distinguishing between highly critical and critical sectors:

  • Highly critical sectors (already in place and updated): energy, transportation, banking, financial market infrastructure, health sector, drinking water, wastewater, digital infrastructure.
  • Highly critical new sectors: space, ICT service management (B2B), waste management.
  • New critical sectors: postal and courier services, manufacturing, chemical production and distribution, food production, industrial manufacturing, digital service providers, research.

This expansion reflects the need for more extensive cybersecurity, covering more than 80 types of public and private entities.

The new obligations for the security of computer systems and networks

As of Dec. 1, 2024, all entities in scope must register on the portal of the National Cybersecurity Agency (ACN), which serves as the lead enforcement authority. This registration phase is only the first step in a security strengthening journey that will continue in the months to come.

Obligations on incident reporting and security measures will be phased in and defined through the decisions of the Director General of ACN, based on sector consultations. Full regulations are expected by the first quarter of 2025.

There will also be a differentiated implementation period: companies will have 9 months to comply with the notification requirements and 18 months to adopt the security measures, counted from the date on which the list of NIS entities is consolidated, set for April 2025. From that point, a coordinated path to strengthen cybersecurity at the national level will begin.

Risk management and impact analysis

Risk management is one of the central elements of the new regulations, which focus on the adoption of a proactive approach: not only protection of networks, but also the ability to react quickly in the event of a crisis.

Another key aspect is corporate responsibility, which becomes even more stringent. Companies must meet clear reporting requirements and adopt security measures for the entire supply chain.

Failure to comply can result in significant penalties, while ACN oversight ensures constant monitoring for compliance.

Is your company among those involved?

Contact us for a free consultation and find out how we can support you to be compliant with the regulations.