Network and Information Security: the NIS2 Directive to protect the economy and society

In a digital landscape where cyberattacks are becoming increasingly sophisticated and targeted, cybersecurity is crucial for businesses and public administrations.
To establish a common standard of cybersecurity across all Member States, the European Union has introduced the NIS2 Directive (Network and Information Security 2), thereby strengthening the regulatory framework to address the urgent and critical need for cybersecurity today.

Italy, in particular, has transposed and implemented the requirements of the NIS2 Directive into its national law through Legislative Decree No 138/2024, which was published in the Official Gazette on 1 October 2024 and entered into force on 16 October 2024. 


WHAT DOES THE NIS2 DIRECTIVE INTRODUCE?

NIS2 aims to enhance the cyber resilience of organisations providing services that are essential or critical to the economy and society, whilst promoting a coordinated and harmonised EU-wide response in the event of a cyber crisis. 
It requires Member States to strengthen their cybersecurity capabilities, whilst introducing risk management measures and reporting obligations for entities across a wider range of sectors, and establishing rules for cooperation, information sharing, supervision and the enforcement of information security measures.

The main changes in NIS2 are: 

  • the extension to entire economic sectors (such as manufacturing and waste management) and to almost all medium-sized and large enterprises operating within them;
  • the explicit requirement to manage cyber risk posed by suppliers (supply chain);
  • the approval and oversight of security measures by the company’s management body (Board of Directors or Executive Management), which must also receive appropriate training in this area: cybersecurity thus becomes a management priority, not merely an IT one;
  • a list of more detailed and mandatory security measures, including the use of multi-factor authentication (MFA), the implementation of encryption, and robust business continuity plans;
  • stricter penalties for non-compliance (for essential entities, administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities, up to €7 million or 1.4%).


WHO IS IT PARTICULARLY INTENDED FOR?

NIS2 applies to a wider range of sectors and supply chains, classifying organisations into two broad categories based on the sector in which they operate and their size:

Important Entities (IE): these are medium-sized enterprises (≥ 50 employees or turnover > €10 million) operating in the Other Critical Sectors listed in Annex II of the Directive, including manufacturing and digital providers (e.g. online marketplaces, search engines, social networking platforms), together with organisations in high-criticality sectors that do not meet the large-enterprise threshold.

Essential Entities (EE): these are organisations operating in the sectors of high criticality listed in Annex I of the Directive and which generally exceed the threshold for large enterprises (≥ 250 employees or turnover > €50 million), including energy, transport, banking and financial market infrastructure, healthcare, digital infrastructure (data centres, cloud computing, DNS services), public administration (central and regional) and water.

Compliance with NIS2 means choosing the path of secure innovation, protecting your business and its operational continuity in a market that is increasingly exposed to cyber risks.


HOW SHOULD COMPANIES ADAPT?

To comply with NIS2, organisations must implement technical and organisational measures:

  • Risk management: develop and implement policies for risk analysis and information system security; introduce a specific security approach for the supply chain; draw up Business Continuity Plans (BCPs) and Disaster Recovery Plans (DRPs) to ensure the restoration of operations in the event of a major incident; use encryption and multi-factor authentication (MFA) to protect data and access.
  • Incident reporting: establish clear procedures for the prevention, detection and handling of incidents; notify the competent authority of any significant incident in stages, with an early warning within 24 hours of becoming aware of it, an incident notification with an initial assessment of severity and impact within 72 hours, and a final report within one month.
  • Governance and training: management must receive training and play an active role in overseeing the cybersecurity strategy; implement robust cyber hygiene practices and ongoing training programmes for all employees.

Failure to comply with these risk management and reporting obligations may result in the imposition of the administrative fines provided for in the Directive (up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities).

Penalties are determined on the basis of the seriousness of the breach, its duration, the nature of the incident and the level of cooperation with the competent authority. 


WHO IS RESPONSIBLE FOR ENFORCING THE NIS2?

In Italy, the competent authority responsible for overseeing the correct implementation of NIS2 is the National Cybersecurity Agency (ACN).
The ACN is tasked with coordinating the implementation of the Directive, monitoring compliance with obligations and imposing penalties in the event of breaches.
The ACN carries out its supervisory role through inspections, security audits and requests for specific information. For Essential Entities (EE), supervision is proactive (ex ante); for Important Entities (IE), it is reactive (ex post, for example following a significant incident or evidence of non-compliance).

At European Union level, ENISA (the European Union Agency for Cybersecurity) is the centre of expertise for cybersecurity. Its main role is not direct enforcement (which is the responsibility of national authorities such as the ACN), but to support the EU and its Member States in achieving a high, common level of cybersecurity across Europe.

On 27 June 2025, ENISA published its “Technical Implementation Guidance” on Implementing Regulation (EU) 2024/2690, which sets out in practical terms the security measures that organisations in scope must adopt. The Implementing Regulation, and therefore the guidance, is aimed at the digital service providers it covers: DNS service providers, TLD name registries, cloud computing and data centre service providers, content delivery network (CDN) providers, managed service providers and managed security service providers, providers of online marketplaces, online search engines and social networking platforms, and trust service providers.

The guidance is not legally binding; beyond supporting compliance, its main aim is to promote a proactive security culture.

Organisations that choose to implement these measures can reduce operational and reputational risk, boost the confidence of customers and partners, and be prepared to manage and respond to future attacks. ENISA also supplements the guidance with a mapping of the roles and skills required under the European Cybersecurity Skills Framework (ECSF). Key roles include the Cybersecurity Risk Manager.

You can view and download the guidance on ENISA’s official website: enisa.europa.eu.


NEXEEVA: KEEPING YOUR BUSINESS SAFE

Compliance with NIS2 is not merely a legal obligation, but a strategic choice.

It means protecting your assets, customer data and corporate reputation, thereby building a more robust and reliable business.
This is an excellent example of how technological innovation and expert advice can turn a regulatory requirement into a competitive advantage and provide genuine protection for data and corporate information.

Nexeeva helps businesses overcome technical and regulatory complexities with bespoke, cutting-edge solutions.

Contact us to find out more and get your cybersecurity project off the ground.