NIS2: a strategic priority for businesses


The NIS2 Directive is one of the most significant and widely discussed regulatory novelties, not only for its broad scope, but also for the strategic role it assigns to cybersecurity governance. After the overview in the previous paragraph, it is useful to analyse in more depth the main contents of the Directive: the categories of entities involved, the obligations it imposes and the operational deadlines already defined at national level.

Directive (EU) 2022/2555, better known as NIS2, entered into force on 16 January 2023 and is an evolution of the previous NIS Directive (2016/1148), aimed at strengthening and harmonising digital resilience across the European Union. Compared with its predecessor, NIS2 significantly broadens its scope of application to include a higher number of industries and imposes more stringent obligations on risk management, incident notification and the responsibility of corporate management.

As for its scope of application, the compliance obligation mainly concerns organisations falling under the category of medium to large enterprises, i.e. those exceeding the size thresholds set for this classification by European Commission Recommendation 2003/361/EC. According to this definition, a medium enterprise has fewer than 250 employees and either a yearly turnover not exceeding 50 million euros or an annual balance sheet total not exceeding 43 million euros. Smaller businesses, i.e. small and micro enterprises, generally with fewer than 50 employees and a turnover or balance sheet total not exceeding 10 million euros, are generally excluded, except for those operating in industries considered strategic, performing functions particularly relevant for national security, or ensuring the continuity of essential services. Moreover, the new NIS2 Directive covers a total of 18 industries, 11 of which are considered highly critical (compared to the 8 included in the previous Directive) and 7 additional industries classified as critical. Within this framework there are more than 80 categories of entities, divided into two macro-groups, essential entities and important entities, depending on their nature and on the strategic importance of the activities they perform.

Figure 1 – Breakdown of highly critical industries into essential and important entities.[1]

Figure 2 – List of critical industries.[2]


Figure 3 – Breakdown of additional types of subjects into essential and important entities.[3]

As for the operational obligations, the Directive provides for: the adoption of adequate and documented risk management measures; the implementation of procedures for the timely notification of incidents, which must be reported to the national authorities within 24 hours of their discovery (compared to the 72 hours provided by the previous regulation); the introduction of control mechanisms for supply chain security, which require organisations to assess and monitor the risks related to their external suppliers and partners, particularly those managing IT services, infrastructure or confidential information; the definition of business continuity and crisis management plans; and the accountability of top management, which may be directly sanctioned in case of serious breaches.

A distinctive feature of the NIS2 Directive is the introduction of a strengthened penalty system. In particular, essential entities can be fined up to 10 million euros or up to 2% of their total worldwide annual turnover (whichever is higher), whereas for important entities the maximum penalty is 7 million euros or 1.4% of turnover. Besides fines, the Directive also introduces additional forms of direct accountability for top management. In case of significant non-compliance, managers may be subject to specific measures by the competent authority, including the temporary suspension of their decision-making functions, in addition to their security and training obligations. This implies that cybersecurity governance cannot be entirely delegated to operational or technical structures: it is up to the Board of Directors, together with top management, to guarantee strategic oversight and compliance with the regulation. Thus, the penalty system provided by the NIS2 Directive is not limited to hitting the organisation as a whole, but directly involves decision makers, in a logic of increased accountability and transparency in the management of IT risk.

As far as Italy is concerned, the NIS2 Directive was implemented with Legislative Decree no. 138/2024. The Decree assigns to the National Cybersecurity Agency (Agenzia per la Cybersicurezza Nazionale - ACN) a pivotal role in supervision and coordination, defines the methods for identifying the obliged entities and establishes the reference digital platform for the management of communications and notifications. The main operational deadlines for Italian entities are:


With the NIS2 Directive, the European Union is making a qualitative leap in building a solid, integrated and prevention-oriented cybersecurity system. For the companies involved, this is a complex but necessary challenge, requiring investment, skills and a structured approach. Above all, it is a concrete opportunity to strengthen their resilience, stakeholder trust and competitiveness in the market.


[1] Source: Agenzia per la Cybersicurezza Nazionale (ACN) (National Cybersecurity Agency), Ambito di applicazione NIS2, n.d.
[2] Ibid.
[3] Ibid.
