Last June the draft legislative decree was approved, and in October 2024 it was approved by Parliament; it transposes EU Directive 2022/2555, known as NIS2 (“Network and Information Security Directive”), into our national law. The framework, which the European Union has conceived to address new cybersecurity challenges, requires that organizations comply starting from 17 October 2024.
What is the NIS2 Directive?
The Directive represents an important advancement in the European Union’s cybersecurity strategy, superseding the provisions of the previous NIS Directive. The new directive was, in fact, designed to strengthen the cybersecurity of “essential” and “important” entities within the Union, responding to the growing and increasingly sophisticated digital threats.
In this regard, NIS2 introduces more stringent security protocols, expands incident reporting obligations and establishes stronger governance frameworks, extending its application to a greater number of sectors than the previous Directive.
In order to create a single and robust defence mechanism against digital threats, the Directive provides for specific measures such as the identification of critical entities, risk assessment, the adoption of appropriate security measures and collaboration between national authorities.
The associated legislative decree establishes a national cyber crisis management framework and confirms the National Cybersecurity Agency (ACN) as the Competent National Authority. The Directive also establishes the criteria for identifying the public and private entities required to comply with cybersecurity standards, classifying them as “essential” or “important” based on their economic and social relevance. These criteria define the obligations in terms of cybersecurity risk management, helping to consolidate the resilience of the European digital single market.
Structural differences between NIS and NIS2
The main differences between the two directives highlight the intent to strengthen cybersecurity across the European Union. While NIS1 applied only to “operators of essential services” (OES) and “digital service providers” (DSPs) in specific sectors, NIS2 significantly expands its scope to include a much broader range of entities, classified as “essential” or “important”, across 15 different sectors, including energy, transport, banking, healthcare and digital infrastructure.
More stringent requirements and enforcement
NIS2 introduces more detailed and harmonized security requirements that covered entities must implement. These requirements include risk assessments, the drafting of incident response plans, and the identification of supply chain security measures. It also gives national authorities the power to impose much more severe penalties for non-compliance: fines can be up to €10 million or 2% of the company’s global annual turnover. Furthermore, authorities have the power to issue binding instructions and to temporarily suspend services in case of serious violations.