NIS 2 Directive, the complete guide: applications, sanctions, and implementation in Italy

NIS stands for Network and Information Systems.
NIS 1 (EU Directive 2016/1148) was the first EU-wide legal instrument aimed at establishing a common level of security of network and information systems across the member states. Its implementation, however, has been uneven, largely because of the discretion it left to member states, for instance in identifying which operators of essential services fell within scope.
The NIS 2 Directive (EU Directive 2022/2555) broadens the scope of its predecessor, widening the range of sectors covered and introducing a series of activities and obligations for the entities in scope, with the goal of establishing a common, high level of cybersecurity across all EU member states. To that end, the NIS 2 Directive rests on three pillars:
- security of systems and infrastructures
- incident management
- business continuity management.
It applies to EU member states (and their national cybersecurity authorities) as well as to essential and important entities in many sectors.
The Directive entered into force on January 16, 2023, and member states were required to adopt and publish the measures transposing it by October 17, 2024.
Italy transposed this Directive through Legislative Decree No. 138 of 04/09/2024, published in the Official Gazette on 01/10/2024.
NIS 2 Directive: Who it applies to
The new NIS 2 Directive applies to two categories of sectors: sectors of high criticality (Annex I of the Directive) and other critical sectors (Annex II).
Among the highly critical sectors we find: energy, transportation, banking and financial market infrastructures, healthcare, drinking water, wastewater, digital infrastructure, ICT service management (business-to-business), public administration, space.
Among the other critical sectors we find: postal and courier services; waste management; manufacturing, production, and distribution of chemicals; food production, processing, and distribution; manufacturing; digital providers; research.
The sector alone does not determine the classification. Broadly, large entities in the highly critical sectors are classified as essential entities, while medium-sized entities in those sectors and entities in the other critical sectors are classified as important entities; a few categories (for example DNS service providers, top-level domain name registries and qualified trust service providers) fall within scope regardless of their size.
Compared to the NIS 1 Directive, NIS 2 expands the scope, clarifies the levels of criticality, and adds specific parameters for identifying the obligated entities, including headcount, revenue, and annual balance sheet totals, which distinguish medium-sized from large enterprises.
As a rule, all medium and large European companies operating in the sectors listed above are required to comply with the NIS 2 Directive's requirements.
What the Directive Provides
The NIS 2 Directive requires each EU Member State to adopt a National Cybersecurity Strategy and to notify it to the European Commission within three months of its adoption. This strategy must include:
- cybersecurity objectives and priorities for the "highly critical" and "critical" sectors;
- a governance framework with defined roles and responsibilities for stakeholders at the national level;
- a strategic framework for coordination between national authorities and the bodies designated under the NIS 2 Directive (competent authorities, single points of contact, CSIRTs);
- a plan to raise the overall level of cybersecurity awareness among citizens.
Additionally, Member States must ensure that essential and important entities report any significant incident to their CSIRT or to the competent authority. Reporting is staged: an early warning within 24 hours of becoming aware of the incident, a full incident notification within 72 hours, and a final report no later than one month after that notification. In Italy, the role of national competent authority for NIS 2 has been assigned to the National Cybersecurity Agency (ACN), which also serves as the single point of contact and as the national CSIRT (CSIRT Italia).
Requirements of the NIS 2 Directive
The NIS 2 Directive's requirements are divided into five main areas:
- Risk Management: companies must adopt a risk analysis and management system, implement security measures to protect their network and information systems, and regularly monitor the effectiveness of those measures.
- Operational Continuity: ensuring the continuity of business activities even in the case of incidents or emergencies, minimizing disruptions (backups, disaster recovery, crisis management).
- Incident Management: companies must have processes to detect, handle, and report incidents promptly, along with a crisis response and management plan.
- Governance: organizations must adopt models for effective cybersecurity governance, including accountability of the management body, which must approve the risk-management measures and oversee their implementation, and training programs for management and employees.
- Supply Chain Security: securing the entire supply chain and the relationships with direct suppliers and service providers, including the security clauses in contracts, is essential to mitigate risks throughout the chain.
These requirements are essential to help businesses achieve compliance with the NIS 2 Directive, promoting the adoption of advanced cybersecurity practices. By following these guidelines, companies can strengthen both the security of their systems and the overall resilience of critical infrastructures, thus protecting essential services from threats and vulnerabilities.
Implementing these measures not only facilitates regulatory compliance but also contributes to creating a safer and more stable digital environment for all stakeholders, from the public to the private sector.
Use of Cybersecurity Certification Schemes
Article 27 of the Italian implementing decree, which transposes the NIS 2 Directive, establishes that the National Cybersecurity Agency (ACN) may require essential and important entities to adopt specific certification measures to ensure high security standards. These measures include:
- the use of ICT products and services certified under the European cybersecurity certification schemes, ensuring compliance with shared European requirements;
- the use of qualified eIDAS trust services to guarantee the reliability of digital services and electronic transactions;
- certification under recognized national and international cybersecurity schemes, to standardize security measures.
These certification requirements are designed to strengthen the protection of critical infrastructures and essential services, contributing to creating a safer and more reliable digital environment.
Deadlines
The NIS 2 Directive entered into force on January 16, 2023. In Italy, it was transposed through Legislative Decree No. 138 of September 4, 2024, published in the Official Gazette on October 1, 2024.
The provisions of the Directive and of the implementing decree have applied since October 16, 2024, the date on which the decree entered into force.
Sanctions
The NIS 2 Directive also changes the conditions for imposing administrative fines on entities that fail to comply with their obligations. The penalty system follows a logic similar to that of other European regulations. The maximum fines are:
- EUR 10,000,000 or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for essential entities;
- EUR 7,000,000 or 1.4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for important entities.
These sanctions are designed to encourage the rapid implementation of the obligations set out in the Directive, ensuring high cybersecurity standards and the protection of critical infrastructures.
How to Comply with the NIS 2 Directive
Kiwa offers a range of services designed to support businesses in complying with the NIS 2 Directive and strengthening their cybersecurity:
- Compliance Assessment: a thorough gap analysis of the current cybersecurity governance model against the requirements of the NIS 2 Directive. The assessment examines, among other things, the adequacy of contracts with suppliers, the effectiveness of the Demand Management and Incident Management processes, the presence of a Business Impact Analysis (BIA), and the ability of the information system to meet the requirements set out in the BIA.
- Specialized Training: intercompany courses and in-house training for staff on cybersecurity management and the new obligations introduced by NIS 2, specifically:
  - ISO/IEC 27001, the international standard for information security management
  - specialized module for ISO/IEC 27001 ISMS Auditors/Lead Auditors
  - Introduction to NIS 2 (Network and Information Systems Directive 2)
- ISO Certification: third-party audits for obtaining ISO/IEC 27001:2022 certification for information security management systems, ISO 22301 certification for business continuity management systems, or ISO 28001 certification for supply chain security.
- eIDAS Certification: third-party conformity assessment audits for obtaining qualified trust service provider status in accordance with the eIDAS Regulation, to ensure the security of digital transactions.
Conclusions
The introduction of the NIS 2 Directive marks a significant step in strengthening cybersecurity across Europe, establishing stricter obligations to protect critical infrastructures and ensure the continuity of essential services. With the expansion of its scope, the Directive aims to ensure a uniform level of protection across Member States, reducing the risks related to cybersecurity threats. It is essential that businesses, especially those in highly critical sectors, comply with the new regulations promptly, not only to avoid penalties but also to enhance their incident management capabilities and improve overall digital resilience.