Scope
DL No. 138, which implements Directive (EU) 2022/2555, known as NIS 2 (Network and Information Security Directive 2), was officially published in the Official Gazette on Oct. 1, 2024 and will come into force on Oct. 16, 2024.
The main purpose of the Directive is to strengthen the cyber resilience and security of networks and information systems in the European Union. It aims to create a high and uniform level of cybersecurity across all member states.
There are several changes from the previous Directive (NIS of 2016): NIS2 introduces more stringent requirements, expands the scope to more sectors and organizations (including SMEs), and provides stricter penalties for non-compliance than the previous Directive.
The white paper, jointly produced by the Cyber 4.0 Competence Center and TIM Enterprise, provides an overview of the Directive, highlighting the practical implications for Italian companies, with a focus on SMEs.
To whom it will be applied
NIS2 applies to two main categories of organizations, “Essential” and “Important”. Essential organizations are those operating in sectors considered critical, such as energy, transportation, health care, and digital infrastructure. Important organizations operate in sectors considered critical but not essential, such as manufacturing, waste management, and postal services. Organizations that must comply have been identified by thresholds related to the number of employees and annual turnover, regardless of whether they are public or private. Member states may also include smaller businesses if they play a key role in the local economy.
Scope of application
The Directive requires organizations to adopt a risk management approach to cybersecurity by implementing specific organizational, technical and operational measures. These include:
- Risk assessment and management;
- Incident management;
- Security of the supply chain;
- Cybersecurity training;
- Use of access controls;
- Data protection;
- Business continuity planning.
The legislation also regulates how organizations are required to report significant security incidents to the appropriate authorities, defining a detailed reporting process with specific timelines.
Sanctions
In addition, a stricter penalty regime has been introduced, with significant administrative fines for major organizations. Managers can also be held personally liable for violations.
SMEs, often considered the weakest point in the cybersecurity chain, face significant challenges in complying with the Directive, and the paper stresses the importance of accurate internal skills assessment, training programs and active employee involvement to improve their cybersecurity posture.
Register for the Oct. 24 webinar “NIS 2: Beyond compliance, toward a new cybersecurity culture”.