05 September 2024

NIS2: EU resilience goes through the country's cybersecurity

Mashfrog's contribution in managing the regulatory change and technological challenges posed to critical enterprises by the new European Directives.

The use of ICT technologies is increasingly widespread in society, and their impact on economic activities, service delivery, and even the exercise of fundamental rights is tangible and concrete. Recent scenarios of global pandemic and geopolitical crises have further contributed to a growing need for digital sovereignty.

The Directive (EU) 2022/2555 of the European Parliament and Council, also known as "Network and Information Security (NIS) 2", replaces its first version dated 2016 and aims to achieve a high level of common cybersecurity across all EU Member States.

The goal is clear: to ensure the resilience of the entire EU system through the adoption of more mature and uniformly applied legislation, starting with the collective strengthening of individual States' cyber defenses.

The involved entities

To implement the project of a common European cyber defense, the Directive identifies (and protects) all public and private entities for which a cyber incident could jeopardize the stability of the state system and ultimately the entire Union. The list of entities already involved in the application of the previous regulation – established in Italy by the so-called National Cybersecurity Perimeter (PSNC) – is expanding, making the new regulation applicable starting from medium-sized enterprises (as defined by Recommendation 2003/361/EC) whose activities take place within the European Union in the following sectors:

  • High criticality: energy, transport, banking and financial markets, healthcare, water (drinking and wastewater), digital infrastructure, public administration, space.
  • Other critical sectors: postal and courier services, waste management, chemical sector, food sector, manufacturing, digital services, research organizations.

Each Member State may also decide, at its discretion, to include small or micro-enterprises operating in the above sectors that prove critical to national security.

The measures provided

NIS2 entities are required to adopt "appropriate and proportionate technical, operational, and organizational measures to manage the risks posed to the security of network and information systems [...] as well as to prevent or minimize the impact of incidents on the recipients of their services and on other services". Alongside this principle, the Directive establishes the following elements:

  • Implementation of ten minimum security measures (incident management, business continuity, supply chain security, use of encryption, etc.);
  • Establishment of mandatory deadlines for reporting incidents to the competent NIS Authority (pre-warning within 24 hours, notification within 72 hours, drafting of the final incident report within 1 month);
  • Expansion of the types of controls by Member States for compliance verification of entities;
  • Tightening of enforcement measures, particularly monetary administrative penalties.

In the case of particularly critical entities (excluding public administration), the responsibility to ensure compliance with the Directive lies with the legal representatives, with specific penalties foreseen in case of non-compliance.

The transposition in Italy

To be effectively implemented within national legal systems, the Directive needs to be transposed through specific legislative acts by the deadline of October 17, 2024.

In Italy, the draft legislative decree for transposing NIS2 at the national level was recently approved by the Council of Ministers – with a favorable opinion from Parliament – and is awaiting publication in the Official Gazette of the Republic.

The regulation, in addition to designating the National Cybersecurity Agency (ACN) and the Ministry of Defense as the national authorities for managing cyber crises, introduces criteria for the gradual implementation and proportionality of obligations – based on risk analysis – to which private entities and public administrations must conform.

Finally, the activation of a digital platform is planned, through which NIS2 entities will be required to register, providing the information requested by ACN to allow the update and drafting (by March 31 of each year) of the final list of perimeter entities.

Security tailored to business

Mashfrog, adopting a holistic approach that combines Tech Law and Cybersecurity, unites a deep understanding of regulatory requirements, international frameworks, and industry standards with cutting-edge expertise in creating customized technological solutions. These solutions take into account the operational context, dimensions, and specific cyber risks of the organization, allowing the achievement of an optimal balance between protection and costs.

Placing the uniqueness of each client's business at the center.

For more information on how Mashfrog can assist you in applying the NIS2 directive, contact us.