Guides

The complete guide to the NIS2 Directive 

The NIS2 directive introduces stricter cyber security measures in the EU, requiring organizations to implement multi-factor authentication and procedures for incident management. It extends its scope to sectors such as healthcare and transportation, promoting a risk-based approach to identify vulnerabilities and protect data.

Protection of digital infrastructure

6 November 2024

Table of contents

  • NIS2 Directive: advancing cyber security in Europe 
  • Key objectives and requirements of NIS2 
  • Scope of the NIS2 Directive 
  • The entry into force of the NIS2 Directive and obligations for companies
  • Who are the companies affected by the NIS2 Directive
  • Technical and organizational security measures
  • Incident reporting and management 
  • Key steps to implement NIS2
  • Benefits of NIS2 Compliance 

NIS2 Directive: advancing cyber security in Europe 

The NIS2 Directive is part of the European Union’s strategy to protect its digital infrastructure and enhance cyber security.

Published as an evolution of the first NIS Directive from 2016, NIS2 sets even more ambitious goals and came into effect on January 17, 2023

In Italy, NIS2 took effect on October 16, 2024, replacing the previous EU Directive 2016/1148 (NIS1).

The Directive aims to strengthen the cyber resilience of digital service providers, essential service operators, and other organizations critical to the socioeconomic functioning of the Union. 

Key objectives and requirements of NIS2 

The NIS2 Directive seeks to establish a uniform and higher level of cyber security across the EU by requiring organizations to implement stringent measures in operational continuity, risk management, and incident handling

Among the main innovations, the Directive establishes the obligation for companies to implement security measures such as multi-factor authentication and to have effective procedures for monitoring and responding to cyber security incidents.

Furthermore, it broadens its scope and abolishes the previous distinction between essential service operators and digital service providers, including sectors such as healthcare, transportation, energy, and banking.

A key aspect of NIS2 is the inclusion of a risk-based approach, where each organization is required to identify its vulnerabilities, assess risks, and implement appropriate protection strategies. Security requirements extend across various areas, including:

  • Network and system security
    Establishing resilient infrastructures to withstand cyberattacks and ensure quick incident response. 
  • Operational continuity
    Implementing measures to maintain essential services during threats. 
  • Incident management
    Developing protocols to minimize the damage of significant incidents

Scope of the NIS2 Directive 

The NIS2 Directive has expanded its scope compared to the previous regulations, including a wider range of sectors and organizations operating in areas vital to EU security.

This update is a response to the new challenges posed by cyber security threats and the increase in cyber incidents involving critical infrastructure.

In addition to including digital service providers, it extends to new sectors such as healthcare, financial services, energy, telecommunications, data centers, and cloud computing platforms.

The inclusion of such diverse sectors means that private companies and external suppliers, such as domain name registrars, are also required to comply with the Directive, adopting preventive measures against vulnerabilities and ensuring that their networks are secure.

The entry into force of the NIS2 Directive and obligations for companies

The NIS2 Directive was adopted in Italy on October 1, 2024, with Legislative Decree No. 138, which establishes the entry into force of the regulation on October 16, 2024. Affected companies must therefore quickly comply with the provisions to avoid penalties.

Who are the companies affected by the NIS2 Directive

The Directive distinguishes between two categories of companies:

  • Essential entities
    Fundamental businesses for social and economic functioning, such as energy providers, transportation, healthcare, banking, water supply, and digital infrastructure.
  • Important entities
    Companies that, while not essential, operate in sectors relevant to economic security, such as digital services, food distribution, courier services, chemical production, and waste management.
European regulation high level cyber security

Minimum security requirements 

NIS Directive sets strict requirements to protect critical infrastructure and sensitive data. 

Risk management 

Companies must implement a robust risk management process, including:

  • Regular risk assessments
    Conduct periodic analysis of cyber security vulnerabilities
  • Incident response plans
    Strategies for rapid response to breaches or attacks
  • Vulnerability management
    Measures to identify and fix IT system gaps

Technical and organizational security measures

To protect company data, measures such as the following are required:

  • Multi-Factor Authentication
    Secure access to systems 
  • Data encryption
    Protect sensitive data 
  • Continuous monitoring
    Detect unusual behavior
  • Regular backups
    Prevent data loss 

Incident reporting and management 

Cyber incidents must be promptly reported to authorities, typically within 24-72 hours. Companies are also required to maintain detailed documentation of measures taken to improve defense capabilities. 

  • Supply chain protection 
    The NIS2 Directive emphasizes the importance of cyber security in the supply chain. Companies must ensure that their suppliers also meet high security standards and manage risk effectively.
  • Awareness and training 
    Ongoing staff training, including for leadership, is crucial for effective cyber security. Regular programs should teach employees to recognize cyber threats like phishing and respond quickly. 
  • Security governance 
    Clear cyber security governance is essential. Specific roles and responsibilities must be defined to ensure cyber security is integrated into the company’s strategy
  • Collaboration with authorities 
    The Directive requires close collaboration with national authorities and promotes information sharing among EU member states to address cyber crises in a coordinated manner. 
  • Vulnerability reporting procedures 
    NIS2 mandates a coordinated vulnerability disclosure system, allowing companies to report potential system flaws to prevent exploitation.
  • Regular audits and reviews 
    To ensure compliance, companies are subject to periodic audits. They must maintain up-to-date records and detailed documentation of security measures taken. 
  • Preparing for compliance 
    Companies must conduct a risk assessment of their IT systems, develop security plans, and prepare for possible checks by authorities. 
  • Penalties for non-compliance 
    Penalties for non-compliance are strict: up to €10 million or 2% of global annual turnover for “essential” companies, and up to €7 million or 1.4% for “important” ones. Executives may be held personally liable in cases of severe violations. 

Key steps to implement NIS2

Companies within the scope of NIS2 must adopt a proactive approach to ensure compliance.

Here are some key steps: 

  • Risk assessment
    Identify weaknesses and define specific protection strategies for digital and physical assets. 
  • Staff training: Engage employees in ongoing training on cyber security and digital hygiene practices. 
  • Implementation of technical solutions
    Use advanced network security technologies, such as multi-factor authentication, and monitoring tools to detect anomalies early. 
  • Establishment of a response team
    Every company must be prepared to respond quickly to a cyberattack with a team specialized in incident management. 

Benefits of NIS2 Compliance 

Complying with NIS2 standards offers concrete advantages. First, it enhances a company’s cyber resilience and threat response capabilities, protecting sensitive data and ensuring operational continuity.

Compliance can also boost consumer trust, as companies are seen as security-conscious partners. Moreover, robust security protocols can reduce the risk of penalties and limit financial damage from potential attacks. 

Frequently asked questions

  1. What is the NIS2 Directive? 
    The European regulation to ensure a high level of cyber security across EU member states, effective from 2024. 
  2. What is the goal of NIS2? 
    To establish uniform security measures to protect essential services and digital infrastructure across the EU. 
  3. When did NIS2 go into effect? 
    In Italy, it officially came into force on October 16, 2024, replacing the previous EU Directive 2016/1148 (NIS1). 
  4. Who does NIS2 apply to? 
    Essential service operators, digital service providers, and critical sectors such as healthcare, energy, and transportation. 
  5. What are the main requirements of NIS2? 
    It includes risk management, operational continuity measures, and incident management protocols. 
  6. What happens in cases of non-compliance with NIS2? 
    Companies may face penalties from the relevant authorities. 
  7. Which sectors are included in NIS2? 
    In addition to essential sectors, critical infrastructure like telecommunications, finance, and cloud services are covered. 
  8. How can a company implement NIS2? 
    Start with a risk assessment and adopt technical and organizational security measures. 
  9. What is operational continuity in NIS2? 
    It’s the set of measures to ensure the functioning of services even during a cyberattack. 
  10. Where can I find the NIS2 Directive PDF? 
    The full text can be downloaded from official EU portals and relevant authority websites. 
87
To top