
NIS 2 – strengthened cybersecurity and focus on the supply chain: the Italian challenge

The decree transposing the European NIS 2 Directive (Legislative Decree 138/2024, the “NIS 2 Decree”) has been published in the Official Gazette; it came into force on Oct. 16 and has been applicable since Oct. 18. The NIS 2 Decree extends the scope of NIS 1 to many more entities, sets minimum cybersecurity requirements, strengthens supply chain verification, and provides significant penalties for violations.

  1. What is new compared to NIS 1

Compared to the previous legislation, the sectors in which the NIS 2 Decree applies have been expanded. The notification system operated by ACN (the National Cybersecurity Agency, i.e., the NIS competent authority) has in most cases been replaced with an opt-in mechanism: entities that fall within the scope must register on the dedicated platform made available by ACN. Cybersecurity obligations and supply chain verification obligations are strengthened. Lastly, a stricter penalty system has been introduced, which also takes into account the turnover of the violator.

  2. Scope of application

As for private entities, the application of the NIS 2 Decree in Italy depends on two criteria, which must both be met.
2.1 Size criterion
Regarding the size criterion, the NIS 2 Decree applies to entities included in Annexes I and II that exceed the ceilings for small businesses, subject to certain exceptions identified in the Decree itself. For certain entities this size criterion is irrelevant and the Decree applies in any case: for example, public administrations (PAs), providers of certain strategic services, and so-called critical entities.
2.2 Sectoral criterion
Annexes I and II of the Decree contain a specific list of sectors to which the rules apply. It essentially takes over in full the sectors identified in NIS 1 (for example transportation, energy, CDN providers and cloud computing), but compared with NIS 1:

  • the number of players within the “electricity” sector is expanded;
  • the hydrogen, district heating/district cooling and space sectors have been added;
  • in the health sector, more players are included (for example, medical device manufacturing);
  • the digital infrastructure sector has been greatly expanded to include, among others, data center providers and communication network providers;
  • the food sector, particularly in relation to distribution, is now included;
  • the electronic equipment and computer manufacturing sector has been added;
  • digital services now include social network providers and providers of domain name registration services.

In addition to the above, Annex III of the NIS 2 Decree identifies the PAs (at the state, regional and municipal levels) that fall within the scope, while Annex IV identifies further categories of entities (e.g., educational institutions and entities carrying out activities of cultural interest).

  3. Formal compliances

By December 31, 2024 – each company must carry out a self-assessment to verify whether, in light of the services offered, the sector it belongs to and the size criteria, it falls within the scope of the NIS 2 Decree, and must assess the actions to be implemented for the relevant compliance.
From January 1 to February 28 [of each year following the entry into force of the NIS 2 Decree, so as early as 2025] – registration on the platform made available by ACN, where, among other things, the company's point of contact for NIS-related matters and their contact details must be indicated.
By March 31 [of each year following the entry into force of the NIS 2 Decree, so as early as 2025] – ACN confirms or rejects the registration (it may also determine that an entity should be removed from the list).
From April 15 to May 31 [of each year following the entry into force of the NIS 2 Decree, so as early as 2025] – where necessary, supplementation of the information on the ACN portal.
From May 1 to June 30 [of each year following the entry into force of the NIS 2 Decree, so as early as 2025] – where necessary, update of the services provided.

  4. Substantive compliances

Entities within the scope of the Decree must adopt (indicatively by September 2026) appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the security of the network and information systems they use in their activities or in the provision of their services. The Decree sets out a minimum list of such measures, which are then implemented on a case-by-case basis:

  1. risk analysis and security policies for network and information systems;
  2. incident management, including procedures and tools for mandatory and voluntary incident notifications. On this point, the Decree stipulates that, as of January 1, 2026, any incident that has a significant impact on the provision of services must be notified within 24 hours (possibly by way of a pre-notification) to the CSIRT (Computer Security Incident Response Team), established at ACN and in charge of monitoring national security and, where necessary, intervening in the event of incidents; the notification must include information that allows the CSIRT to determine any cross-border impact of the incident;
  3. business continuity, including backup management, disaster recovery where applicable, and crisis management;
  4. supply chain security, including security-related aspects of the relationship between each entity and its direct suppliers or service providers (this measure has a direct impact on the verification and mapping of the supply chain, including and especially in terms of security);
  5. security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure;
  6. policies and procedures for assessing the effectiveness of cybersecurity risk management measures;
  7. basic cyber hygiene practices and cybersecurity training;
  8. policies and procedures regarding the use of cryptography and, where appropriate, encryption;
  9. human resources security, access control policies and asset management;
  10. use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity, where appropriate.

4.1 What is meant by “enhanced cybersecurity”
Companies that fall within the scope of the NIS 2 Decree will have to implement measures and procedures to ensure and oversee cybersecurity risk management; adopt governance that ensures ongoing training of governing bodies and employees, with increased awareness of cybersecurity issues; implement procedures to guard against possible incidents and to proactively notify them within the terms set by the rules; and, lastly, adopt systems that ensure business continuity.
4.2 Verification of the supply chain – main compliances
Companies need supplier and supply chain management systems in place so that the security measures implemented by their suppliers are monitored, including through the integration of existing agreements and the planning of periodic audits that allow constant monitoring of whether those measures remain in place. Among other things, it will therefore be necessary to verify that suppliers adopt business continuity and disaster recovery measures consistent with the minimum measures required of the company within the scope of the NIS 2 Decree, coordinating these monitoring activities with the corporate procedures already in place, for example in the areas of data protection and ISO certifications.

  5. Sanction system

The penalty system has been tightened further, with differentiated brackets depending on the type of violation and on whether the entity is classified as essential or important by ACN.
For failure to approve the implementation of risk management measures and to provide specific training, failure to adopt risk management measures and to report incidents, or failure to comply with the provisions adopted by ACN, sanctions range up to a maximum of 10,000,000 euros or 2 percent of total annual worldwide turnover for the previous fiscal year for essential entities. For important entities, on the other hand, sanctions range up to a maximum of 7,000,000 euros or 1.4 percent of total annual worldwide turnover for the previous fiscal year.
Reduced penalties (for essential entities, up to a maximum of 0.1% of total annual worldwide turnover for the previous fiscal year; for important entities, up to a maximum of 0.07% of total annual worldwide turnover for the previous fiscal year) are provided for failure to register, communicate or update information on the platform, failure to comply with the procedures established by ACN regarding platform registration and information entry, failure to communicate or update the list of activities and services and their categorization, failure to implement or enforce sector-specific obligations and provisions, and failure to cooperate with ACN and CSIRT Italy.


Of course, the size of the sanction may vary according to certain corrective criteria, such as the severity of the violation, its duration, and its repetition over the years.



“Certified B Corporation” is a trademark licensed by B Lab, a private non-profit organization, to companies like ours that have successfully completed the B Impact Assessment (“BIA”) and therefore meet the requirements set by B Lab for social and environmental performance, accountability, and transparency.

It is specified that B Lab is not a conformity assessment body as defined by Regulation (EU) no. 765/2008, nor is it a national, European, or international standardization body as per Regulation (EU) no. 1025/2012.

The criteria of the BIA are distinct and independent from the harmonized standards resulting from ISO norms or other standardization bodies, and they are not ratified by national or European public institutions.