Gianpaolo Todisco - Partner
Legislative Decree No. 138, which implements Directive (EU) 2022/2555 (the NIS 2 Directive), was published in the Official Gazette on Oct. 1, 2024. Its provisions enter into force on Oct. 18, 2024.
This measure is a significant step for Italy in the governance of cyber security, introducing measures intended to ensure a high common level of cyber security both nationally and across the European Union.
The decree arrives in an increasingly digitised context in which cyber security has become a crucial priority: cyber threats are growing more sophisticated and endanger both the stability of critical infrastructure and the protection of sensitive data.
Against this backdrop, the decree implementing the NIS 2 Directive is a milestone in strengthening cyber security for Italy and for the European Union as a whole.
The measure primarily aims to protect essential infrastructure by introducing new obligations for companies considered crucial to the economy and society. These measures are designed to increase resilience and reduce vulnerability to growing cyber threats.
Technical Requirements
One of the main objectives of the regulation is to ensure that entities within the scope of the NIS 2 Directive adopt proportionate technical and methodological measures to manage cyber risk. These measures must be tailored to the risks to which each entity is actually exposed, taking into account its size, its degree of exposure, the likelihood of incidents and their severity, including economic and social impact. The technical requirements draw on recognised international standards, such as ISO/IEC 27001 and the ETSI EN 319 series, and must be adapted to the operational characteristics of each entity.
The regulation requires the adoption of a systematic approach to risk management, including policies dedicated to network and information system security. Recommended measures include access management and network segmentation to ensure that only authorized individuals and systems can access critical resources.
One relevant aspect concerns small and medium-sized enterprises (SMEs), which may adopt compensatory measures where they cannot fully meet a technical or methodological requirement. Such deviations must be documented, however, and alternative controls put in place to mitigate the risk the original requirement was meant to address.
Significant incidents
A central point of the regulation is the definition of “significant incident” (Art. 3), which occurs when at least one of the following criteria is met:
Direct economic damage exceeding 500,000 euros or 5 percent of the entity's total annual turnover (whichever is lower);
Exfiltration of trade secrets within the meaning of Directive (EU) 2016/943;
Death of an individual;
Significant damage to the health of an individual.
Planned events, such as scheduled maintenance outages, are excluded and never count as significant incidents.
To assess the impact of incidents, the regulation requires entities to consider the number of users directly affected, including both end customers and entities that use the services provided.
The regulation also introduces the concept of recurring incidents (Article 4). If several incidents that are individually below the threshold share a common root cause, occur within a six-month period and together meet the criteria above, they are treated as a single significant incident. This approach aims to surface systemic deficiencies in risk management that a one-off assessment would miss, and to strengthen overall security.
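As an added illustration that is not part of the original article or of any regulatory text, the following Python script applies the significance criteria and the recurrence rule described above to a constructed set of incident records. The thresholds (500,000 euros or 5 percent of turnover, whichever is lower; trade-secret exfiltration; death; significant health damage; planned events excluded; a six-month recurrence window) come from the text. The incident data, the field names, the root-cause label used to link recurring incidents, and the choice to sum the direct economic damage of incidents assessed "together" are assumptions made for the example.

```python
"""Classify incidents against the significance criteria described above.

Added illustration, not code from the article or any regulator.
Assumption: recurring incidents assessed "together" have their direct
economic damage summed; any one of them exfiltrating trade secrets,
causing a death or serious health damage also qualifies the group.
"""
import calendar
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

LOSS_CAP_EUR = 500_000           # absolute ceiling stated in the text
TURNOVER_FRACTION = 0.05         # 5 percent of total annual turnover
RECURRENCE_WINDOW_MONTHS = 6     # window for aggregating recurring incidents


@dataclass(frozen=True)
class Incident:
    incident_id: str
    detected_on: date
    root_cause: str              # assumed label used to link recurring incidents
    direct_loss_eur: float = 0.0
    trade_secrets_exfiltrated: bool = False
    deaths: int = 0
    serious_health_damage: bool = False
    planned: bool = False        # e.g. a scheduled maintenance outage


def loss_threshold(annual_turnover_eur: float) -> float:
    """Economic-damage threshold: the lower of EUR 500k and 5 % of turnover."""
    return min(LOSS_CAP_EUR, TURNOVER_FRACTION * annual_turnover_eur)


def criteria_met(total_loss_eur, trade_secrets, deaths, health_damage, annual_turnover_eur):
    """Return the criteria satisfied by the given aggregate figures (empty = not significant)."""
    reasons = []
    if total_loss_eur > loss_threshold(annual_turnover_eur):
        reasons.append("economic damage above threshold")
    if trade_secrets:
        reasons.append("trade secret exfiltration")
    if deaths > 0:
        reasons.append("death of an individual")
    if health_damage:
        reasons.append("significant damage to health")
    return reasons


def classify_incident(incident: Incident, annual_turnover_eur: float) -> list:
    """Criteria met by one incident on its own; planned events are never significant."""
    if incident.planned:
        return []
    return criteria_met(incident.direct_loss_eur, incident.trade_secrets_exfiltrated,
                        incident.deaths, incident.serious_health_damage, annual_turnover_eur)


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of the target month."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def recurring_significant(incidents, annual_turnover_eur):
    """Group unplanned incidents sharing a root cause within a six-month window;
    return the groups (as frozensets of ids) that collectively meet the criteria."""
    by_cause = defaultdict(list)
    for inc in incidents:
        if not inc.planned:
            by_cause[inc.root_cause].append(inc)
    groups = set()
    for items in by_cause.values():
        items.sort(key=lambda i: i.detected_on)
        for start, first in enumerate(items):
            window_end = add_months(first.detected_on, RECURRENCE_WINDOW_MONTHS)
            window = [i for i in items[start:] if i.detected_on <= window_end]
            if len(window) < 2:          # a single incident is not "recurring"
                continue
            if criteria_met(sum(i.direct_loss_eur for i in window),
                            any(i.trade_secrets_exfiltrated for i in window),
                            sum(i.deaths for i in window),
                            any(i.serious_health_damage for i in window),
                            annual_turnover_eur):
                groups.add(frozenset(i.incident_id for i in window))
    return groups


# Constructed sample data: a turnover of EUR 4M puts the threshold at EUR 200,000.
TURNOVER_EUR = 4_000_000
SAMPLE_INCIDENTS = [
    Incident("INC-1", date(2025, 1, 10), "phishing-credential-theft", direct_loss_eur=120_000),
    Incident("INC-2", date(2025, 3, 2), "phishing-credential-theft", direct_loss_eur=90_000),
    Incident("INC-3", date(2025, 4, 6), "scheduled-maintenance", direct_loss_eur=300_000, planned=True),
    Incident("INC-4", date(2025, 5, 5), "ransomware", direct_loss_eur=600_000),
    Incident("INC-5", date(2025, 9, 20), "phishing-credential-theft", direct_loss_eur=50_000),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.incident_id, classify_incident(inc, TURNOVER_EUR) or "not significant alone")
    print("recurring groups:", recurring_significant(SAMPLE_INCIDENTS, TURNOVER_EUR))
```

In the sample, INC-1 and INC-2 are each below the 200,000 euro threshold but share a root cause within six months and sum to 210,000 euros, so they are reported as one recurring significant incident; INC-5 has the same cause but falls outside the window opened by either earlier incident; the planned outage INC-3 is ignored despite its size; INC-4 is significant on its own.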
Risk management
Entities must develop a risk management plan that includes the identification, analysis, and treatment of network and information system security risks. This plan should be reviewed at least annually or when significant operational changes occur.
A key aspect is the adoption of basic cyber hygiene practices, such as:
Network segmentation;
Multifactor authentication;
Regular software updates;
Protection against phishing and other social engineering techniques.
In addition, entities should promote awareness and training programs for employees and vendors, with periodic updates to account for evolutions in the threat landscape. Their effectiveness should be verified through regular testing.
To ensure operational resilience, entities must maintain business continuity and disaster recovery plans covering business impact analysis, recovery objectives, and roles and responsibilities in the event of a disaster. The plans must be tested and updated regularly to confirm they remain effective.
The supply chain
Risk management also extends to suppliers and supply chain partners. The regulation requires entities to establish specific policies for supply chain security, including criteria for selecting and contracting suppliers. These criteria must assess each supplier's cybersecurity practices and its ability to meet the entity's security requirements.
Entities should continuously monitor suppliers and update contracts to ensure compliance with security specifications. The use of cybersecurity certifications is encouraged to ensure that products and services meet appropriate standards of protection.
In summary, the regulation aims to build a more secure and resilient ecosystem by strengthening cybersecurity at all levels, from individual entities to entire supply chains, promoting effective risk prevention and management.