NIS 2: A New European Era of Cybersecurity Governance

The NIS 2 Directive – formally, Directive (EU) 2022/2555 – is the cornerstone of the EU’s strategy for a cybersecure and resilient digital economy. On October 1, 2024, Italy transposed NIS 2 into national law via Legislative Decree No. 138 of September 4, 2024, which entered into force on October 16, 2024.

This legislation significantly expands the scope and impact of the original 2016 NIS Directive by:

• Broadening the list of obligated entities, including medium and large companies across strategic sectors (health, energy, transport, digital infrastructure, manufacturing, finance, etc.);

• Introducing stricter security and incident-reporting obligations;

• Holding management bodies directly accountable for compliance failures.

Implementation Deadlines in Italy

The decree provides a phased compliance approach:

• By February 28, 2025:

  Entities must register with the national digital platform (managed by ACN) and designate a point of contact.

• By May 31, 2025:

  First annual update of organizational and operational information, including services, governance structure, and supply-chain data.

• By January 2026:

  Implementation of incident notification procedures, including deadlines of 24h / 72h / 1 month, depending on the severity.

• By October 2026:

  Entities must fully implement technical and organizational security measures as per Annex I and II of the decree.

A Strategic Opportunity

NIS 2 should not be seen as a compliance burden but, instead, as a strategic accelerator for:

• Enhancing digital resilience and operational continuity;

• Increasing trust with clients, partners, and regulators;

• Aligning with best practices in cybersecurity, supply chain oversight, and risk management.

With penalties of up to €10 million or 2% of global turnover for essential entities (and €7 million or 1.4% for important entities), the cost of non-compliance is significant — but so is the opportunity to lead by example in cyber risk governance.