
Riccardo Nuti : 15 November 2025 15:22
On 10 November 2022, the European Parliament approved the NIS2 (Network and Information System Security) Directive by a large majority; it was published in the Official Journal of the European Union (EU Directive 2022/2555) on 27 December 2022. The NIS2 Directive amends Regulation (EU) No. 910/2014 and Directive (EU) 2018/1972, and requires the EU Member States to transpose it by 17 October 2024.
Like all documents relating to technology, and especially to digital security, it must not be monolithic and definitive: it must take into account the technological, sociological (e.g., the COVID pandemic) and geopolitical (e.g., the war in Ukraine) contexts, and any improvements that may be needed in the “applicability” and “application” of the legislation in question.
The overall scenario, from the perspective of equipment and the related technological infrastructure, presents a growing overall risk unlike anything seen in previous years. Member States, and therefore the European Union, have felt the need to increase their capacity for resilience, response and risk sharing. This means more interaction between States to respond to threats in a unified manner, sharing information and acting promptly to reduce the risk to individual stakeholders (first of all businesses and public administrations, which are the most exposed to cyber threats) from cyber attacks or, more generally, from unintended degradation or disruption of the operational functionality of equipment and systems.
The main elements that led to the re-issuance of the Directive as NIS2 were:
The distinction between Essential and Important Entities depends on the service offered, the entity’s size in terms of employees and revenue, and its criticality. Regarding size, identification is left to the Member States; at the same time, to avoid uncertainty on the part of individual States and inconsistencies in the application of the Directive, it refers to Commission Recommendation 2003/361/EC (Article 2, paragraph 1) for an objective and uniform threshold criterion by which companies are readily identified as “medium-sized enterprises” or as exceeding the thresholds for medium-sized enterprises. In this regard, the EU also provides that individual Member States may include small and micro enterprises, regardless of their size, in the application of the Directive if, due to their criticality, they fulfil key roles “for society, the economy or for particular sectors or types of service” (recital 7);
For the sake of completeness, additional services already present in the previous Directive are listed, again divided into “Highly Critical Sectors” and “Other Critical Sectors.” The first group includes the following services: “Energy,” “Transport,” “Banking,” “Financial Market Infrastructure,” “Healthcare,” “Drinking Water,” and “Digital Infrastructure.” The second group includes the services “Manufacturing” (of healthcare systems, computers, electronic equipment, means of transport, motor vehicles, etc.), “Digital Service Providers,” and “Research.”
The NIS2 Directive does not apply to public administration bodies whose entities operate predominantly “in the areas of national security, public safety, defence or carry out law enforcement activities, including the prevention, investigation, detection and prosecution of criminal offences”;
Individual Member States must ensure that the supervisory or enforcement measures imposed on Essential and Important Entities, in relation to the obligations set forth in the NIS2 Directive (with particular reference to Articles 21 and 23), “are effective, proportionate, and dissuasive, taking into account the circumstances of each individual case” (Article 32, paragraph 1). Specifically, Member States, through their competent national authorities (for Italy, the National Cybersecurity Agency, ACN), may decide to subject Essential Entities to on-site inspections, security audits, ad hoc audits, security scans, and requests for the information necessary to evaluate the cybersecurity risk management measures adopted.
If, after the investigations, the measures adopted prove ineffective, the Member State shall ensure that its competent authority (i.e., the ACN) has the power to set a deadline by which an Essential Entity is required to implement binding actions and report on their implementation. For Important Entities too, if they fail to comply with the NIS2 Directive, the competent authorities must act promptly through ex-post supervisory measures, taking into account, as already mentioned, the application of controls that are “effective, proportionate, and dissuasive.”
If the incident has not been concluded by the time the final report is due, the interested parties must provide a report on the situation and the progress achieved up to that point, submitting “the final report within one month of managing the incident.” Finally, between the notification “within 72 hours” and the “final report,” the CSIRT or, alternatively, the competent authority may request intermediate reports on the status of incident management.
Beyond the considerations that led to a sharper redefinition and direction of the NIS2 Directive, to avoid uncertainty and inconsistency and to provide a minimum common basis for the treatment of cybersecurity issues among Member States, it is above all necessary to highlight and recognize the six fundamental pillars that characterize the essence of the Directive.
With the NIS2 Directive, Member States become promoters of pursuing increased capacity to prevent and manage cyber incidents among individual Essential and Important Entities (Article 20). Corporate management bodies can no longer delegate to information systems and/or network managers the objectives, priorities, and measures to be implemented to ensure corporate security. In this regard, the Directive requires that the same managers, who compose and contribute to the definition and direction of the governance of Essential and Important Entities, be specifically trained to support their awareness of cybersecurity process management, i.e., the governance of risk approval activities, decisions supporting measures, and their supervision.
Similarly, training must be provided periodically to their employees to develop the knowledge and skills needed to recognize and identify risks. They must be aware of risk management practices and the associated impacts on the services provided should they occur. In practice, it is necessary to foster cross-sectoral and vertical growth in cyber risk management among all stakeholders involved in that service, starting with management bodies and including those responsible for implementing and monitoring the approved and applied measures.
The risks affecting companies or public administrations that qualify as Essential or Important Entities can be endogenous or exogenous. The former include, for example, human error by an operator or a dissatisfied employee, as well as technical issues (software malfunctions and updates, imperfect or missing maintenance). The latter include natural phenomena (e.g., earthquakes, floods), malicious events (hackers or activists), and geopolitical situations (e.g., hybrid warfare). These are examples only, not an exhaustive list of the risks affecting Essential or Important Entities; what matters is to highlight the multiplicity of risks that must be identified, analyzed, and assessed. To this end, the NIS2 Directive goes beyond a purely technical risk assessment and addresses the management of the service offered as an ecosystem that can be subject to a “multi-risk” analysis approach (Article 21).
Security requirements are of particular importance since the Directive seeks to provide two important guidelines. The first is that Member States ensure that the technical, operational, and organizational security measures adopted by Essential and Important Entities are adequate and proportionate to the management of risks related to the security of the information and network systems that effectively support the services provided by those entities. These measures must not only prevent activities and events that could result in partial or total service interruptions, but also minimize the impact on the efficiency and performance of their services and any other related services.
The Directive does not address technical security measures in absolute terms, but focuses on their implementation and enforcement in relation to “the entity’s degree of exposure to risk,” the size of the entity implementing them, the probability of an abnormal event occurring, and its severity in terms of social and economic impact. The second indication is that the Directive requires Member States to adopt, as part of so-called multi-risk management, a set of minimum measures on specific aspects to be analyzed and applied in order to counter potential unwanted events effectively and promptly. In particular, the specific aspects indicated by the Directive are: “a) risk analysis and information systems security policies; b) incident management; c) business continuity, such as backup management and disaster recovery, and crisis management; d) supply chain security, including security aspects of the relationship between each entity and its direct suppliers or service providers; e) security of the acquisition, development, and maintenance of information technology and network systems, including vulnerability management and disclosure; f) strategies and procedures for evaluating the effectiveness of cybersecurity risk management measures; g) basic cyber hygiene practices and cybersecurity training; h) policies and procedures regarding the use of cryptography and, where appropriate, encryption; i) human resources security, access control strategies, and asset management; j) use of multi-factor or continuous authentication solutions, secure voice, video, and text communications, and secure emergency communication systems by the entity internally, where applicable.”
Another area of concern introduced by the Directive under consideration concerns the potential vulnerabilities that may arise in the provision of a service or the production of a product through the supply chain. In this regard, it is necessary to evaluate and identify the risks associated with the relationship between the parties and the suppliers of products and services, with regard to the quality of the products produced by suppliers, as well as with the methodological practices adopted by suppliers in the secure code development processes (Article 21, paragraph 3).
Effective and timely measures to prevent and respond to anomalous events also depend on coordinated practices implemented in each Member State for disclosing vulnerabilities. Each Member State designates a CSIRT that “acts as a trusted intermediary,” facilitating interaction between the person (natural or legal) who detects the vulnerability and the manufacturer or provider of the ICT services/products that may be affected.
In this regard, NIS2 promotes and facilitates, through the published contact details of each Member State’s national CSIRT, the anonymous reporting of vulnerabilities, while safeguarding the anonymity of the individual (natural or legal) who reported the issue. It is likewise necessary that, if the vulnerability is confirmed and its impact extends to entities in other Member States, the CSIRT first involved cooperates, where needed, with the CSIRTs of the Member States whose entities may be affected by the same vulnerability (Article 12).
In multi-risk management, Essential and Important Entities cannot disregard operational continuity. This means that companies or public administrations have regulatory obligations, following a cybersecurity incident, to mitigate its effects, ensuring adequate levels of the services offered and of the procurement of ICT (Information and Communication Technology) products and services.
In business operations, although the Directive does not state it explicitly, we cannot ignore OT (Operational Technology) tools, which support industrial monitoring and automation, alongside traditional IT (Information Technology) tools. These systems were once characterized by reliability and continuity because they enjoyed physical isolation (air-gapped networks). Today, however, OT systems are increasingly advanced computing systems that converge and integrate with IT systems, with clear processing and computing advantages. On the one hand, this facilitates management and operations; on the other, because they are more technologically advanced and, above all, increasingly connected to public networks, they can be subject to cyber attacks.
The concept of business continuity in NIS2 is expressed in a few lines and in a relatively generic manner, in terms of “backup management, disaster recovery, and crisis management” (Article 21, paragraph 2). To better contextualize business continuity, stakeholders must consider and apply the Business Impact Analysis (BIA) methodology. Starting from the company’s business, this methodology determines the potential impacts and unintended consequences for the business itself caused by anomalous or unwanted events (such as the interruption of services or of ICT products and resources).
Defining and identifying the economic, regulatory, and reputational impacts will certainly be crucial. A general principle that must be observed is not to view a system, process, or service as a monolithic and independent element. Given the strong direct and indirect interconnections between infrastructures and systems, it is necessary to evaluate the interactions that could negatively affect the service or product being delivered. In particular, alongside the BIA methodology, it is necessary to introduce practices for “modeling multiple and complex structures to identify cascading effects,” since these allow the adoption of resilient solutions that ensure an effective and timely response to unintended events.
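As an added illustration of the cascading-effect modelling mentioned above (example code written for this page, not from the article or from any NIS2 guidance), the following Python propagates a single asset failure through a constructed IT/OT dependency inventory and ranks assets by cascaded rather than standalone impact across the economic, regulatory and reputational categories. The asset names, dependencies and the 0 to 3 impact scores are assumptions.

```python
from dataclasses import dataclass, field

# Impact categories named in the BIA discussion above. The 0-3 scale is a
# constructed convention for this example, not a scale defined by NIS2.
CATEGORIES = ("economic", "regulatory", "reputational")

@dataclass
class Asset:
    name: str
    impact: dict                    # category -> 0..3, loss of this asset alone
    depends_on: list = field(default_factory=list)

def build_inventory(assets):
    """Index assets by name and reject dangling dependency references."""
    inv = {a.name: a for a in assets}
    for a in assets:
        for dep in a.depends_on:
            if dep not in inv:
                raise ValueError(f"{a.name} depends on unknown asset {dep}")
    return inv

def reverse_dependencies(inv):
    """Map each asset to the assets that directly depend on it."""
    rev = {name: [] for name in inv}
    for a in inv.values():
        for dep in a.depends_on:
            rev[dep].append(a.name)
    return rev

def cascade(inv, failed):
    """Assets that go down when `failed` fails: an asset is assumed down as soon as
    any dependency is down (no redundancy modelled); the visited set handles cycles."""
    rev = reverse_dependencies(inv)
    down, stack = set(), [failed]
    while stack:
        name = stack.pop()
        if name not in down:
            down.add(name)
            stack.extend(rev[name])
    return down

def cascading_impact(inv, failed):
    """Per-category impact summed over everything the failure of `failed` takes down."""
    totals = {c: 0 for c in CATEGORIES}
    for name in cascade(inv, failed):
        for c in CATEGORIES:
            totals[c] += inv[name].impact.get(c, 0)
    return totals

def rank_by_cascade(inv):
    """(name, standalone, cascaded) tuples, highest cascaded impact first. A large gap
    between the two numbers marks a shared dependency a per-asset BIA underestimates."""
    rows = []
    for name in inv:
        alone = sum(inv[name].impact.get(c, 0) for c in CATEGORIES)
        rows.append((name, alone, sum(cascading_impact(inv, name).values())))
    return sorted(rows, key=lambda r: (-r[2], r[0]))

# Constructed inventory: a converged IT/OT estate in which the OT HMI has been
# integrated with the corporate identity service, as discussed above.
INVENTORY = build_inventory([
    Asset("dns", {"economic": 1, "regulatory": 0, "reputational": 0}),
    Asset("identity", {"economic": 1, "regulatory": 1, "reputational": 1}, ["dns"]),
    Asset("db", {"economic": 2, "regulatory": 2, "reputational": 1}),
    Asset("erp", {"economic": 3, "regulatory": 2, "reputational": 1}, ["identity", "db"]),
    Asset("scada_hmi", {"economic": 3, "regulatory": 3, "reputational": 2}, ["identity"]),
    Asset("customer_portal", {"economic": 2, "regulatory": 1, "reputational": 3}, ["erp", "identity"]),
    Asset("backup", {"economic": 0, "regulatory": 2, "reputational": 0}),
])
```

In this inventory the DNS service scores only 1 on its own but tops the cascaded ranking at 24, which is exactly the kind of shared dependency the text warns a monolithic, per-system view would miss.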
As previously mentioned, the NIS2 Directive plays an important role in the European context in strengthening the fight against cyber attacks and the resilience to them. This role does not stand alone: it relates to, and forms a critical mass with, other existing European regulations that reinforce Europe’s commitment to countering cyber attacks and its awareness of them. These other regulations are the GDPR (EU Regulation 2016/679), the Cybersecurity Act (EU Regulation 2019/881), the DORA Regulation (EU Regulation 2022/2554), and the CER Directive (EU Directive 2022/2557). The distinguishing features of each and their points of contact with the NIS2 Directive are as follows:
The GDPR addresses the protection of natural persons with regard to the processing of their personal data and the free movement of such data. The NIS2 Directive does not overlap with or replace the GDPR, but integrates it. The Directive explicitly references the GDPR at various points (Articles 2, 31, and 35), stating that if network and IT systems have been affected by cyberattacks and analysis of such attacks has revealed a data breach, the NIS2 requires the national authorities responsible for enforcing the directive (the ACN for Italy) to inform and work closely with the national supervisory authorities on the application of the GDPR (the Italian Data Protection Authority).
In addition to this shared focus, the NIS2 Directive and the GDPR also share other elements: i) incident notification; ii) cooperation and information exchange between EU member states; iii) risk assessment and the adoption of appropriate security measures. Regarding this last aspect, the purpose of the two risk assessments is different: for NIS2, it is the risk associated with the security of networks and information systems, while for the GDPR, the risk is assessed on the rights and freedoms of individuals.
The Cybersecurity Act (EU Regulation 2019/881), which entered into force on June 27, 2019, is an integral part of the EU’s overall cybersecurity project. The Regulation is an important and complementary element to the NIS2 Directive, which aims to increase the level of resilience of information systems to attacks. The Cybersecurity Act Regulation comprises two key elements: i) the introduction of information security certification systems valid within the EU for internet-connected devices, IT products and services, and IT processes; ii) greater clarification of the role of ENISA through the definition of its organizational structure, objectives, and related tasks (the details of this European body and the strengthening of its role in Europe with the issuance of the NIS2 Directive will be discussed later).
The DORA Regulation (EU Regulation 2022/2554), effective January 17, 2023, has a deadline of January 17, 2025, for financial institutions to comply with its requirements. The DORA Regulation applies to banks, insurance companies, financial institutions, stock exchanges, cryptocurrency service providers, credit rating agencies, crowdfunding service providers, and ICT service providers. Economic and financial institutions that fall under the DORA Regulation are not required to apply the NIS2 Directive “pursuant to the specialty criteria” (Article 4, paragraphs 1 and 2), as the provisions of the aforementioned Regulation are considered to correspond to and therefore satisfy those of the NIS2 Directive.
The common, albeit complementary, aspect of the two regulations is that the supervisory authorities responsible for applying and supervising the Directive cooperate with the corresponding supervisory authorities of the individual Member States responsible for monitoring and supervising the adoption of the DORA Regulation. In practice, when the NIS2 Directive is applied to an entity designated as Essential or Important which in turn acts as a critical third-party provider of ICT services, the various competent authorities inform each other of the status of that entity’s NIS2 implementation (Article 33, paragraph 6). The interrelationship is not only national but also international, since the DORA Regulation allows the European Supervisory Authorities and the competent authorities to participate in the activities of the various cooperation groups, including the CSIRTs, for the exchange of information (e.g., incident details, cyber threats) (Recital 28).
The CER Directive (EU Directive 2022/2557) is the European regulation that directs the identification of critical entities in order to implement actions to ensure the resilience of the infrastructures that support and contribute to the operation of services against unwanted events associated with natural hazards, terrorist attacks, and sabotage. The CER Directive requires each EU Member State to identify critical entities from the following sectors by July 17, 2026: energy, transportation, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, public administration, space, and food production, processing, and distribution.
An important aspect that highlights the strong interdependence between the two directives is the fact that the NIS2 Directive applies to all entities, regardless of their size, identified as “Critical Entities” by the CER Directive (Article 2, paragraph 3). In summary, the common aspects of the two directives are: i) identification of critical entities; ii) adoption of appropriate technical and organizational measures to ensure and strengthen resilience and operational capacity; iii) identification of a competent authority with supervisory duties for the correct application of the CER Directive.
The European Union’s ENISA (European Network and Information Security Agency) aims to improve the security and resilience of information systems and telecommunications networks. The EU entrusts ENISA with the role of hub for cybersecurity issues, providing the expertise to which member states and the European institutions themselves must turn.
The NIS2 Directive strengthens and clarifies ENISA’s tasks and role. For example, ENISA ensures:
Given the widespread use of digital technology and telecommunications networks, now indispensable for the well-being and quality of life of a community, and also given the general increase in unwanted situations, due to the deliberate actions of malicious actors (hackers, activists, hybrid warfare) or unintended actions originating from human error, the European Union has issued the NIS2 Directive.
This issuance is part of a coherent and contextualized European framework of other regulations, with the aim of improving the response and overall resilience of digital systems, networks, and ICT systems. This improvement should not be undertaken solely and monolithically by individual member states; it should be coordinated with all other member states, taking into account individual national needs and capabilities. The latter are encouraged to share the measures implemented through national reference centers and to promptly share the types of attacks, creating a common defense front. Is this a point of arrival?
Absolutely not. The set of regulations issued to date can represent an ecosystem where each regulation, with its own peculiarities and specificities, builds upon and complements the others. Whenever a new regulation is added or an existing one is modified, the entire framework must be evaluated to avoid creating operational, governance, and managerial accountability gaps that could introduce weaknesses and vulnerabilities in the services and products provided by Essential and Important Entities. In this regard, the NIS2 Directive, while providing very specific guidance, leaves its implementation to individual member states.
This implementation, referring to Italy, must also take into account the various decrees issued within the “National Cybersecurity Perimeter” and therefore create the integration and coherence necessary to guarantee the diverse objectives to which the various regulations relate. Specifically, the objective of the NIS2 Directive is the maintenance of social and/or economic activities on which citizens, businesses, and markets generally depend. Meanwhile, for the National Cybersecurity Perimeter, the primary objective is the security of the state and the essential services that contribute to its functions.
In conclusion, important and fundamental steps have been taken to secure technological systems and infrastructures. However, attention to the various technical and geopolitical dynamics, the ability to understand the diverse cultural and technological evolutions of the cyber world, and, above all, professionalism must always stay a step ahead of the malicious behaviors that can cause serious damage to systems and infrastructures. This requires the timely and effective support and updating of European and national regulations as a fundamental element.
Riccardo Nuti