NIS2 in Italy: the new Cybersecurity Directive

Learn how Italy is implementing the NIS2 Directive and what your business needs to do to comply. Discover practical steps for cybersecurity compliance in 2025.

The digital world is evolving fast, and so are the threats that come with it. From ransomware attacks to data breaches, companies face increasing cybersecurity challenges. To respond to this growing risk, the European Union introduced the NIS2 Directive — a new set of rules aimed at strengthening digital resilience across Member States.

Italy, like other EU countries, is now in the process of implementing this directive. For Italian businesses, understanding what NIS2 means and how to comply is not just a matter of legal necessity — it’s a strategic move toward a safer, more competitive digital future.

In this article, we break down what NIS2 is, how Italy is adopting it, and what businesses should do to prepare. We’ll keep the language simple and the message clear. Whether you’re a manager, a legal expert, or a business owner, this guide will help you understand how to take action.

What is NIS2?

Let’s start with the basics. NIS stands for "Network and Information Security." The original NIS Directive was adopted by the EU in 2016. It was the first European law that focused on cybersecurity at a national level. But the digital landscape has changed a lot since then.

Officially adopted in January 2023, NIS2 expands and updates the original directive. It covers more sectors, introduces stricter requirements, and aims to create a more harmonized cybersecurity framework across the EU.

Make sure to read our blog article about NIS2 in the EU.

Italy’s approach to NIS2 implementation

Italy is taking the implementation of NIS2 seriously. The national agency responsible for cybersecurity, ACN (Agenzia per la Cybersicurezza Nazionale), is leading the charge. As of early 2024, the Italian government has already passed a legislative decree that defines how NIS2 will be applied nationally.

Here are some key highlights:

  • Wider scope: The Italian NIS2 decree includes many new sectors not previously covered, including digital services and manufacturing.
  • Risk-based approach: Companies must perform risk assessments and adapt their cybersecurity measures accordingly.
  • More responsibility: Top management is now directly accountable for cybersecurity compliance.
  • Stronger penalties: Fines for non-compliance can reach up to €10 million or 2% of global annual turnover.

The goal is clear: boost cybersecurity, protect critical infrastructure, and ensure that companies are better prepared for digital threats.

Want to know more about the timeline of implementation? Read the in-depth article here.

Who is affected by NIS2 in Italy?

Understanding whether your organization falls under the NIS2 scope is crucial. In Italy, the directive applies to both public and private entities that meet specific size and sector requirements.

Essential and important entities

  • Essential entities include large operators in critical sectors like energy, banking, healthcare, and digital infrastructure.
  • Important entities include medium-sized businesses in sectors such as manufacturing of critical products, postal services, and digital providers.

In general, if your company has more than 50 employees and an annual turnover exceeding €10 million, and operates in one of the covered sectors, you should take a closer look.

Even smaller organizations could be subject to NIS2 if they play a key role in a larger supply chain. Italy’s decree also allows ACN to designate specific entities based on risk level — even if they don’t meet the size thresholds.

Key obligations for businesses

Implementing NIS2 requires companies to take a proactive stance on cybersecurity. Here are some of the main obligations under the Italian implementation:

1. Cybersecurity risk management

Organizations must implement technical and organizational measures based on the risks they face. This includes:

  • Access control and encryption
  • Business continuity and disaster recovery
  • Incident handling
  • Supply chain security

You can’t just install antivirus software and call it a day. The approach must be strategic and holistic.

2. Incident notification

Entities must report significant cybersecurity incidents to ACN. The timeline is tight:

  • Initial alert within 24 hours
  • Detailed report within 72 hours
  • Final report within one month

Delays or omissions can lead to heavy fines and reputational damage.

3. Governance and accountability

One of the biggest changes under NIS2 is that senior management is now legally accountable for cybersecurity. In Italy, this means:

  • Cybersecurity must be integrated into corporate governance
  • Executives can be held personally responsible for non-compliance
  • Regular training and awareness programs are mandatory

No more delegating cybersecurity to the IT department alone. It’s now a board-level issue.

4. Supply chain security

Under NIS2, businesses are required to evaluate and manage the cybersecurity posture of their suppliers and partners. This is especially important in Italy’s industrial and manufacturing sectors, where supply chains are long and complex.

Start by mapping your supply chain. Then assess each partner’s cybersecurity level. Contracts should also include clear obligations regarding data protection and risk management.

How to prepare for NIS2: A step-by-step guide

If your business is subject to NIS2 in Italy, don’t panic. Start planning early. Here’s a step-by-step checklist to help you prepare:

  1. Assess your status: Confirm whether your organization is classified as an essential or important entity under Italian law.
  2. Conduct a risk assessment: Identify your assets, threats, and vulnerabilities. Prioritize the most critical systems.
  3. Develop a cybersecurity plan: Define policies and procedures aligned with NIS2 requirements. This should include incident response, backup plans, and employee training.
  4. Engage leadership: Make sure top management understands their responsibilities and is actively involved.
  5. Audit your supply chain: Review contracts, set cybersecurity standards, and monitor third-party compliance.
  6. Train your team: Human error is often the weakest link. Invest in regular awareness programs for all staff.
  7. Document everything: Maintain records of all security measures, training sessions, and incident reports. This will help in case of audits or investigations.

Don't know where to start? Read the 5 steps to start with NIS2.

Turning compliance into opportunity

The NIS2 Directive represents a big shift in how the EU — and Italy — approach cybersecurity. But it’s not just about avoiding fines or ticking boxes. It’s about building a more secure and resilient business.

For Italian companies, this is an opportunity to modernize, innovate, and gain a competitive edge. By investing in cybersecurity today, you not only comply with the law — you also protect your customers, your reputation, and your future.

Start preparing now. Stay informed. And remember: cybersecurity is no longer optional. It’s a core part of doing business in the digital age.

Need help figuring it out? We’re here to help! 🙋

Chino.io is the one-stop shop for solving all privacy and security compliance aspects.

As a partner of our clients, we combine regulatory and technical expertise with a modular IT platform that allows digital applications to eliminate compliance risks and save costs and time.

Chino.io makes compliant-by-design innovation happen faster, combining legal know-how and data security technology for innovators.

To learn more, book a call with our experts.
