ACN portal and NIS2 directive
NIS2: The New ACN Portal for Business Security
On October 18, 2024, Legislative Decree No. 138 of 2024, also known as the NIS Decree, came into effect in Italy. This decree implements Directive (EU) 2022/2555, introducing updated regulations to strengthen cybersecurity and digital protection across the European Union.
One of the key obligations introduced by the Directive is the mandatory registration of businesses on a dedicated digital platform. All organizations that meet the requirements of the NIS2 Directive must register on a specific digital portal managed by the National Cybersecurity Agency (ACN).
The platform aims to enhance the national cybersecurity system by facilitating efficient collaboration between NIS entities and the National Cybersecurity Agency. It seeks to provide greater clarity in administrative processes by implementing accurate monitoring of transmitted information.
Which companies are required to register
The businesses required to register include those operating in critical and important sectors, as defined by the Directive, that provide essential services or critical infrastructures, as well as companies meeting specific size requirements: at least 50 employees and an annual turnover or total balance sheet exceeding €10 million.
In essence, the obligation applies to both essential and important entities, which are required to provide all information related to their activities within the established deadlines.
These entities are obligated to ensure compliance with cybersecurity regulations and register on the ACN Portal, enabling the monitoring and management of cybersecurity at a national level.
Registration Phases and Deadlines
Organizations subject to the NIS2 Directive must complete their registration on the ACN Portal by February 28, 2025.
The registration must be carried out by a designated Point of Contact, who can be the legal representative, or a delegated employee. This individual is responsible for implementing the provisions of the NIS Directive and reporting directly to administrative and management bodies.
The registration process is divided into several key phases:
- Authentication on the ACN Portal
The first step to accessing the platform is registering the Point of Contact with their personal credentials (SPID or an equivalent system), providing identification information. These details are reviewed to verify the Point of Contact’s eligibility to represent the entity. Errors or incomplete data may invalidate the registration, causing delays or penalties.
This preliminary phase formalizes the relationship between the user and the NIS Entity.
- Linking the Point of Contact to the NIS Entity
Once authentication is complete, the system verifies the Point of Contact’s authority through validation of official documents and delegations, ensuring their legitimacy to represent the NIS Entity.
During this phase, the following information is also verified on the Portal:
- Name of the NIS Entity
- Registered office address
- Digital domicile
- Approval by the NIS Entity
The process concludes with approval by the NIS Entity, communicated via notification to the digital domicile. Once confirmed, the ACN sends an official notification indicating the successful completion of the procedure.
This phase ensures a clear and verified association between the Point of Contact and the NIS Entity, guaranteeing compliance and system protection.
Official List of NIS Entities
The registration process culminates in the creation of the official list of NIS Entities by the National Competent Authority. This list serves as an essential tool for monitoring and managing the entities involved in national cybersecurity.
Each entity included in the list receives a unique identification code, which acts as an official reference for both the organization and the Point of Contact. This code ensures the structured and secure management of information.
Through the registration of NIS Entities, the competent authorities can systematically monitor critical infrastructures, contributing to the protection and resilience of the national cybersecurity system.
The NIS 2 Directive: What Changes in Security Management for Companies
The Legislative Decree No. 138, which transposes Directive (EU) 2022/2555, known as NIS2, was officially published in the Official Gazette and came into force on October 16, 2024.
The NIS2 Directive represents a significant regulatory change for the cybersecurity of European companies. Its primary goal is to enhance the resilience and protection of networks and information systems. It applies to companies and public or private entities operating within the EU.
The new Directive updates the previous NIS (Network and Information Security) Directive, adopted in 2016, which required revision due to the increasing complexity of cyberattacks.
What is the NIS2 Directive?
The NIS2 Directive is a European Union regulation designed to strengthen cybersecurity in member states. Compared to the previous NIS Directive, NIS2 expands its scope and introduces stricter requirements regarding risk management, incident reporting, and corporate accountability.
NIS2 requires companies to collaborate with authorities and other businesses across Europe to share information and best practices in cybersecurity. This aims to ensure a more coordinated and effective response to threats that cross national borders.
The aim is to establish common standards within the Union on cybersecurity issues, working synergistically with other regulations such as the GDPR and the Cyber Resilience Act.
NIS2 obligates companies to raise their security standards and adopt advanced solutions such as Single Sign-On (SSO) and Multi-Factor Authentication (MFA), which are essential for protecting access to information systems.
In Italy, the government-designated authority responsible for coordinating cybersecurity activities and implementing the regulation is the ACN (National Cybersecurity Agency).
NIS 2: Who is the target
The NIS2 Directive targets essential entities and important entities, differentiated based on the criticality of the services they provide and their size.
Who are essential entities
Essential entities are companies operating in highly critical sectors listed in Annex 1 of the Directive that meet one of the following criteria:
- More than 250 employees;
- Annual revenue exceeding 50 million euros.
Who are important entities
Important entities are medium-sized enterprises, meaning those with more than 50 employees, that play a significant role in strategic or critical sectors (Annex 1 and Annex 2).
However, it is specified that entities with fewer than 50 employees or lower revenue can also be classified as essential or important if they operate in critical sectors or if their disruption could have a significant impact on security or the economy.
For full details, refer to the complete text published in the Official Gazette.
The obligations of the Directive
Risk management
Companies must implement adequate security measures to manage risks related to the security of networks and information systems.
Incident reporting
It is mandatory to report security incidents to the competent authorities by:
- Sending a preliminary alert to the CSIRT (Computer Security Incident Response Team) within 24 hours;
- Submitting an official notification within 72 hours of the cybersecurity incident.
Security Assessment and Business Continuity
Companies are required to perform regular risk assessments and implement appropriate mitigation measures. Additionally, they must define plans to ensure the operational continuity of critical services even in the event of significant incidents.
Training and Awareness
Companies must provide ongoing cybersecurity training for employees. Furthermore, greater accountability is introduced for executives, as members of boards of directors are directly responsible for compliance with security regulations and may face penalties in cases of non-compliance.
Who Is Required to Comply with NIS2
The NIS2 Directive applies mandatorily to a broad range of companies in both the public and private sectors that, as noted earlier, fall into the categories of Essential Entities or Important Entities. Specifically, the following are considered highly critical sectors:
- Energy (electricity, gas, oil)
- Transportation (air, rail, maritime, road)
- Healthcare (hospitals, laboratories, healthcare centers)
- Public Administration
- Digital Infrastructure (telecommunication networks, data centers)
- Financial Services (banks, financial market operators)
- Postal Services
- Water Supply and Wastewater Management
- Digital Service Providers (cloud services, online platforms, search engines)
- Critical Infrastructure Providers (including companies supporting essential sectors like telecommunications)
Additionally, other critical sectors listed in Annex 2 include:
- Food (companies producing and distributing food, particularly those involved in large-scale supply).
- Waste Management (collection, treatment, and disposal).
- Manufacturing (producers of medical devices, machinery, vehicles, and electrical/electronic devices).
- Chemical (production and supply of chemical products).
- Space (satellite operators, space services).
Companies with fewer than 50 employees may also fall under the scope of NIS2 if they are the unique provider of an essential service in a Member State or if a disruption in their service could significantly impact public or national security or health.
Furthermore, Public Administrations are all subject to the Directive’s provisions, regardless of size, except those engaged in activities related to national security, defense, public order, and crime prevention.
Sanctions under the NIS2 Directive
The specific sanctions and enforcement procedures may vary depending on the national regulations adopted by different Member States in implementation of the NIS2 Directive. In general, the sanctions that may be imposed include:
- Administrative sanctions: Fines of varying amounts depending on the severity of the violation and the size of the company.
- Financial penalties: In addition to administrative sanctions, further financial penalties may be imposed.
- Sanctions for non-compliance: If a company fails to meet security requirements or does not report violations within the established timeframes, it may face more severe sanctions.
- Suspension of services: Temporary suspension of services provided by a non-compliant company or entity.
- Publication of violations: In specific cases or when deemed appropriate, authorities may decide to make violations public.
Single Sign-On (SSO) and Multi-Factor Authentication (MFA)
The NIS2 Directive encourages the use of Single Sign-On (SSO) systems to simplify and strengthen access management and Multi-Factor Authentication (MFA) to ensure that access to business systems is protected by multiple layers of security, reducing the risk of unauthorized access through credential theft.
SSO allows users to authenticate once to access multiple services, improving both security and operational efficiency.
MFA, on the other hand, adds an extra layer of security by requiring multiple forms of verification (e.g., a password plus a code sent via phone or biometrics).
Combined Use of SSO and MFA
The combined use of SSO and MFA is often overlooked, despite how much this practice can strengthen security. It ensures that even if the credentials used for Single Sign-On are compromised, an attacker would still need to bypass the MFA. The combined use of both systems provides two advantages:
- The convenience of Single Sign-On for the user experience.
- Additional security assurance through Multi-Factor Authentication.
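The point above, that a stolen SSO password is useless without the second factor, is easiest to see in a working login flow. The block below is an added illustration, not code from the article or from any product it names: a toy identity provider that checks a PBKDF2-hashed password, then an RFC 6238 TOTP code, and only then issues the SSO session that downstream applications trust. The user, password and base32 secret are constructed sample values.

```python
"""Toy identity provider: an SSO session is issued only after password AND TOTP succeed.

Added example, not the article's or any product's code. User, password and
TOTP secret below are constructed sample values.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Optional


def totp(secret_b32: str, for_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (HMAC-SHA1) over the 30-second time counter."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int((time.time() if for_time is None else for_time) // step)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    totp_secret: str          # base32-encoded shared secret


@dataclass
class SsoSession:
    username: str
    token: str
    amr: tuple               # authentication methods used, e.g. ("pwd", "otp")


class IdentityProvider:
    def __init__(self) -> None:
        self.users = {}
        self.sessions = {}    # opaque token -> SsoSession
        self.audit = []       # (event, user, detail) tuples

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, username: str, password: str, totp_secret: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, self._hash(password, salt), totp_secret)

    def login(self, username: str, password: str, otp: Optional[str], now: Optional[int] = None):
        """Return an SsoSession, or None. The password alone never yields a session."""
        user = self.users.get(username)
        if user is None:
            self.audit.append(("login_failed", username, "unknown_user"))
            return None
        if not hmac.compare_digest(self._hash(password, user.salt), user.pw_hash):
            self.audit.append(("login_failed", username, "bad_password"))
            return None
        # Second factor is verified before any SSO token exists.
        if otp is None or not hmac.compare_digest(totp(user.totp_secret, now), otp):
            self.audit.append(("login_failed", username, "mfa_failed"))
            return None
        token = secrets.token_urlsafe(32)
        session = SsoSession(username, token, ("pwd", "otp"))
        self.sessions[token] = session
        self.audit.append(("login_ok", username, "pwd+otp"))
        return session

    def access(self, token: str, app: str) -> bool:
        """Relying applications accept the IdP session, so no re-authentication per app."""
        session = self.sessions.get(token)
        if session is None:
            return False
        self.audit.append(("access", session.username, app))
        return True


def demo(now: int = 1_700_000_000) -> dict:
    """Exercise the flow; returns which attempts obtained access."""
    idp = IdentityProvider()
    secret = "JBSWY3DPEHPK3PXP"                      # constructed sample secret
    idp.enroll("alice", "correct horse battery staple", secret)
    valid = totp(secret, now)
    wrong = "000000" if valid != "000000" else "111111"
    out = {}
    out["password_only"] = idp.login("alice", "correct horse battery staple", None, now) is not None
    out["wrong_otp"] = idp.login("alice", "correct horse battery staple", wrong, now) is not None
    session = idp.login("alice", "correct horse battery staple", valid, now)
    out["password_and_otp"] = session is not None
    out["sso_reuse"] = idp.access(session.token, "payroll") and idp.access(session.token, "crm")
    out["forged_token"] = idp.access(secrets.token_urlsafe(32), "payroll")
    return out


if __name__ == "__main__":
    print(demo())
```

Run it and `demo()` reports that the correct password by itself, the correct password with a wrong code, and a guessed session token all fail, while one successful password-plus-TOTP login opens both applications. The audit list records each outcome, which is the raw material the access-monitoring obligations discussed later rely on.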
IAM Systems in NIS2 Directive
What Are IAM Systems (Identity and Access Management)
A key aspect of the European NIS2 Directive focuses on managing identities and access within organizations, known as Identity and Access Management (IAM).
IAM systems are technological solutions designed to securely and centrally manage the digital identities of users within an organization. These tools oversee the entire system of access rights, which is especially important for safeguarding cloud infrastructures.
Furthermore, IAM systems control user access to company systems, applications, and resources by verifying identities and permissions. They enable administrators to monitor user activity, generate reports, and enforce policies to ensure compliance with current regulations, including the NIS2 Directive.
A properly configured IAM system protects sensitive data and proprietary company information, strengthening overall security.
The Goal of an Identity and Access Management System
The primary goal of an Identity and Access Management (IAM) system is to ensure that only authorized individuals can access the technological resources they need to perform their activities.
This is achieved by defining a user profile that includes attributes such as roles, privileges, and group memberships, ensuring that each individual has the appropriate permissions.
Identity and Access Management Components:
- Identity Management: involves creating, updating, and deactivating user identities to ensure proper control over access to corporate resources.
- User Identity Authentication:
- Traditional Passwords: standard method of user authentication.
- Multi-Factor Authentication (MFA): utilizes multiple verification factors (e.g., passwords, biometrics or tokens) to confirm identity.
- Single Sign-On (SSO): allows users to authenticate once and gain access to multiple applications or services without needing to log in repeatedly.
- Authorization and Access Control: assigns permissions based on business roles or zero-trust policies to ensure secure and appropriate access.
- Monitoring and compliance:
- Tracking user activities: logs and tracks access events with detailed reporting to detect anomalies or unauthorized behaviour.
- Regulatory compliance: ensures adherence to security standards such as ISO 27001 through continuous monitoring and activity analysis.
IAM Systems in the NIS2 Directive: Requirements and Implications
- Access Control and Monitoring. Organizations should use activity tracking systems to detect anomalies and maintain detailed logs to monitor access effectively.
- Secure Management of Identities and Access. IAM systems must employ multi-factor authentication (MFA) to safeguard access to sensitive data. Privileged identity management, such as controlling access for administrators handling sensitive areas, is also essential.
- Data Protection. The directive recommends the use of cryptographic methods to ensure the confidentiality and security of credentials and other sensitive information.
- Resilience and Operational Continuity. Organizations must guarantee the resilience of critical systems and ensure operational continuity in the event of cyberattacks or security incidents.
- IAM Risk Management. Regular assessments should be carried out to identify vulnerabilities in identity management systems, supported by a swift incident response plan to address risks effectively.
- Incident Notification. Timely reporting is crucial, with an early warning required within 24 hours and a formal official notification within 72 hours of an incident.
- Adoption of Zero Trust Architecture. Continuous authentication should be enforced for every access attempt, even within internal networks, to minimize risks.
As a result of these provisions, developing a robust identity and access management system is essential to ensure the organization’s compliance with the regulation.
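The monitoring, privileged-access and incident-notification items above translate into concrete detection rules over the IAM audit trail. The block below is an added example, not the article's or any product's code: it runs three rules over constructed JSON-lines login events (a successful login without a second factor, a privileged-role login from an address that user has never used, and a burst of five failed logins within ten minutes) and attaches the 24-hour early-warning and 72-hour notification deadlines to each finding. The event schema, field names and the role name `realm-admin` are assumptions for the sample, not a real product's log format.

```python
"""Detection rules over IAM audit events, with NIS2 reporting deadlines attached.

Added example, not the article's or any product's code. The events below are
constructed and the JSON schema is an assumption for this sample.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample events (one JSON object per line).
SAMPLE_LOG = """\
{"ts":"2025-03-03T08:00:00Z","type":"LOGIN","user":"alice","ip":"10.0.0.5","amr":["pwd","otp"],"roles":["user"]}
{"ts":"2025-03-03T08:05:00Z","type":"LOGIN","user":"bob","ip":"10.0.0.9","amr":["pwd"],"roles":["user"]}
{"ts":"2025-03-03T08:10:00Z","type":"LOGIN","user":"admin1","ip":"10.0.0.20","amr":["pwd","otp"],"roles":["realm-admin"]}
{"ts":"2025-03-03T08:30:00Z","type":"LOGIN","user":"admin1","ip":"203.0.113.77","amr":["pwd","otp"],"roles":["realm-admin"]}
{"ts":"2025-03-03T09:00:00Z","type":"LOGIN_ERROR","user":"carol","ip":"198.51.100.3"}
{"ts":"2025-03-03T09:01:00Z","type":"LOGIN_ERROR","user":"carol","ip":"198.51.100.3"}
{"ts":"2025-03-03T09:02:00Z","type":"LOGIN_ERROR","user":"carol","ip":"198.51.100.3"}
{"ts":"2025-03-03T09:03:00Z","type":"LOGIN_ERROR","user":"carol","ip":"198.51.100.3"}
{"ts":"2025-03-03T09:04:00Z","type":"LOGIN_ERROR","user":"carol","ip":"198.51.100.3"}
{"ts":"2025-03-03T09:30:00Z","type":"LOGIN","user":"alice","ip":"10.0.0.5","amr":["pwd","otp"],"roles":["user"]}
"""

PRIVILEGED_ROLES = {"realm-admin"}     # assumed role name for the sample
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=10)


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def deadlines(detected_at: datetime) -> dict:
    """NIS2 clock from the moment of detection: early warning +24h, notification +72h."""
    return {
        "early_warning_by": detected_at + timedelta(hours=24),
        "notification_by": detected_at + timedelta(hours=72),
    }


def analyse(log_text: str) -> list:
    """Return one finding dict per triggered rule, in event order."""
    findings = []
    known_ips = defaultdict(set)     # user -> addresses seen on earlier successful logins
    failures = defaultdict(deque)    # user -> timestamps of recent failed logins
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = parse_ts(ev["ts"])
        user = ev["user"]
        if ev["type"] == "LOGIN":
            # Rule 1: a successful login whose methods list has no second factor.
            if "otp" not in ev.get("amr", []):
                findings.append(("NO_MFA", user, ts))
            # Rule 2: privileged role used from an address not in this user's baseline.
            privileged = bool(PRIVILEGED_ROLES & set(ev.get("roles", [])))
            if privileged and known_ips[user] and ev["ip"] not in known_ips[user]:
                findings.append(("PRIV_NEW_IP", user, ts))
            known_ips[user].add(ev["ip"])
            failures[user].clear()
        elif ev["type"] == "LOGIN_ERROR":
            # Rule 3: sliding window of failures for one account.
            window = failures[user]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD:
                findings.append(("BRUTE_FORCE", user, ts))
                window.clear()       # one finding per burst
    return [{"rule": r, "user": u, "at": ts, **deadlines(ts)} for r, u, ts in findings]


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["rule"], f["user"], f["at"].isoformat(), "notify by", f["notification_by"].isoformat())
```

On the sample data this yields three findings: bob's password-only login, admin1's privileged login from a new address, and the failed-login burst against carol. The first address a privileged user is seen from is treated as baseline rather than flagged; in practice that baseline would be seeded from historical logs before the rule goes live, otherwise the first real anomaly after deployment is silently absorbed.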
The Role of IAM Systems in Corporate Security
- Enhanced and Strict Control of Identities and Credentials: Ensuring that only authorized individuals have access to sensitive resources.
- Protection against Unauthorized Access: Mitigating the risk of breaches and maintaining secure access to corporate systems.
- Centralized Identity Management: Utilizing techniques such as multi-factor authentication (MFA) to streamline and fortify access management processes.
- Support for Regulatory Compliance: Enabling organizations to adhere to stringent security and privacy standards, such as ISO 27001 and NIS2, through rigorous identity and access management practices and proper documentation.
Ultimately, IAM systems are indispensable for strengthening corporate security and preventing cyber threats.
Achieving Compliance with the NIS2 Directive through Yookey
Yookey is a platform that provides advanced Identity and Access Management (IAM) solutions based on Keycloak. It emphasizes secure identity management by integrating multi-factor authentication (MFA) with Single Sign-On (SSO), all while ensuring compliance with the NIS2 Directive.
In addition, Yookey supports businesses in meeting the provisions of NIS2 by adopting a Zero Trust model, which verifies every access attempt, including those originating from internal networks. For access monitoring, Yookey securely tracks all actions and generates detailed reports, enabling the thorough analysis of cybersecurity incidents as mandated by NIS2.
In the realm of supply chain security, Yookey facilitates Identity Federation, allowing businesses to securely and compliantly manage external users’ access, including suppliers, partners, and third parties. Furthermore, the platform centralizes access management, enhancing visibility and monitoring of all identities.
By offering these comprehensive solutions, Yookey helps businesses address the challenges of digital security and ensures compliance with the requirements of the NIS2 Directive.