The Legislative Decree No. 138, which transposes Directive (EU) 2022/2555, known as NIS2, was officially published in the Official Gazette and came into force on October 16, 2024.
The NIS2 Directive represents a significant regulatory change for the cybersecurity of European companies. Its primary goal is to enhance the resilience and protection of networks and information systems. It applies to companies and public or private entities operating within the EU.
The new Directive updates the previous NIS (Network and Information Security) Directive, adopted in 2016, which required revision due to the increasing complexity of cyberattacks.
What is the NIS2 Directive?
The NIS2 Directive is a European Union regulation designed to strengthen cybersecurity in member states. Compared to the previous NIS Directive, NIS2 expands its scope and introduces stricter requirements regarding risk management, incident reporting, and corporate accountability.
NIS2 requires companies to collaborate with authorities and other businesses across Europe to share information and best practices in cybersecurity. This aims to ensure a more coordinated and effective response to threats that cross national borders.
The aim is to establish common standards within the Union on cybersecurity issues, working synergistically with other regulations such as the GDPR and the Cyber Resilience Act.
NIS2 obligates companies to raise their security standards and adopt advanced solutions such as Single Sign-On (SSO) and Multi-Factor Authentication (MFA), which are essential for protecting access to information systems.
In Italy, the government-designated authority responsible for coordinating cybersecurity activities and implementing the regulation is the ACN (National Cybersecurity Agency).
NIS2: Who is targeted?
The NIS2 Directive targets essential entities and important entities, differentiated based on the criticality of the services they provide and their size.
Who are essential entities?
Essential entities are companies operating in the highly critical sectors listed in Annex 1 of the Directive that meet one of the following criteria:
- More than 250 employees;
- Annual revenue exceeding 50 million euros.
Who are important entities?
Important entities are medium-sized enterprises, meaning those with more than 50 employees, that play a significant role in strategic or critical sectors (Annex 1 and Annex 2).
However, it is specified that entities with fewer than 50 employees or lower revenue can also be classified as essential or important if they operate in critical sectors or if their disruption could have a significant impact on security or the economy.
For full details, refer to the complete text published in the Official Gazette.
The obligations of the Directive
Risk management
Companies must implement adequate security measures to manage risks related to the security of networks and information systems.
Incident reporting
It is mandatory to report security incidents to the competent authorities by:
- Sending a preliminary alert to the CSIRT (Computer Security Incident Response Team) within 24 hours;
- Submitting an official notification within 72 hours of the cybersecurity incident.
Security Assessment and Business Continuity
Companies are required to perform regular risk assessments and implement appropriate mitigation measures. Additionally, they must define plans to ensure the operational continuity of critical services even in the event of significant incidents.
Training and Awareness
Companies must provide ongoing cybersecurity training for employees. Furthermore, greater accountability is introduced for executives, as members of boards of directors are directly responsible for compliance with security regulations and may face penalties in cases of non-compliance.
Who Is Required to Comply with NIS2
The NIS2 Directive applies to a broad range of companies in both the public and private sectors that, as noted earlier, fall into the categories of Essential Entities or Important Entities. Specifically, the following are considered highly critical sectors:
- Energy (electricity, gas, oil)
- Transportation (air, rail, maritime, road)
- Healthcare (hospitals, laboratories, healthcare centers)
- Public Administration
- Digital Infrastructure (telecommunication networks, data centers)
- Financial Services (banks, financial market operators)
- Postal Services
- Water Supply and Wastewater Management
- Digital Service Providers (cloud services, online platforms, search engines)
- Critical Infrastructure Providers (including companies supporting essential sectors like telecommunications)
Additionally, other critical sectors listed in Annex 2 include:
- Food (companies producing and distributing food, particularly those involved in large-scale supply)
- Waste Management (collection, treatment, and disposal)
- Manufacturing (producers of medical devices, machinery, vehicles, and electrical/electronic devices)
- Chemical (production and supply of chemical products)
- Space (satellite operators, space services)
Companies with fewer than 50 employees may also fall under the scope of NIS2 if they are the sole provider of an essential service in a Member State or if a disruption of their service could significantly impact public or national security or health.
Furthermore, all Public Administrations are subject to the Directive’s provisions, regardless of size, except those engaged in activities related to national security, defense, public order, and crime prevention.
Sanctions under the NIS2 Directive
The specific sanctions and enforcement procedures may vary depending on the national regulations adopted by different Member States in implementation of the NIS2 Directive. In general, the sanctions that may be imposed include:
- Administrative sanctions: Fines of varying amounts depending on the severity of the violation and the size of the company.
- Financial penalties: In addition to administrative sanctions, further financial penalties may be imposed.
- Sanctions for non-compliance: If a company fails to meet security requirements or does not report violations within the established timeframes, it may face more severe sanctions.
- Suspension of services: Temporary suspension of services provided by a non-compliant company or entity.
- Publication of violations: In specific cases or when deemed appropriate, authorities may decide to make violations public.
Single Sign-On (SSO) and Multi-Factor Authentication (MFA)
The NIS2 Directive encourages the use of Single Sign-On (SSO) systems to simplify and strengthen access management and Multi-Factor Authentication (MFA) to ensure that access to business systems is protected by multiple layers of security, reducing the risk of unauthorized access through credential theft.
SSO allows users to authenticate once to access multiple services, improving both security and operational efficiency.
MFA, on the other hand, adds an extra layer of security by requiring multiple forms of verification (e.g., a password plus a code sent via phone or biometrics).
Combined Use of SSO and MFA
The combined use of SSO and MFA is often overlooked, despite how much it strengthens security. It ensures that even if the credentials used for Single Sign-On are compromised, an attacker would still need to bypass the MFA. Using both systems together provides two advantages:
- The convenience of Single Sign-On for the user experience.
- Additional security assurance through Multi-Factor Authentication.
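The property described above, as an added example that is not part of the original article: a constructed, minimal SSO identity provider that issues a single session usable across several services, but only after both the password and an RFC 6238 time-based one-time code have been verified. The user record, the services, and the `require_mfa` switch are assumptions for illustration; the TOTP routine follows the RFC.

```python
import hmac, hashlib, struct, time, secrets

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (the usual authenticator-app default)."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class IdentityProvider:
    """Constructed SSO identity provider: one login gates every service."""
    def __init__(self, require_mfa: bool):
        self.require_mfa = require_mfa   # the weak setting is False
        self.users = {}                  # username -> (salt, pw hash, totp secret)
        self.sessions = {}               # session token -> username

    def register(self, user: str, password: str, totp_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[user] = (salt, pw_hash, totp_secret)

    def login(self, user: str, password: str, otp: str = None, now: int = None):
        """Return an SSO session token, or None if any required factor fails."""
        rec = self.users.get(user)
        if rec is None:
            return None
        salt, pw_hash, totp_secret = rec
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(cand, pw_hash):
            return None
        if self.require_mfa:
            now = int(time.time()) if now is None else now
            # Current time step only; real deployments usually tolerate +-1 step.
            if otp is None or not hmac.compare_digest(otp, totp(totp_secret, now)):
                return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def authorize(self, token: str, service: str):
        """Every service trusts the same IdP session: this is the SSO part."""
        user = self.sessions.get(token)
        return None if user is None else f"{user}@{service}"
```

With `require_mfa=True` a stolen password alone yields no session, while a valid session still opens every federated service with one login.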