NIS2: Regulatory updates on cybersecurity in Italy


published on 12 November 2024 | reading time approx. 3 minutes


IT security has never been such an urgent and crucial issue for organisations, both private and public.

With Directive 2022/2555 (“NIS 2”) taking effect in Italy on 16 October 2024, the date on which the transposing Legislative Decree No. 138/2024 (“Decree”) entered into force, the regulatory landscape is undergoing a significant evolution that requires immediate attention: the Decree introduces specific requirements for risk management and incident reporting and extends the scope of the rules to more actors and sectors.

In short, NIS2 obliges organisations to:
  1. develop a risk-based approach to verify the security of infrastructures and improve operational resilience (“assessment”); 
  2. assess their level of security risk (“gap analysis”); 
  3. identify and adopt appropriate and proportionate technical, operational, and organisational remedial measures to manage the security risks posed to the network and information systems these entities use in their activities or in the provision of their services, and to prevent or minimise the impact of incidents on the recipients of their services and on other services, so as to ensure a high level of cybersecurity (“remediation”). These measures include the reporting of incidents to the CSIRT and the adoption of cybersecurity certification schemes;
  4. monitor their effectiveness (“monitoring”), including by considering the adoption of a Cybersecurity Officer.

In order to achieve adequate compliance, the Decree sets forth the activities to be carried out and the timeframe, thus helping organisations to prioritise them. 

In particular, the first obligation in chronological order set out in the Decree is that organisations must register on the digital platform made available by the National Cybersecurity Agency (“ACN”) as of 1 January 2025, should the assessment of the Directive's applicability to them yield a positive outcome.

Therefore, the above-mentioned applicability assessment should be completed before the registration window opens, i.e. by the end of 2024.

Furthermore, it should be borne in mind that:
  1. by 17 January 2025, domain name system service providers, top-level domain name registry operators, domain name registration service providers, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, online search engines and social networking service platforms, will certainly have to complete registration;
  2. between 1 April 2025 and 15 April 2025, through the platform, ACN will notify registered subjects of their inclusion in the list of essential or important subjects;
  3. by 15 April 2025, those who have received the notification will have to appoint a person in a special deed who will be responsible for fulfilling the obligations of the decree;
  4. between 15 April and 31 May 2025, those who have received the communication will have to provide the additional information required by the regulations, which is precisely the information produced by the above-mentioned assessment and gap analysis activities;
  5. remedying and monitoring actions are to be taken from 2026 onwards.

Failure to do so may expose organisations to a severe penalty regime (equal, for example, to a maximum of 0.1 per cent of total annual turnover for essential subjects; 0.07 per cent of total annual turnover for important subjects). Moreover, ACN may even suspend organisations’ services in certain cases.

In light of this, it is therefore necessary for all private and public organisations to first conduct an initial screening regarding the applicability of the new Italian legislation by the end of 2024.