The major impacts of European cyber legislation for Italian companies: NIS2


published on 18 March 2025 | reading time approx. 4 minutes


The European regulatory framework for cybersecurity is evolving on a broad front, with numerous rules entering into force in 2025 that affect different aspects of technology and data. In this context, we look in particular at the impacts on corporate governance resulting from the NIS2 Directive and its Italian transposition.

Legislative Decree no. 138/2024 (the ‘NIS2 Decree’), which transposes the NIS2 Directive (Directive (EU) 2022/2555), requires public and private organisations operating in critical sectors to adopt stringent risk governance and cybersecurity measures. The sectors covered include the production, manufacturing and distribution of products (computers, software, appliances, machinery, motor vehicles), transport, energy, ICT services, digital infrastructure, health, water, space, electronic communications, digital service providers, research, waste, postal services, domain name registration and cloud services, among others. The obligations also extend to suppliers that form part of the supply chain, including the digital supply chain, of one or more NIS2-regulated entities.

In order to achieve compliance, the Decree sets out the activities organisations must carry out and the timeframe for doing so. In particular:
  • Registration and screening
By 17 January 2025, entities such as cloud providers, data centres, domain name providers and online marketplaces, and by 28 February 2025, all other organisations within the scope of the Decree, must register with the National Cybersecurity Agency (ACN), having first completed a screening to determine whether the regulation applies to them.

From April 2025, the ACN will then confirm or reject the applicability of NIS2 to each registered organisation, after which the confirmed entities can begin the activities required for compliance.
  • Measures
During 2025, organisations must assess their technical and organisational measures, including launching staff training programmes on IT security, and, from 2026, remediate any measures found not to be fully compliant with the regulation, in particular with regard to:
    1. ICT governance: adopting internal ICT risk-management plans and a framework built on a risk-based approach;
    2. Business continuity: defining strategies to maintain operations in crisis situations and to notify high-impact incidents;
    3. ICT supplier management: classifying suppliers and imposing specific contractual obligations on them.

In the event of non-registration or late registration on the digital platform within the time limits set out in Article 7 of Legislative Decree 138/2024, the administrative fines set out in Article 38 apply. Breaches relating to registration are punishable by fines of up to 0.1 per cent of total annual worldwide turnover for essential entities, or up to 0.07 per cent for important entities. Moreover, where an entity has failed to register, the other breaches may also be contested if the conditions are met; in that case the sanction for the most serious breach may be increased by up to three times.

Deadline Calendar

We therefore summarise the upcoming deadlines, which may change depending on the determinations of the National Cybersecurity Agency (ACN):
  • 17th January 2025
By this date, specific categories of entities, such as domain name system service providers, domain name registry operators, cloud computing providers and data centres, must complete registration on the digital platform;
  • 28th February 2025
By this date, all other essential and important entities identified by the Decree must complete registration, or update the required information, on the digital platform;
  • 31st March 2025
By 31st March of each year, the ACN, as NIS competent national authority, draws up the list of essential and important entities on the basis of the registrations received. Whether this deadline is met will in all likelihood also depend on the platform actually being operational;
  • 31st May 2025
Entities notified of their inclusion in the list of essential or important entities (notification due by 31 March 2025) must provide or update the following information via the digital platform: the public IP address space and domain names in use, the list of Member States in which they provide services relevant to the Decree, and the names of the senior persons responsible for fulfilling the obligations under the Decree;
  • Within 9 months from the date of communication of inclusion in the list
From the date on which inclusion in the list is communicated, entities have nine months to begin complying with the incident reporting requirements of Art. 25;
  • 1st January 2026
The obligation to notify the list of activities and services, including their characterisation and categorisation, comes into force on 1st January 2026. From that date, entities must provide this information annually;
  • Within 18 months following notification of listing
Within 18 months of receiving the notice, probably starting in October 2026, essential and important entities must fulfil their obligations for risk management and security measures. This includes the approval of IT risk-management policies and the implementation of appropriate security measures.

In conclusion, NIS2 marks a new era for corporate governance in Europe, characterised by an increasing focus on security, ethics and responsible data management. Organisations must therefore adopt a strategic vision, investing in technology and expertise to ensure both compliance and competitiveness. They must also put in place appropriate technical and organisational measures to ensure the timely notification of incidents and the protection of their networks and systems. Training on all the measures listed is therefore key to both governance and compliance. Adapting to these rules is not just an obligation, but an opportunity to build a competitive advantage based on security, transparency and innovation.