Directive (EU) 2022/2555, commonly known as NIS2, marks a decisive turning point in the European cybersecurity landscape, imposing new and more stringent obligations on a wide range of organisations, with a particular focus on large companies.
Adopted in Italy through Legislative Decree No. 138 of 4 September 2024, the legislation aims to drastically raise the level of collective digital resilience in the face of increasingly sophisticated and pervasive cyber threats.
Italy has designated the National Cybersecurity Agency (ACN) as the hub of the surveillance system and the primary point of contact, supported by specific ministerial competencies for certain sectors. It is imperative for every company to accurately identify the relevant authority for its operational scope.
A crucial deadline awaits “essential” and “important” entities: by 31 May 2025, they must submit updated information to the ACN via the dedicated digital platform.
This information includes the identifying data of the legal representatives and management bodies, the designation of a substitute for the point of contact, the list of public IP addresses and domain names in use, any cross-border operations, and confirmation of the entity's registration details, including the details of the members of its administrative bodies.
Failure to comply with these requirements, or with other provisions of NIS2, exposes companies to a particularly severe penalty regime.
For entities defined as “essential”, financial penalties can reach €10 million or 2% of annual worldwide turnover. For “important” entities, the limit is set at €7 million or 1.4% of global turnover.
Sanctionable infringements include failing to adopt adequate cyber risk management measures, failing to notify security incidents promptly or at all, and non-compliance with reporting obligations such as the 31 May deadline.
Added to these are possible ancillary sanctions, such as the suspension of certifications or a temporary ban for senior figures from exercising managerial functions.
Navigating the complexity of the NIS2 Directive requires a strategic and proactive approach. Businesses are called upon to consolidate their internal cybersecurity governance, with the direct and conscious involvement of senior management.
It is also crucial to conduct periodic risk assessments and implement technical, operational, and organisational security measures commensurate with the threats. Supply chain security, the preparation of incident response plans, and the maintenance of accurate documentation complete the framework of essential actions.
Morelli Bolzoni Law Firm offers specialist consultancy and qualified assistance to companies to successfully navigate all phases of NIS2 Directive compliance, from initial impact assessments to the implementation of required measures and ongoing compliance management.
Contact us for targeted support and to transform a regulatory obligation into an opportunity to strengthen your digital resilience.