Cybersecurity is a growing priority globally, and the NIS2 Directive represents a crucial step towards greater protection of critical infrastructure in Europe.
In this article we explain what NIS2 is, who it applies to, the penalties for non-compliance, and how companies can approach the path to compliance.
What is NIS2?
The NIS2 Directive (Network and Information Security Directive 2, Directive (EU) 2022/2555) is an EU directive, transposed into national law by each member state, whose objective is to improve cybersecurity and the resilience of critical infrastructure across the Union.
In response to the growth of cyber threats, the European Commission and consequently the member states have introduced measures and obligations that are more stringent than those of the previous NIS directive, in particular on risk management and incident reporting.
Who does NIS2 apply to?
Spoiler: potentially to many Italian companies.
Compared to the previous directive, NIS2 extends the scope of application to a wider set of sectors and entities considered "essential" or "important" within the European market.
NIS2 therefore applies to a broad range of public and private entities, defined in the directive itself and divided into:
- Essential Entities
These are organizations operating in sectors considered fundamental to social and economic well-being: providers of digital infrastructure services, transportation, financial services, healthcare, public administration, and utilities such as energy providers. For these entities NIS2 confirms their criticality and raises the compliance requirements.
- Important Entities
This category is new in NIS2 and covers sectors such as chemicals, digital service providers, food, manufacturing, postal services, research and waste management. These organizations will have to adapt and quickly audit their IT security procedures. Their obligations are lighter than those of essential entities, but given the breadth of the requirements and the short time available, the initial effort may be the most demanding challenge for them.
- Supply Chain
NIS2 also widens the reach of the regulation to the suppliers and partners that form the supply chain of the sectors above, creating a much larger network of organizations that fall under regulatory oversight.
What does NIS2 mean for companies?
As stated above, for companies NIS2 means implementing the technical, legal and organizational measures that are required by the regulation but currently missing, with the aim of strengthening the protection of their IT infrastructure and networks against attacks and incidents.
Based on their classification, companies must apply certain measures to achieve compliance. These measures can be traced back to four areas:
- Risk Management: implementing incident-handling processes, improving supply-chain security, strengthening network security, and adopting better access control and encryption;
- Corporate Responsibility: the management body must approve the company's cybersecurity risk-management measures, oversee their implementation, and receive training on cyber risk, and it can be held accountable for non-compliance;
- Reporting obligations: defining systems and processes to notify, as soon as possible, security incidents that have a significant impact on the services offered or on their recipients;
- Business continuity: planning and maintaining business continuity in the event of serious cyber incidents. This plan must cover system recovery, emergency procedures, and the creation of a crisis response team.
NIS2 and sanctions
Failure to comply with the NIS2 Directive can result in significant legal, financial and administrative consequences for the companies involved.
The weight of these consequences depends on the category:
- Essential entities face administrative fines of up to 10 million euros or 2% of the total annual worldwide turnover of the undertaking to which the entity belongs in the preceding financial year, whichever is higher.
- Important entities face administrative fines of up to 7 million euros or 1.4% of the total annual worldwide turnover of the preceding financial year, whichever is higher.
What are the deadlines for complying with NIS2 in Italy?
The process of complying with NIS2 consists of several steps and activities that every affected entity must plan for in order to avoid sanctions.
The first deadlines concern preparatory activities and the analysis of each organization's situation, ending with the confirmation by ACN (Agenzia per la Cybersicurezza Nazionale, the National Cybersecurity Agency) of the category it belongs to.
- From December 1, 2024 to February 28, 2025 companies must register on the ACN platform, indicating their sector of activity and a point of contact;
- By 31 March 2025 the ACN draws up the list of essential and important subjects and communicates it to them through the platform;
- From April 15 to May 31, 2025 entities must provide ACN with, or update, the additional information needed to carry out checks.
Once ACN has confirmed their classification, the entities concerned must:
- fulfil the incident notification obligations by 31 December 2025;
- fulfill all other obligations defined in the regulations by September 30, 2026.
Once compliance has been achieved, risk assessment and compliance monitoring must then continue on an ongoing basis.
This means that there is no time to waste understanding the legislation and eventually applying it.
What are the differences between NIS2, ISO 27001 and GDPR?
The NIS2 directive covers various areas also addressed in the ISO/IEC 27001 certification and in the GDPR regulation. Although these tools pursue similar objectives, they differ in application and requirements.
NIS2 covers a broader scope but does not require certification: it is a compliance obligation, not a certification scheme.
Being compliant with NIS2 therefore does not mean being ISO/IEC 27001 certified, but it is certainly a step that makes obtaining that certification easier, and the same applies to GDPR compliance.
This means that, although this legislation may be perceived as a burden, in truth it represents a great opportunity to align your business procedures, thus ensuring a standard of security for your customers.
How can CloudFire help you with NIS2?
Consider that compliance with NIS2:
- cannot be fully delegated to external parties;
- requires the active and attentive participation of several functions within each organization;
- is not a one-off, occasional fulfilment of a legal requirement but a structured, supported and documented program.
You therefore need to be ready to start this journey.
CloudFire can help you with that. Thanks to the partnership with B&P Solutions & CD Design, we offer a unified solution covering the legal, operational and governance perspectives. The aim is to build an integrated system within the company that eliminates duplicated procedures, unifying procedures and company documents promptly and in line with the applicable regulations.
CloudFire offers a framework in which, after an initial checklist and a gap analysis of the entities concerned, organizations can plan their adaptation to the required standards while minimizing the impact on their operational processes.
Compliance with the Regulations remains a complex and delicate activity, for this reason it is right to approach it by relying on a reliable partner able to support you on a daily basis.
If you want to find out more or start this journey together contact us!