### NIS2: New Rules for Cybersecurity in Italy

With the entry into force of the new NIS2 regulation, Italian organizations will face significant changes in cybersecurity. Starting from December 1st, all entities affected by the regulation will be able to start registering on the digital platform of the National Cybersecurity Agency. This move is crucial, as compliance with these regulations is not optional: failing to meet the requirements will result in financial penalties and other administrative consequences.

### Who Are the Entities Involved in NIS2?

The transposition of the NIS2 directive significantly expands the scope compared to the previous NIS1. The new regulation targets more than 80 types of entities operating in 11 high-criticality sectors, such as energy, transport, banking, healthcare, and digital infrastructure. Moreover, it includes seven critical sectors: food, chemicals, manufacturing, digital services, and research.

Cybersecurity issues will affect all medium- and large-sized businesses, specifically those with at least 50 employees or a turnover exceeding 10 million euros, with a turnover of at least 50 million euros for large enterprises. Micro and small businesses, unless specified exceptions apply, do not fall into this category.

### Obligations and Responsibilities

Essential and important entities are required to register or periodically update their registration on the digital platform of the National Cybersecurity Agency. This obligation applies annually by February 28 and is crucial for ensuring transparency and security in the management of cybersecurity.

Another fundamental aspect of the registration is the designation of a dedicated contact point within the organization. This individual will be responsible for communication between the organization and the Authority, overseeing the implementation of the provisions of the Decree. The contact point can be a legal representative or an employee specifically designated for this role and must report directly to the governing bodies.

### Cyber Risk and Incident Management

One of the most significant innovations introduced by NIS2 is the obligation to adopt technical and organizational measures for managing cyber risks. Organizations must develop an appropriate governance model that includes:

– **Risk Analysis Policies**: Identification and assessment of potential threats.
– **Incident Management Procedures**: Protocols for effectively addressing cyber threats.
– **Access Controls and Encryption**: Preventive measures to protect sensitive information.

The regulation also requires special attention to the supply chain. Suppliers must be selected based on specific security criteria and must ensure compliance with cybersecurity regulations.

### Incident Notification

Another key obligation for essential and important entities is to notify CSIRT Italy of any incidents that could significantly impact service delivery. Relevant incidents must be reported within 24 hours of discovery, followed by a detailed notification within 72 hours. This reporting process is crucial for ensuring transparency and prompt management of incidents.

Additionally, entities may also voluntarily submit information about incidents and threats with the aim of contributing to a collective protection network against cyber threats.

### Suitability and Proportionality of Security Measures

NIS2 emphasizes the importance of the proportionality of the security measures adopted. There is no one-size-fits-all solution; measures must be appropriate and proportionate to the risks and the size of the organization. This requires continuous assessment and realignment of cybersecurity strategies with legal requirements and existing regulations.

The governance of the organization will play a crucial role in this process. It is essential that each entity not only complies with the regulations but also integrates them into its overall management system.