# New Regulations on Cybersecurity: What Changes with the 2024 Legislative Decree
October 1, 2024, marked a crucial moment for the national cybersecurity landscape with the publication in the Official Gazette of Legislative Decree No. 138. This decree implements Directive (EU) 2022/2555, known as NIS2, and introduces significant changes in the field of cybersecurity, imposing stricter and broader requirements compared to the previous NIS Directive (2016/1148).
## A New Level of Security
The primary aim of the Decree is to ensure a high standard of cybersecurity both nationally and throughout the European Union, with the goal of improving the functioning of the single market. It is an approach that recognizes the importance of cybersecurity as a key factor in contemporary economic and social activities.
### What Changes?
The innovations introduced by Legislative Decree 138/2024 are structured into six titles, designed to replace Legislative Decree 65/2018, which has now been repealed and was anchored to the less stringent requirements of the previous NIS directive. Among the most notable changes are new definitions that provide clarity on important terms such as ‘security of information and network systems’, ‘cybersecurity incident’, and ‘cybersecurity’. It is essential for organizations to understand these definitions as they form the operational basis for the new security framework.
## Key Definitions
Several adopted definitions serve as fundamental pillars of the new regulatory regime:
– **Security of Information and Network Systems**: Refers to the ability to resist events that could compromise the confidentiality, integrity, and availability of data.
– **Incident**: Any event that in any way compromises information systems and may require corrective measures to be implemented afterwards.
– **Cyber Threat**: A set of circumstances or events that could have negative effects on information systems and their operation.
Understanding and implementing these definitions is vital for organizations as they delineate what is meant by risks and vulnerabilities in the context of cybersecurity.
## Obligated Entities: A New Scenario
The Decree identifies various public and private entities required to adhere to the new provisions. Categorization occurs based on specific annexes, which delineate sectors considered highly critical, such as the banking sector and the infrastructure of financial markets.
Micro and small enterprises operating in key sectors are also highlighted, implying that even smaller actors must adapt to the new regulations if they operate in strategic areas.
### Categories of Entities
The decree classifies the entities into two main categories: **essential entities** and **important entities**. Essential entities are those that meet specific structural and operational criteria, such as business size. Both categories share the obligation to register with the competent authority and to notify any significant incident that could affect the services they provide.
## Necessary Organizational and Technical Measures
Organizations designated as essential and important entities must adopt a series of technical and organizational measures. Such measures must be adequate and proportionate to the risks, taking into account the operational environment in which the organization operates.
### Key Requirements
The measures required by the Decree include:
– **Risk Analysis Policies**: Identifying and mitigating potential cyber risks through thorough analysis.
– **Incident Management**: Establishing clear procedures for detecting, responding to, and recovering from any cybersecurity incidents.
– **Supply Chain Security Policies**: Implementing measures to ensure that supply chain partners also adhere to cybersecurity standards.