
**Corporate Responsibilities: Navigating the New NIS2 Directive**
The digital era has radically transformed the way companies operate and handle information. Along with the new opportunities, however, cybersecurity risk has grown as well. The regulatory framework introduced by the NIS2 directive, transposed by each Member State into national law, is an important step towards protecting the continuity of essential and important services, establishing a context in which companies must adapt to increasingly stringent security requirements.
### A New Approach to Cybersecurity
The NIS2 directive significantly expands the scope of application compared to the first NIS directive. It is no longer limited to sectors that were already operating under security rules (energy, transport, banking, health, drinking water, digital infrastructure, among others) but adds new critical areas such as waste management, wastewater, food production, processing and distribution, manufacturing, postal services, and public administration. This extension acknowledges the interconnection between sectors and the risk that a cyberattack propagates through supply chains.
### Obligations and Responsibilities
Companies will need to adopt a risk-based approach to identify vulnerabilities and implement appropriate security measures. This requires periodic assessments and continuous updates of those measures to keep protection effective. Incident reporting to the competent authorities becomes more rigorous, with shorter deadlines and more detailed information to be provided: under the directive, a significant incident requires an early warning within 24 hours of the entity becoming aware of it, a fuller notification within 72 hours, and a final report within one month.
Another fundamental aspect is the responsibility of management for cybersecurity. Management bodies must approve the cybersecurity risk-management measures, oversee their implementation, and undergo training, and they can be held personally liable for infringements; companies must therefore ensure that executives are accountable, with sanctions for those who do not comply with the required measures.
### Proportionality and Gradualism for SMEs
The NIS2 framework takes into account the reality of small and medium-sized enterprises (SMEs) by introducing the principle of proportionality: security obligations should be scaled to the size and risk profile of the organization. Although the intent is commendable, its implementation is not without complexities.
With the concept of "linked enterprises," it is necessary to reflect on which companies fall under this definition. The framework indicates that a company may not be considered an SME if it is part of a larger economic group in which a large enterprise exercises control. This situation could trigger registration and compliance obligations that would otherwise not have applied.
### The Structure of the NIS2 Transposition in Italy
The Italian legislator has adopted a "layered" model in transposing the NIS2 directive. This approach provides for different categories of subjects, creating a system that distinguishes between companies, public administrations, and critical entities based on their size and their importance in the context of cybersecurity.
1. **First layer**: entities of considerable size that exceed the headcount and turnover thresholds.
2. **Second layer**: companies that, although not large, provide critical services or operate in clearly identified sectors deemed essential for security.
3. **Third layer**: businesses that, while smaller in size, may be linked to larger companies and are thus subject to registration requirements.
This structure clarifies the position of smaller businesses, allowing for greater flexibility and sustainability in their application of the rules.
### Independence Criteria and Registration
An essential aspect of NIS2 concerns the independence criteria for linked companies. To avoid overly burdensome obligations for SMEs, the legislator provides that the group-linkage rule need not apply where the smaller company is operationally independent, in particular where its network and information systems are independent of the group's and the larger enterprise does not exert a decisive influence over its cybersecurity decisions.
### The Future of Cybersecurity
The NIS2 approach is a commitment to a more robust security model, but it also presents challenges, especially for smaller entities. Local administrations