**“Cybersecurity: The Advent of NIS2 in Italy and the New Rules for Registration”**


### New Cybersecurity Directives: What to Expect from NIS2

In the increasingly turbulent context of cybersecurity, November 26 marks a crucial milestone for Italy and all public and private stakeholders operating in critical sectors. The first implementing regulation of the NIS2 directive has been published, aimed at strengthening the cybersecurity of essential infrastructures. The term “NIS” refers to the Directive on the Security of Networks and Information Systems, a European regulation that seeks to ensure a high level of security for operators of essential services and digital service providers.

### Registration Requirement: The Role of the Digital Platform

The regulation mandates the creation of a digital platform for the registration of all entities designated as “NIS entities.” These include a wide range of actors, from international companies to small businesses, which must register by February 28, 2025. Registration will not be indiscriminate; each entity will have to appoint a “point of contact,” a person responsible for communications and compliance requirements. This aspect highlights the importance of individual responsibility within a corporate structure and the need to have a clear reference for interactions with the National Cybersecurity Agency (ACN).

All information entered into the platform will be subject to verification by the competent bodies of the ACN, which will assess its accuracy and consistency. This platform is expected to be operational by December 1, 2024, marking the beginning of a new chapter in cybersecurity management in Italy.

### A Step-by-Step Implementation Process

The process of implementing NIS2 is structured in various stages, materializing through decrees and implementing regulations. Some of these regulatory tools are already in force and concern the criteria for applying safeguard clauses and the minimum information each entity must provide. Other elements are still under development and relate to cooperation between national authorities and the identification of entities excluded from general criteria.

The goal is to achieve full compliance with the basic obligations by March 31, 2025, with subsequent deadlines set for the completion of security measures to be adopted by 2026. This gradual approach aims to ensure that all involved parties can adequately adapt to the new regulations without creating excessive operational difficulties.

### Who Are the NIS2 Entities

The scope of NIS2 is broad and encompasses over 80 categories of entities operating in various critical sectors. The legislation distinguishes between “essential entities” and “important entities,” evaluating business size (the so-called “size cap”) to determine who falls under the registration obligations. Large and medium-sized enterprises are required to register, while small and micro enterprises are excluded unless they are considered critical in relation to their suppliers.

This new regulatory landscape underscores the growing responsibility of NIS2 entities in ensuring the security of their networks and information systems, taking into account the interdependence of infrastructures and services in the context of a global supply chain.

### The Registration Phase: A Complex Process

During the presentation seminar of the regulation, the crucial role of the “point of contact” was highlighted. This person, appointed by the registered entity, will be responsible for managing all communications with the ACN, making it essential that they have a clear and defined delegation from the company. Despite the apparent simplicity of this task, many companies may face difficulties in clarifying delegations and responsibilities, particularly regarding the division of tasks and “Segregation of Duties” policies.
