# The New NIS2 Directive: A Step Forward for National Cybersecurity

The cybersecurity landscape is at a crucial moment, marked by the introduction of the NIS2 directive, an initiative from the European Union designed to elevate cybersecurity standards at the national level. This regulation, which will come into effect on October 16, 2024, aims to ensure that no entity involved can neglect cybersecurity, marking a significant turning point in the protection of critical networks and systems.

## A Necessary Change in Security Culture

Recent geopolitical dynamics have highlighted how cyberspace can be considered a new generation battlefield, where interactions between civilians and military contexts intertwine. The intent to promote training and awareness is therefore crucial, not only for those already involved in the security sector but also for all public and private entities that face new responsibilities.

The NIS2 directive represents a response to the vulnerabilities highlighted by the previous regulation. The change is even more significant in light of Law 105/2019, which had already initiated the protection of the country’s digital perimeter. The new regulation, in combination with other legislative measures, provides for a more robust and integrated approach to cybersecurity, based on greater awareness and shared responsibility.

## Obligations and Timelines of the NIS2 Directive

The first concrete step in the implementation of the NIS2 directive will occur with the launch of a dedicated platform for the registration of entities subject to security obligations. Starting from December 1, all relevant subjects must register by February 28, 2025, marking the beginning of a pathway that will unfold in three fundamental phases, until April 2026. Each phase will have specific objectives and will be accompanied by clarifying regulations, ensuring a coherent and organized approach to security management.

### Phase 1: Inventory and Basic Obligations
In the first phase, entities will need to register and begin to comply with a basic set of obligations aimed at ensuring a minimum level of security. These obligations will be defined proportionately, depending on the type of entity involved.

### Phase 2: Monitoring and Implementation
The second phase will focus on how to implement and monitor these obligations, with an emphasis on incident reporting protocols and the formalization of other essential security measures.

### Phase 3: Completion and Sustainability
Finally, the third phase will culminate in full implementation and the establishment of long-term obligations. It will be crucial to ensure that each step is supported by the necessary resources and expertise.

## The Impact of Professional Associations

Professional associations have expressed mixed feelings regarding NIS2. Some representatives voice concerns over the difficulties that small and medium-sized enterprises (SMEs) may encounter in adopting these new directives, emphasizing that these measures may come across as impositions rather than growth opportunities.

SMEs, often limited in terms of resources and expertise, need support and compliance strategies that take their specific circumstances into account. For this reason, many call for the establishment of economic assistance measures to facilitate the transition to higher security standards.

## Towards Greater Awareness and Collaboration

A central theme that emerged during recent discussions is the importance of training and awareness. Experts emphasize the need for a targeted informational campaign that combines technology with a culture of security within a framework of collective responsibility. Everyone, both at the individual and corporate levels, has a crucial role to play in ensuring cybersecurity.

The future direction not only involves the adoption of technical measures but also requires a profound cultural change, in which cybersecurity becomes an integral part of the operational ethos across all sectors.