**"NIS2: The New Frontier of Cybersecurity – Registration, Obligations, and Future Prospects for Businesses"**

**Introduction to the NIS2 Directive: Towards a More Robust Cybersecurity System**

Cybersecurity is a critical issue in the current context. With the increase in cyber threats, it is essential for both public and private companies to equip themselves to face and manage information security risks. In this landscape, the NIS2 directive plays a crucial role, establishing obligations to enhance the level of cybersecurity across various critical sectors.

On November 26, the Director of the National Cybersecurity Agency (ACN) signed a fundamental resolution, which was officially published the following day. This act marks a significant step toward the implementation of NIS2 in Italy, establishing the registration procedures for all parties involved, now designated as “NIS subjects.” This registration has specific deadlines that must be met by February 28, 2025.

**Key Areas of Application of NIS2**

The new resolution focuses on creating a digital platform for the registration of public and private entities. Each NIS subject must appoint a “contact point” responsible for communications and managing the necessary compliance requirements with the regulation. This information will then be verified by the ACN to ensure its accuracy and consistency.

Starting from December 1, 2024, the digital platform will be available and will serve as a tool for monitoring and registering the entities subject to the obligations of the directive.

**The Implementation Path of NIS2: Stages and Deadlines**

The implementation of NIS2 will not be immediate; it will unfold in successive phases. A recent conference held at a major university outlined the implementation path of the directive. It emphasized proportionality criteria for the obligations of “essential” and “important” entities, according to the categories provided by the NIS2 directive itself.

Additional critical information concerns the methods of communication in the event of a cyber incident and the need to closely monitor suppliers, particularly to ensure security within the supply chain. It is evident that the health of an entire supply chain depends on the robustness of each link that composes it.

**Details on the DPCM and Implementing Resolutions**

The implementation of NIS2 is an evolving process, structured through various provisions and resolutions. Some DPCM (Decrees of the President of the Council of Ministers) have already been approved; they set out criteria and operational methods for compliance with the regulation, including criteria for safeguard clauses and the organization of the interministerial table.

However, it is important to note that full compliance with the obligations will remain a work in progress until March 2025, with further developments expected by 2026. This gradual approach allows for more controlled management and systematic planning of adaptation to the new regulations.

**Who are the NIS2 Subjects: A Wide and Varied Landscape**

The NIS2 directive applies to a wide range of subjects, encompassing over 80 categories of essential and important services, including those operating in critical sectors. It is important to note that the distinction among the various entities is also based on company size (size cap). Large and medium enterprises must register, while small and micro enterprises are generally excluded from obligations, with certain exceptions where they may be classified as important based on their ties to suppliers subject to NIS2.

**The Registration Process: Guidelines and Recommendations**

One of the crucial points discussed at the conference was the registration process. It is essential for the company to designate an individual as the “contact point” who will be responsible for managing all communications and the necessary documentation. This designation entails a series of responsibilities, which may not always be clear or formalized.

The concept of “Segregation of Duties” (SOD) is fundamental in this context: corporate policies regarding the segregation of functions may conflict with the extended delegation required.