2024 is the year of NIS2 in Italy. EU Directive 2022/2555 must be transposed by member states by 17 October 2024, and for many Italian SMEs it will be the first real cybersecurity regulation they must confront.
What changes from NIS1
NIS1 (2016) covered a narrow scope: operators of essential services and digital service providers. NIS2 widens it dramatically with two categories:
- Essential: energy, transport, banking, healthcare, water, digital infrastructure, public administration.
- Important: postal services, waste management, food, manufacturing (medium-high risk), digital providers (cloud, data centres, MSPs), research.
The test has two parts: sector and size. Companies with 50+ employees or €10M+ turnover operating in those sectors are in scope. Micro-businesses are out, with narrow exceptions (DNS, registrars, trust services).
What the directive requires
NIS2 lists ten minimum areas of security measures; the ones most relevant to SMEs include:
- Risk analysis and information system security policies.
- Incident handling, with initial notification within 24 hours and full report within 72.
- Business continuity and crisis management.
- Supply chain security — including IT vendors and MSPs.
- Encryption and cryptography.
- Multi-factor authentication and access management.
- Staff training.
The fines
For essential entities, up to €10M or 2% of global turnover. For important ones, €7M or 1.4%. And — new versus NIS1 — there is direct management liability: directors and governing bodies must approve the measures and can be held personally responsible.
Where to start
For SMEs asking "are we in or out?", the path we propose is:
- Mapping: confirm whether sector and size trigger obligations.
- Asset inventory: full list of servers, applications, vendors and data flows.
- Gap analysis: against the ten NIS2 areas (and ISO/IEC 27001 controls, still a good reference).
- Three-year plan: priorities, budget, ownership.
- Quick wins: MFA everywhere, immutable backups, automated patching, EDR. These four alone cover a lot.
What not to wait for
Some measures do not need NIS2 to be implemented: they are already the 2024 baseline. If your company is not there yet, the directive is just a good reason to accelerate. Not the only one.