NIS2 has been in effective application for 18 months, and Brussels is already discussing NIS3. Nothing official: we're in informal consultation. But the signals are interesting.
What's emerging
- AI extension: high-impact AI systems would explicitly enter the perimeter, with specific obligations on robustness and adversarial testing.
- OT (industrial systems) more relevant: NIS2 covers them only marginally; NIS3 would put them at the centre. Consequence for Italian manufacturing: real work.
- Extended supply chain: today IT vendors are in scope; in NIS3, indirect (second-tier) vendors would also be in scope for certain sectors.
- Mandatory breach disclosure: beyond authority notification, public communication within 30 days for significant breaches.
Realistic timing
If timing follows NIS2: legislative proposal 2026-27, approval 2027-28, transposition 2030-31. Sounds far, but for those managing industrial systems or extended supply chains, it's time to structure multi-year programs.
What to do today
- Map extended supply chain: who are your critical IT vendors' vendors? Often unknown.
- Start OT audits: for those with PLCs, SCADA, HMIs on the factory floor.
- Structured logging of AI systems: prepare to demonstrate what AI does in your company.
Why we talk about it now
Companies that adapted to NIS2 quickly in 2024-25 have the experience to take NIS3 calmly. Those who procrastinated will face double work in 2030. GDPR history says so.