Cybersecurity is increasingly at the center of corporate strategies, especially in light of new European regulations. Among these is the NIS 2 Directive, which represents a fundamental step in strengthening the protection of networks and information systems in Europe. With compliance deadlines now imminent, companies must prepare to meet the new obligations to avoid sanctions and vulnerabilities.
The arrival of the NIS 2 Directive marks a significant change in the cybersecurity landscape. Companies must address this challenge with awareness and strategy, taking concrete measures to ensure the protection of their IT systems.
But what exactly is the NIS 2 Directive?
The Network and Information Security Directive (NIS 2) is an update of the previous NIS Directive of 2016, introduced to ensure a high level of information security in the Member States of the European Union. This new version expands the number of sectors involved and imposes more stringent requirements in terms of risk management and incident reporting.
Who is involved?
Unlike the previous regulation, which only applied to a limited number of critical sectors, the NIS 2 Directive extends the scope of application to a greater number of companies, including:
- Critical sectors such as energy, transportation, healthcare and finance
- Digital services and ICT infrastructure
- Public administrations and essential service providers
What are the main obligations?
Companies subject to the NIS 2 Directive must:
- Implement risk management measures: strategies for preventing, protecting against and responding to cyber attacks
- Improve cybersecurity governance: appoint an IT security officer and define incident management plans
- Report cyber attacks in a timely manner: obligation to notify within 24 hours of identifying a breach
- Support periodic checks and audits: to verify compliance with the new standards
- Information and network systems security and risk analysis policies, including vulnerability management and disclosure.
- Incident management, with procedures and tools for mandatory notifications.
- Business continuity, backup management, disaster recovery and crisis management.
- Supply chain security, including relationships with suppliers and service providers.
- Security in the acquisition, development and maintenance of IT systems.
- Evaluating the effectiveness of cybersecurity risk management measures.
- Cyber hygiene practices and training for staff.
- Use of cryptography and encryption where necessary.
- Staff reliability and access control.
- Multi-factor authentication and emergency communication systems.
- Evaluating vendor vulnerabilities and the quality of their products and security practices.
- Obligation to notify significant incidents to CSIRT Italy within 24 hours.
What are the deadlines for compliance?
EU Member States will have to transpose the NIS 2 Directive by 17 October 2024, by which time companies will have to comply with the new provisions. This means that companies must act quickly to implement the required measures and avoid the risk of fines.
Why is it important to adapt?
Complying with the NIS 2 Directive is not only a regulatory obligation, but also an opportunity for companies to strengthen their resilience against cyber threats. In a context where ransomware attacks and data breaches are increasingly frequent, investing in cyber security means protecting your business, reputation and customer trust.