Cybersecurity: Who Are the Entities Affected by the New European Directive and What Are the New Security Requirements to Comply With?
The NIS 2 Directive updates the old European regulation on cybersecurity and aims to strengthen the level of security for technological infrastructures in member states.
The new regulation, implemented in Italy last October, sets new requirements for companies required to ensure a high level of cybersecurity and extends the obligation to several sectors that were not involved in the NIS Directive.
To comply with NIS 2, it will be necessary to implement policies for risk analysis and cybersecurity of information systems, incident management procedures, as well as multi-factor authentication solutions and protected communication systems.
The NIS 2 (EU Directive 2022/2555) is a significant update of the previous NIS Directive that aims to establish a community strategy for cybersecurity.
NIS 2 came into effect on January 17, 2023, and was implemented by the Italian government with the publication of Legislative Decree No. 138 of September 4, 2024. The new directive, which aims to increase the security of European technological infrastructure and make it capable of facing increasingly sophisticated cyber threats, introduces a number of significant changes to the previous regulation.
NIS 2 strengthens security requirements, introduces new supervisory measures, and significantly expands the number of affected entities. Today, sectors not included in the old lists of essential services (OSE), such as trust service providers and data centers, are considered critical for the socioeconomic functioning of the European Union.
According to Decree 138/2024, which came into force on October 16, the obligation to comply with NIS 2 applies to highly critical sectors, certain public administration categories, and other critical sectors.
Highly critical sectors include:
Additionally, other sectors considered critical include:
As specified in Annex III, several public entities must also comply with NIS 2, including the Presidency of the Council, ministries, tax agencies, regions, municipalities with populations over 100,000, and local health agencies.
Finally, Annex IV lists other entities affected by the changes to the European Directive, including public transport service providers, educational institutions conducting research, organizations involved in cultural activities, and public or government-controlled companies.
In some cases, the regulation also applies to small businesses. This happens if the entity is identified as a critical supplier, such as when it is:
This list also includes those previously identified as critical under the previous NIS Directive.
The first major change of NIS 2 concerns the responsibilities for cybersecurity measures, which go beyond the IT department and become a central issue, for which management bodies are also accountable.
According to the new Directive, it is the responsibility of the company’s Board of Directors not only to approve risk management measures but also to supervise and implement them. Management bodies are also encouraged to participate in “specific training on cybersecurity topics, extending this opportunity to their collaborators in order to assess the effectiveness and adequacy of the adopted security measures.”
The measures outlined in NIS 2 are based on a multi-risk approach that must include, in the complete risk assessment, non-digital elements such as natural disasters, hardware failures, and lack of staff training.
Furthermore, the new Directive requires that the involved organizations be capable of responding to incidents and commit to notifying any event to the competent authorities “without undue delay and in any case within 24 hours of becoming aware of the incident that has a significant impact on the provision of their services.”
The key elements of the multi-risk approach outlined by NIS 2 include:
Multi-factor authentication is one of the requirements of NIS 2: adopting a strong authentication method such as 2FA and multi-factor authentication (MFA) helps protect access to information systems and ensures the authenticity of the information.
In 2019, a Google study on accounts found that multi-factor authentications prevented 100% of automatic attacks, 96% of mass phishing attacks, and 76% of targeted attacks.
In a more recent study by Microsoft, which examined a list of users who had registered suspicious activity, it was reported that “implementing MFA provides exceptional protection, with over 99.99% of accounts with MFA remaining secure during the investigation period.”
Integrating these authentication systems is not necessarily difficult: there are methods based on the physical possession of an object (e.g., a token) and others that use the user’s physical characteristics, such as biometric data. There are also more agile systems, such as those using one-time passcodes, QR codes, and verification via SMS.
Carbon free energy for Our Cloud Low CO2
© 2024 Openapi SpA, a single-member company, under the direction and control of Open Holding Srl.
Viale Filippo Tommaso Marinetti 221 - 00143 Rome - Business Register: 1378273, Share Capital: €50,000.00, VAT Number: IT12485671007, Recipient Code: 'USAL8PV' - Certified Email:
Openapi is certified in: Quality System - **UNI EN ISO 9001:2015** - Data Quality **ISO 25012:2014** - Security Management **ISO/IEC 27001:2022**
All prices are net of any VAT, stamp duty, registration fees, or other taxes that may be due. All logos listed on the portal are copyrighted and owned by their respective owners.