NIS2: The new Cybersecurity Directive

The EU's new Cybersecurity standards respond to growing digital threats with stricter protocols and more robust governance frameworks.

The details of the directive

In December 2022, the Council of the European Union and the European Parliament adopted Network and Information Systems Directive 2 (NIS2), or Directive 2022/2555, on network and information system security, with the aim of improving security systems to cope with increasingly frequent cyber attacks and providing for new, broader Cybersecurity requirements for all EU Member States.

In Italy, the Directive was implemented on 1 October 2024 through Italian Legislative Decree No. 138/2024, the date on which companies must start the process of adapting to the new requirements, and it will be fully operational from 1 January 2026.

Leviahub, always keen to ensure that its solutions are as secure as possible, has already complied with the guidelines as best it can, to offer secure environments to its customers and guide them towards risk-free business.

Hardware does not last forever and data centres have to be upgraded to keep abreast of an ever-changing market. Prevention, Monitoring and Recovery are the three key concepts to comply with regulations and remain competitive, and Leviahub is ready and willing to support you with the best services for your business.

NIS2 Directive: what has changed compared to NIS?

NIS2 is a major evolution of the previous Network and Information Systems Directive (NIS). It broadens the EU's Cybersecurity strategy in order to strengthen the cybersecurity of key entities within the organisation, responding to growing digital threats and protecting the internal market through stricter protocols and more robust governance frameworks.

Specifically, compared to NIS1, the new Directive provides for:

BUSINESS CONTINUITY GUARANTEE

The aim of the new measures is to ensure the business continuity of the entities even in the event of serious damage to the technological infrastructure, so as to prevent any interruptions in the workflow and any loss of essential data.

COOPERATION BETWEEN MEMBER STATES

The Directive aims to create and strengthen a European-wide cooperation network to promote the exchange of information between Member States. This will facilitate the sharing of best practices and enable a coordinated response to cyber incidents across borders.

EXPANSION OF THE SECTORS INVOLVED

The Directive applies to more medium-sized and large industries than the previous NIS. The sectors involved have increased from 6 to 18.

GREATER RESPONSIBILITY FOR MANAGEMENT

The Directive introduces stricter penalties for repeated non-compliance and makes corporate security managers responsible for breaches.

MORE STRINGENT RISK MANAGEMENT MEASURES

All entities involved must adopt specific technical and organisational measures for reporting incidents and managing or resolving cybersecurity risks.

INVOLVEMENT OF THE SUPPLY CHAIN

More attention is required regarding vulnerabilities related to third-party providers. In this way, the entire supply chain is involved.

DEFINITION OF MAXIMUM PENALTIES

The penalties envisaged for breaching NIS2 regulations are severe and proportional to the seriousness of the breach; they vary depending on the type of entity involved (essential or important) and may relate to failure to manage risks, failure to comply with incident reporting requirements or failure to register with the competent authorities.

Penalties must be set by the Member States but must be at least equal to:

- 1.4% of global turnover or €7 million for important entities;

- 2% of global turnover or €10 million for essential entities.

Scope of NIS2

The NIS2 Directive divides the organisations concerned into two main categories, essential and important entities; an organisation is placed in one or the other category on the basis of its size and the criticality of the sector to which it belongs.

Furthermore, the Directive broadens the scope: the sectors covered are now 18, 11 of which are highly critical and 7 critical, involving more than 80 types of entities.

Risk management measures

According to the new NIS2 Directive, responsible parties must implement appropriate and proportionate technical, operational and organisational actions to manage the security risks of the network and information systems used to conduct their activities or provide their services, as well as to prevent and limit the impact of any incidents on service recipients and on other services.

Companies must determine the measures to be taken by following two operational steps:

ANALYSIS PHASE

At this stage, companies must analyse the circumstances of each individual case, taking into account the human factor and the level of dependence on the network and information systems, with a view to determining the measures to be taken, commensurate with the potential socio-economic impact of any cybersecurity incidents.

The greater the potential severity of the damage, the greater the effort that the responsible party will need to make to implement risk management measures.

ADOPTION OF SPECIFIC MEASURES

The company will have to adopt specific policies for risk analysis and security, backup management and disaster recovery, and crisis management; furthermore, measures for incident management, maintenance of computer and network systems, and supply chain security must be defined.

The responsible entity will be required to put procedures in place to evaluate the efficacy of the risk management measures. Note that companies not directly covered by the Directive may be indirectly involved within the scope of the supply chain, even if they are not based in the EU but only operate within it as part of the supply chain.

Standardisation and Certifications

Following the NIS2 Directive, Member States may require certifications and/or the use of certified products by the entities responsible.

Product certification is based on the European programmes for Cybersecurity certifications under EU Cybersecurity Regulation 2019/881. Additionally, according to the Directive, the European Commission may adopt delegated acts requiring specific categories of entities to use certified technical solutions or obtain a corresponding certificate; these, however, may only be adopted if the Commission has previously found insufficient levels of cybersecurity and set a deadline for implementation.

Registration on the ACN portal

In Italy, from 1 December 2024 and by 28 February 2025, companies falling within the scope of the NIS2 Directive must complete their registration on the portal of the ACN (Autorità per la Cybersicurezza Nazionale), in order to comply with the European legislation and avoid the risk of incurring heavy penalties.

Registration on the portal of the Autorità per la Cybersicurezza Nazionale allows companies to:

  • attest to the adoption of effective measures against cyber threats;
  • demonstrate their willingness to cooperate with the competent authorities;
  • benefit from an update channel, through notices on regulatory developments and on the tools to be adopted.

If a company does not register on the Portal by 28 February 2025, it risks facing:

  • penalties and fines for failure to fulfil regulatory obligations and non-compliance with NIS2;
  • exclusion from Cyber Security resources and tools, exposing the company to greater risks and cyber attacks;
  • reputational and operational risks.

LEVIAHUB'S SOLUTIONS TO COMPLY WITH NIS2

Leviahub is the trusted partner that also accompanies you in complying with the new NIS2 Directive.

Always attentive to regulatory and market developments to ensure maximum efficiency for its customers, Leviahub provides all the tools needed to ensure a high level of security for your IT systems and data. In a world where digital threats are constantly evolving, protecting your systems and taking the right precautions to anticipate potential risks becomes an absolute priority. This is why we have been working for some time now on the most sophisticated security measures, while always adapting to the latest developments in order to keep abreast of the most advanced prevention systems.

With our Cybersecurity services you will find a Team of experts ready to suggest the best cybersecurity solutions to implement for your company, protecting it from unwanted threats and attacks.

Our experience allows us to intervene with precision, offering custom-tailored solutions that preserve the stability of your systems and minimise the risk of disruption, ensuring that every action contributes to strengthening business resilience.

Protect corporate information and sensitive data: with our technologically advanced Cybersecurity services, designed exclusively for the Supply Chain sector, you can count on a secure and reliable digital environment.

Our Cybersecurity services include:

  • Risk Assessment
  • Vulnerability Assessment
  • Penetration Test
  • Security Awareness (social engineering)
  • Brand reputation (dark and deep web scouting)
  • Cyber Threat Intelligence
  • SOC (Security Operations Center)
  • SIEM (Security Information and Event Management)
  • NDR (Network Detection & Response)
  • MDR (Managed Detection & Response)
  • SOAR (Security Orchestration, Automation and Response)
  • WAF (Web Application Firewall)
  • Advanced e-mail security
  • Continuous monitoring to detect suspicious activity
  • Backup and disaster recovery to safeguard data
  • Multi-factor authentication for an additional layer of security

Each service plays a key role in building a safe and secure IT environment.

With Leviahub you can face the digital world with confidence and peace of mind, knowing that you have a trusted partner at your side. Put your trust in us and fulfil all the NIS2 requirements now, to avoid penalties and cybersecurity risks!
