Article by Giulio Uras, Francesco Fidel Camera and Matteo Pagliarulo.
Legislative Decree No. 138/2024 (“NIS2 Decree”), transposing Directive (EU) 2022/2555, known as the “NIS2 Directive”, was published in the Official Gazette.
The NIS2 Decree, in addition to repealing Legislative Decree No. 65/2018 – which transposed Directive 2016/1148, the so-called NIS Directive – also repealed Articles 40 (“Security of networks and services”) and 41 (“Implementation and control”) of Legislative Decree No. 259/2003 (“Electronic Communications Code”). As a consequence, providers of public electronic communications networks or publicly available electronic communications services are now subject only to the provisions set out in the NIS2 Decree.
To whom does it apply?
The NIS2 Decree applies to both public and private entities operating in “critical” sectors (e.g. energy, transport, banking, healthcare, digital infrastructure, space, waste management, manufacturing of medical devices, machinery, motor vehicles, etc.).
Moreover, obliged entities are divided into “essential” and “important” entities according to their importance for the sector or the type of services they provide, as well as their size. The category an entity belongs to is relevant to the sanctions applicable in the event of a breach of the obligations under the NIS2 Decree, which are higher for essential entities (a maximum of at least EUR 10 million or a maximum of at least 2% of the total worldwide annual turnover in the preceding financial year of the undertaking to which the essential entity belongs, whichever is higher).
What are the obligations?
The main obligations incumbent on the obliged parties are the adoption of IT security risk management measures and the notification of significant incidents.
With regard to the obligations in the area of IT security risk management, essential and important entities are required to take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of the information and network systems used in their activities or in the provision of their services.
With regard to reporting obligations, the NIS2 Decree requires essential and important entities to notify the CSIRT (Computer Security Incident Response Team) of incidents that have a significant impact on the provision of their services.
Notification is phased: a pre-notification within 24 hours of the incident, the notification itself within 72 hours of the incident, and a final report within 1 month of the notification.
Both IT security risk management and reporting obligations will be set in detail (also with regard to terms, modalities, specifications and gradual implementation timeframes) by the NCA (National Cybersecurity Authority), through its own decisions based on gradualness and proportionality criteria.
Responsibility for ensuring compliance with the obligations laid down in the NIS2 Decree lies with the administrative and management bodies of essential and important entities, which are held accountable for breaches of the NIS2 Decree.
For more information, see our Guide on Cybersecurity (updated in accordance with NIS2 Decree, CER Decree and the Cybersecurity Law) or contact our dedicated professionals.