NIS2 is the biggest cybersecurity regulatory change Europe has seen in a decade, and for many Italian SMEs it is something they are not prepared for. Formally it is Directive (EU) 2022/2555, which member states had to transpose by 17 October 2024; Italy did so through Legislative Decree 138/2024, which designates the National Cybersecurity Agency (ACN) as the competent authority and requires in-scope entities to register with the ACN. In other words: it is not "coming", it is already here, and it is binding.
Are you in scope? Essential and important
The first question is whether the directive concerns you, and the answer depends on two axes: sector and size. NIS2 drastically widens the covered sectors compared to the old NIS - alongside energy, transport, banking and health (the "sectors of high criticality" of Annex I) come manufacturing, food, waste management, chemicals, postal services, digital providers and others (the "other critical sectors" of Annex II). On size, the "size-cap rule" applies: as a rule, medium and large enterprises in those sectors are in scope, meaning from 50 employees, or an annual turnover or balance sheet total above 10 million euros. There are exceptions that apply regardless of size - DNS service providers, TLD name registries, qualified trust service providers and providers of public electronic communications networks, among others - so a small company in one of those categories should not assume it is out of scope. The directive then distinguishes essential entities from important entities, with similar obligations but different intensity of supervision (proactive for essential entities, mostly after the fact for important ones) and different maximum penalties.
There is a second, sneakier way to end up in scope: the supply chain. Even if your company is not directly in scope, your large clients - who are - are required to secure their supply chain, and they will do so by demanding contractual security requirements from you. For many SMEs, NIS2 arrives through this door before the regulatory one.
What it requires, concretely
NIS2 is not a list of good intentions: Article 21 mandates minimum risk-management measures, concrete and verifiable. It is not about "doing security" in the abstract, but about specific areas listed in Article 21(2): risk analysis and information system security policies; incident handling; business continuity, backups, disaster recovery and crisis management; supply chain security; security in the acquisition, development and maintenance of systems, including vulnerability handling and disclosure; procedures to assess the effectiveness of the measures; basic cyber hygiene and training; cryptography and encryption policies; human resources security, access control and asset management; and multi-factor or continuous authentication and secured communications where appropriate.
On the reporting of significant incidents (Article 23) the deadlines are tight, and this is where many companies are caught off guard: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. The clock starts at awareness, not at confirmation, so you need to know in advance who in the company is responsible for recognising a significant incident and starting it.
And then there is the part that really changes the game: management accountability (Article 20). Management bodies approve the measures, oversee their implementation, must follow training, and can be held personally accountable for infringements. Fines reach up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher, for essential entities (7 million or 1.4% for important ones). Security stops being "an IT problem" and becomes a duty of the top.
The real hurdle is not technology, it is process
The most common misconception is thinking NIS2 is solved by buying products. It is not. The technical measures (MFA, backups, patching) are often the easy part: most SMEs have gaps there, but fillable ones. The real hurdle is the process - the risk assessment done seriously, governance with assigned responsibilities, documentation proving what you do and why, management involvement. It is organizational work before it is technical, and it is not implemented in a weekend: for an SME starting from scratch, several months is a realistic estimate.
What to do, in order
- Determine scope: sector, size, and exposure via the supply chain.
- Run a gap assessment against the Art. 21 measures: what you have, what is missing.
- Assign governance: who is responsible, how management approves and oversees.
- Implement the measures - many coincide with good practices you should have anyway.
- Prepare the reporting process: who starts the 24-hour clock, and how.
- Extend to the supply chain and document everything: without evidence, to an auditor it does not exist.
Not just a cost: a commercial lever
Seen as pure compliance spending, NIS2 is a burden. Seen well, it is a competitive advantage: large clients must secure their supply chain, and they will choose suppliers who are already in order. Being NIS2-ready becomes a selling point. It is the perspective with which I built Cipher, the platform that translates cyber risks into business language: because NIS2 requires management involvement, and management only decides if it understands the risks in its own terms - impact, likelihood, cost - not in technical jargon.
The takeaway
The European deadline has passed, Italy has transposed it, and management can be held personally accountable: the "there's still time" excuse is gone. But NIS2, stripped of the fear, largely asks for what a company should already be doing - assessing its own risks, protecting itself proportionately, knowing how to react to an incident, and proving it. The difference is that now it is written down, it is mandatory, and someone at the top answers for it.
If you want to dive deeper into this topic or need specialized consulting, let us talk.