NIS2 Directive: what the new cybersecurity legislation includes and which companies are subject to it

February 2025

The NIS2 Directive is the new cybersecurity legislation that represents a significant step toward strengthening cybersecurity in Europe. Introduced in response to growing cyber threats, this legislation imposes stringent requirements on a broad spectrum of companies.

But what exactly does it provide for and who is obliged to comply with it?

What is the NIS2 Directive?

The NIS2 Directive is an update of the previous NIS1 Directive, adopted in 2016. This new regulatory framework, which came into force in 2022 and was last transposed in Italy on Sept. 4, 2024, aims to prevent and mitigate risks related to possible cyber attacks, ensuring the business continuity of organizations.

The main changes from the 2016 directive include:

  • An extension of scope to more sectors and organizations: from about 400 entities subject to NIS1 to a total of 50,000 entities subject to NIS2.
  • Higher standards for risk management and incident reporting.
  • The introduction of harmonized measures for the entire European Union, to be adhered to by all member states.

Timeline of the NIS Directives:

  • 2016: NIS1 Directive comes into force.
  • 2018: Italy implements the NIS1 Directive.
  • 2022: NIS2 Directive goes into effect.
  • 2024: Italy implements the NIS2 Directive.
  • 2025, January 17: Deadline for registration on the ACN platform.
  • 2025, March 31: The ACN will draw up the list of essential and important subjects.
  • 2025, April 15: Deadline for appointing the person responsible for compliance with regulatory obligations.
  • 2026, January 1: Recipients of NIS2 must comply with Article 25 on incident reporting and Article 30.

Who falls under the NIS2 Directive?

The NIS2 Directive applies to two main categories of subjects: essential subjects and important subjects. The distinction matters because it determines the financial penalties applicable in the event of a violation of this legislation.

To understand whether an organization is involved, it is essential to check whether it falls into one of the indicated sectors, and whether it meets the size and territorial criteria identified in the regulations.

Regarding size, a company may be included if it has more than 50 employees or an annual turnover of more than 10 million euros. This requirement does not always have to be met, however: some categories, such as qualified digital service providers or DNS system operators, are included regardless of their size.

What requirements do you need to meet to be compliant?

Organizations that must comply with the NIS2 Directive must meet a number of key requirements:

  • Proactive risk management: identifying and mitigating potential vulnerabilities in IT systems, using a multi-risk approach.
  • Minimum security measures: implement policies and tools to prevent cyber attacks.
  • Incident notification: report any significant event to the appropriate authorities within 24 hours.
  • Continuous assessment and monitoring: adopt international standards such as ISO/IEC 27001 for information security management.

Penalties and consequences for non-compliance

Companies that fail to comply with the NIS2 Directive risk several consequences. Among them:

  • Significant financial penalties: for essential parties, penalties can be as high as 10 million euros or 2 percent of annual global turnover, whichever amount is higher, while for important parties, penalties go up to 7 million euros or 1.4 percent of global turnover.
  • Reputational damage, negatively affecting the trust of customers and partners.
  • Possible operational restrictions, imposed by regulatory authorities.
  • Incidental sanctions against management bodies, who will be disqualified from performing management functions in the entity until the entity has taken the necessary measures to remedy the deficiencies found by the National Cybersecurity Agency.

Orbyta Tax&Legal supports companies in complying with the NIS2 Directive

Companies that take a proactive approach and comply not only reduce the risk of penalties and reputational damage, but also strengthen their competitive position in the marketplace. Investing in cybersecurity is not just about compliance: it is an opportunity to build trust, protect assets and create lasting value.

Preparing for change requires commitment, expertise, and the support of qualified partners. With the help of experts in the field, such as Orbyta Tax&Legal, organizations can tackle the transition effectively and turn a regulatory obligation into a competitive advantage.