The NIS 2 Directive has been implemented in Italy with its publication in the Official Gazette, in this article we analyze its main contents.
As we have already discussed here, last February the Italian Parliament delegated to the Government the implementation of the (now famous) NIS 2 Directive. Although the Delegation Law required the Government to adopt the legislative decree implementing the Directive four months before the transposition deadline set in the Directive itself, i.e. by mid-June 2024, approval by the Council of Ministers did not occur until early August. Publication of the long-awaited Legislative Decree No. 138 of September 4, 2024 in the Official Gazette then had to wait until October.
The text of the Legislative Decree is broadly in line with the text of the Directive. There are, however, some differences; the main ones are set out below.
Applicability Scope of the NIS 2 Directive implemented in Italy
The first difference from the Directive is the scope of the Italian Legislative Decree. As noted above, the scope of the Directive is subject to the combined presence of three different criteria:
- A size requirement, where the company qualifies as a medium-sized or large enterprise within the meaning of Article 2 of Recommendation 2003/361/EC;
- A territorial requirement, where the company provides its services or conducts its business within the EU; and
- A sectoral criterion, where the relevant company provides its services or carries out activities in one or more of the economic sectors listed in the Annexes to the Directive.
With respect to this last point, however, the Legislative Decree slightly broadens the scope by providing that the following must also be considered among the entities to which the new rules apply:
- Public administrations identified on the basis of a graded criterion: the evolution of the public administration’s degree of exposure to risk, the probability of incidents occurring and their severity; and
- Regardless of size, (i) entities that provide local public transport services, (ii) educational institutions that carry out research activities, (iii) entities that carry out activities of cultural interest, and (iv) in-house companies, investee companies and publicly controlled companies, as defined in Legislative Decree No. 175 of August 19, 2016 (Consolidated Law on Publicly Owned Companies).
Deadlines for Compliance with the NIS 2 Directive Implemented in Italy
Although the NIS 2 Directive applies from October 17, 2024, the compliance obligations for companies within its scope are, in practice, staggered over a longer period under the Legislative Decree.
In fact, as the Decree makes clear, the first activity required of companies is to assess whether the Legislative Decree applies to their operations. Although this seems obvious, the assessment is not always straightforward, given the often very broad sub-categories within the sectors referenced by the NIS 2 Directive. By the end of 2024, therefore, companies are required to carry out a timely analysis to establish whether their services fall within the scope of the Legislative Decree, taking into account the relevant sectors as well as the size and territorial criteria mentioned above.
Pursuant to Article 6 of the Legislative Decree, it is only from January 1, 2025 (until the end of February, except for certain companies whose registration is required by January 17, 2025) that companies which consider themselves within the scope of the Legislative Decree must register on a dedicated portal being set up by ACN. Registration requires a range of information, such as the company name, up-to-date address and contact details (including e-mail addresses and telephone numbers), the designation of a point of contact with an indication of their role at the entity, and the relevant sectors, sub-sectors and types of entity listed in the annexes to the Legislative Decree.
Following this, ACN will have until March 31, 2025 to analyze the companies registered on the platform and draw up the list of essential and important entities, which will then be notified of their inclusion in the relevant list by April 15, 2025.
In addition to the above-mentioned dates:
- the obligations to notify computer security incidents are deferred until nine months after receipt of the notice of inclusion in the applicability lists of the Legislative Decree (so, indicatively, January 2026);
- the obligations of administrative and governing bodies and the obligations concerning information security risk management measures are deferred until 18 months after the above-mentioned notice (so, indicatively, October 2026).
Does this mean that there is nothing to be done in the meantime? In our view, no. The central task remains to ascertain, by the end of the year, whether the relevant companies fall within the scope of NIS 2. This is followed by an assessment of the IT systems, which takes time and requires detailed analysis of the internal governance as well. The example of GDPR is instructive: although the timeframe was wide (a full two years from the entry into force of the Regulation until its actual applicability), companies needed all of that time to take the necessary measures and to adopt an internal compliance system in line with business needs.
The Competent Authorities
With reference to the competent authorities, the National Cybersecurity Agency (ACN) certainly stands out. ACN is called upon to (i) oversee the implementation and enforcement of the Legislative Decree, (ii) prepare the measures necessary to implement the Legislative Decree, (iii) carry out regulatory functions and activities, including adopting guidelines, recommendations and non-binding guidance, (iv) identify essential and important entities, and (v) participate in the NIS Cooperation Group and other EU-level activities.
To implement the Decree at sector level, however, other NIS Sector Authorities are also identified to support ACN. Specifically, the following are designated:
- the Presidency of the Council of Ministers for the ICT service management sector, the space sector, public administrations and in-house companies, and publicly owned or controlled companies;
- the Ministry of Economy and Finance for the banking and financial market infrastructure sectors;
- the Ministry of Enterprise and Made in Italy for the digital infrastructure sector, the postal and courier services sector, the chemical manufacturing, production and distribution sector, the sub-sectors of manufacture of computer, electronic and optical products, manufacture of electrical equipment and manufacture of machinery and equipment not elsewhere classified (n.e.c.), the sub-sectors of manufacture of motor vehicles, trailers and semi-trailers and manufacture of other transport equipment, and digital service providers;
- the Ministry of Agriculture, Food Sovereignty and Forestry for the food production, processing and distribution sector;
- the Ministry of Environment and Energy Security for the energy sector, the drinking water supply and distribution sector, the wastewater sector and the waste management sector;
- the Ministry of Infrastructure and Transport for the transport sector and for entities providing local public transport services;
- the Ministry of University and Research for the research sector and for educational institutions conducting research activities;
- the Ministry of Culture for entities carrying out activities of cultural interest;
- the Ministry of Health for the health sector and the sub-sector of manufacture of medical devices and in vitro diagnostic medical devices.
The Applicable Sanctions under the NIS 2 Directive Implemented in Italy
Failure to comply with the above obligations may result in significant penalties for operators. Specifically, following ACN’s finding of non-compliance, the relevant authorities may impose administrative fines of up to €10,000,000 or 2 percent of the entity’s total annual worldwide turnover for the previous fiscal year, whichever is higher. In addition, managers who fail to put in place the actions needed to ensure compliance face personal liability and sanctions.
In order to avoid the aforementioned penalties, companies should assess as soon as possible whether the NIS 2 Directive applies to their operations, also in view of the applicable reporting requirements, and carefully map their cybersecurity set-up from both a technical and a compliance perspective, so as to take the necessary measures without delay.
The material (in Italian) from a recent webinar on this topic is available HERE.