direttiva NIS Piergiorgio Venuti

NIS: what it is and how it protects cybersecurity

Estimated reading time: 6 minutes

The NIS Directive (Network and Information Security) was issued in 2016 by the European Union with the aim of achieving a high level of security of networks and information systems in the European Union.

It applies to essential service providers, such as energy, transport, banks, healthcare, and digital service providers, such as search engines, cloud and e-commerce. NIS has introduced a series of measures to strengthen cybersecurity.

NIS objectives

The main objectives of NIS directive are:

  • Improve prevention of cybersecurity incidents
  • Increase ability to detect and manage computer attacks
  • Limit impact of outages and disruptions of essential services for European citizens.

This is achieved through introduction of security standards, reporting obligations, cooperation between member states.


The subjects covered by NIS are:

  • Essential service operators (ESO): crucial public and private entities for maintaining vital civil, economic and social activities
  • Digital service providers (DSP): online search engines, cloud computing and online marketplaces

For ESOs, NIS applies to energy, transport, banking, financial market infrastructures, healthcare, drinking water supply and distribution sectors.

NIS2: main updates introduced in 2021

In December 2020, the European Commission proposed an update to the NIS Directive, called NIS2, to improve its effectiveness in light of growing cyber threats.

Sectors included in NIS2

In addition to sectors already covered by NIS, NIS2 directive will include:

  • Postal and courier services
  • Waste (wastewater and waste management)
  • Essential public infrastructures (national and cross-border)
  • Manufacturing sector
  • Product safety
  • Space and satellite activities
  • Public administration
  • Education (schools, universities, research centers)

Enhanced cybersecurity for companies of all sizes

Particular attention will be paid to strengthening security standards applicable to small and medium-sized enterprises (SMEs), often the Achilles heel in cybersecurity.

Large companies will also see growing obligations, with fines up to 2% of global turnover for breaches of information security requirements and failure to notify incidents.

This will push top management to seriously invest in cybersecurity.

International cooperation

Closer cooperation between member states will be promoted, establishing cross-border procedures for incident management and crisis management to effectively counter large-scale attacks.

Cooperation mechanisms with third countries are also planned for a global approach to strengthening international digital resilience.

NIS2 supervisory bodies

The proposed NIS2 directive confers new powers to regulatory bodies established at national level (or identified among existing ones) to oversee implementation of legislation.

Competent authorities

Their specific tasks include:

  • Security audits
  • Inspections and investigations of regulated entities
  • Dynamic analysis of IT risks
  • Requests for information
  • Power to impose sanctions.

They will also have task of increasing population awareness and understanding of cyber risk.

For example, in Italy the National Cybersecurity Center already performs some of these functions.

NIS cooperation group

A cooperation group will be established bringing together these national authorities together with ENISA and European Commission to coordinate cross-border issues and exchange information.

Obligations for essential and digital service operators

NIS2 mandatory subjects

The subjects to whom NIS2 obligations apply are divided into 3 categories:

  • Essential service operators (energy, transport, banking, healthcare, etc.)
  • Digital service providers (cloud, web search engines, e-commerce)
  • Public entities (central and local administrations)

Required safety measures

Regardless of size, all NIS2 entities must meet requirements in terms of:

  • Cybersecurity governance
  • Risk management
  • Operational resilience
  • Monitoring, detection, classification of incidents
  • Business continuity and disaster recovery
  • Information sharing with competent authorities

More stringent security standards are required for entities that support critical services or process significant amounts of personal data.

For example, they will be required to conduct regular penetration testing and cyber crisis exercises to test response plans.

Mandatory incident notification

All NIS2 entities, including SMEs, will have to notify national authorities without undue delay of significant cyber incidents that could disrupt essential services or impact security of data and systems.

Penalties are expected in case of failure to notify.

Expected impact on EU digital resilience

With extensive implementation of NIS2, the European Union aims to significantly reduce the risk and impact of cyber attacks against critical infrastructures and digital services in the coming years.

Success indicators

Some key indicators have already been identified to measure progress in European digital resilience:

  • Average time to detect cyber intrusions
  • Average time to respond and resolve a cyber attack
  • Number of personal data breaches reported annually
  • Economic losses caused by disruptions of critical services

Expected social impact

Benefits for European citizens will come from greater protection of essential services such as healthcare, transport and energy from cyber attacks, and consequently less disruption impacting social life.

Qualitative improvements in digital services are also expected, thanks to investments in data security and infrastructure reliability.

Entry into force and transition

The new NIS2 directive is still in the final stages of the European legislative process, with approval by the EU Council and Parliament expected for 2022.

Obligations taking effect

Once published in the Official Journal of the European Union, member states will have 21 months to incorporate NIS2 into national law.

From that moment on, companies and public bodies covered by the legislation will have 15 months to fully comply with the new obligations.

So NIS2 requirements are expected to become binding between 2023 and 2024, depending on transposition times.

SME support

Given the complexity of the matter, European guidelines and support documentation will likely be published to help small and medium enterprises implement processes and technologies compliant with regulations.

Funding and tenders are also planned to economically support smaller operators in necessary ICT security investments.

Transposition in Italy already completed and new deadline

In Italy, NIS2 directive was transposed last July 31, 2022 with “Legislative Decree no. 123 of June 30, 2022”.

The text faithfully reflects framework and content of European legislation, adapting national law.

Final deadline for compliance

Following entry into force of transposition legislative decree, October 17, 2024 now represents the final deadline by which essential service operators and digital service providers operating in Italy must fully comply with new network and information systems security obligations introduced by NIS2.

After that date, entities not yet fully compliant with directive requirements risk pecuniary fines. For this reason, investments in IT security can no longer be postponed.

Indirect impacts on supply chain and public procurement

Although NIS2 obligations directly apply only to specific operators of essential services and providers of certain digital services, the directive will have a “dragging” effect also on many other companies.

Commercial motivation to comply

In particular, compliance with NIS2 requirements could soon become a de facto prerequisite when participating in public or private calls for tender.

Similarly, it may be an appreciated competitive factor for customers who want to ensure all suppliers in their supply chain meet advanced infrastructure reliability and information security standards.

Cybersecurity certifications

Precisely in order to demonstrate their level of adequacy, it is foreseeable that even companies not subject to NIS2 will increasingly resort to voluntary certifications and third-party independent security audits.

In this way, even without regulatory obligations they can still reap commercial benefits from investing in their cyber resilience level.

Useful links:



More Articles…

Categories …


RSS darkreading

RSS Full Disclosure

  • SEC Consult SA-20240527-0 :: Multiple vulnerabilities in HAWKI didactic interface May 28, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on May 27 SEC Consult Vulnerability Lab Security Advisory < 20240527-0 > ======================================================================= title: Multiple vulnerabilities product: HAWKI (Interaction Design Team at the University of Applied Sciences and Arts in Hildesheim/Germany) vulnerable version: 1.0.0-beta.1, versions before commit 146967f     fixed version: Github commit 146967f...
  • SEC Consult SA-20240524-0 :: Exposed Serial Shell on multiple PLCs in Siemens CP-XXXX Series May 28, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on May 27SEC Consult Vulnerability Lab Security Advisory < 20240524-0 > ======================================================================= title: Exposed Serial Shell on multiple PLCs product: Siemens CP-XXXX Series (CP-2014, CP-2016, CP-2017, CP-2019, CP-5014) vulnerable version: All hardware revisions fixed version: Hardware is EOL, no fix CVE number: - impact: Low...
  • SEC Consult SA-20240522-0 :: Broken access control & API Information Exposure in 4BRO App May 23, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on May 23SEC Consult Vulnerability Lab Security Advisory < 20240522-0 > ======================================================================= title: Broken access control & API Information Exposure product: 4BRO App vulnerable version: before 2024-04-17 fixed version: 2024-04-17 CVE number: - impact: Critical homepage: https://www.4bro.de found: 2023-05-07...
  • [CFP] Security BSides Ljubljana 0x7E8 | September 27, 2024 May 23, 2024
  • asterisk release 20.8.1 May 21, 2024
    Posted by Asterisk Development Team via Fulldisclosure on May 20The Asterisk Development Team would like to announce security release Asterisk 20.8.1. The release artifacts are available for immediate download at https://github.com/asterisk/asterisk/releases/tag/20.8.1 and https://downloads.asterisk.org/pub/telephony/asterisk Repository: https://github.com/asterisk/asterisk Tag: 20.8.1 ## Change Log for Release asterisk-20.8.1 ### Links: - [Full ChangeLog](...
  • asterisk release 21.3.1 May 21, 2024
    Posted by Asterisk Development Team via Fulldisclosure on May 20The Asterisk Development Team would like to announce security release Asterisk 21.3.1. The release artifacts are available for immediate download at https://github.com/asterisk/asterisk/releases/tag/21.3.1 and https://downloads.asterisk.org/pub/telephony/asterisk Repository: https://github.com/asterisk/asterisk Tag: 21.3.1 ## Change Log for Release asterisk-21.3.1 ### Links: - [Full ChangeLog](...
  • asterisk release 18.23.1 May 21, 2024
    Posted by Asterisk Development Team via Fulldisclosure on May 20The Asterisk Development Team would like to announce security release Asterisk 18.23.1. The release artifacts are available for immediate download at https://github.com/asterisk/asterisk/releases/tag/18.23.1 and https://downloads.asterisk.org/pub/telephony/asterisk Repository: https://github.com/asterisk/asterisk Tag: 18.23.1 ## Change Log for Release asterisk-18.23.1 ### Links: - [Full ChangeLog](...
  • CVE-2024-34058: Nethserver 7 & 8 stored cross-site scripting (XSS) in WebTop package May 21, 2024
    Posted by Andrea Intilangelo on May 20CVE-2024-34058: Nethserver 7 & 8 stored cross-site scripting (XSS) in WebTop package Use CVE-2024-34058. Additional info: NethServer is an Open Source operating system for the Linux enthusiast, designed for small offices and medium enterprises. From their website: "It&apos;s simple, secure and flexible" and "ready to deliver your messages, to […]
  • SEC Consult SA-20240513-0 :: Tolerating Self-Signed Certificates in SAP® Cloud Connector May 14, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on May 14SEC Consult Vulnerability Lab Security Advisory < 20240513-0 > ======================================================================= title: Tolerating Self-Signed Certificates product: SAP® Cloud Connector vulnerable version: 2.15.0 - 2.16.1 (Portable and Installer) fixed version: 2.16.2 (Portable and Installer) CVE number: CVE-2024-25642 impact: high homepage:...
  • TROJANSPY.WIN64.EMOTET.A / Arbitrary Code Execution May 14, 2024
    Posted by malvuln on May 14Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/f917c77f60c3c1ac6dbbadbf366ddd30.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: TrojanSpy.Win64.EMOTET.A Vulnerability: Arbitrary Code Execution Description: The malware looks for and executes a x64-bit "CRYPTBASE.dll" PE file in its current directory. Therefore, we can hijack the DLL and execute […]