
INFORMATION TECHNOLOGY

The Italian Government approves the legislative decree transposing Directive 2022/2555 (NIS 2) on measures for a high common level of cybersecurity in the Union.

The NIS 2 Directive is the EU's cybersecurity legislation. It provides legal measures to strengthen the overall level of cybersecurity in the EU. Compared to the previous 2016 Directive (NIS 1), it modernises the existing legal framework to keep pace with increased digitisation and an evolving cybersecurity threat landscape, extending the scope of cybersecurity rules to new sectors and entities and further enhancing the resilience and incident response capabilities of public and private entities, competent authorities and the EU as a whole.

The NIS 2 Directive introduces a renewed security culture in all sectors that are vital to the European economy and society and heavily dependent on Information and Communication Technologies (ICT), such as energy, transport, water, banking and financial market infrastructures (it should be recalled that the NIS 2 Directive does not apply to banking, financial and insurance entities required to comply with the DORA Regulation 2022/2554 on digital operational resilience, a lex specialis for that sector), healthcare and digital infrastructures (ICT providers are also subject to the aforementioned DORA Regulation).

The Italian legislative decree intervenes by introducing the following main innovations (the deadline for Member States to transpose the NIS 2 Directive is 17 October 2024):
  • the widening of the subjective scope of application;
  • the distinction between "essential subjects" and "important subjects" and the adoption of a size-based criterion for their identification (to overcome the serious limits in identifying the entities subject to the obligations, given that NIS 1 left Member States free to define national criteria, which resulted in a fragmentation of the rules);
  • the streamlining of minimum security requirements and mandatory notification procedures;
  • the adoption of a 'multi-risk' approach;
  • the regulation of coordinated vulnerability disclosure (CVD) and the specific coordination functions assigned to national CSIRTs;
  • the implementation of cooperation measures to support the coordinated management of large-scale cybersecurity incidents and crises at the operational level.