NIS 2 is bringing a number of compliance activities by private companies and public administrations, sometimes not very consistent with the regulations. Let us try to make some reflections on this.
Generalities on Italian transposition
The European Directive NIS 2 (CELEX 2022/2555) was transposed by Italy by Legislative Decree 138 of 4 September 2024. The transposition introduces some substantial changes to the norm, such as Annex 3 ‘Central, regional, local and other administrations’, in which the list of the P.A. affected by NIS 2 is made explicit. It is therefore not a direct and unchanged transposition, there have been changes that also produce some important misalignments: Article 21, which in the European text contains the‘Obligations concerning risk management measures for information security‘, in the Legislative Decree is found in Article 24. The rule must therefore be read and also carefully because there are significant differences between the two texts.
Procedures, not just technique
The first common mistake is to consider NIS 2 a regulation based on technical apparatuses; instead, it is a directive that demands the establishment of procedures, policies and strategies i.e. documents. This is stated in the aforementioned Article 24:
(a) Risk analysis policies…
(b) Policies and procedures for evaluating the effectiveness of risk management measures…
(c) Policies and procedures relating to the use of encryption…
(d) Access control policies….
These are some of the security measures and, as you can see, they refer to the management methods and not to the technical systems. This is normal: NIS 2 assumes (correctly) that the technical system is there but that there may not be a well-defined and up-to-date procedure. Therefore, the first aspect to consider is the procedures and thus the completeness of the documents in question.
Supplier Management
Article 24(2)(d) talks to us about supply chain security and this means that the organisation can ask suppliers to prove their security through certifications, attestations of various kinds and, above all, by formalising how they interact and handle incidents.
supply chain security, including security aspects concerning the relationship between each entity and its direct suppliers or service providers;
This last aspect is always very much neglected: NIS 2 requires a review of supply contracts to see whether they have the correct service levels, the procedures to be implemented for handling IT incidents, and the communication modalities on both sides. The formalisation of these agreements (not necessarily contracts) is often partly lacking within the contractual framework.
This is a very important aspect in order to avoid, for instance, the supplier not reporting that it has been the victim of a data breach, in turn exposing the client organisation’s IT ecosystem. On the other hand, however, this also means that organisations using suppliers should check the soundness of the person they intend to hire, and that they should continue to carry out cyclical audits in order to test and guarantee good conduct also during the contractual life of the supplier. This point, therefore, establishes the obligation of ex-ante control, in fieri but also of formalised regulatory procedures for the management of incidents and for the correct communication to those involved. The termination of relations with the supplier must also take place properly, with the closure of accounts and the termination of relations between organisation and customer.
Race to the standards
When a company chooses to adopt a standard (e.g. ISO 27001 or CSCs), it should ask itself some questions about its sustainability. NIS 2 is a constant fulfilment, just as maintaining the security measures of the standard is constant. The path to certification can be long and complex and in most cases rarely observed. It is therefore not a sticker to be displayed, as it is linked to measures and procedures that must be maintained over time. The choice of a standard compatible with NIS 2 is therefore an activity that must be carried out very carefully.
The Italian P.A., by the way, is already obliged to respond to security requirements that, in many cases, are defined within the now almost forgotten (but still mandatory) AgID Circular 2/2017 bearing the ‘Minimum ICT Security Measures for Public Administration’ and based on the famous CIS Critical Security Controls.
The wrong attitude
The most mistaken attitude in terms of the adoption of the NIS 2 Directive is precisely to minimise its consequences. Firstly because the Italian transposition of NIS 2 is wide-ranging and includes substantially all public entities and a large part of private organisations. Secondly because, in the event of an inspection, there would be a concatenation of failures that would not only concern the requirements of NIS 2 but, in the public, could also concern other regulations. One often focuses on the famous and recent Law 90/2024 ‘Provisions on strengthening national cybersecurity and cybercrime’ while ignoring other, sometimes even more technical regulations.
It is therefore a colossal mistake to minimise or neglect adherence to NIS 2 because non-conformities could extend to other regulations, aggravating the subject’s position at the inspection stage.
Initial disorientation
If companies have never made a sound process of adopting security measures, it is clear that the NIS 2 Directive will appear to them as an insurmountable mountain of ‘strange’ obligations and threats of sanctions. However, it must be made clear that this impression is false: NIS 2 adoption is achievable with some effort but certainly not impossible. It requires the establishment of processes, the identification of roles and responsibilities, but it is not impossible. On the contrary, it can help to better identify responsibilities in dealing with the supplier and in minimising the consequences in the event of an incident. Part of the disorientation is due to not reading the standard and the interaction between it and other industry regulations. Another common reason for disorientation is the lack of interaction between the organisation’s internal departments: establishing an effective procedure means involving several company departments and this rarely happens. The result is a gradual decay in the effectiveness of any security systems, leading to the risk of data breaches and measures.
Conclusion
First of all, espousing NIS 2 is possible and does not require ‘somersaults’ or complex financial transactions but the ability to adopt procedures that are then maintained over time. Secondly, it is clear that the legislation has to be read in its entirety, there are many rules that refer to the European Internal Market Regulation that require attention in order to fully understand the scope of the Directive. Ultimately, NIS 2 puts the players at a crossroads, one road leads to real adoption and the other to cosmetic adoption. Time will be the factor that determines which of the two roads will be taken: it is not difficult to espouse cybersecurity policies but it is difficult to maintain them over time. It requires discipline and ethics that people often prefer to give up for convenience and simplicity.
A different name: a question of form
Finally, a curiosity related to the name: the more observant will not have escaped notice that many texts speak indistinctly of NIS2 (without space) and NIS 2 (with space), but what is the correct form? The European Directive (CELEX EU 2022/2555) has the following text in its title:
on measures towards a high common level of cybersecurity in the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 ( NIS 2 Directive)
As can be seen, the original text has the acronym NIS 2 (NIS-space-2), but the transposing legislative decree reads:
DRAFT LEGISLATIVE DECREE TRANSPOSING NIS2
There do not appear to be any occurrences with space and therefore, having to refer to the Italian implementation, one can write NIS2 without space.