direttiva NIS Piergiorgio Venuti

NIS: what it is and how it protects cybersecurity

Estimated reading time: 6 minutes

The NIS Directive (Network and Information Security) was issued in 2016 by the European Union with the aim of achieving a high level of security of networks and information systems in the European Union.

It applies to essential service providers, such as energy, transport, banks, healthcare, and digital service providers, such as search engines, cloud and e-commerce. NIS has introduced a series of measures to strengthen cybersecurity.

NIS objectives

The main objectives of NIS directive are:

  • Improve prevention of cybersecurity incidents
  • Increase ability to detect and manage computer attacks
  • Limit impact of outages and disruptions of essential services for European citizens.

This is achieved through introduction of security standards, reporting obligations, cooperation between member states.

Scope

The subjects covered by NIS are:

  • Essential service operators (ESO): crucial public and private entities for maintaining vital civil, economic and social activities
  • Digital service providers (DSP): online search engines, cloud computing and online marketplaces

For ESOs, NIS applies to energy, transport, banking, financial market infrastructures, healthcare, drinking water supply and distribution sectors.

NIS2: main updates introduced in 2021

In December 2020, the European Commission proposed an update to the NIS Directive, called NIS2, to improve its effectiveness in light of growing cyber threats.

Sectors included in NIS2

In addition to sectors already covered by NIS, NIS2 directive will include:

  • Postal and courier services
  • Waste (wastewater and waste management)
  • Essential public infrastructures (national and cross-border)
  • Manufacturing sector
  • Product safety
  • Space and satellite activities
  • Public administration
  • Education (schools, universities, research centers)

Enhanced cybersecurity for companies of all sizes

Particular attention will be paid to strengthening security standards applicable to small and medium-sized enterprises (SMEs), often the Achilles heel in cybersecurity.

Large companies will also see growing obligations, with fines up to 2% of global turnover for breaches of information security requirements and failure to notify incidents.

This will push top management to seriously invest in cybersecurity.

International cooperation

Closer cooperation between member states will be promoted, establishing cross-border procedures for incident management and crisis management to effectively counter large-scale attacks.

Cooperation mechanisms with third countries are also planned for a global approach to strengthening international digital resilience.

NIS2 supervisory bodies

The proposed NIS2 directive confers new powers to regulatory bodies established at national level (or identified among existing ones) to oversee implementation of legislation.

Competent authorities

Their specific tasks include:

  • Security audits
  • Inspections and investigations of regulated entities
  • Dynamic analysis of IT risks
  • Requests for information
  • Power to impose sanctions.

They will also have task of increasing population awareness and understanding of cyber risk.

For example, in Italy the National Cybersecurity Center already performs some of these functions.

NIS cooperation group

A cooperation group will be established bringing together these national authorities together with ENISA and European Commission to coordinate cross-border issues and exchange information.

Obligations for essential and digital service operators

NIS2 mandatory subjects

The subjects to whom NIS2 obligations apply are divided into 3 categories:

  • Essential service operators (energy, transport, banking, healthcare, etc.)
  • Digital service providers (cloud, web search engines, e-commerce)
  • Public entities (central and local administrations)

Required safety measures

Regardless of size, all NIS2 entities must meet requirements in terms of:

  • Cybersecurity governance
  • Risk management
  • Operational resilience
  • Monitoring, detection, classification of incidents
  • Business continuity and disaster recovery
  • Information sharing with competent authorities

More stringent security standards are required for entities that support critical services or process significant amounts of personal data.

For example, they will be required to conduct regular penetration testing and cyber crisis exercises to test response plans.

Mandatory incident notification

All NIS2 entities, including SMEs, will have to notify national authorities without undue delay of significant cyber incidents that could disrupt essential services or impact security of data and systems.

Penalties are expected in case of failure to notify.

Expected impact on EU digital resilience

With extensive implementation of NIS2, the European Union aims to significantly reduce the risk and impact of cyber attacks against critical infrastructures and digital services in the coming years.

Success indicators

Some key indicators have already been identified to measure progress in European digital resilience:

  • Average time to detect cyber intrusions
  • Average time to respond and resolve a cyber attack
  • Number of personal data breaches reported annually
  • Economic losses caused by disruptions of critical services

Expected social impact

Benefits for European citizens will come from greater protection of essential services such as healthcare, transport and energy from cyber attacks, and consequently less disruption impacting social life.

Qualitative improvements in digital services are also expected, thanks to investments in data security and infrastructure reliability.

Entry into force and transition

The new NIS2 directive is still in the final stages of the European legislative process, with approval by the EU Council and Parliament expected for 2022.

Obligations taking effect

Once published in the Official Journal of the European Union, member states will have 21 months to incorporate NIS2 into national law.

From that moment on, companies and public bodies covered by the legislation will have 15 months to fully comply with the new obligations.

So NIS2 requirements are expected to become binding between 2023 and 2024, depending on transposition times.

SME support

Given the complexity of the matter, European guidelines and support documentation will likely be published to help small and medium enterprises implement processes and technologies compliant with regulations.

Funding and tenders are also planned to economically support smaller operators in necessary ICT security investments.

Transposition in Italy already completed and new deadline

In Italy, NIS2 directive was transposed last July 31, 2022 with “Legislative Decree no. 123 of June 30, 2022”.

The text faithfully reflects framework and content of European legislation, adapting national law.

Final deadline for compliance

Following entry into force of transposition legislative decree, October 17, 2024 now represents the final deadline by which essential service operators and digital service providers operating in Italy must fully comply with new network and information systems security obligations introduced by NIS2.

After that date, entities not yet fully compliant with directive requirements risk pecuniary fines. For this reason, investments in IT security can no longer be postponed.

Indirect impacts on supply chain and public procurement

Although NIS2 obligations directly apply only to specific operators of essential services and providers of certain digital services, the directive will have a “dragging” effect also on many other companies.

Commercial motivation to comply

In particular, compliance with NIS2 requirements could soon become a de facto prerequisite when participating in public or private calls for tender.

Similarly, it may be an appreciated competitive factor for customers who want to ensure all suppliers in their supply chain meet advanced infrastructure reliability and information security standards.

Cybersecurity certifications

Precisely in order to demonstrate their level of adequacy, it is foreseeable that even companies not subject to NIS2 will increasingly resort to voluntary certifications and third-party independent security audits.

In this way, even without regulatory obligations they can still reap commercial benefits from investing in their cyber resilience level.

Contattaci

Useful links:

Share


RSS

RSS feed

More Articles…

Categories …

Tags

Acronis Cloud Backup BaaS Backup cloud cloud computing Cloud Conference cloud provider reggio emilia cloud server cloud services CTI cyber security cyber security cyber threat Cyber Threat Hunter Data Exfiltration GDPR Machine Learning Monitoraggio infrastruttura ICT Next Generation SIEM nextgen siem online hosting owncloud owncloud pentest Phishing Plesk Ransomware Ransomware security server virtuale sicurezza siem Smart Working SOAR SOCaaS Threat intelligence UEBA VDS Virtual Machine vps vulnerability assessment web hosting webinar Zabbix Zabbix as a Service

RSS Unknown Feed

RSS Full Disclosure

  • MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client February 21, 2025
    Posted by Qualys Security Advisory via Fulldisclosure on Feb 20Qualys Security Advisory CVE-2025-26465: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client CVE-2025-26466: DoS attack against OpenSSH's client and server ======================================================================== Contents ======================================================================== Summary Background Experiments Results MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client DoS...
  • Self Stored XSS - acp2sev7.2.2 February 21, 2025
    Posted by Andrey Stoykov on Feb 20# Exploit Title: Self Stored XSS - acp2sev7.2.2 # Date: 02/2025 # Exploit Author: Andrey Stoykov # Version: 7.2.2 # Tested on: Ubuntu 22.04 # Blog: https://msecureltd.blogspot.com/2025/02/friday-fun-pentest-series-19-self.html Self Stored XSS #1: Steps to Reproduce: 1. Visit "http://192.168.58.168/acp2se/mul/muladmin.php" and login with "admin" / "adminpass" 2. In the field "Put the […]
  • Python's official documentation contains textbook example of insecure code (XSS) February 21, 2025
    Posted by Georgi Guninski on Feb 20Python's official documentation contains textbook example of insecure code (XSS) Date: 2025-02-18 Author: Georgi Guninski === form = cgi.FieldStorage() if "name" not in form or "addr" not in form: print("Error") print("Please fill in the name and addr fields.") return print("name:", form["name"].value) print("addr:",...
  • Re: Netgear Router Administrative Web Interface Lacks Transport Encryption By Default February 18, 2025
    Posted by Gynvael Coldwind on Feb 17Hi, This isn't really a problem a vendor can solve in firmware (apart from offering configuration via cloud, which has its own issues). Even if they would enable TLS/SSL by default, it would just give one a false sense of security, since: - the certificates would be invalid (public […]
  • Monero 18.3.4 zero-day DoS vulnerability has been dropped publicly on social network. February 16, 2025
    Posted by upper.underflow via Fulldisclosure on Feb 16Hello, About an hour ago, a group appearing to be named WyRCV2 posted a note on the nostr social network, which can be found at the following link: https://primal.net/e/note1vzh0mj9rcxax9cgcdapupyxeehjprd68gd9kk9wrv939m8knulrs4780x7 Save, share, use. The paste link includes a list of nodes that the attacker has instructed to target, along […]
  • Netgear Router Administrative Web Interface Lacks Transport Encryption By Default February 16, 2025
    Posted by Ryan Delaney via Fulldisclosure on Feb 16
  • [CVE-2024-54756] GZDoom <= 4.13.1 Arbitrary Code Execution via Malicious ZScript February 16, 2025
    Posted by Gabriel Valachi via Fulldisclosure on Feb 15In GZDoom 4.13.1 and below, there is a vulnerability involving array sizes in ZScript, the game engine&apos;s primary scripting language. It is possible to dynamically allocate an array of 1073741823 dwords, permitting access to the rest of the heap from the start of the array and causing […]
  • Re: Text injection on https://www.google.com/sorry/index via ?q parameter (no XSS) February 16, 2025
    Posted by David Fifield on Feb 15Today at about 2025-02-13 19:00 I noticed the "≠" is back, but now the type 0x12 payload of the ?q query parameter gets formatted into the string representation of an IP address, rather than being copied almost verbatim into the page. If the payload length is 4 bytes, it […]
  • SEC Consult SA-20250211-0 :: Multiple vulnerabilities in Wattsense Bridge February 13, 2025
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Feb 12SEC Consult Vulnerability Lab Security Advisory < 20250211-0 > ======================================================================= title: Multiple vulnerabilities product: Wattsense - Wattsense Bridge vulnerable version: Wattsense Bridge * Hardware Revision: WSG-EU-SC-14-00, 20230801 * Firmware Revision: Wattsense (Wattsense minimal)...
  • APPLE-SA-02-10-2025-2 iPadOS 17.7.5 February 11, 2025
    Posted by Apple Product Security via Fulldisclosure on Feb 10APPLE-SA-02-10-2025-2 iPadOS 17.7.5 iPadOS 17.7.5 addresses the following issues. Information about the security content is also available at https://support.apple.com/122173. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. Accessibility Available for: iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, […]

Customers

Newsletter

{subscription_form_1}
Products and Solutions
Partners
Cloud Models
News
Google Reviews
Secure Online Desktop s.r.l.
4.9
Based on 37 reviews
powered by Google
review us on
Omid Fazeli
06:59 20 Apr 18
They have a lot of solutions for any kind of business. Lower prices than many others. The support service is always active and efficient.
See All Reviews
js_loader
Facebook
Secure Online Desktop s.r.l.
Secure Online Desktop s.r.l.
5.0
Based on 12 reviews
powered by Facebook
review us on
Paolo Raimondi
Paolo Raimondi
11:06 21 Apr 18
La Polimatica Progetti Srl, azienda di... cui sono titolare, collabora con soddisfazione da alcuni anni con Secure Online Desktop. L'Azienda è costituita da professionisti seri e competenti. Insieme a loro abbiamo costruito un sistema organizzato di soluzioni ICT, servizi e attività di consulenza per la compliance alla normativa in materia di protezione dei dati personali (GDPR).read more
Ilaria Miglietta
Ilaria Miglietta
04:16 21 Apr 18
Servizi affidabili e di semplice... utilizzo. I loro tecnici molto attenti alle esigenze del cliente, continuate cosìread more
Francesca Marastoni
Francesca Marastoni
11:41 20 Apr 18
Excellent service company with... wonderful stuff. Highly recommended.

Ottima azienda, servizi molto utili, staff qualificato e competente. Raccomandata!read more
Alessio Liga
Alessio Liga
08:25 20 Apr 18
Servizi di alto livello, competenti e... disponibili a accettare nuove sfide per sviluppare business
Ottimo supportoread more
Matteo Revelli
Matteo Revelli
22:39 19 Apr 18
Ottima azienda, offre servizi di alta... qualità con personale competente e disponibile.read more
Lorenzo Munari
Lorenzo Munari
16:25 19 Apr 18
Azienda molto seria e... affidabile.

E' un piacere poter collaborare con realtà di questo tiporead more
Francisco Amadi
Francisco Amadi
10:41 19 Apr 18
Ho avuto il piacere di collaborare con... loro e spero vivamente che succeda di nuovo. Competenti, professionali, precisi e cordiali!read more
Davide Michelotto
Davide Michelotto
07:42 19 Apr 18
Ottimo servizio, seri professionisti al... timone della società e celerità nei tempi di risposta, oltre ogni aspettativa.read more
Gabriele Petralia
Gabriele Petralia
12:28 18 Apr 18
Luca Prati
Luca Prati
10:12 18 Apr 18
Azienda eccellente, consulenza... customizzata e puntuale.
Un ottimo fornitore.
Io personalmente ho parlato con l' Ing. Venuti, valore aggiunto indubbiamente.read more
Valerio Lezza
Valerio Lezza
21:35 17 Apr 18
Daniela Cospito Di Leo
Daniela Cospito Di Leo
21:20 17 Apr 18
More Reviews
js_loader
payments gateway
About