The draft legislative decree implementing the so-called Nis2 Directive in Italy, the framework that the European Union has conceived to address the new challenges of IT resilience, has been preliminarily approved.
More specifically, Directive 2022/2555, on measures for a high common level of cybersecurity across the Union, amends Regulation No. 910/2014 and Directive 2018/1972 and repeals Directive 2016/1148, i.e. the first NIS (Network and Information Security) Directive.
Following the introduction of the new framework, the Council of Ministers also approved a legislative decree transposing Directive 2022/2557 on the resilience of critical entities, which repeals Council Directive 2008/114/EC.
The Cer (Critical entities resilience) directive aims at an adequate level of harmonization in identifying the sectors, subsectors and categories of subjects that can be classified as critical, in order to strengthen their resilience, understood as the ability to prevent, protect against, respond to, resist, mitigate, absorb, adapt to and recover from incidents that may disrupt the provision of essential services.
The decree therefore identifies the so-called critical subjects in the sectors of energy, transport, banking, drinking and waste water, food production, transformation and distribution, health, space, financial market infrastructures and digital infrastructures, as well as public administration bodies.
The decree establishes that these critical subjects will have to carry out a risk assessment, adopt technical, security and organizational measures that are adequate and proportionate to guarantee their resilience, and restore their operational capabilities in the event of incidents.
At the same time, it will be mandatory to notify the competent authority without undue delay of incidents which significantly disrupt or may significantly disrupt the provision of essential services.
The decree provides for the adoption of an ad hoc strategy and regulates the methods of identifying critical subjects of particular importance at a European level.
It also contains measures aimed at enabling rapid and adequate reactions to incidents (of a physical nature) and establishes common procedures for cooperation and communication on the application of the directive (in particular, coordination with the cybersecurity legislation referred to in the Nis2 directive).
What does the Nis2 Directive provide?
As mentioned, Directive 2022/2555, known as Nis2, responds to the need to strengthen the resilience and security of the networks and information systems of companies and public administrations in the European Union.
The main innovations introduced by the framework (which entered into force on 17 January 2023 and is binding from 17 October 2024, when it replaces the first NIS) and implemented by the approved legislative decree concern:
the expansion of the subjective scope of application of the discipline;
the distinction between "essential subjects" and "important subjects", with the adoption of a size-based criterion for their identification;
the rationalization of minimum safety requirements and mandatory notification procedures;
the adoption of a "multi-risk" approach;
the regulation of coordinated vulnerability disclosure and the specific coordination functions assigned to national CSIRTs (Computer Security Incident Response Teams);
the implementation of cooperation measures to support the operationally coordinated management of large-scale cybersecurity incidents and crises. (Source: Domenico Aliperto, https://www.corrierecomunicazioni.it/ )