TomatoBlue
Back to Services
Core Service

NIS2 Directive: What It Is, What It Requires, and How to Comply

Directive (EU) 2022/2555, known as NIS2, represents the new European regulatory framework for cybersecurity and operational resilience. Entered into force in 2023 and transposed in Italy with Legislative Decree 138/2024, NIS2 replaces the previous NIS directive by introducing much more extensive and rigorous obligations for businesses and public entities. Its goal is to strengthen the cybersecurity of critical infrastructure and essential services throughout the European Union.

Scope of Application

NIS2 applies to two broad categories of subjects:

Essential Entities

Energy, transport, healthcare, finance, drinking water, digital infrastructure, central public administration.

Important Entities

Critical manufacturing, ICT providers, postal services, waste management, local public administration, digital service providers, high-tech manufacturing.

The compliance obligation also falls on third-party service providers to these entities. Many medium-sized private operators are also included, especially in the technology, industrial, and healthcare sectors.

Main Regulatory Obligations

Organizations subject to NIS2 must:

  • Adopt adequate technical and organizational measures for cyber risk management.
  • Draft and update IT security policies, including incident response plans.
  • Implement controls on supply chain and critical suppliers.
  • Notify significant incidents to CSIRT Italia (ACN) with an early warning within 24 hours and a full notification within 72 hours, pursuant to Legislative Decree 138/2024.
  • Ensure training and accountability of top management.
  • Maintain audit trails and documentation of security activities.
  • Collaborate with authorities during inspections and in case of incidents.

Sanctions

The penalties for violations are very severe:

  • Up to €10 million or 2% of annual global turnover.
  • Direct liability of the Board of Directors and executives.
  • Possibility of temporary suspension of activities in case of serious non-compliance.

Deadlines

Registration and updates of entities on the ACN platform take place every year between 1 January and 28 February. For entities already listed, incident-notification obligations are operational from 2026 and baseline security measures must be adopted by October 2026 (about 18 months), following the principle of gradualism and proportionality indicated by ACN. Specific deadlines apply to entities listed for the first time.

Our NIS2 Consulting Services

We support businesses and public organizations in full compliance with the NIS2 Directive, offering specialized technical and regulatory consulting through three scalable packages:

Basic Package

Compliance Analysis

  • Gap analysis against NIS2 requirements
  • Executive report on risks and missing measures
  • Identification of specific obligations (essential/important)
  • Compliance timeline with priorities
Advanced Package

Operational Implementation

Drafting and/or revision of mandatory policies:

  • Corporate security policy
  • Incident response policy
  • BYOD and smart working policy
  • Credentials and access management
  • Drafting of incident notification and communication plan
  • Mandatory staff training
  • Guidelines for the Board of Directors
Complete Package

Governance, Audit, Contracts

  • Security audit on critical suppliers
  • Integration of NIS2 clauses in contracts (SLA, cooperation obligations, audit rights)
  • Data breach simulations and tabletop exercises
  • Assistance in case of ACN inspection
  • Continuous compliance maintenance program

The first step is a free 30-minute preliminary call: we check whether you fall within the NIS2 scope, identify the adequacy priorities and map out the first stretch of the roadmap. No commitment.

Request the preliminary call