TomatoBlue

NIS2 Directive: What It Is, What It Requires, and How to Comply

Directive (EU) 2022/2555, known as NIS2, is the European Union's current regulatory framework for cybersecurity and operational resilience. It entered into force on 16 January 2023, with a transposition deadline of 17 October 2024, and was transposed in Italy by Legislative Decree 138/2024. NIS2 repeals the original NIS Directive (2016/1148) and introduces considerably broader and stricter obligations for businesses and public entities. Its goal is to raise the common level of cybersecurity of critical infrastructure and essential services throughout the European Union.

Scope of Application

NIS2 applies to two broad categories of entities. Classification depends on both the sector (Annex I "high criticality" sectors versus Annex II "other critical" sectors) and the size of the organization (as a rule medium and large enterprises, with some entities in scope regardless of size):

Essential Entities

Large entities in Annex I sectors, including energy, transport, banking and financial market infrastructure, healthcare, drinking water and waste water, digital infrastructure, ICT service management (B2B), space, and central public administration.

Important Entities

Medium-sized entities in Annex I sectors and entities in Annex II sectors, including postal and courier services, waste management, chemicals, food, manufacturing (medical devices, electronics, machinery, vehicles), digital providers (online marketplaces, search engines, social networks), research organizations, and, where the national law so provides, local public administration.

Suppliers are not in scope merely because they serve an in-scope entity, but NIS2 requires in-scope entities to manage supply-chain security, so security obligations cascade contractually to third-party service providers. Many medium-sized private operators are also directly in scope, especially in the technology, industrial, and healthcare sectors.

Main Regulatory Obligations

Organizations subject to NIS2 must:

  • Adopt adequate technical and organizational measures for cyber risk management.
  • Draft and update IT security policies, including incident response plans.
  • Implement controls on supply chain and critical suppliers.
  • Notify significant incidents to the National Cybersecurity Agency (ACN, acting as CSIRT Italia) in stages: an early warning within 24 hours of becoming aware of the incident, a full incident notification within 72 hours, and a final report within one month.
  • Ensure training and accountability of top management.
  • Maintain audit trails and documentation of security activities.
  • Collaborate with authorities during inspections and in case of incidents.

Sanctions

The penalties for violations are severe:

  • For essential entities, up to €10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities, up to €7 million or 1.4%.
  • Personal liability of the management body (Board of Directors and executives), which must approve and oversee the risk management measures and can be held accountable for non-compliance.
  • For essential entities, the possibility of temporary suspension of certifications or authorizations and a temporary ban on the CEO or legal representative exercising management functions, in case of persistent non-compliance.

Deadlines

In Italy the obligations phase in. Entities had to register on the ACN portal by 28 February 2025; ACN then notified each registered entity of its inclusion in the list of essential or important entities, and by 31 May 2025 (and annually thereafter) entities must supply the additional information required (contact points, IP address ranges, and so on). The incident notification obligations apply nine months after the notification of inclusion (from January 2026 for the first cohort), and the security measures must be in place within eighteen months (by October 2026). Sanctions apply from the moment each obligation becomes effective, so organizations should begin their gap analysis now rather than wait for the later deadlines.

Our NIS2 Consulting Services

We support businesses and public organizations in full compliance with the NIS2 Directive, offering specialized technical and regulatory consulting through three scalable packages:

Basic Package

Compliance Analysis

  • Gap analysis against NIS2 requirements
  • Executive report on risks and missing measures
  • Identification of specific obligations (essential/important)
  • Compliance timeline with priorities

Advanced Package

Operational Implementation

Drafting and/or revision of mandatory policies:

  • Corporate security policy
  • Incident response policy
  • BYOD and smart working policy
  • Credentials and access management policy

Additional deliverables:

  • Incident notification and communication plan
  • Mandatory staff training
  • Guidelines for the Board of Directors

Complete Package

Governance, Audit, Contracts

  • Security audit on critical suppliers
  • Integration of NIS2 clauses in contracts (SLA, cooperation obligations, audit rights)
  • Data breach simulations and tabletop exercises
  • Assistance in case of ACN inspection
  • Continuous compliance maintenance program

Contact us to learn how we can support your organization in complying with the NIS2 Directive effectively, completely, and in proportion to your structure and sector.

Request NIS2 Consulting