NIS2: Risks and Opportunities for Businesses

authors

Fabio Borri

Introduction and regulatory references


NIS is an acronym that stands for "Network and Information Security".

With this acronym, the European Community intended to denote the legislative effort to define a standardised approach to cyber security in all EU Member States.

In 2018, the first European regulation on the subject, known as NIS1 (EU Directive 2016/1148), was passed and transposed at national level by Legislative Decree 65 of 18/05/2018.

The NIS Decree also provided for the adoption of a 'national cyber security strategy', establishing the Italian CSIRT (Computer Security Incident Response Team) with technical tasks relating to the prevention, response and monitoring of cyber incidents, in collaboration with the other European CSIRTs.

NIS1 was subsequently superseded by NIS2 (EU Directive 2022/2555), transposed at national level by Legislative Decree 138 of 4 September 2024.

NIS2 aims to overcome the limitations of NIS1, which left too much discretion to Member States during transposition (so that the objective of harmonisation was not achieved) and excluded certain categories of entities that should have been regulated because of their importance to the European market.

Furthermore, NIS2 responds to the increase in the rate of digitisation that has taken place in all Member States and was accelerated by the pandemic: the attack surface has grown without a corresponding strengthening of security systems.

Finally, NIS2 obliges operators of essential and important services and digital service providers to adopt adequate security measures and to report incidents promptly to the competent authorities and to the users of their services.

The new directive has been aligned with other sector-specific European regulations, including:

- the Directive on Digital Operational Resilience for the Financial Sector (DORA). This Regulation, approved on 10/11/2022, aims to raise the resilience and cybersecurity of the financial sector through a series of mandatory security measures that guarantee the integrity of information and the cybersecurity of services;

- the Critical Entity Resilience Directive (CER), aimed at ensuring legal clarity and consistency between the various directives.

The entities concerned have been divided into:

  • Essential entities (energy, transport, health, water supply, public administration, finance, space, digital infrastructure)
  • Important entities (research, chemicals, food, industrial production, digital providers, postal services, waste)
  • Public bodies: central government (constitutional and constitutionally relevant bodies, the Prime Minister's Office and ministries, tax agencies, independent administrative authorities); regional government (regions and autonomous provinces); local government (metropolitan cities, municipalities with more than 100,000 inhabitants, regional capitals, local health authorities); other public entities (economic regulatory bodies, economic service providers, associations, welfare, recreational and cultural service providers, research bodies and institutions, experimental zooprophylactic institutes); other types of entities (providers of local public transport services, educational institutions carrying out research activities, entities carrying out activities of cultural interest, in-house companies, investee companies and publicly controlled companies)
  • Suppliers: organisations that provide critical services to entities covered by NIS2 must also strengthen their digital security, even if they are not themselves explicitly included in the regulated sectors.

Content of NIS2


The general obligations set out in NIS2 can be summarised under four main pillars:

Governance: management must approve the risk management measures adopted by the organisation and assess their effectiveness over time; it must also follow regular training on cybersecurity issues and offer similar training to employees.

Risk management: the organisation must assess the risks to its networks and information systems and adopt appropriate and proportionate technical, operational and organisational measures to prevent incidents or minimise their impact on the recipients of its services.

Business continuity: the organisation must adopt solutions to ensure business continuity (e.g. backups, a disaster recovery plan and a crisis management procedure), aimed at minimising the impact of any interruption to the services provided.

Supply chain: the organisation must assess the vulnerabilities of each direct supplier and the overall quality of its suppliers' products and cybersecurity practices. The assessment covers ICT suppliers and any other critical supplier whose failure could disrupt the service for which the organisation has been included in the NIS2 perimeter.

Organisations will therefore be required to measure and report on:

  • Risk analysis and information system security policies
  • Incident management procedures
  • Business continuity solutions (backup and disaster recovery) and crisis management and communication procedures
  • Supply chain security policies (suppliers and service providers)
  • Security in the acquisition, development and maintenance of information systems and networks, including vulnerability management

NIS2 Timeline


Companies and public administrations will have to carry out an assessment to understand whether or not they are subject to the obligations of the NIS2 Directive.

From 1 December 2024 to 28 February 2025, companies should have authenticated themselves on the ACN (National Cybersecurity Agency) portal using their SPID credentials. During this period, users designated as /Registration Service.

In particular, companies are required to:

  • Indicate whether the entity is part of a group of companies and, if so, provide the tax code of the parent company.
  • List the related companies and provide their tax codes.
  • List the ATECO codes describing the entity's activity.
  • Indicate the relevant European Union sectoral regulations.
  • Provide turnover, balance sheet and number-of-employees figures to determine the size category of the company.
  • List the types of entities to which the company belongs.


By 17 January 2025, the following should have registered on the platform: operators of top-level domain name registries, providers of domain name system and domain name registration services, cloud computing and data centre providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engine providers and social networking service platform providers.

By 31 March 2025, the ACN compiled a list of essential and important entities based on the registrations received through the platform.

Between 1 April 2025 and 15 April 2025, the ACN notified the entities concerned whether they had been included in the list of essential or important entities.

By 15 April 2025, the entities that received the notification were required to appoint, by means of a specific act, an entity responsible for fulfilling the obligations of the decree.

After that, the entities affected by the Directive will have to comply with further requirements:

  • by 1 January 2026, the incident reporting obligation
  • by 1 October 2026, the obligations regarding administrative bodies and security measures


Each year, the ACN will update the list of entities involved. Companies and public administrations will have the opportunity to register each year, between January and February, if they consider themselves to be among the entities concerned.

Risks for companies but also opportunities


Following the entry into force of NIS2 and the identification of the operators involved, the competent authorities may carry out supervision and spot checks to verify compliance with the Directive. In the event of non-compliance, penalties will be applied to the organisations involved.

The penalties are very severe: for large companies, up to €10 million or 2% of global turnover; for medium-sized enterprises, up to €7 million or 1.4% of global turnover.

Although compliance requires a clear effort and investment on the part of companies, it must also be recognised that the regulation seeks to provide a substantial remedy to the problem of cyber attacks, to which Italian companies are still very susceptible and which they often tend to cover up for reputational reasons. In economic terms, the estimated average damage from each individual cyber attack is more than €2 million, regardless of the company's turnover.

How ERA can help with NIS2 compliance management


Despite all of the above, which might suggest that companies are extremely interested and engaged in cyber security issues, it is not uncommon, especially among small SMEs, to find companies that have done little or nothing on these issues and are currently unable to define their position in terms of the risks to which they are exposed, both from a technical point of view and in terms of compliance with the various existing regulations.

Some companies address cybersecurity through insurance coverage. However, insurers are often reluctant to offer this type of protection to companies that have never taken concrete action in the cyber sphere, because there is no reliable method for accurately estimating the damage caused by a cyber attack. As a result, the 'NIS2 packages' on the market focus on cyber risk assessment services but leave it to companies to take the measures needed to close any gaps. ERA can offer a more comprehensive service, relying on a network of highly qualified suppliers at very competitive commercial terms.

In detail, ERA's support consists of:

  • An assessment of the company's organisational and technical structure, with the aid of self-assessment questionnaires based on predefined indicators;
  • Awareness-raising and training courses, with basic courses for all staff and advanced modules for top and middle management, in line with NIS2 guidelines;
  • Specific, highly qualified testing: vulnerability analysis, phishing handling and ransomware risk assessment;
  • Support from dedicated consultants during the remediation phase following the assessment;
  • Specialised support from dedicated consultants to guide strategic decisions in the field of cybersecurity.


Our solution includes an analysis of compliance with the NIS2 regulation, which is certainly the most urgent concern, but it can also accompany the customer in the project management of the remediation phase, i.e. the phase in which the customer must remedy the various 'flaws' identified during the diagnosis. This is the phase in which the difficulties of some companies are most apparent, both in terms of internal skills and in the availability of time and resources.
