Home  /  Blog  /  Compliance

NIS2: the directive redefining leadership responsibility

A Board of Directors that ignores NIS2 is making a decision, even if it was never discussed in a board meeting. It's a risk decision, made by omission.

Who falls within scope

Directive (EU) 2022/2555, transposed in Italy through Legislative Decree 138/2024, does not apply "only to large IT companies". It applies to anyone operating in the 18 sectors listed in Annexes I and II, exceeding the size thresholds (50 employees or €10 million in revenue), and classified as an essential or important entity.

In practice: energy, transport, healthcare, water, digital infrastructure, public administration, but also medical device manufacturing, chemicals, food, postal services, waste management. If a company thinks "this isn't my sector", the first step isn't compliance: it's verifying the scope, with a formal opinion, not an impression.

A frequent edge case: a mid-sized manufacturing company, outside the direct scope under Annex I, discovers it must still comply because it is a critical supplier to an essential entity. Art. 21 of the Directive requires risk management across the supply chain: the essential-entity customer will ask for evidence of compliance as a contractual requirement, not a courtesy. NIS2 propagates downstream through the supply chain, regardless of a company's formal classification.

Why it isn't an IT issue

Anyone who delegates NIS2 to the systems department has already misunderstood the regulation. Art. 20 assigns responsibility for risk management to the management bodies, with the possibility of personal sanctions and suspension from management functions in cases of serious and repeated violations. For essential entities, financial penalties reach €10 million or 2% of global turnover; for important entities, €7 million or 1.4%.

There's a second, less discussed but more concrete level: NIS2 is becoming a market access requirement. Public tenders, bids and contracts with essential entities are starting to require evidence of compliance as a contractual condition. Companies that aren't ready don't just lose in the event of an incident: they lose at the supplier qualification stage, before even competing on price.

How to build a credible compliance path

A serious path follows four phases, not a checklist filled in over a weekend.

1. Structured gap analysis. Assessment of the current state against the 10 minimum measures under Art. 21: risk management, incident handling, business continuity, supply chain security, security in acquisition and development, evaluation of measures' effectiveness, basic cyber hygiene and training, cryptography, human resources security and access control, multi-factor authentication.

2. Governance and accountability. Appointment of a security officer reporting directly to the board, not buried three levels down the org chart. The board must approve risk management measures and undergo specific training: full delegation to the CISO, without understanding or oversight from directors, is itself a non-compliance.

3. Technical and organisational implementation. This is where the 10 measures become concrete: from managed patching to incident response plans that are tested, not just written. An incident response plan no one has ever simulated is a document, not a capability.

4. Incident notification within the required timeframes. Early warning within 24 hours of becoming aware of a significant incident, notification within 72 hours, final report within one month. A company that has never tested its ability to produce these reports on time will discover the gap during a real incident, the worst possible moment to find out.

"We already have ISO 27001 certification, we're covered." Not quite. ISO 27001 is an excellent starting point for the management system, but NIS2 requires specific elements not always covered: mandatory notification with strict timeframes, personal liability of directors, supply chain management with contractual requirements for suppliers. Certification reduces the gap; it doesn't eliminate it.

When to act

The Italian transposition is already in force. Companies within scope must register with ACN (the National Cybersecurity Agency) according to the communicated timeframes by size and sector, with an obligation to report identifying data and keep it up to date.

The operational point isn't the formal deadline, but the time needed to arrive prepared: a serious gap analysis takes weeks, implementing technical measures takes months, and training the board and staff is an ongoing cycle. Companies that start the process only at the registration deadline are structurally behind on the hardest part, the one requiring real organisational change, not just paperwork.

The question that really matters

It isn't "are we NIS2 compliant". It's: if we detected a significant incident today, could we notify ACN within 24 hours with accurate information, and could our board demonstrate it exercised adequate oversight over risk management? If the answer isn't immediate and documented, the compliance journey hasn't started yet, it's only been scheduled.

Want to assess your NIS2 scope?

Valuemate's Compliance team supports both the board and IT through gap analysis, governance and implementation of the 10 measures under Art. 21.

Talk to an expert

← All articles