NIS2: what changes for Italian companies in 2025
The NIS2 directive (Network and Information Security 2) represents the most significant regulatory update in European cybersecurity in recent years. With its transposition into Italian law, thousands of companies now need to adapt their IT processes within specific deadlines.
Who is subject to NIS2?
The directive considerably expands the scope compared to NIS1. It covers operators in essential sectors (energy, transport, banking, healthcare, digital infrastructure) and important sectors (postal services, waste management, critical manufacturing, digital providers).
The size threshold is also lower than under NIS1: medium enterprises with more than 50 employees or over €10 million in revenue that operate in the listed sectors are now included as well.
The main obligations
- Risk governance: formal security policies, periodic risk analysis, incident management procedures.
- Business continuity: updated and tested BC/DR plans.
- Supply chain security: risk assessment of third-party suppliers (software, hardware, cloud services).
- Incident notification: mandatory reporting to the competent authority within 24 hours for significant incidents.
How does a company comply?
Our typical approach starts with a gap analysis against NIS2 requirements, followed by a tailored remediation plan (based on the organisation’s actual IT maturity), and concludes with implementation and continuous monitoring.
This is not a one-off project: NIS2 requires a systematic and continuous approach to security.
For a NIS2 posture assessment, contact us at info@fenixvega.com.