NIS2, a turning point for cybersecurity: security enters the boardroom
30.03.2026

Cybersecurity is no longer a purely technical topic but a strategic priority that directly involves top management and all organisations operating in the digital world. While previously security was confined to systems management, the European NIS2 Directive now requires a profound change of perspective. Responsibilities and obligations regarding governance, security measures, supply chain oversight and incident management involve the governing bodies of all entities within the scope of the regulation, starting with the Boards of Directors.

These aspects were discussed on 25 March in the fifth and final episode of the Live LinkedIn of the Registro .it, at the end of the cycle dedicated to professionals and micro, small and medium-sized enterprises on key issues of digital transformation. The meeting, entitled "Cybersecurity, with NIS2 everything changes: greater responsibilities, starting with the Boards of Directors", was moderated by Massimo Fellini and involved the participation of Ernesto Belisario (lawyer and expert in innovation and AI law), Donato Molino (Chairman of the Steering Committee of the Registro .it – CIR and AssoTLD) and Valentina Amenta (Head of the Legal and litigation Unit of the Registro .it).

At the centre of the discussion was the impact of the European NIS2 Directive, transposed in Italy by Legislative Decree no. 134/2024, which significantly broadens the scope of the individuals and companies involved and introduces new organisational and operational obligations.

As Ernesto Belisario points out, the current environment is characterised by a significant increase in cyber-attacks and escalating costs related to data breaches. Against this backdrop, European legislation seeks to strengthen the resilience of organisations by introducing an element of marked discontinuity: the direct involvement of Boards of Directors, which are called upon to approve security measures, supervise their implementation and promote internal training. 

Among the most innovative aspects of NIS2 is the focus on supply chain security. Indeed, organisations are required to assess and monitor their suppliers, introducing security requirements in contracts and regular audits, with a risk management perspective that extends across the entire value chain. 

From an operational point of view, the directive imposes strict deadlines for notification of incidents, within 24 hours for early warning and 72 hours for complete transmission, thus requiring appropriate organisational structures and processes. In addition to this, there is a substantial sanctioning regime, which can reach up to 2% of the global turnover for essential individuals or companies. 

In her keynote presentation, Valentina Amenta pointed out that NIS2 represents a profound evolution from the previous directive (NIS1), noting once again how the focus shifts from the individual organisation to the entire digital ecosystem, making it clear that vulnerabilities can lurk across the supply chain. This change requires not only technological investment, but also a cultural leap forward, with increased awareness and a proactive approach to risk management.

One particularly important issue concerns the level of maturity of Italian companies, especially SMEs. While awareness of cyber risk has increased, critical issues remain related to the lack of skills and resources needed to fully comply with the legislation. In this sense, NIS2 can also be an opportunity: companies investing in security strengthen their market position and their ability to stay within supply chains. 

Donato Molino pointed out that, after a first phase characterised mainly by formal obligations, companies are entering a more operational phase, made up of risk analysis, definition of procedures and implementation of concrete measures. Governance also demands particular attention: the direct responsibility of the Boards of Directors and the need to adopt business continuity and disaster recovery plans require a rethinking of internal processes.

However, there is no shortage of difficulties, especially for smaller companies, which are faced with stringent compliance deadlines, procedural complexities and new responsibilities. In this context, the importance of cooperation between institutions, trade union associations and players in the sector to support businesses emerged, particularly in terms of training and the dissemination of clear guidelines. 

Molino also emphasised the specific role of Registrars, initially excluded from the legislation and now considered essential subjects for the security of digital infrastructures, in particular for the management of domain name data. Although they are often small companies, they must guarantee accuracy and completeness of information and make their operating procedures transparent. This new responsibility requires structural and procedural adjustments, but it also represents an opportunity to strengthen the overall security of the Italian network. 

A few months ahead of the main deadlines set by the legislation, the compliance process is already underway, though still evolving. NIS2 should be seen not merely as a bureaucratic requirement, but as a genuine strategic investment for businesses and public administrations. The real challenge for the country’s system will be to transform compliance into operational capability: integrating security into processes, strengthening resilience, and making the economic fabric more reliable and competitive over the long term.
