Cybersecurity and compliance are among the major challenges facing corporate directors, who have to navigate regulations that differ between countries and sectors while, at the same time, ensuring that the teams defending the company's networks can operate quickly.
Far from being mutually exclusive, the two must be integrated so that the company both complies with the applicable directives and stays safe from intrusions, a balance that is never guaranteed in advance. Laws and regulations are varied, differing between industrial sectors and even between countries, so a company may have to comply with more than one directive. Compliance, however, does not necessarily mean that the corporate infrastructure reaches an acceptable level of security, just as the opposite is not guaranteed either. At the European level, attempts have long been made to standardize legislation on the subject, with the 2016 Directive on the security of networks and information systems (NIS), whose goal was precisely to achieve a high common level of security across all member states. The deadline for transposing the directive into national law was May 2018. Italy did so with Legislative Decree no. 65 of 18/05/2018.
The NIS Directive
Who is it for?
The NIS Directive applies to all operators of essential services (OES) and digital service providers (DSP) operating within the European Union. Small digital service providers with fewer than 50 employees and an annual turnover of less than €10 million were excluded. The former include operators in the drinking water, energy, digital infrastructure, health, transport and finance sectors. The latter include services such as those provided by search engines, cloud computing services and e-commerce platforms.
What it establishes
Specifically, the NIS Directive requires these organizations to adopt adequate technical and organizational measures to secure their corporate networks, starting from an analysis of potential risks and implementing the practices necessary to prevent security incidents or minimize their potential damage, so as to ensure the continuity of services. A further crucial aspect is the timely notification to the competent authority of any IT incident that affects the continuity of the service. Organizations within scope that do not comply with the Directive face administrative sanctions of up to 150 thousand euros.
The NIS2 Directive
NIS2 is an update of the original NIS Directive of 2016, made necessary by the evolution of IT risk scenarios and by the need to fill gaps that had emerged in the meantime. In May 2022, an agreement was finally reached on these updates. The focus remains on raising the level of security for companies, with particular reference to the supply chain, which has proved to be one of the greatest weak points, but also on simplifying the methods and obligations for reporting incidents. Another important change is that the distinction between operators of essential services and digital service providers is eliminated in favor of a classification of companies into "essential" and "important" entities, established on the basis of the services offered. Finally, the scope of application is extended to the pharmaceutical, chemical products and medical devices, food, waste and postal services sectors, and to the public administration.
The advantages for companies
The entities covered by the NIS and NIS2 Directives are clearly specified, and a large number of companies remain outside these obligations. Nonetheless, the Directive remains an excellent opportunity to carry out a critical self-assessment of one's IT infrastructure, to better understand the current situation and potential risks, and to improve the response in the event of a breach. Even without a legal obligation, ensuring adequate protection of networks, so as to guarantee the operation and supply of services as well as the confidentiality of information, must be a priority for every company, including small ones.
The self-assessment that the Directive proposes is feasible for every company; the resulting interventions may be financially demanding, but simply being aware of one's limits is already a step forward. The self-assessment process addresses two areas: the analysis of the risk of information being breached or used without authorization, and the analysis of the effectiveness of existing security measures against standard checklists. This approach significantly improves awareness of risks even for companies that are not directly subject to the legal obligations but are no less exposed to data loss or the blocking of operations. Protecting your business can only be a priority for every economic operator.