NIS2 DIRECTIVE

THE PILLAR OF EUROPEAN CYBERSECURITY

SCENARIO

The threat landscape in the network domain in Italy is highly diverse and constantly evolving, with the country emerging as a prime target for cybercriminals. The latest 2024 CLUSIT report provides a detailed and updated overview of the various types of attacks shaping the Network Security landscape. These attacks span a wide range of vectors, from vulnerabilities in systems—whether previously known or newly discovered—to social engineering attacks, where criminals deceive users through fraudulent communications.

The report's data highlights two types of attacks favored by cybercriminals for their high impact: malware, malicious software designed to damage or compromise network systems, and DDoS (Distributed Denial of Service) attacks, aimed at rendering online services inaccessible by overwhelming system resources. Statistics show that malware and DDoS attacks account for 32.6% and 30.3% of reported incidents, respectively. Given this context, attention is focused on these attack types to develop innovative and effective solutions to mitigate damage and improve system resilience.

IMPACTS

The economic damage resulting from these threats is significant. In 2024, the average cost of a data breach in Italy reached €4.37 million, reflecting not only direct damage from data loss or compromise but also recovery costs and potential legal actions. Regarding phishing, the average cost per breach stands at €4.18 million, while theft or compromise of credentials escalates the figure to €4.75 million.

Social engineering, one of the most insidious techniques for manipulating individuals to access sensitive information, incurs an average cost of €4.78 million per incident.

In response to the intensification of these threats, the European Union adopted the NIS2 Directive, which mandates stricter security standards for critical networks and information systems. The directive's goal is to strengthen network defenses, enhance data protection, and reduce risks associated with attacks, aiming to ensure greater security at both national and transnational levels.

SOLUTION

NIS2 DIRECTIVE

The NIS2 Directive marks a milestone in Europe’s cybersecurity strategy, aiming to bolster the protection of networks and information systems on a continental scale. This regulation is designed to safeguard the digital infrastructure interconnecting businesses, institutions, and public administrations across Europe, ensuring the continuity and security of essential services for modern society. Compared to the earlier NIS Directive, which focused primarily on critical infrastructure in energy and transport sectors, NIS2 significantly broadens its scope, encompassing new crucial sectors such as digital services, healthcare, public administration, and industries producing essential goods.

Under the directive, organizations are categorized into two main groups: "essential" and "important." The former includes entities operating in sectors where information security is critical for societal functioning and national security. Among Net Reply's clients are numerous companies in the energy (ENERGY) and telecommunications (TELCO) sectors, which, due to their function, are subject to stricter security obligations. ENERGY companies involved in the production, transmission, and distribution of electricity are classified as "essential entities" because their activities are vital for maintaining the safety and stability of the country's key systems.

TELCO companies managing critical infrastructures, such as INWIT, TIM, and Fibercop, also fall under the essential entities category if they support emergency services, provide indispensable infrastructure for vital national services, or if service disruptions would cause widespread harm to society. Their role is thus crucial not only for the economy but also for crisis management and national security.


THE ROLE OF ACN

Mandatory Measures and Implementation Roadmap

The responsibility for ensuring compliance with the NIS2 Directive falls on the National Cybersecurity Agency (ACN), which will play a central role in coordinating, monitoring, and supporting organizations in implementing the regulations. The ACN will provide guidelines and certification schemes, respond to non-compliance reports, and impose severe penalties on organizations failing to meet the directive's obligations. Fines can be particularly steep: up to €10 million or 2% of annual turnover for essential entities, and up to €7 million or 1.4% of annual turnover for important entities. These measures are designed to incentivize a high level of protection for infrastructures and sensitive data, equipping organizations to face growing network threats with adequate preparation and resilience.

The implementation roadmap sets clear and binding deadlines for companies and public administrations alike.


Prevention & Remediation

The NIS2 Directive mandates organizations to adopt a series of compulsory measures to improve Network Security, structured into two main areas: prevention and remediation. Prevention encompasses actions aimed at minimizing the risks of network attacks, while remediation focuses on strategies and measures to contain damage and quickly restore normal operations after an attack.

At a strategic level, every organization must develop policies and procedures to continuously assess the effectiveness of its security measures and its capacity to counter risks. A key component here is risk analysis: each organization must define clear security policies for network systems, implement regular evaluations of threats and vulnerabilities, and monitor the level of system protection continuously.

A top priority, especially for companies managing complex supply chains, is ensuring the security of the entire process, from supplier to end customer—commonly referred to as the supply chain. This must be protected at every stage, ensuring that all partners and suppliers adhere to required security standards.

Incident Management and Reporting

Employee training is another indispensable element. It is crucial for every staff member to be adequately trained on Network Security, acquiring skills to recognize and prevent threats while adhering to basic cyber hygiene practices. Companies must also implement access control policies and securely manage user identities, safeguarding access to sensitive data and critical resources.

At the operational level, securing systems involves protecting network assets at every stage of their lifecycle, from design to maintenance. Preventive measures include adopting encryption to protect sensitive data and implementing secure authentication to ensure that only authorized users can access systems.

When an attack occurs, the priority becomes ensuring business continuity, maintaining operations without significant disruptions. Measures such as backup management, crucial both as a preventive step and for post-attack recovery, play a vital role. Adopting disaster recovery plans is essential to ensure rapid data restoration and minimal operational interruption.

Network Incident Management

Another core aspect of the NIS2 Directive is the management of network incidents. Organizations must be prepared to respond swiftly to attacks, minimizing their impact on operations and data. This involves not only creating detailed incident management plans but also promptly reporting each breach and assessing its severity.

The NIS2 Directive outlines a precise protocol for incident reporting, divided into three key stages:


  • Pre-alert

    A preliminary notification of a significant incident signaling a potential attack. This must be submitted to the ACN portal within 24 hours of identifying the risk.

  • Incident Notification

    An official notification of the incident, accompanied by an initial assessment and impact estimate. This must be submitted within 72 hours of identifying the attack.

  • Final Report

    A detailed description of the incident, including the mitigation measures taken to respond to the event and limit the damage. This report must be provided after completing the incident analysis.

HOW NET REPLY CAN SUPPORT YOU

To ensure full compliance with regulations and robust protection against network security threats, Net Reply has developed a three-phase process aimed at enhancing the overall security of organizations:

