Diritto al Digitale

NIS 2 in Italy: Is Your Company Ready? The Cybersecurity Rules You Can't Ignore

DLA Piper Law Firm


Is your organization truly ready for NIS 2? Italy transposed the NIS 2 Directive through
Legislative Decree 138/2024 — but implementation is complex, obligations are strict, and
the criticalities are real.

In this episode of The Legal Break, Giulio Coraggio, location head of the Italian Intellectual Property and Technology department at the global law firm DLA Piper and the journalist Antonio Ravenna give a clear, practical breakdown of what NIS 2 means for companies operating in Italy today.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📌 KEY TOPICS COVERED
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✔ NIS 2 Directive (EU 2022/2555) — what changed vs. NIS 1
✔ Italian transposition via Legislative Decree 138/2024
✔ 18 sectors in scope, including 11 "highly critical" sectors
✔ Essential vs. important entities: how to determine your category
✔ Registration obligations with ACN (Agenzia per la Cybersicurezza Nazionale)
✔ Technical and organizational security measures
✔ Incident notification timelines and requirements
✔ Supply chain and third-party vendor risk
✔ Management body accountability and personal liability
✔ Sanctions up to 0.1% of global turnover for essential entities
✔ Remaining open questions and compliance roadmap

━━━━━━━━━━━━━━━━━━━━━━━━━━━━
👥 SPEAKERS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🔹 Giulio Coraggio — Partner, Technology & Data, DLA Piper Italy
   LinkedIn: /giulio-coraggio
   Blog: https://www.gamingtechlaw.com

🔹 Antonio Ravenna — Legal Journalist

━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🔗 USEFUL RESOURCES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📄 D.Lgs. 138/2024 (Official text): https://www.normattiva.it
🌐 ACN – Agenzia per la Cybersicurezza Nazionale: https://www.acn.gov.it
🌐 DLA Piper Technology & Data practice: https://www.dlapiper.com

━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🎙️ ABOUT THE LEGAL BREAK
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
The Legal Break is DLA Piper's podcast series where legal experts decode the most relevant regulatory and legal developments for business — clearly, concisely, and without the jargon.


SPEAKER_01

Hello everyone, I'm Giulio Coraggio from DLA Piper. And I'm Antonio Ravenna, a journalist. We're here to talk about the implementation in Italy of NIS 2, where we are at the moment.

SPEAKER_00

And we're going to make it during the time of a coffee break. So, Giulio, let's talk about the implementation of the NIS 2 directive. Where are we?

SPEAKER_01

Well, Antonio, it's kind of interesting where we are, because it's one of the situations where Italy was among the fastest implementers of NIS 2. And even in this situation it was criticized, because we were much faster than France, Germany, all the big countries across Europe. The legislation came into place more than a year ago, and we already have the first year of registration with the cybersecurity authority. We already have in place the provisions on the notification of incidents under NIS 2, which became applicable from January of this year. So companies, if they suffer an incident, already need to report the incident to ACN, the Italian Cybersecurity Authority. They already need to have in place a policy in order to assess incidents. But then we have other approaching deadlines, and we have the cybersecurity authority generating a very large volume of documentation on obligations that need to be fulfilled.

SPEAKER_00

So, what should companies do, and what should they actually know, about the NIS 2 implementation?

SPEAKER_01

Well, first of all, they need to understand whether they are in or out, which after a year seems a given, but it's not, because we still have clients that tell us, "Am I within the perimeter of NIS 2?" Then there is also the fact that DORA became applicable during the same period, so there is a lot of confusion about what is covered by DORA and what is left out and might be covered by NIS 2. So, first of all, you need to understand whether you are within the perimeter. Secondly, you need to understand in relation to which services you are within the NIS 2 perimeter, and it's relevant that the Italian Cybersecurity Authority very recently required a categorization of the services that the company provides within the NIS 2 perimeter. So basically it's not just a one-off exercise: you need to map all your services and understand what is covered by each category of NIS 2 services. It's a mapping exercise that needs to be done on a yearly basis, and it's really time-consuming because it requires you to analyze your actual operations.

SPEAKER_00

So, Giulio, you mentioned the DORA regulation. Once again, there's a lot of stratification within European regulations. Does the Digital Omnibus actually have any impact on the NIS 2 directive as well?

SPEAKER_01

The provisions that have been agreed introduce some minor changes. There is an attempt by the European Union to create some kind of harmonization across NIS 2 as well, because what we've been noticing over the last months is that NIS 2 is a directive, and it was implemented quite differently across the European Union. The one-stop-shop principle applies in very limited circumstances, when there are digital services, and the requirements and guidelines from local cybersecurity authorities are often inconsistent. So having a pan-European approach to NIS 2 is in some cases not feasible. It requires putting different documents on the ground, and it requires giving evidence to authorities in a different manner.

SPEAKER_00

So let's be practical, as always. I have a company: what should I do, say, in the next three months?

SPEAKER_01

First of all, if you are not sure whether you are in or out, or in relation to which services you are in or out, you need to do an institution assessment exercise on your services. Secondly, if you reach the conclusion that you are in, then you need to understand which services are covered and then put on the ground the policies, which shouldn't be just some additional paper but should be embedded in the actual operations. Let's bear in mind that NIS 2 is one of the few pieces of legislation that, in some countries like Italy, provides for direct liability of board members, which is in line with the DNA of NIS 2, which wants to create a higher level of accountability of top management in relation to cybersecurity compliance.

SPEAKER_00

Thank you, Giulio. This was very clear and very useful as always.

SPEAKER_01

Thank you, Antonio. I hope it helps. Arrivederci.