Diritto al Digitale
Diritto al Digitale is the must-listen podcast on innovation law, brought to you by Giulio Coraggio, data and technology lawyer at the global law firm DLA Piper. Each episode explores the cutting-edge legal challenges shaping our digital world—from data privacy and artificial intelligence to the Internet of Things, outsourcing, e-commerce, and intellectual property.
Join us as we illuminate the legal frameworks behind today’s breakthroughs and provide insider insights on how innovation is transforming the future of business and society.
You can contact us at the details available on dlapiper.com
NIS 2 in Italy: Is Your Company Ready? The Cybersecurity Rules You Can't Ignore
Is your organization truly ready for NIS 2? Italy transposed the NIS 2 Directive through Legislative Decree 138/2024 — but implementation is complex, obligations are strict, and the criticalities are real.
In this episode of The Legal Break, Giulio Coraggio, location head of the Italian Intellectual Property and Technology department at the global law firm DLA Piper, and the journalist Antonio Ravenna give a clear, practical breakdown of what NIS 2 means for companies operating in Italy today.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📌 KEY TOPICS COVERED
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✔ NIS 2 Directive (EU 2022/2555) — what changed vs. NIS 1
✔ Italian transposition via Legislative Decree 138/2024
✔ 18 sectors in scope, including 11 "highly critical" sectors
✔ Essential vs. important entities: how to determine your category
✔ Registration obligations with ACN (Agenzia per la Cybersicurezza Nazionale)
✔ Technical and organizational security measures
✔ Incident notification timelines and requirements
✔ Supply chain and third-party vendor risk
✔ Management body accountability and personal liability
✔ Sanctions up to 0.1% of global turnover for essential entities
✔ Remaining open questions and compliance roadmap
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
👥 SPEAKERS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🔹 Giulio Coraggio — Partner, Technology & Data, DLA Piper Italy
LinkedIn: / giulio-coraggio
Blog: https://www.gamingtechlaw.com
🔹 Antonio Ravenna — Legal Journalist
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🔗 USEFUL RESOURCES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📄 D.Lgs. 138/2024 (Official text): https://www.normattiva.it
🌐 ACN – Agenzia per la Cybersicurezza Nazionale: https://www.acn.gov.it
🌐 DLA Piper Technology & Data practice: https://www.dlapiper.com
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🎙️ ABOUT THE LEGAL BREAK
━━━━━━━━━━━━━━━━━━━━━━━━━━━━
The Legal Break is DLA Piper's podcast series where legal experts decode the most relevant regulatory and legal developments for business — clearly, concisely, and without the jargon.
SPEAKER_01: Hello everyone, I'm Giulio Coraggio from DLA Piper.
SPEAKER_00: And I'm Antonio Ravenna, a journalist. We're here to talk about the implementation in Italy of NIS 2 and where we are at the moment. And we're going to do it in the time of a coffee break. So, Giulio, let's talk about the implementation of the NIS 2 directive. Where are we?
SPEAKER_01: Well, Antonio, it's kind of interesting where we are, because it's one of the situations where Italy was among the fastest implementers of NIS 2. And even in this situation, it was criticized because we were much faster than France, Germany, all the big countries across Europe, because the legislation came into place more than a year ago, and then we already have the first year of registration with the cybersecurity authority. We already have in place the provisions on the notification of incidents under NIS 2 that became applicable from January of this year. So companies, if they suffer an incident, already need to report an incident to ACN, the Italian Cybersecurity Authority. They already need to have in place a policy in order to assess incidents. But then we have other approaching deadlines, and we have the cybersecurity authority that is generating such a volume of documentation on obligations that need to be fulfilled.
SPEAKER_00: So, what should companies actually do and know about the NIS 2 implementation?
SPEAKER_01: Well, first of all, they need to understand whether they are in or out, which after a year seems a given, but it's not, because we still have clients that tell us, "Am I within the perimeter of NIS 2?" Then there is also the fact that DORA became applicable during the same period, and there is lots of confusion about what is covered by DORA and what is left out and might be covered by NIS 2. So, first of all, you need to understand whether you are within the perimeter. Secondly, you need to understand in relation to which services you are within the NIS 2 perimeter, and it's relevant that the Italian Cybersecurity Authority very recently required a categorization of the services that the company provides within the NIS 2 perimeter. So basically, it's not just a one-off exercise: you then need to map all your services and understand what is covered by each category of NIS 2 services. So it's a mapping exercise that needs to be done on a yearly basis, and it's really time-consuming because it requires analyzing your actual operations.
SPEAKER_00: So, Giulio, you mentioned the DORA regulation. So, once again, there's a lot of stratification within European regulations. Does the Digital Omnibus actually have any impact on the NIS 2 directive as well?
SPEAKER_01: The provisions that have been agreed introduced some minor changes. There is an attempt by the European Union to create some kind of harmonization across NIS 2 as well, because what we've been noticing over the last months is that NIS 2 is a directive and it was implemented quite differently across the European Union. The one-stop-shop principle applies in very limited circumstances when there are digital services, and then the requirements and the guidelines from local cybersecurity authorities are often inconsistent. So having a pan-European approach to NIS 2 in some cases is not feasible. It requires putting on the ground different documents; it requires giving evidence to authorities in a different manner.
SPEAKER_00: So let's be practical, as always. I have a company; what should I do, I don't know, in the next three months?
SPEAKER_01: First of all, if you are not sure whether you are in or out, or in relation to which services you are in or out, you need to do an institution assessment exercise on your services. Secondly, if you reach the conclusion that you are in, then you need to understand which services are covered and then put on the ground the policies, which shouldn't be just some additional paper but should be embedded in the actual operations. Let's bear in mind that NIS 2 is one of the few pieces of legislation that, in some countries like Italy, provides for a direct liability of board members, which is in line with the DNA of NIS 2, which wants to create a higher level of accountability of the top management in relation to cybersecurity compliance.
SPEAKER_00: Thank you, Giulio. This was very clear and very useful, as always.
SPEAKER_01: Thank you, Antonio. I hope it helps. Arrivederci.