21 May 2025

NIS 2 Phase 2 - Second Implementation Phase Launched

Retelit - Insights

The Working Group for the implementation of NIS2 met on April 10 to launch the second phase of the structured, gradual process for adopting EU Directive 2022/2555 (NIS2), which aims to raise the level of cybersecurity across the national production system and the Public Administration.

The National Cybersecurity Agency (ACN) has now precisely defined, on the basis of and in alignment with the National Cybersecurity and Data Protection Framework, the measures that in-scope entities (organizations and businesses operating in sectors vital to the economy and society) will be required to comply with.

The 16 areas required by the directive

Specifically, essential entities must comply with 116 requirements, while important entities are subject to "only" 87. In both cases, the requirements are divided across the following areas:
  1. Risk management: identifying, assessing, and addressing cybersecurity risks by integrating them into organizational processes and regularly updating them according to emerging threats
  2. Roles and responsibilities: must be formally defined, approved by management, and periodically updated to ensure accountability and efficiency in cybersecurity
  3. Personnel reliability: staff must be selected based on experience, skills, and trustworthiness, with contractual security obligations even after the employment ends
  4. Compliance and security audits: security policies and measures must be regularly reviewed and audited to ensure compliance with current regulations
  5. Cybersecurity risk management in the supply chain: security requirements must be included in contracts with suppliers, compliance must be monitored, and risks must be assessed throughout the supply chain
  6. Asset management: all relevant assets must be identified, inventoried, and managed according to their importance to business objectives and risk strategy
  7. Vulnerability management: structured processes must be defined for identifying, resolving, and monitoring vulnerabilities, with prompt corrective actions implemented
  8. Operational continuity, disaster recovery, and crisis management: documented plans must be developed, maintained, and tested to ensure operational resilience and rapid recovery
  9. Authentication, digital identity, and access control: identities and access must be managed using the principles of least privilege, separation of duties, and multi-factor authentication
  10. Physical security: facilities must be protected from unauthorized access through controls consistent with risk levels
  11. Staff training and awareness: all personnel, including administrators, must receive continuous training to increase awareness of cybersecurity risks and protection measures
  12. Data security: data must be protected both at rest and in transit through secure encryption and appropriate backup measures
  13. Development, configuration, maintenance, and decommissioning of information and network systems: all activities must follow secure practices throughout the system lifecycle, ensuring timely updates and secure disposal of obsolete technologies
  14. Network and communications protection: networks and infrastructure must be protected using adequate perimeter security measures and strict remote access controls
  15. Security event monitoring: continuous monitoring systems must be implemented to detect anomalies and incidents in a timely manner
  16. Incident response and recovery: an operational incident management plan must be in place, including clear procedures for notification, response, and recovery

The breadth and variety of these areas are immediately apparent. This ensures comprehensive coverage of every aspect of cybersecurity, as it should. However, it also introduces a high level of complexity that calls for a heterogeneous mix of expertise: the requirements are not only technological but also organizational, procedural, governance-related, and regulatory.

Identifying the involved entities

ACN has already identified the institutions, companies, and organizations that qualify as "NIS2 entities" and must therefore comply with the directive, and has begun notifying these entities of their new status.

It is known that there are more than 20,000 entities, including 5,000 classified as Essential—those operating in highly critical sectors and providing fundamental services for society and the economy. The remaining 15,000 are Important entities, operating in critical sectors and providing significant services that, while not essential, are key to the resilience and security of operations.

Additionally, as identified during the first phase of NIS2 adoption, all companies within the supply chain of an Important or Essential entity are also affected. While these companies are not themselves required by ACN to comply with the directive, nor are they subject to sanctions, Essential and Important entities are obligated (there are 7 related requirements) to manage the risks arising from their supply chain and to define security requirements for suppliers that align with their own. Supplier companies will therefore be directly involved in their customers' risk management processes and must periodically demonstrate compliance with the agreed-upon security measures.

The entry into force of the NIS2 directive is expected to significantly raise the cybersecurity posture of companies of all sizes. Medium and large enterprises, most of which naturally fall into the Important and Essential categories, will be primarily affected, but smaller businesses will also feel the impact because of their roles in supply chains.
According to the CYBER INDEX SME REPORT 2024 “[...] 48% of Italian SMEs report that they operate within strategic value chains—that is, those that involve critical infrastructures, multinational companies, or public administrations, or are active abroad in geopolitically unstable countries.”

So what should be done? Timeline and responsibilities

NIS entities must implement the necessary measures and requirements by October 2026. That leaves about a year and a half to define, deploy, and operationalize all the procedures and technological components required to secure their organizations.

It will therefore be necessary to plan every action carefully, identifying areas for improvement and mapping them to the requirements. A thorough analysis must cover organizational and governance aspects as well as the technological ones essential for implementing effective protection, defense, and monitoring mechanisms.

For all other companies, it is essential to recognize that investing in cybersecurity is no longer optional: it is a fundamental requirement for remaining competitive. In a market where large and medium-sized enterprises (especially those subject to NIS2) demand increasingly higher levels of data protection and security, companies, and SMEs in particular, that fail to upgrade their defenses risk being excluded from business opportunities and strategic partnerships.

How Retelit supports companies on the NIS2 journey

Addressing NIS2 compliance is not just about fulfilling a European directive; it is an opportunity to rethink one's security posture in a modern and structured way. Retelit positions itself as a competence hub, offering continuous support to organizations in tackling NIS2 complexity through integrated services that combine internal expertise with that of highly specialized strategic partners (particularly in compliance and governance) and with selected solutions from leading technology vendors.

We can assist customers in the preliminary phase with a Gap Analysis to define the shortest and most effective path to compliance, as well as during implementation, supporting the organization in deploying the measures needed to cover the 16 areas outlined above.
Analysis by Andrea Priviero – Product Marketing, Retelit