NIS 2 came into force in Italy on 16 October 2024, following transposition through Legislative Decree No. 138 of 4 September 2024, published in the Official Gazette on 1 October 2024. To date, the results are mixed and seem to go in two opposite directions.
Failure and opportunity
Those who thought, even for a moment, that NIS 2 would solve the IT crisis afflicting many public and private actors were deluding themselves. Organisations have continued to fall victim, and some of the victims have been illustrious.
Date | Target | Category | Threat |
---|---|---|---|
01/2025 | Conad Cooperative Society | Food chain | Lynx |
03/2025 | AMA Roma S.p.A. | P.A. | Unknown |
04/2025 | Lambert SpA | Chemistry | Akira |
04/2025 | Tralfo S.r.l. Shipping | Logistics | Sarcoma |
NIS 2, much hailed on portals, social networks, and podcasts, has not solved the computer security problem, which, in reality, no circular, directive, decree, law, or good intention can solve. Computer security requires concrete facts and objective measures that have been known for more than two decades and that will certainly not be applied merely because they have been written into a legislative decree. It is a failure because the ‘do-gooder’ approach is evidently not delivering the desired results and is not being followed by the checks and sanctions that are actually needed: the recent data breach at Mooney Servizi S.p.A. is a clear example. It is a failure because the ‘do-gooder’ approach rests on the idea that companies sincerely want to implement security measures and to invest the capital needed to bring their IT security up to standard. Perhaps this is true for a residual percentage of cases, but in the majority of situations the approach is quite different: they simply pretend nothing is happening. Yet computer security is important, and on this, at least conceptually, we all agree.

The recipe of the ‘good father of the family’, as publicly presented by the institutions even years ago, has not worked and has produced aberrant results. Many companies that over the years have taken charge of personal data, some of it very sensitive, have suffered data breaches that revealed largely homespun security measures.
NIS 2 is, in my opinion, a great opportunity; it is clear to everyone that the approach indicated by this Directive translates into concrete actions: specific security measures, specific controls, and specific monitoring activities must be implemented. For those who are serious about cybersecurity, the NIS 2 Directive says nothing new, but it certainly represents an opportunity to focus one’s efforts on the salient points of cybersecurity and to implement them correctly. It must be said that NIS 2 is as concrete as Circular 2/2017 was at the time, which regulates in detail many technical security aspects of public administration (and other) systems. Frankly speaking, few companies have moved towards implementing such controls, and some have done so only in order to take out a cyber-risk policy at an affordable premium. NIS 2 should, therefore, be a real opportunity to put one’s cybersecurity posture in order, and yet according to ANSA:
In March, 81 cyber incidents with a confirmed impact were recorded in Italy, 33 more than in February: central and local public administration were the most affected sectors. The figure is contained in the monthly report of the National Cybersecurity Agency. […] There were 28 ransomware attacks (with ransom demands). In March, an increase in the number of potentially compromised assets was detected following an analysis conducted by Csirt Italia, a body of the Agency. [Source: ‘In March, 81 cyber incidents in Italy, 28 ransomware attacks’]
Conclusions
This raises the question: seven months after the entry into force of the Directive, how are we reacting to cybersecurity? What is the attitude of organisations and their suppliers? Is there a healthy and constructive principle of collaboration in incident management, as NIS 2 precisely intends?

In essence, was NIS 2 taken as an opportunity to be consciously seized, or was it perceived as yet another regulatory adjustment to be fulfilled with as little effort as possible? Readers will have to make the hard judgement (which may not be so hard).