Skip to main content
Redergo

NIS2 in Italy: What Changes for SMEs and Their Suppliers

5 minutes read
NIS2 in Italy: What Changes for SMEs and Their Suppliers

NIS2 is EU Directive 2022/2555, transposed in Italy by Legislative Decree 138/2024 and in force since October 2024. It extends cybersecurity obligations to around eighteen sectors. Entities in scope must register with the ACN, adopt risk-management measures, and report significant incidents within 24 and 72 hours.

A supplier sends over a security questionnaire before signing the contract. Ten pages: how we manage access, how fast we report a breach, whether our own subcontractors are vetted. A few years ago that document did not exist for a company our size. Now it lands on desks that never filed cybersecurity under "our problem". The reason has a name: NIS2.

The directive has been law in Italy since October 2024, and its obligations are phasing in through 2025 and 2026. Most of the noise around it misses the point for smaller companies. You do not need to be a bank or a power grid operator to be affected. You need to be in the supply chain of one.

What NIS2 is, without the acronym soup

NIS2 is Directive (EU) 2022/2555, the successor to the 2016 NIS directive. Italy transposed it with Legislative Decree 138/2024, in force since 16 October 2024. The supervising authority is the ACN, the national cybersecurity agency, which runs the registration platform and receives incident reports.

The aim is blunt: raise the security floor across the sectors a country depends on, and stop treating cybersecurity as an IT afterthought. Where the old NIS covered a handful of operators, NIS2 widens the net to around eighteen sectors and thousands of entities.

Whether it applies to you

Two tests decide it. First the sector: energy, transport, banking, health, water, digital infrastructure and public administration, but also manufacturing, food, waste management, postal services, chemicals and digital providers. Second the size: as a rule, medium and large entities, meaning from 50 employees or more than 10 million euro in turnover.

Entities are split into "essential" and "important". The label changes how closely you are supervised and how hard the penalties bite, not whether you must comply. Below the size threshold you are usually out, with exceptions for entities the State treats as critical regardless of headcount.

The supply chain clause is what pulls in smaller companies

Here is the part that catches software vendors, agencies and specialised suppliers off guard. An entity in scope is required to manage the security of its supply chain. In practice it pushes those requirements down through contracts. So a twenty-person company that builds software for a hospital or an energy utility ends up answering for access control, patching and incident reporting, even though NIS2 never named it directly.

We see it already in tenders and vendor onboarding. The questionnaire is not a formality. Answering "we take security seriously" without evidence is increasingly a way to lose the contract.

Server room with network cabling in a data center

What you actually have to do

The directive lists risk-management measures every entity must adopt: access control, encryption, network segmentation, backups with tested recovery, vulnerability handling and patching, and security across the supply chain. None of it is exotic. Most of it is what a well-run system should already do.

The real shift is accountability. The management body has to approve the security measures, can be held liable, and is expected to receive training. Security stops being something delegated entirely to whoever runs the servers.

Reporting: 24 hours, 72 hours, one month

A significant incident triggers a fixed sequence. An early warning to the ACN within 24 hours, a fuller notification within 72 hours with an initial assessment, and a final report within one month. Those windows are impossible to improvise during an actual breach, which is why logging and detection have to be in place before anything happens.

Where software decisions come in

Most of what NIS2 asks for is decided long before an audit, in how the software is built. Systems that log access properly, that can be patched without a rewrite, that keep data minimised and that do not trap you in a vendor you cannot leave turn compliance into a checklist. Systems that do none of that turn it into a rebuild. When we design custom software we treat these as defaults, not extras, and the same logic runs through how we handle personal data under the GDPR.

NIS2 is not a reason to panic, and the deadlines are not a marketing countdown. It is a floor. If your company sits in one of the covered sectors, or sells to someone who does, the practical move is to map where you stand now and close the obvious gaps before a client's questionnaire does it for you. If you want a second pair of eyes on the software side, talk to us.

Frequently asked questions

When did NIS2 come into force in Italy?

Italy transposed NIS2 with Legislative Decree 138/2024, in force since 16 October 2024. The concrete obligations, including registration with the ACN and the risk-management measures, are phasing in across 2025 and 2026 depending on the entity.

My company is small. Can NIS2 still affect us?

Yes, indirectly. Even below the size threshold, if you supply a company that is in scope, its obligation to secure its supply chain reaches you through the contract. Software vendors and specialised suppliers are the typical case.

What is the difference between essential and important entities?

Both must comply. The distinction affects how closely they are supervised and the maximum penalties. Essential entities face stricter, proactive supervision; important entities are supervised mainly after an incident or a report.

What are the incident reporting deadlines under NIS2?

For a significant incident: an early warning within 24 hours, a fuller notification within 72 hours with an initial assessment, and a final report within one month.

Related questions

  • Does NIS2 apply to software suppliers?
  • What penalties does NIS2 introduce?
  • How is NIS2 different from the GDPR?

Do You Have a New Project?