
NIS2 Is Coming: What Italian SMEs Need to Know

The NIS2 directive (Directive (EU) 2022/2555 on Network and Information Security) is the biggest regulatory change in cybersecurity Europe has seen in the last decade. It is no longer aimed only at large operators of critical infrastructure: NIS2 widens the scope to sectors such as manufacturing, waste management, food production and distribution, postal and courier services, and many others. If you are an Italian SME in one of these sectors, this directive concerns you.

The key point: NIS2 introduces concrete cybersecurity obligations, not recommendations. Mandatory risk management, incident reporting on a fixed clock (an early warning to the competent authority within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within one month), supply chain security, staff training, and direct responsibility of management, which must approve the risk measures and can be held personally accountable. Fines for essential entities can reach EUR 10 million or 2% of global annual turnover, whichever is higher (EUR 7 million or 1.4% for important entities). It is no longer something you can ignore.

What to do concretely

First thing: understand whether you fall within scope. NIS2 distinguishes between "essential entities" and "important entities." Classification depends on two things: the sector (listed in Annex I or Annex II of the directive) and the size of the company. As a rule, the directive applies to medium-sized and larger enterprises, meaning at least 50 employees or an annual turnover or balance sheet above EUR 10 million, with some sectors and public bodies covered regardless of size. A manufacturing company with more than 50 employees in the chemical sector, for example, almost certainly falls within scope. In Italy the competent authority is ACN (Agenzia per la Cybersicurezza Nazionale), and entities in scope must register with it. And even if you are not directly in scope, your large clients may require compliance from you as part of their own supply chain security obligations.

Second thing: don't wait. The worst mistake is thinking "there's still time." NIS2 compliance is not implemented in a weekend. You need a serious risk assessment, you need to implement technical and organizational controls (access control, backups, patching, incident handling procedures, supplier reviews, among others), and you need the documentation to prove it to the authority. For an SME starting from scratch, 6-12 months is a realistic timeline.

And here is where my experience with Cipher comes in - the platform I built to translate cyber risks into business language. Too often compliance is treated as a purely technical exercise. But NIS2 requires management involvement - and management needs to understand risks in their own terms, not in technical jargon.

Need an expert opinion?

If you want to dive deeper into this topic or need specialized consulting, let's talk.