The European Parliament has approved the text of the NIS2 Directive, which lays down measures aimed at guaranteeing a high common level of cybersecurity across the Union. The NIS2 Directive, approved by the European Parliament on 10 November 2022, regulates the cybersecurity risk-management measures and the resulting incident-reporting obligations of the sectors it addresses. The sectors covered by the Directive are those defined as strategic, such as energy, transport, telecommunications, digital infrastructure and the banking and financial sector.

Specifically, the NIS2 Directive is intended to integrate and strengthen the actions that Member States are required to take. Member States will have to adopt national cybersecurity strategies and designate or establish competent national authorities, as well as Computer Security Incident Response Teams (CSIRTs) responsible for incident handling and cyber crisis management, while ensuring that the entities covered by the Directive adopt cybersecurity risk-management measures and comply with the reporting obligations. Member States will also have to establish rules and obligations on the sharing of cybersecurity information.

Member States will then have to further specify the security obligations imposed on the entities covered by the Directive, which provides for the common adoption of a minimum set of measures. These cover, in particular: policies on risk analysis and information system security; incident handling; business continuity and crisis management; supply chain security; basic cyber hygiene practices and cybersecurity training for staff; policies and procedures on the use of cryptography and, where appropriate, encryption; human resources security and access control; and the use of multi-factor authentication or continuous authentication solutions.

The NIS2 Directive also broadens the scope of application by bringing within the rules companies that provide digital services, such as providers of cloud computing services, data centre services, electronic communications services and electronic communications networks, together with pharmaceutical companies, medical device manufacturers and healthcare providers, and food production, processing and distribution services, including large-scale distribution companies. The entities covered are classified as essential or important entities and, for certain categories, such as providers of public electronic communications networks or of publicly available electronic communications services, the Directive applies regardless of the size of the company.