NIS2: digital security of enterprises in 2025
Summary
In 2025, the European regulatory framework raised the bar with the entry into force of the NIS2 Directive. The new rules no longer affect only large critical infrastructures and essential service providers: they reach a much wider range of organizations, including SMEs and public administration.
The NIS2 Directive is a paradigm shift and a clear stance by the European institutions on security: where we used to talk about minimum obligations, today we think in terms of business continuity, risk management and top management accountability. It is no longer enough to protect against threats; organizations must demonstrate that they do so well, in an ongoing, transparent and structured way.
For many Italian companies this means an organizational transformation: reviewing roles, processes, tools and internal policies. With the NIS2 Directive the penalties are real, and the responsibilities of managers, including personal ones, are written in black and white.
NIS2: overview and guiding principles
NIS2 is the second version of the European Network and Information Systems Security Directive, first adopted in 2016 and revised in depth in 2022 to respond to a much more evolved and aggressive digital threat landscape. It took effect in October 2024, but 2025 is the year in which companies must be fully compliant.
The objective of the directive is twofold: on the one hand, to improve the overall level of cybersecurity in EU countries; on the other, to strengthen cooperation between member states in the event of cross-border incidents. The real innovation is that NIS2 does not just ask companies to "defend themselves", but obliges them to adopt a structured, systemic and integrated approach to cybersecurity.
This means having documented plans, clear responsibilities, the ability to respond quickly and, most importantly, a corporate culture that treats digital security as an integral part of operational strategy.
Sectors and companies involved: who is required to comply with NIS2
One of the most notable aspects is the broadening of the scope. Where the first NIS Directive applied only to a small number of essential service operators and digital providers, the new legislation involves many more companies.
Specifically, NIS2 applies to two main categories:
- Essential entities: that is, companies operating in critical sectors such as energy, transportation, healthcare, water, digital infrastructure, and public administration.
- Important entities: they are active in areas such as food production and distribution, critical manufacturing, postal services, waste and chemical management, as well as many IT companies.
But the real news is that it is no longer just the sector that matters, but also the size. The directive also covers medium-sized enterprises (more than 50 employees or more than 10 million euros in turnover) if they operate in the sectors above. As a result, many Italian SMEs that were previously outside the scope of European cybersecurity obligations must now equip themselves to meet much higher standards.
The idea is that any weak link in a digital supply chain could jeopardize the security of an entire industry, which is why NIS2 pushes for widespread accountability throughout the value chain.
Key operational changes for companies
NIS2 introduces a number of concrete and stringent obligations that companies will have to comply with. This Directive speaks not only of implementing technologies, but of structuring an entire enterprise system capable of effectively preventing, managing and communicating cyber incidents.
Here are the main operational changes introduced by the directive:
- Governance and accountability: corporate management is directly responsible for cybersecurity. Managers must ensure that the required measures are taken and can be held personally liable in case of non-compliance or incidents.
- Minimum technical and organizational measures: companies must adopt a set of measures including access management, network segmentation, encryption, backup technologies, software updates, vulnerability management, vendor control, and more.
- Security incident management: clear processes must be implemented to identify, contain, respond to and communicate any relevant cyber incident. This includes detailed logging of activities and tracking of the actions taken.
- Obligation to notify within 24 hours: any significant security incident must be reported to the appropriate authorities within 24 hours. Incomplete or late notification may result in penalties.
- Audits and periodic checks: companies are subject to audits by national inspection authorities. At each inspection, they must be able to demonstrate the minimum required level of security.
- Continuing education and internal awareness: as the true foundation of corporate cybersecurity, companies must ensure that all staff are trained and aware of the risks, best practices and behaviors to adopt in the event of an attack or incident.
Implementation challenges for Italian companies
For many Italian companies, adapting to the new requirements of the NIS2 Directive means facing significant challenges, both organizational and technological.
First, many enterprises still lack a clear view of their cybersecurity maturity level: structured risk mapping, clear governance, and an integrated strategy between IT and business are often lacking. In other cases, the technologies are there, but the internal skills to manage and improve them on an ongoing basis are lacking.
An additional obstacle is the supply chain. NIS2 requires every company to also ensure the security of its critical suppliers. This means establishing processes for constant control, auditing, verification and collaboration, which require time, resources and know-how.
Finally, the human factor remains central. Even the most robust infrastructure can be compromised by human error, misconfiguration or a social engineering attack. This is why security training and culture must become a constant part of daily work.
How to prepare effectively: the role of specialized consulting
Many companies choose to rely on specialized external consultants to ensure that they meet the new requirements of NIS2. This not only shortens the time to compliance, but also ensures a level of quality and reliability that often cannot be achieved internally, especially in SMEs.
The consulting support provided by Lanpartners
Lanpartners, with more than two decades of experience in IT governance, cybersecurity and digital risk management, supports companies throughout the compliance journey, offering a modular, high-level and customized approach.
- Initial assessment and gap analysis: analysis of the current security level, systems mapping, risk assessment, and identification of critical points against NIS2 requirements.
- Planning and operational roadmap: definition of a concrete action plan with clear priorities, assigned responsibilities, and precise goals set over time.
- Support in drafting corporate policies: production of technical and organizational documentation such as security policies, incident response procedures, and internal regulations.
- Staff training and awareness: customized training programs for managers, technicians and employees, including attack simulations and emergency management.
- Monitoring, auditing and incident management: activation of continuous monitoring systems, support in incident management, and preparation for inspections by the competent authorities.
NIS2 sets new standards, but it also offers an opportunity to genuinely rethink how your company addresses digital risk. As true partners to our clients, at Lanpartners we work hand in hand with management to build robust, scalable and compliant processes that strengthen the IT infrastructure in a lasting way. Each company has specific needs, which is why our paths, always starting from a concrete analysis, are translated into real and verifiable operational solutions.
If you want to make sure you fully comply with the new requirements of the NIS2 Directive, visit our site and contact us for a consultation.