The European Commission approved an important implementing act on cybersecurity on 17 October, marking a further step in protecting digital infrastructure and essential services within the Union. This Implementing Regulation, issued under the NIS2 Directive (Directive on the Security of Network and Information Systems), lays down a set of specific rules for managing cyber risk and reporting significant incidents, introducing a uniform and structured approach to cybersecurity across Europe.
The NIS2 Directive and its implementing regulation have a direct impact on a wide range of critical entities and networks, in particular on those infrastructures that provide digital services essential to the economic and social continuity of Member States.
The regulation was adopted close to the deadline set for the transposition of the NIS2 Directive into the national law of each Member State, establishing a clear model for ensuring a high level of security and resilience for digital infrastructures. Starting from 18 October 2024, the Member States are in fact required to adopt and apply the necessary measures to ensure full compliance with the provisions of the Directive, including supervisory and enforcement rules, through close collaboration between national authorities and private entities. This is an ambitious and complex commitment, which positions the European Union as a global reference model for cybersecurity policies.
The Implementing Regulation provides detailed guidance on the risk management measures that businesses and digital service providers must take to strengthen their resistance to cyber attacks and to minimize potential vulnerabilities in their systems and networks. The text requires that each organization involved carry out a periodic and complete assessment of the risks associated with its digital infrastructure, and it provides precise parameters for evaluating when a cyber incident should be considered “significant” for the purposes of reporting to the competent authorities. This integrated approach to risk management aims to ensure greater uniformity in the measures taken by Member States and to reduce the possibility of regulatory divergences that could weaken the effectiveness of common cyber defence.
The implementing act applies to a number of categories of companies working in critical sectors and providing digital services of strategic importance. These include cloud computing service providers, which manage data and applications for a wide range of users; data centres, which offer data storage and management services for multiple industrial sectors; online marketplaces, which constitute essential channels for commercial transactions in Europe and around the world; search engines, fundamental tools for accessing information and knowledge; and social networking platforms, which play an increasingly important role as vehicles of communication and social interaction.
The regulation also specifies in detail the criteria that must be met for an incident to be considered “significant”. This primarily concerns the impact of the incident on services and its potential influence on national security, the continuity of essential services or public trust. An incident is considered significant when it causes prolonged interruptions in the functioning of a network or an essential digital service, when it poses a risk of serious damage to the security of personal data, or when it significantly compromises the availability of, and trust in, the services offered by a digital enterprise. The regulation states that such incidents must be promptly reported to the national cybersecurity authorities, which will be responsible for monitoring and managing incident response in collaboration with the entities involved. This reporting mechanism is designed to ensure that authorities have a comprehensive view of cyber threats and can intervene in a timely and coordinated manner.
The implementation of these regulatory provisions will require institutions and companies to review and strengthen their security systems, adopting advanced technologies and risk mitigation strategies to protect their digital infrastructures from increasingly sophisticated and persistent attacks. The NIS2 directive and the implementing regulation in fact emphasize the importance of adopting a proactive approach to the management of IT security, which includes not only reactive measures in the event of an incident, but also preventive strategies to reduce the probability of attacks. Operators of essential services and digital infrastructure providers are called upon to implement constant monitoring systems to promptly detect suspicious activity, as well as develop incident response plans to ensure the rapid restoration of services.
With the entry into force of the Implementing Regulation, Member States will also have to establish and strengthen their national cybersecurity authorities, ensuring they have the resources and expertise necessary to carry out their role effectively. These authorities will be responsible not only for supervising compliance with the regulations by companies and digital service providers, but also for facilitating the exchange of information and collaborating with their counterparts and the defence institutions of other Member States to create a European framework of coordination. This collaboration will also extend to joint cyber incident simulation exercises, with the aim of testing and improving joint response capabilities in the event of a large-scale attack.
The adoption of these rules marks a significant turning point for cybersecurity in the European Union, making the EU an example for the world in terms of cybersecurity regulation. The NIS2 directive in fact represents a global reference model for cybersecurity policies, emphasizing the importance of a coordinated approach and the integration of cyber defense strategies at a European level. Thanks to this new regulatory framework, the EU will be able to tackle cyber threats more effectively, improving the resilience of critical infrastructures and ensuring greater security for citizens and businesses.
The adopted implementing regulation therefore represents not only an immediate response to current challenges, but also a strategic investment for Europe’s digital future. With technological progress and the expansion of AI, cyber threats are expected to grow in number and complexity, making a preventative and integrated approach to cybersecurity essential. The NIS2 Directive, together with the Implementing Regulation, constitutes a solid foundation for building a secure and resilient digital ecosystem, which can support the economic and social development of the EU in an increasingly competitive and interconnected global context.
Of course, there is no shortage of critical aspects that still need to be addressed and resolved. First of all, the NIS2 directive and the implementing regulation require organizations to equip themselves not only with secure infrastructures, but also with highly qualified and constantly trained personnel to manage and prevent cyber risks.
However, many European countries have a significant cybersecurity skills shortage, with demand for experts far outstripping supply.
Furthermore, the attention that the NIS2 directive places on responsibility and transparency in the management of cybersecurity could lead to further legal and compliance problems for institutions and companies.
The obligation to report incidents and to ensure high levels of security could expose organizations to significant sanctions for failure to comply or for delays in responding to incidents. This regulatory pressure, although justified by the need for greater accountability, risks generating a culture of formal compliance that privileges the fulfilment of legal requirements over the actual security of systems.
Organizations may find themselves investing more time and resources in meeting the bureaucratic requirements of the directive than in implementing effective and adaptive security measures.