Italy's transposition of the NIS2 directive dates to 2024. But the moment a company really notices is now, when the first requests for evidence arrive. Strip away the conference noise and six concrete obligations and two dates remain. Let's look at them without waffle.
01 Who's in and who's out
First question, the one that counts: does NIS2 concern you? The directive distinguishes essential and important entities, by sector and size. The base threshold is 50 employees or €10 million in turnover, but with exceptions that pull in smaller players too if they operate in critical supply chains.
In practice, if you're a manufacturing SME, a healthcare supplier, a digital service operator, or you work in the energy or transport chain, you're very likely in. Even as a supplier to an essential entity: that's the point many underestimate.
02 The six obligations that matter
Article 21 lists the risk management measures. Translated into things an IT manager actually has to do:
- Risk analysis and security policy. Documented, not verbal. They must exist on paper and be kept up to date.
- Incident handling. A written process to detect, classify and respond, with roles defined before they're needed.
- Business continuity. Tested backups, recovery plans, stated time objectives. A backup never restored isn't a backup.
- Supply chain security. Assessment of ICT suppliers and their exposures.
- Basic hygiene and encryption. Patch management, multi-factor authentication, encryption where needed.
- Training and top-management accountability. The board answers for it. It's no longer just an IT problem.
03 The two dates
Transposition has already happened. What changes in 2026 is enforcement: registration of entities with the competent authority, and concrete activation of the notification obligations. The notification window for a significant incident is tight and worth memorising.
If you don't have a process that lets you meet the 24-hour window, formal compliance is useless: at the moment of the incident you'll be late by definition.
04 What you can ignore
Good news: you don't have to become a bank. NIS2 asks for measures proportionate to risk and size. A 120-person SME doesn't have to build an in-house security operations centre with twenty analysts. It has to show that it assessed the risks and adopted reasonable measures.
You can ignore, for now, the voluntary certifications used as a bogeyman by vendors. The regulation doesn't mandate ISO 27001. It helps, but it isn't a legal obligation. Be wary of anyone selling it to you as the only way.
05 Where to start, concretely
The most common mistake is starting from the policy. You start instead from the snapshot: what you have, what's exposed, where the holes are. Without that, every policy is theory. That's why we almost always propose a network audit as the first step: seven days, on-prem, and at the end a document in hand that maps every finding to the corresponding NIS2 article.
From there compliance becomes a list of things to close in order of priority, not an indistinct monster. The hard part isn't understanding the regulation. It's knowing where you stand.