Integrated approach to cybersecurity management: a common compliance model
1. Introduction: a complex regulatory framework
Managing cybersecurity in accordance with a complex, fragmented and constantly evolving regulatory framework is one of the most significant challenges operators face today. The digitalization of production processes, the interconnection of infrastructures and the continuous proliferation of new cyber threats have led to the emergence of different regulatory sources – at both national and European level – which, while pursuing the same purpose, entail a certain fragmentation of the obligations they impose and, more generally, of the applicable regulatory framework. This can make it difficult for operators to outline a unitary organizational and operational model that allows them to fulfil the applicable regulatory obligations in a coordinated and efficient manner.
2. Areas of overlapping and divergence between legislative sources
2.1. NIS 2 Decree: starting point for a compliance model
Italian Legislative Decree No. 138/2024 (the NIS 2 Decree), which transposes Directive (EU) 2022/2555 (the NIS 2 Directive) into Italian law, introduced measures aimed at ensuring a high level of cybersecurity at national level for public and private entities operating in sectors considered essential or important.
The NIS 2 Decree represents the essential regulatory basis for operators in the development of a common cybersecurity strategy. The centrality of this decree lies in its horizontal nature, which makes it applicable to a plurality of sectors considered strategic or essential and which outlines a minimum, uniform set of obligations for important and essential entities, such as the adoption of risk management measures, the notification of incidents, the implementation of security controls and the preparation of business continuity plans. Given its general scope, the NIS 2 Decree must therefore be the starting point for the development of a compliance model, which must then be integrated and coordinated with the obligations arising from any additional regulations applicable to the individual operator, in order to ensure consistent and systematic cybersecurity management.
2.2. CER Directive: resilience of critical entities
Directive (EU) 2022/2557 (the CER Directive), transposed into national law by Italian Legislative Decree No. 124/2024 (the CER Decree), might at first sight appear distinct from the NIS discipline, since it concerns another aspect of security, i.e. the physical protection of critical infrastructures; in reality it is closely linked to the NIS 2 discipline. The two regulations share a number of common points, such as the multi-risk approach, the governance of security measures and the methods for managing incidents. Furthermore, confirming the partial overlap and convergence between the two regulations, Article 3 of the NIS 2 Decree provides that the decree applies to all entities identified as critical entities under the CER Decree. For these entities, therefore, implementing the obligations set out in the regulatory sources in question will require a joint reading of the decrees transposing both the NIS 2 and the CER Directives, and a common and integrated approach to the management of the IT and physical security of their ICT infrastructures.
2.3. The National Cyber Security Perimeter
The National Cyber Security Perimeter is the regulatory framework aimed at ensuring the protection of networks, information systems and IT services of strategic national security interest. Some entities, both public and private, may therefore be required to fulfil the obligations under both this framework and NIS 2 at the same time. In this regard, in order to avoid redundancies or overlaps between the two disciplines and to facilitate the regulatory adaptation process, the legislator has provided for a general exemption from NIS 2 obligations for the entities included in the Cyber Security Perimeter. However, the networks, information systems and services of these operators that are not specifically included in the Perimeter list do not benefit from that exemption and remain subject to Legislative Decree No. 138/2024. Operators included in the Perimeter may therefore still be required to comply with the obligations laid down by the NIS 2 regulations, at least for some of their ICT systems. While this reduces gaps in the security systems of important or critical entities, it also means that these operators must coordinate the fulfilment of the two disciplines under analysis in order to achieve an efficient compliance process.
2.4. DORA: lex specialis
The coordination between the NIS 2 discipline and Regulation (EU) 2022/2554 (DORA), which regulates digital operational resilience in the financial and insurance sector, appears more straightforward. Since DORA contains sectoral provisions, it is considered the lex specialis with respect to the NIS 2 discipline, and only the obligation to register on the platform made available by the ACN pursuant to the NIS 2 Decree applies to entities subject to DORA.
Notwithstanding the foregoing, DORA itself, in Recital 16, highlights the need to maintain a strong relationship between the financial sector and the EU's horizontal cybersecurity framework, so as to ensure consistency with the cybersecurity strategies adopted by Member States and to allow financial supervisors to become aware of cyber incidents affecting other sectors relevant under NIS 2.
3. Building a common cybersecurity strategy
The regulatory framework outlined above is the result of an articulated legislative process aimed at the progressive consolidation of cybersecurity in areas considered strategic for the protection of the public interest.
It is therefore appropriate for operators falling within the scope of cybersecurity legislation to adopt a compliance model based on an integrated and holistic approach, capable of combining the specific obligations imposed by the various disciplines on the subject. The aim must be to build an organizational system suitable for ensuring, on the one hand, the correct identification of the regulatory obligations applicable to the operator in light of its nature and activities and, on the other hand, the adoption of security measures proportionate to the specific risks. Such a model, if correctly implemented, can represent not only a regulatory compliance tool but also a strategic element in protecting the reliability and reputation of the operator, contributing to the protection of the public interest underlying cybersecurity.
Indeed, the adoption of a structured and integrated model of this kind, together with safeguards capable of guaranteeing a high level of cybersecurity, can represent a significant competitive advantage for the operator, especially in the current context of high exposure to cyber risks. From this perspective, the implementation of adequate and effective cybersecurity management models by some companies operating in a given sector may, firstly, constitute a strategic investment capable of generating an economic return and, secondly, trigger a broader process of improvement involving other operators and competitors, who will in turn be called upon to meet increasingly high security standards, driven by market dynamics that reward resilience and reliability in cyber risk management.
In practical terms, cybersecurity legislation first of all gives corporate management bodies a central role in the governance of cybersecurity, beyond the traditional remit of the IT function. These management bodies are called upon to approve and supervise cyber risk management measures, as well as to attend specific training courses. In addition, it will be necessary to structure a cybersecurity governance system based on clearly defined roles and responsibilities – including, for example, the appointment of a Chief Information Security Officer (CISO) – and on the establishment of a dedicated decision-making centre, such as an internal cybersecurity committee.
An essential element of this model is a timely and constantly updated mapping of critical IT assets and relevant ICT infrastructures, correlated with the regulations applicable at any given time, in order to outline a clear framework of compliance obligations and of the measures to be taken. On this basis, companies will be required to develop an IT risk management system that provides for periodic risk assessment activities, accompanied by the implementation of technical and organizational security measures calibrated to the levels of risk identified and suitable for ensuring the protection of information systems and business continuity. This IT risk management system should also consider the level of risk associated with the entire supply chain.
In order to manage the above-mentioned safeguards more efficiently, it is best to prepare a single, constantly updated set of documents that is easily accessible to all personnel and contains, for example, security policies, incident response plans, access management procedures and protocols for reporting to the competent bodies. Finally, continuous training at all levels of the company, not limited to technical staff, is particularly important, with the aim of spreading a culture of cybersecurity across the entire organization.
For the reasons set out above, the implementation of a common and integrated compliance model, which takes into account the entire regulatory framework applicable to a company at any given time, is not only a strategic investment for the company but also necessary to ensure timely and efficient compliance with existing regulatory obligations and to face the challenges arising from constantly evolving cyber threats.
