I deal with IT security at a procedural level, based on ISO 27001:2005 guidelines and techniques for prevention and protection against IT threats.
The ISO 2700X standard establishes that information security is characterized by integrity, confidentiality and availability.
The guidelines are organized into sections, each dedicated to a specific area:
- Security Policy: provide management directives and support for information security.
- Security Organization:
  - control information security within the company;
  - monitor information security when responsibility for information processing has been outsourced.
- Asset Classification and Control:
  - maintain protection of the organizational structure and ensure that the information structure receives an appropriate level of protection.
- Personnel Security:
  - reduce the risks of error, theft, fraud or abuse by operators;
  - ensure that users are informed of possible threats and concerns about information security and are equipped to support the company's security policy during their normal work;
  - minimize damage from security events and malfunctions and learn from such events.
- Physical and Environmental Security:
  - prevent unauthorized access, damage and interference within the business information flow;
  - prevent loss, damage or compromise of systems and interruption of business activities;
  - prevent tampering with or theft of information.
- Communications and Operations Management:
  - ensure correct operation and ease of information processing;
  - minimize the risk of system failures.
- Access Control:
  - control access to information;
  - prevent unauthorized access to information systems;
  - detect unauthorized activities.
- System Development and Maintenance:
  - maintain the security of software and system data.
- Business Continuity Management:
- Compliance:
  - avoid non-compliance with civil and criminal laws and with any security requirements.
NIS2: the regulation igniting cyber security (Legislative Decree No. 138/2024)
Compliance and digital resilience: we help you achieve compliance
The NIS2 Directive, which came into force in mid-October and was transposed into Italian law with a specific legislative decree (Legislative Decree No. 138/2024), aims to strengthen IT security and digital operational resilience of organizations that offer services within the European Union in specific sectors (called “high criticality sectors” and “other critical sectors”).
The Directive replaces the previous one from 2016, expanding its scope of application and introducing more stringent requirements for the protection of networks and information systems.
While compliance with NIS2 is mandatory for security reasons, it also offers companies the opportunity to:
- encourage internal innovation, modernizing their IT infrastructure and increasing the security and efficiency of processes;
- strengthen corporate credibility and the trust of customers and partners;
- enhance competitiveness and access broader markets.
Who the NIS2 Directive applies to
The Directive requires public and private organizations, operating in 18 sectors considered particularly relevant (because they are deemed fundamental for the functioning of European society and economy), to raise their IT security levels.
The ACN (National Cybersecurity Agency), appointed by the transposition legislative decree as the competent Italian authority for the application of the Directive, has identified these critical sectors in accordance with the Directive itself, including:
- energy
- transport
- healthcare
- digital infrastructure (data centers, cloud, telecommunications)
- ICT services
- Public Administration
Regarding private organizations, only large and medium-sized companies are required to comply. For small and micro enterprises, it depends on their relevance in the reference sector.
Organizations affected by NIS2 must implement appropriate technical, operational and organizational measures to manage risks related to IT security, including:
- implementation of measures for risk management and protection of systems from emerging cyber vulnerabilities and threats;
- obligation to notify incidents with significant impacts within 24 hours of discovery, to ensure a rapid and coordinated response; notifications must be made to the competent CSIRT Italy (Computer Security Incident Response Team), the internal structure of ACN that has the responsibility to monitor, intercept, analyze and respond to IT incidents;
- adoption of advanced security measures, such as multi-factor authentication, encryption and ciphering, to increase data protection and prevent unauthorized access;
- continuous training of the top management of the companies involved (administrative and management bodies), and promotion of training for all involved personnel, in order to create, from a preventive perspective, a corporate security culture.
The details of the obligations and measures will be defined by ACN during 2025 and, according to the timeline shared by the Agency itself, the implementation of the new obligations will be gradual and progressive:
- new notification obligations will apply from January 2026;
- new cybersecurity measures must be implemented starting from September 2026.
The ACN portal for NIS2 compliance (www.acn.gov.it) is the portal for registering the organizations to which the NIS2 Directive applies.
Future Touch provides companies with targeted solutions that help them achieve the level of compliance required by the NIS2 Directive:
- IT security with advanced encryption solutions, essential for protecting sensitive data and ensuring that communications and business processes are secure and compliant with European standards;
- certified cloud and hosting services. The infrastructure and cloud services are secure and also qualified by ACN for providing services to the PA, and offer a protected environment for storing and managing business data;
- digital identity management with solutions for strong authentication, such as SPID and digital signature, which guarantee secure access to business resources and help increase protection from identity theft and unauthorized access;
- backup and disaster recovery solutions to ensure operational continuity in case of cyber attack or IT incident;
- a path to ISO/IEC 27001:2022 certification.
It is important to emphasize that the solutions are designed to support companies in the adaptation process, but do not guarantee automatic compliance with the regulation. The assessment of the actual adequacy of the solutions can only be performed by the individual company, case by case.
I stand alongside your company in adapting to NIS2 with advanced technological solutions. I am the ideal strategic partner to support your company in every phase of the adaptation process and to achieve compliance with European regulations efficiently. By relying on our team, you can focus on growing your business while managing the challenges of IT security and data protection with peace of mind.
The NIS2 Directive offers companies the opportunity to modernize and strengthen their digital infrastructure. Not just a regulatory obligation, therefore, but also a decisive step towards greater resilience and competitiveness in the long term.
Do not miss the opportunity to adapt your company to NIS2 compliance, contact me to best address the path towards digital operational resilience.
Official Sources:
- OFFICIAL GAZETTE
- ACN “Cyber Security Agency”
- WIKIPEDIA