Opinions

Cybersecurity and the NIS 2 nodes

For two years a spectre had been hovering over Europe, until last October when it suddenly took shape

3' min read

3' min read

For two years, a spectre had been hovering around Europe, until it suddenly took shape last October. In Italy it manifested itself in the form of Legislative Decree No. 138 of 4 September 2024, which transposed European directive NIS 2 'on measures for a high common level of cybersecurity throughout the Union'. The breath given by the regulation to the scope will lead to the direct involvement of tens of thousands of organisations, for which cyber security will become a pressing issue. This can be seen from the four annexes to the Decree, which indicate the different product categories and public administrations that will fall within the scope of applicability. However, the exact number of operators will be known after an initial census phase. The rule, in fact, provides that from 1 January to 28 February 2025, the subjects that fall within the identified categories will register on the digital platform that will be made available by the competent national authority (in Italy, the National Cyber Security Agency), which will draw up the list of essential and important subjects by 31 March. That said, a number of non-trivial questions arise. The first. Many organisations believe, wrongly, that not being among the categories exempts them from the measure. In reality, much emphasis is placed within the measure on the control that critical and important operators will have to put in place with respect to their supply chain. It could be enough to have a company in the energy sector, health sector or public administration among one's customers to see a list of demands not different from those contained in the regulation. This means that in the not too distant future, all those operators who are unable to demonstrate adequate security of their systems could climb the competitive ladder backwards and end up being excluded from tenders and supplier lists. This brings us to the second issue. To verify the adequacy of their suppliers, the typical tool used by organisations consists of a series of more or less structured questions. Consequently, in the coming months tens of thousands of SMEs could find themselves in the position of answering dozens, in some cases many dozens, of similar but not identical questionnaires. This would result in an extraordinary production of cyber security paper. It seems strange that if a company is suitable for hospital X, it is not suitable for hospital Y. If the critical and important operators do not find a way to make their requirements uniform, they will end up crushing their suppliers under an unnecessary bureaucracy. The third issue is somewhat the reverse of the above. Cybersecurity costs money and many SMEs cannot afford it. It could make a difference if once so many, especially small businesses, would make a 'system' (something that has always been talked about in our country without ever succeeding). The cyber market is no different from any other. To trivialise to the utmost: one licence of an anti-malware at a given price, but if you buy 10,000 of them, the unit cost will not be the same. Let us come to the fourth issue. Our National Agency will have to supervise thousands of organisations and in the case of critical operators it will have to do so 'ex-ante'. This would mean deploying highly qualified personnel in no small quantity. Checking a large operator such as ENI, Enel, Leonardo, to give a few examples, could require weeks of work by several people with different specialisations. The task might exceed the available forces. Perhaps it might be worth considering qualifying third parties, for example by selecting them from Accredia (the single national body appointed by the Italian government to certify the competence and impartiality of certification, inspection, verification and validation bodies), to contribute to the audits. Finally, the last point, but perhaps in perspective the most relevant. This Directive is a great opportunity for SMEs to tackle the issue of cyber security and do some 'training', also because before long the EU will approve the Cyber Resilience Act, which will get to grips with the issue of cyber security of products, dictating stringent rules on the subject. In other words, that CE mark, which allows a product to be placed on the market, will be subordinate to the digital security of the product itself. This represents an unprecedented challenge for what is considered Europe's second largest manufacturer.

*President DI.GI. Academy S.r.l.

Loading...
Copyright reserved ©
Loading...

Brand connect

Loading...

Newsletter

Notizie e approfondimenti sugli avvenimenti politici, economici e finanziari.

Iscriviti