The contagion of trust
There is an initiation rite that any company wishing to work with a medium-sized business cannot escape: the first supply is a more or less large amount of 'paper'. This can range from a few balance sheets, a Chamber of Commerce certificate and an anti-mafia certificate, to registration in a supplier register of extraordinary complexity. It is an almost 'superstitious' ritual, which must assure the client of the fairness and honesty of the counterparty. It works more or less well if we talk about form, but when the issue is cyber security, the form is no longer enough. Because today it is not a question of asking whether a supplier 'is trustworthy', but whether its computer systems are.
The NIS 2 Directive, which will take effect next year, will come in two forms: another bureaucratic headache, but at the same time a necessary acknowledgement that cyber security is not a problem of individuals, but a supply chain phenomenon. Essential and important operators have been told that they cannot consider their suppliers 'secure' if they do not prove it. The data on cyber attacks tells us that the chain breaks at the weakest link, and from tomorrow the link of interest may be a network cable, a USB stick or a management system whose maintenance is entrusted to a small company.
For some months now, these small and medium-sized companies have been receiving the first signals: security questionnaires, tables to be filled in, requests for 'evidence' of the controls adopted. They are still few, but 'silently' every large organisation is preparing to package them according to its own taste, or its own consultant. This, if someone does not intervene first, will result in a Babel of formats: all similar, but never the same. The respondent, often an entrepreneur who thinks about budgets at night and looks for customers during the day, will find himself inundated with questions about patch management policies, role segregation, control of and backup systems, and perhaps the results of the latest penetration test. Maybe some or all of these things he does, but he will need time and, above all, someone who is able to understand what his customer is asking him. Yet he will have to do it, because trust, in the new digital world, is also paid for in PDF attachments.
With a certain bitterness one could ironically say that an obligation has arisen to trust only those who can prove themselves trustworthy. The risk is that NIS 2, born to strengthen the system, will turn into a colossal compilation exercise. The big ask the medium ones, the medium ones the small ones, and the small ones get desperate: everyone sends questionnaires, receives questionnaires, files questionnaires. Cybersecurity, reduced to formal complacency, becomes the new national sport.
However, a way out can be imagined and probably comes from those who are in charge of the system: the National Cybersecurity Agency. On its portal - it is clearly stated in the section dedicated to the NIS directive - it is 'the NIS Competent Authority'. If the goal is 'a common high level of security of networks and information systems in the Union', then it is not enough to regulate the main players: trust must be normalised throughout the whole chain.

