Interventions

The contagion of trust

4' min read

Translated by AI
Versione italiana

4' min read

Translated by AI
Versione italiana

There is an initiation rite that any company wishing to work with a medium-sized business cannot escape: the first supply is a more or less large amount of 'paper'. This can range from a few balance sheets, a Chamber of Commerce certificate and an anti-mafia certificate, to registration in a supplier register of extraordinary complexity. It is an almost 'superstitious' ritual, which must assure the client of the fairness and honesty of the counterparty. It works more or less well if we talk about form, but when the issue is cyber security, the form is no longer enough. Because today it is not a question of asking whether a supplier 'is trustworthy', but whether its computer systems are.

The NIS 2 Directive, which will take effect next year, will come in two forms: another bureaucratic headache, but at the same time a necessary acknowledgement that cyber security is not a problem of individuals, but a supply chain phenomenon. Essential and important operators have been told that they cannot consider their suppliers 'secure' if they do not prove it. The data on cyber attacks tells us that the chain breaks at the weakest link, and from tomorrow the link of interest may be a network cable, a USB stick or a management system whose maintenance is entrusted to a small company.

Loading...

For some months now, these small and medium-sized companies have been receiving the first signals: security questionnaires, tables to be filled in, requests for 'evidence' of the controls adopted. They are still few, but 'silently' every large organisation is preparing to package them according to its own taste, or its own consultant. This, if someone does not intervene first, will result in a Babel of formats: all similar, but never the same. The respondent, often an entrepreneur who thinks about budgets at night and looks for customers during the day, will find himself inundated with questions about patch management policies, role segregation, control of and backup systems, and perhaps the results of the latest penetration test. Maybe some or all of these things he does, but he will need time and, above all, someone who is able to understand what his customer is asking him. Yet he will have to do it, because trust, in the new digital world, is also paid for in PDF attachments.

With a certain bitterness one could ironically say that an obligation has arisen to trust only those who can prove themselves trustworthy. The risk is that NIS 2, born to strengthen the system, will turn into a colossal compilation exercise. The big ask the medium ones, the medium ones the small ones, and the small ones get desperate: everyone sends questionnaires, receives questionnaires, files questionnaires. Cybersecurity, reduced to formal complacency, becomes the new national sport.

However, a way out can be imagined and probably comes from those who are in charge of the system: the National Cybersecurity Agency. On its portal - it is clearly stated in the section dedicated to the NIS directive - it is 'the NIS Competent Authority'. If the goal is 'a common high level of security of networks and information systems in the Union', then it is not enough to regulate the main players: trust must be normalised throughout the whole chain.

Because security requires controls, but it stems from the way in which the relationship between those who ask and those who supply is built. So let's 'throw out there' a possible solution: if there were a national register of qualified suppliers, managed by ACN, wouldn't that be an answer? After an inevitable initial panic, companies, large and small, could register voluntarily by demonstrating that they meet minimum security standards (periodic audits, basic policies, staff training, backup management), but above all perhaps they would realise that cyber security helps their competitiveness. NIS actors would no longer have to invent a thousand self-assessment forms; they could consult a public repository and know immediately who is 'cyber-reliable'. Not a stamp of digital sanctity, but a guarantee of hygiene. Like car revision: it doesn't prevent accidents, but it helps.

At that point, NIS 2 would cease to be a directive for specialists and would become a matter of 'citizenship' because, if the operators subject to the standard are around thirty thousand, their suppliers - direct and indirect - will be at least ten times as many. With such a multiplier, security would cease to be an affair for insiders and would become a collective good by right. A country in which every company, in order to continue working, must know how to protect its data, would not only be safer: it would be more aware.

Of course, the path is not easy. Certification would require shared criteria, sustainable costs and a common language between very different companies. So the real difficulty is not technical, but cultural. An act of institutional trust is needed: to recognise that ACN should not only supervise, but also enable. The Agency would be asked to 'throw its heart over the hurdle' and become the arbiter of a market that tomorrow risks imploding in the chaos of forms. After all, who better than the Agency to decide whether a company is 'safe enough' to be part of the chain that feeds vital services to the country?

2026 could be the turning point. If one has the courage to transform NIS 2 from fulfilment to cultural infrastructure, Italy could go from defending itself to organising itself. Because true security does not arise from mutual suspicion, but from verified trust. In an era when everything passes through the Net, this could be the most precious of connections: the one that holds people together before computers, because no firewall protects against a chain that no longer believes in itself.

Copyright reserved ©
Loading...

Brand connect

Loading...

Newsletter

Notizie e approfondimenti sugli avvenimenti politici, economici e finanziari.

Iscriviti