It is crucial to draw on the principles of consistency, comparability, proportionality, gradualness, flexibility and priority in order to balance national cybersecurity objectives against the financial, administrative and technical burdens imposed on businesses. This is what emerges from the memorandum that Deloitte submitted at the request of the IX Commission (Transport, Post and Telecommunications) of the Chamber of Deputies on the draft legislative decree implementing Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the European Union (NIS2).
The principles set out by Deloitte aim at: the uniform application of the cybersecurity measures required of companies, in line with frameworks already adopted (consistency); the differentiation of obligations according to further criteria such as sectors, sub-sectors or categories of entities (proportionality); the progressive adoption of measures, initially focused on critical systems, networks and services and then extended to the rest of the organisation (gradualness); the possibility for companies to apply their own methodologies and approaches, consolidated over time, to assess the criticality of their systems and modulate the adoption of security measures accordingly (implementation flexibility); and, finally, the definition of different adoption deadlines in relation to the criticality of the IT resources or services concerned (priority).
Applying these principles would bring a clear benefit: cybersecurity objectives achieved in balance with the commitments required of companies, building on the strategies and programmes that companies have implemented in past years, and avoiding an additional financial and administrative burden on top of what is already foreseen.
In addition to the principles, the report highlights the importance of incentivising businesses, simplifying registration requirements and inspection activities, and harmonising at European level the methods for adopting security measures and reporting incidents.
The Directive aims to ensure security in all strategic sectors of our economy and society, such as Energy, Transport, Financial Market Infrastructure, Drinking Water, Health, Banking, Digital Infrastructure and Digital Service Providers, to which new sectors are added such as Space, ICT Service Management, Waste Water, Chemicals, Manufacturing, Food, Postal and Courier Services, Waste Management and Research.
Tens of thousands of Italian companies could potentially be affected. All of this represents a challenge, but also an opportunity to start or continue the process of raising the cybersecurity level of individual companies, which is essential for the resilience and the digital, economic and social development of our country.