EU cybersecurity regulation: navigating NIS2 and DORA impacts

Published on 4 March 2026

The integration of the NIS2 Directive and the DORA Regulation marks a definitive shift in EU cybersecurity, elevating digital risk from a technical IT matter to a fundamental pillar of corporate governance. By enforcing direct management liability, strict reporting timelines, and comprehensive supply chain oversight, this new regulatory framework redefines digital resilience as an essential prerequisite for legal compliance and business continuity in the interconnected European market. This article is authored by Martina Ortillo (Associate Partner), Tommaso Mauri (Associate) and Vanessa Cunico (Junior Associate) of Rödl Italy.

1. Evolution of the EU regulatory framework

Over the last decade, the European Union has progressively elevated cybersecurity from a purely technical matter to a fundamental pillar of digital sovereignty and the stability of the EU market. While Directive (EU) 2016/1148 ("NIS1") established the initial groundwork for harmonization, the heterogeneity of national implementations and the rapid evolution of hybrid threats required a structural overhaul of the regulatory framework.

The current legislative strategy no longer aims merely at infrastructure protection; it pursues the objective of ensuring a "high common level of cybersecurity" across the Union, as enshrined in Art. 1 of Directive (EU) 2022/2555 ("NIS2"). This paradigm shift reflects the awareness that, in an interconnected ecosystem, the vulnerability of a single economic actor can reverberate across the entire value chain and, ultimately, impact national security. Consequently, the European legislator has transitioned from a fragmented sectoral approach to a horizontal discipline (NIS2) complemented by specific vertical regulations (such as the DORA Regulation for the financial sector), forming an integrated corpus juris.

2. The current legal framework: NIS2, Legislative Decree 138/2024 and DORA

The transposition of the NIS2 Directive into the Italian legal system, via Legislative Decree No. 138 of September 4, 2024 (“Decree”), represents a watershed moment for thousands of public and private entities. The Decree significantly broadens the subjective scope of application compared to the previous regime, as it introduces a classification based on two macro-categories: "essential" entities and "important" entities.

2.1. Essential and Important entities: criteria and divergences

The distinction, based on the sector of activity and organizational thresholds (the "size-cap" criterion), is crucial for both enforcement and supervisory purposes.

  • "Highly critical" sectors (Annex I of the Decree) include energy, transport, banking, financial market infrastructures, healthcare, water, digital infrastructure, ICT service management, public administration, and space.

  • "Other critical" sectors (Annex II of the Decree) encompass postal services, waste management, and the manufacturing of chemical products, food, and medical devices.

While substantive obligations regarding security measures and incident notification are substantially aligned for both categories, Essential entities are subject to ex-ante and ex-post oversight, whereas Important entities are subject to a regime primarily triggered ex-post. Furthermore, the Decree mandates a self-assessment mechanism and compulsory registration on the digital platform of the National Cybersecurity Agency ("ACN") within strict statutory windows (from January 1st to February 28th of each subsequent year).

2.2. The DORA regulation

Concurrently, Regulation (EU) 2022/2554 ("DORA"), applicable from January 17, 2025, constitutes lex specialis to NIS2 for the financial sector. DORA mandates uniform technical requirements for banks, insurers, investment firms, and, innovatively, critical third-party ICT service providers. Where DORA imposes risk management or notification obligations at least equivalent to those of NIS2, DORA's provisions prevail, precluding overlapping requirements while maintaining a high standard of protection.

2.3. Sanctions

The Decree provides for administrative pecuniary sanctions reaching, for essential entities, a maximum of 10 million euros or 2% of the total annual global turnover, whichever is greater. For important entities, the ceiling is 7 million euros or 1.4% of turnover. Beyond pecuniary fines, ancillary measures include compliance orders, mandatory audits, and, in severe cases for essential entities, the temporary suspension of certifications or the temporary disqualification from exercising managerial functions.

3. Operational implications for companies

Compliance with the new framework cannot be reduced to the mere adoption of technical tools such as firewalls. It demands a comprehensive overhaul of corporate governance and organizational processes.

3.1. Governance and liability of Management Bodies

A pivotal aspect of the Decree (Art. 7) and the NIS2 (Art. 20) is the direct attribution of liability to administrative and management bodies. It is no longer permissible to fully delegate cybersecurity accountability to the IT department or the CISO. The Board of Directors must approve risk management measures, oversee their implementation, and undergo mandatory specialized training. Failure to implement adequate measures exposes directors to direct liability for culpa in vigilando, with potential civil law consequences and risks to business continuity.

3.2. Incident management and statutory notification duties

The incident notification regime is subject to rigorous tightening. The Decree mandates a phased reporting approach to the Computer Security Incident Response Team ("CSIRT Italia"):

  • Early warning: within 24 hours of becoming aware of a significant incident, particularly if it has cross-border implications or causes relevant service disruptions.

  • Incident notification: within 72 hours, including an initial assessment of severity and Indicators of Compromise (IoC).

  • Final report: within one month, detailing the root cause, mitigation measures, and cross-border impact.

This necessitates 24/7 operational readiness and formalized, tested Incident Response procedures (IRP). The failure to detect an intrusion in a timely manner constitutes, in itself, a regulatory breach.

3.3. Supply chain security and third-party risk management

The security of the supply chain is a cornerstone of both NIS2 and DORA. Obligated entities must assess risks arising from ICT providers and Managed Security Service Providers (MSSP). This entails the mandatory inclusion of specific contractual clauses (security SLAs, audit rights, notification duties) and periodic due diligence. Effectively, large Essential entities will serve as regulatory drivers, imposing high security standards on their SME suppliers, creating a virtuous cascade effect.

3.4. Technical and organizational measures

The Decree enumerates minimum measures based on an "all-hazards approach". These include: risk analysis and information system security policies; incident handling; business continuity and crisis management (backup, disaster recovery); supply chain security; network security; encryption strategies; human resource security; access control; multi-factor authentication (MFA). Compliance must be verified via independent audits and periodic assessments.

4. Future perspectives within the integrated regulatory landscape

The evolving ecosystem requires a systematic interpretation integrating NIS2 and DORA with other EU regulations. Notably, the AI Act classifies AI systems used as security components in critical infrastructure as "high-risk," invoking specific monitoring and robustness duties. Similarly, the Data Act and the European Health Data Space (EHDS) introduce specific requirements for IoT security and health data interoperability. In this context, legal compliance is dynamic. Organizations must establish integrated compliance functions capable of bridging the gap between legal and technical departments, monitoring the evolution of threats and technical standards.

Conclusions

The combined effect of the Decree and DORA radically redefines the scope of corporate liability. Cybersecurity is no longer an ancillary cost but a prerequisite for legal compliance and business continuity. For professionals and undertakings, this adjustment necessitates a cultural transition from a reactive emergency logic to a structured, legally-grounded management of digital risk. Non-compliance now entails unsustainable reputational and operational risks in the contemporary market.

This article is authored by:

Martina Ortillo, Avvocato (Attorney at Law Italy), Associate Partner, Rödl Italy

Tommaso Mauri, Avvocato (Attorney at Law Italy), Associate, Rödl Italy

Vanessa Cunico, Degree in Law (Italy), Junior Associate, Rödl Italy
