The NIS2 Directive represents the most significant change to the European cybersecurity landscape in a decade. It is not simply a technical update or a strengthening of IT controls: the regulation redefines the very concept of corporate responsibility for cybersecurity.
As highlighted by ENISA:
“Cybersecurity governance is no longer an IT matter, but a core management responsibility.”
This statement perfectly summarizes the new paradigm. Cybersecurity is no longer confined to the technological perimeter, but enters firmly into the sphere of strategic governance, risk management, and direct management responsibility.
For many Italian organizations classified as Essential Entities or Important Entities, 2026 represents a regulatory deadline, but more importantly an organizational turning point.
The current context: growing threats, uneven maturity
The numbers tell an unequivocal reality.
According to Clusit's annual report, serious cyber attacks in Italy grew by more than 65% in 2023 compared to the previous year. Italy is among the most affected European countries in percentage terms.
At the European level, the analyses of ENISA show that:
- Ransomware accounts for more than 25% of serious incidents.
- The human factor is involved in more than 70% of the attacks.
- The average silent dwell time of an attacker can exceed 200 days.
- The average cost of a data breach in Europe exceeds 4 million euros.
In parallel, the labor market suffers from a structural skills shortage: Europe is estimated to lack more than 500,000 qualified cybersecurity professionals.
The result is a glaring imbalance: the attack surface increases, complexity increases, but the capacity for governance does not evolve with the same speed.
What really changes
Many organizations tend to underestimate the significance of NIS2 by considering it an “enhanced NIS.” In reality, the leap is qualitative.
1. Direct involvement of management
The regulations state that management must:
- Approve risk management measures.
- Supervise their implementation.
- Receive appropriate training.
- Be actively involved in the management of significant incidents.
This means that cybersecurity officially enters the scope of the board's fiduciary responsibilities.
In cases of serious noncompliance, sanctions and corrective measures may also be imposed on management bodies.
2. Stringent reporting requirements
The directive imposes specific timelines:
- Pre-notification within 24 hours of incident detection.
- Detailed notification within 72 hours.
- Final report within one month.
These timelines assume that the organization has:
- Formalized Incident Response processes.
- Mechanisms for rapid incident classification.
- Immediate coordination between IT, Legal, Compliance and Management.
- A clearly designated point of contact for the relevant authorities.
Without proper structure, meeting these deadlines becomes extremely complex.
3. Relevant sanctions and reputational impact
For Essential Entities, penalties can be up to 10 million or 2% of annual global turnover.
But the real risk is not only economic. It is reputational.
As pointed out by the World Economic Forum:
“Cyber resilience is now a strategic differentiator.”
In a global marketplace, cyber resilience affects the trust of customers, partners, investors, and stakeholders.
The critical points emerging in organizations today
From the analysis of different industrial and corporate settings, recurring critical issues emerge.
Unformalized governance
In many organizations:
- The role of CISO is not formally appointed.
- Cybersecurity is embedded in the IT function.
- The board receives sporadic and unstructured updates.
- There are no defined and monitored KPIs and KRIs.
This results in reactive rather than strategic management.
Gap in risk management
A structured risk assessment, including the supply chain, is required. However, the following are often found:
- Absence of gap analysis.
- Lack of mapping of critical suppliers.
- Inadequately formalized documentation.
- Evidence not organized from an audit perspective.
In the event of an inspection, the organization must be able to prove not only that it has taken measures, but that it has planned and supervised them systematically.
Untested Incident Response
One of the most underestimated aspects is effective responsiveness.
In table-top exercises, the following issues emerge frequently:
- Ambiguity about decision-making roles.
- Delays in communication to management.
- Difficulties in assessing notifiability.
- Absence of documentary traceability of decisions.
As ENISA recalls:
“Resilience must be built before the crisis, not during.”
The difference between a managed crisis and an out-of-control crisis is preventive preparation.

CISO as a Service: a pragmatic response to the skills shortage
Against this backdrop, many organizations are questioning whether cyber leadership should be strengthened.
Hiring a senior CISO involves:
- Average search time between 6 and 9 months.
- Annual costs that can exceed 150,000-200,000 euros.
- High turnover risk.
- Need for cultural and organizational integration.
The CISO as a Service model enables organizations to:
- Activate structured governance in a few weeks.
- Provide direct support to board and top management.
- Define a three-year cybersecurity roadmap.
- Monitor KPIs and KRIs on an ongoing basis.
- Align the organization with NIS2, ISO 27001 and GDPR requirements.
This is not episodic counseling, but an ongoing, formalized function, calibrated to the maturity of the organization.
CSIRT As-a-Service contact person: the strategic node of NIS2 compliance
The designation of a CSIRT contact person is a basic requirement.
This figure must ensure:
- Formal interface with ACN and CSIRT Italy.
- Timely assessment of notifiability.
- Internal coordination during the incident.
- Documentation and audit trail management.
- 24/7 availability for critical escalations.
A typical example: a ransomware attack hits a secondary system. Initially, the impact appears limited. After 36 hours, effects on customers or supply chains emerge. Without a structured process, the 24-hour window for pre-notification may be compromised.
The risk shifts from technical to regulatory.
The CSIRT as a Service model allows this process to be overseen with dedicated expertise and formal mandate, reducing the risk of procedural errors.
Why the As-a-Service model reduces overall risk
The advantage is not only economic. It is strategic.
- Reduces the risk of noncompliance.
- Ensures continuous updating with respect to regulatory developments.
- Provides structured reporting to the board.
- Allows scalability according to business maturity.
- Avoids dependence on individual internal resources.
In an environment where cyber risk directly affects business value, speed of activation is critical.
Event March 17: NIS2 in practice, between governance and real cases
To explore these issues further, on March 17 we are organizing an event dedicated to CEOs, board members, CISOs and compliance officers.
Professionals with direct experience in complex industrial settings will speak.
Andrea Licciardi - Tecnimont Services - MAIRE Tecnimont
Andrea Licciardi works within the MAIRE Tecnimont Services, an international group active in engineering and construction of industrial plants on a global scale.
He deals with:
- Cybersecurity governance in multinational environments.
- Protection of industrial infrastructure and OT environments.
- Alignment between security and business strategy.
- Implementation of international regulatory frameworks.
He will bring concrete testimony on integrating cyber governance in complex industrial settings.
Nino D'Amico - CTO of HRC and head of Cyberbrain
Nino D'Amico is an expert in cybersecurity governance and CISO as a Service models at HRC Cyberbrain.
He supports organizations in:
- The NIS2 compliance pathway.
- Structuring the role of CISO.
- Formalization of the CSIRT Contact Person.
- Definition of Incident Response processes.
- Construction of cyber resilience roadmaps.
His focus is to support management in transforming cybersecurity from a technical function into a strategic lever for protecting business value.
Why participate
The event will offer:
- Practical analysis of the impacts of NIS2.
- Concrete directions for management.
- Sharing of real experiences.
- Operational best practices.
- Space for direct discussion with experts and peers.
👉 Register here to participate: https://eventi.hrcsrl.it/portal/Reservation/RequestReservation?eventId=1055&utm_source=brevo&utm_campaign=evento%20csirt_copy&utm_medium=email
Conclusions: turning compliance into competitive advantage
NIS2 is not just an obligation: it is an opportunity to reframe cybersecurity as a strategic lever, improve operational resilience, and build market confidence.
The CISO as-a-Service and CSIRT Support approach allows organizations to:
- Reduce operational and regulatory risk.
- Ensure continuous compliance.
- Provide clear and structured reporting to the board.
- Accelerate the transformation of cybersecurity into a competitive advantage.
With the right support, NIS2 becomes not an obstacle but a catalyst for stronger governance, efficient processes, and faster decision-making.
