Your accountant just forwarded an email from the notary: your insurance company is demanding NIS2 certification. Your cloud provider has sent a notice: adjust your contracts within 60 days or face suspension. The bank wants to see your supplier register. Panicking? Good. It means you are taking cybersecurity seriously — and that 2026 is the year many Italian businesses discover they are not ready.
We, at Meteora Web, work with companies in Southern Italy and beyond. For years we have guided clients on compliance, security, and development. We also come from accounting: balance sheets, double-entry bookkeeping, VAT. That’s why when we talk about regulations like NIS2, the Cyber Resilience Act, or DORA, we think in terms of costs, risks, and deadlines — not theory. This is the definitive pillar guide to NIS2 and the new European cybersecurity legislation. We cover everything: who is obliged, what to do, how to document it, and which penalties to avoid. Straight to the point, no empty talk.
1. NIS2 — Who Is Subject in Italy and What They Must Do
The NIS2 Directive (Network and Information Security 2) came into force in 2024 and was transposed in Italy by Legislative Decree 48/2025 (or subsequent amendments). Note: the compliance deadlines started to bite in late 2025, but many companies are still receiving compliance requests from partners in 2026.
Who is subject? The directive covers two main categories: highly critical sectors (energy, transport, health, water, banking, digital infrastructure) and other critical sectors (chemical, food, manufacturing, public administration, waste, postal services). For each sector there is a size threshold: generally, enterprises with more than 50 employees and/or annual turnover over €10 million. However, many digital service providers (hosting, cloud, search engines) are obliged even below the threshold.
And SMEs? NIS2 provides a proportionate approach: SMEs in non-critical sectors may have lighter obligations. But beware: if you are a supplier to a company subject to NIS2, your compliance becomes a contractual requirement. We see this more and more: contracts that require ISO 27001 certification or at least a NIS2 self-assessment.
What must a subject company do?
- Register with the ACN (Italian National Cybersecurity Agency) with identification data and scope of compliance.
- Adopt technical and organizational security measures (see Section 2).
- Notify significant incidents within 24 hours (early warning) and submit a full report within 72 hours.
- Maintain a supplier register and assess the supply chain.
- Conduct periodic internal audits and staff training.
Concrete example: A client of ours, a Sicilian manufacturing company with 80 employees, received a request from a large food group for which it is a supplier: “Certify your NIS2 compliance within six months, or we lose the contract.” We structured a path: self-assessment, supplier register, implementation of basic measures (MFA, backups, logs, training), and obtaining an attestation. Result: contract renewed, no penalties.
2. Mandatory Technical Measures — Checklist for Companies
NIS2 does not prescribe specific technologies, but imposes risk-based measures. Here is the minimum checklist we at Meteora Web adopt for our clients:
- Strong authentication: MFA everywhere, password policy, identity management (IAM).
- Patching and updates: Documented process, defined timelines (30 days for critical vulnerabilities, 7 for zero-days).
- Backup and disaster recovery: Off-site backups, quarterly restore tests, encryption of backups.
- Logging and monitoring: Access logs, security events, retention minimum 6 months (or 12 for critical sectors).
- Access control: Principle of least privilege, quarterly reviews, third-party access management.
- Encryption: Data in transit (TLS 1.3) and at rest (AES-256).
- Supply chain security: Vendor verification, contractual clauses, incident notification obligations.
- Training: Annual program for all employees, including simulated phishing tests.
We suggest using frameworks like CIS Controls or NIST CSF as a reference, and documenting every decision in a “Security Measures Register”.
3. Cyber Resilience Act — Obligations for Software and Hardware Manufacturers
The Cyber Resilience Act (CRA) is an EU regulation imposing security requirements for products with digital components (software, hardware, IoT). In force since 2025, the first deadlines arrived in 2026 for manufacturers.
Who is obliged? Manufacturers, importers, and distributors of digital products placed on the EU market. Open-source software developed by non-professional communities is excluded (but beware: if you contribute professionally to an open-source project, you may be considered a manufacturer).
What does the CRA require?
- Design products with “security by design” principles.
- Provide security updates for the declared lifecycle (minimum 5 years).
- Draft an EU declaration of conformity and affix CE marking.
- Notify actively exploited vulnerabilities and incidents within 24 hours.
- Maintain a Software Bill of Materials (SBOM) for each product.
If you develop WordPress plugins, themes, Laravel components, or any paid software sold to EU clients, you are involved. Penalties can go up to 2.5% of annual worldwide turnover.
Example: A company producing an IoT device for warehouse monitoring (e.g., temperature sensors) must ensure the firmware is updatable, credentials are secure, and there is a vulnerability disclosure channel. We helped a client revise their development process to comply with CRA, implementing automatic SBOMs with tools like CycloneDX.
4. EU AI Act and Cybersecurity — Intersection of Regulations
The AI Act (entered into force in 2025, staggered applicability until 2027) is not just about artificial intelligence. It intersects with cybersecurity in at least three ways:
- High-risk models: Must have robust cybersecurity systems, technical documentation, event logs, and compliance with CRA if embedded in a product.
- Transparency: Users must be informed if they interact with an AI system. This requires logging and notification mechanisms.
- Data governance: Training data must be protected with access controls and encryption.
If your company develops a chatbot, recommendation system, or automation tool, you must evaluate if you fall under the AI Act. In that case, cybersecurity measures from NIS2 and CRA add up. We recommend a single integrated framework: AI-specific risk assessment plus general security measures.
5. DORA — Digital Operational Resilience Act for the Financial Sector
DORA is an EU regulation applying to banks, insurance companies, investment firms, and their ICT providers (critical third parties). In force since 2025, initial checks started in 2026.
Main obligations:
- ICT risk management: framework, periodic testing (threat-led penetration testing every 3 years for significant entities).
- Notification of major ICT incidents: initial report within 4 hours, final report within 72 hours.
- Register of ICT providers: classification by criticality, continuous monitoring.
- Resilience testing: simulation exercises, internal audits.
If you are an SME providing services to a financial institution (e.g., developing management software, a mobile banking app, even just a website), DORA impacts you. Your financial client will ask for contractual standards, audits, and security SLAs. We have already handled such requests for clients supplying software to banks: we structured documentation, implemented advanced logging, and arranged annual penetration tests.
6. NIS2 Supplier Register — Supply Chain Security
One of the most overlooked yet most requested aspects is the supplier register. NIS2 requires every subject to map and assess its critical suppliers (IT and non-IT) and include contractual clauses that ensure security.
What should the register contain?
- Supplier identification (business name, VAT number, security contact).
- Service category (cloud, hosting, software development, maintenance, etc.).
- Criticality level (low, medium, high) based on potential impact.
- Supplier compliance status (certifications, self-assessment, audit).
- Date of last review and next review due.
For a client we built a simple structured Excel sheet (later migrated to an internal database) that lets them track every supplier and every contractual deadline. We recommend using frameworks like NIST SP 800-161 (Supply Chain Risk Management Practices) as a reference.
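To show what the register above looks like once it leaves the spreadsheet, here is an added example in Python (ours for this guide, not the client's sheet or database): a small model with the five fields listed in this section, plus the checks a reviewer would run on it, such as reviews that are overdue and high-criticality suppliers with no compliance evidence. The review intervals per criticality level are an assumed policy, and the suppliers are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed review policy (not stated in the guide): days between reviews by criticality.
REVIEW_INTERVAL_DAYS = {"high": 180, "medium": 365, "low": 730}
AUDIT_DATE = date(2026, 3, 1)  # constructed "today" for the sample run


@dataclass
class Supplier:
    name: str                # business name
    vat_number: str
    security_contact: str
    category: str            # cloud, hosting, software development, maintenance...
    criticality: str         # low, medium, high
    compliance_status: str   # certification, self-assessment, audit, or "none"
    last_review: date
    next_review: Optional[date] = None  # an explicit due date overrides the policy


def compute_next_review(s: Supplier) -> date:
    """Next review date: last review plus the criticality-based interval."""
    return s.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[s.criticality])


def check_supplier(s: Supplier, today: date) -> List[str]:
    """Findings for one register entry; an empty list means the entry is in order."""
    findings = []
    if s.criticality not in REVIEW_INTERVAL_DAYS:
        return [f"{s.name}: unknown criticality '{s.criticality}'"]
    if not s.security_contact:
        findings.append(f"{s.name}: missing security contact")
    if s.criticality == "high" and s.compliance_status in ("", "none"):
        findings.append(f"{s.name}: high-criticality supplier without compliance evidence")
    due = s.next_review or compute_next_review(s)
    if due < today:
        findings.append(f"{s.name}: review overdue since {due.isoformat()}")
    return findings


def audit_register(register: List[Supplier], today: date) -> List[str]:
    """Run the checks over the whole register and collect every finding."""
    return [f for s in register for f in check_supplier(s, today)]


# Constructed sample register with fictitious suppliers and VAT numbers.
SAMPLE_REGISTER = [
    Supplier("CloudCo", "IT00000000001", "security@cloudco.example", "cloud", "high", "certification", date(2025, 9, 1)),
    Supplier("HostX", "IT00000000002", "", "hosting", "medium", "self-assessment", date(2024, 12, 1)),
    Supplier("DevShop", "IT00000000003", "sec@devshop.example", "software development", "high", "none", date(2026, 1, 15)),
]
```

Calling `audit_register(SAMPLE_REGISTER, AUDIT_DATE)` returns four findings: CloudCo's review fell due on 2026-02-28, HostX has no security contact and an overdue review, and DevShop is high-criticality with no compliance evidence.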
7. NIS2 Incident Reporting — Timelines and Processes
Incident notification is where companies risk the most. NIS2 imposes tight timelines:
- Early warning: within 24 hours of discovering the incident, an initial notification (even with only the data available at that point).
- Full notification: within 72 hours, a detailed report including cause, impact, and measures taken.
- Interim report: upon request by the authority (ACN for Italy).
- Final report: within one month of resolution.
It is essential to have a documented process: who is alerted, how to contact the relevant CSIRT (for Italy, CSIRT Italia managed by ACN), which templates to use. We have drafted an incident response playbook compliant with NIS2 for our clients, including a notification checklist and escalation procedures.
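One piece of such a playbook can be automated: given when the incident was discovered, when each notification went out and whether the incident is resolved, compute the deadlines above and flag what is late. The following Python is an added example written for this guide, not our clients' playbook. It assumes "one month" means 30 days, leaves out the interim report (due only on the authority's request, so it has no fixed clock), and uses a constructed incident timeline.

```python
from datetime import datetime, timedelta
from typing import Dict, Optional

# NIS2 timelines from Section 7. "Within one month" is taken as 30 days (assumption);
# the interim report is omitted because it is only due on the authority's request.
STAGE_OFFSETS = {"early_warning": timedelta(hours=24), "full_notification": timedelta(hours=72)}
FINAL_REPORT_AFTER_RESOLUTION = timedelta(days=30)


def deadlines(discovered: datetime, resolved: Optional[datetime]) -> Dict[str, Optional[datetime]]:
    """Deadline per stage; the final-report clock only starts once the incident is resolved."""
    result = {stage: discovered + offset for stage, offset in STAGE_OFFSETS.items()}
    result["final_report"] = resolved + FINAL_REPORT_AFTER_RESOLUTION if resolved else None
    return result


def stage_status(deadline: Optional[datetime], sent: Optional[datetime], now: datetime) -> str:
    """'on time'/'late' for sent notifications, 'pending'/'overdue' for unsent ones."""
    if deadline is None:
        return "not yet due"  # incident still open, so the final-report clock has not started
    if sent is not None:
        return "on time" if sent <= deadline else "late"
    return "overdue" if now > deadline else "pending"


def notification_report(discovered: datetime, resolved: Optional[datetime],
                        sent: Dict[str, datetime], now: datetime) -> Dict[str, str]:
    """Status of every NIS2 notification stage for one incident."""
    return {stage: stage_status(dl, sent.get(stage), now)
            for stage, dl in deadlines(discovered, resolved).items()}


# Constructed sample: discovered Monday 09:00, early warning sent after 20 h,
# full notification sent after 80 h (8 h past the 72 h limit).
DISCOVERED = datetime(2026, 3, 2, 9, 0)
SENT = {"early_warning": datetime(2026, 3, 3, 5, 0),
        "full_notification": datetime(2026, 3, 5, 17, 0)}


def sample_report(resolved_after_days: Optional[int] = None, days_after_discovery: int = 4) -> Dict[str, str]:
    """Report for the sample incident, viewed N days after discovery, optionally resolved."""
    resolved = DISCOVERED + timedelta(days=resolved_after_days) if resolved_after_days else None
    return notification_report(DISCOVERED, resolved, SENT, DISCOVERED + timedelta(days=days_after_discovery))
```

With the incident still open, `sample_report()` marks the early warning on time, the full notification late and the final report not yet due; once a resolution date is set the final-report deadline appears and becomes "overdue" 30 days later if nothing has been filed.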
Warning: failure to notify within the deadlines can result in fines up to €10 million or 2% of annual worldwide turnover.
8. NIS2 for SMEs — Simplifications and Proportionate Approach
NIS2 recognizes that small businesses have fewer resources. Therefore, it provides a “proportionate approach”: SMEs (under 50 employees or turnover under €10 million) can apply less stringent measures, provided they are documented and risk-based.
What does this mean in practice?
- No need for a 24/7 SOC, but a basic monitoring process (e.g., centralised logging with alerts for critical events).
- No need for ISO 27001 certification, but a self-assessment using a public checklist (ACN provides a free tool).
- Training can be in-house, with free materials (e.g., ENISA courses).
We urge SMEs not to underestimate this: even if you are below the thresholds, if you supply larger companies, compliance becomes a contractual requirement. Better to start with a modest investment (e.g., €5,000–10,000 for an initial analysis and basic implementation) than to risk losing clients.
9. ACN Italy — National Cybersecurity Agency and Obligations
For Italian companies, the competent authority for NIS2 is the National Cybersecurity Agency (ACN). ACN manages:
- The register of obliged subjects (online registration).
- Incident notifications (via dedicated portal or CSIRT Italia).
- Inspection and enforcement activities.
- Publication of guidelines and best practices.
In 2026, ACN intensified controls, especially in the energy and transport sectors. Random checks are expected on samples of registered companies. We recommend preparing a compliance folder with all required documentation: risk analysis, supplier register, evidence of adopted measures, and training records.
10. Cybersecurity Certifications — ISO 27001, ENISA, and Compliance
NIS2 compliance can be demonstrated through recognized certifications. The most common is ISO 27001 (Information Security Management System). Others: ISO 22301 (Business Continuity), CSA STAR for cloud, Cyber Essentials Plus (UK, but valid for supply chain).
ENISA (European Union Agency for Cybersecurity) is developing a European certification scheme (EUCC, EUCS) that may eventually replace national certifications. In the meantime, for SMEs, a self-assessment based on the Italian National Cybersecurity Framework (published by ACN) may suffice.
We recommend starting with a gap analysis against NIS2 requirements, then deciding whether to pursue formal certification. Be aware: the costs of ISO 27001 (preparation, auditor, maintenance) start at around €15,000 for an SME. But if your revenue depends on contracts with large groups, the investment pays off quickly.
In Summary — What to Do Now
- Check if you are subject to NIS2 (use ACN’s self-assessment tool).
- Register with ACN within 30 days of deciding compliance (if obliged).
- Perform a gap analysis of technical and organizational measures (see Section 2 checklist).
- Document everything: supplier register, incident response plan, risk analysis.
- Train your staff at least with a basic cybersecurity awareness course.
- If you are a software/hardware manufacturer, prepare for CRA: SBOM, security by design, disclosure channel.
- If you operate in the financial sector, check DORA requirements and update contracts with your ICT providers.
- Consult professionals: if you lack internal expertise, reach out to an agency like ours — we have accompanied dozens of companies on their compliance journey.
We, at Meteora Web, are available for a free initial consultation. Because cybersecurity is not a cost — it’s an investment to avoid losing clients, contracts, and reputation.
Useful links:
- NIS2 Directive (EU) 2022/2555
- Italian National Cybersecurity Agency
- ISO 27001:2022
- ENISA