NIS2 Directive: The Second Phase of the Implementation Process Begins

On April 10, 2025, the National Cybersecurity Agency (NCA) launched the second phase of the NIS2 Directive implementation process, notifying organizations that registered in the first phase of the classification assigned to them.

Based on over 30,000 registrations, NCA identified more than 20,000 organizations in Italy as NIS entities. Among them, over 5,000 have been classified as essential entities.

In this article, I’ll clarify the notifications, what they contain, and the timelines for the organizations involved.

The information and data in this article refer to the Italian context.

Next Steps for NIS Entities

Organizations that received a notification from NCA were informed of their classification as either important entities (a new category introduced by NIS2) or essential entities (which are subject to additional obligations, closer supervision, and higher penalties).
In this second phase, all NIS entities—regardless of classification—are required to comply with the basic provisions of the regulation defined by NCA. This includes:

  • Developing internal procedures for sending incident notifications to CSIRT by January 2026.
  • Implementing the basic security measures outlined in the National Cybersecurity and Data Protection Framework, which includes:
      • 37 measures, broken down into 87 requirements, for important entities;
      • an additional 6 measures and 29 requirements for essential entities, totaling 43 measures and 116 requirements.

One more administrative deadline is approaching: by May 31, 2025, organizations must update their annual registration data.

What Changes in Incident Notification

The first implementation deadline, which concerns incident notifications, takes effect nine months after the organization receives the NCA’s official communication.
With the start of this new phase, NCA has defined the scenarios in which NIS entities are required to report an incident to CSIRT:

  • Loss of confidentiality, with an external impact, of digital data owned or partially controlled by the organization.
  • Loss of integrity, with an external impact, of data owned or partially controlled by the organization.
  • Disruption of expected service levels in relation to the organization’s services and/or activities.

An additional scenario applies to essential entities:

  • Unauthorized access, or misuse of granted privileges, to digital data owned or partially controlled by the organization.

These notification obligations complement any other regulatory requirements an organization may be subject to (DORA, NIS-1, OES, FSD, TELCO, national cybersecurity perimeter, etc.). In the case of overlap, a single notification will fulfill multiple obligations.

Contents of the Notification

In Italy, incident notifications required under the NIS2 Directive must be submitted via the CSIRT Italia Incident Reporting Portal, which already serves as the centralized platform for both mandatory and voluntary incident reports.
The portal integrates the notification process for NIS-related incidents with the requirements of previous regulations and national laws (OES/FSD/TELCO entities).

Although not yet updated to reflect NIS2, the current CSIRT Incident Notification Guide remains valid. It outlines the information that must be provided, including:

  • Number of affected users;
  • Incident duration, measured from the time of the first complete or partial service interruption to the moment of recovery, or—if the incident is still ongoing—to the estimated recovery time;
  • Geographical spread, based on the location of users, individuals, and legal entities impacted by the incident;
  • Estimated impact on service users, expressed as a percentage of the national user base for that service;
  • Date and time of incident detection;
  • Impacted assets;
  • Additional incident details (e.g., IOC – Indicator of Compromise);
  • Evidence collected (e.g., malware samples, ransom notes).

Under NIS2, a detailed incident report must also be submitted. This report should include a full description of the causes and sequence of events, along with the mitigation measures adopted.

Notification Timelines

NIS2 requires prompt incident notification, often to be carried out in parallel with incident handling activities. Once an incident is identified, the organization must report it without undue delay.
If the full scope of the incident is not immediately clear, a preliminary notification must still be submitted. This should then be updated as soon as possible in the following hours with the results of ongoing analysis.
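The following is an added example, not part of the original article or of the CSIRT portal: a minimal internal record for assembling a notification with the items listed above (affected users, duration from first interruption to recovery or to the estimated recovery if still ongoing, geographical spread, impact, detection time, assets, IOCs, evidence). The field names, the completeness rule and the sample incident are assumptions constructed for illustration; the portal's actual schema is not reproduced here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Items the article lists as required; these keys are hypothetical, not the portal's schema.
REQUIRED_FOR_COMPLETE = ("affected_users", "duration_hours", "geographic_spread",
                         "impact_pct_national", "detected_at", "impacted_assets")

@dataclass
class IncidentNotification:
    detected_at: datetime
    first_interruption_at: datetime
    recovered_at: Optional[datetime] = None
    estimated_recovery_at: Optional[datetime] = None
    affected_users: Optional[int] = None
    geographic_spread: Optional[str] = None
    impact_pct_national: Optional[float] = None   # share of the national user base for the service
    impacted_assets: list = field(default_factory=list)
    indicators: list = field(default_factory=list)  # IOCs
    evidence: list = field(default_factory=list)    # e.g. sample hashes, ransom note references

    def duration_hours(self) -> Optional[float]:
        """From the first interruption to recovery, or to the estimated recovery while ongoing."""
        end = self.recovered_at or self.estimated_recovery_at
        return None if end is None else (end - self.first_interruption_at).total_seconds() / 3600

    def build(self) -> dict:
        """Assemble the payload; it stays 'preliminary' while any required item is still unknown."""
        payload = {
            "affected_users": self.affected_users,
            "duration_hours": self.duration_hours(),
            "incident_ongoing": self.recovered_at is None,
            "geographic_spread": self.geographic_spread,
            "impact_pct_national": self.impact_pct_national,
            "detected_at": self.detected_at.isoformat(),
            "impacted_assets": self.impacted_assets,
            "indicators_of_compromise": self.indicators,
            "evidence": self.evidence,
        }
        missing = [k for k in REQUIRED_FOR_COMPLETE if payload[k] in (None, [], "")]
        payload["status"] = "preliminary" if missing else "complete"
        payload["missing_fields"] = missing
        return payload

def sample_payloads() -> tuple:
    """Constructed sample: a preliminary notification, then the update once analysis is done."""
    utc = timezone.utc
    n = IncidentNotification(detected_at=datetime(2025, 4, 10, 8, 0, tzinfo=utc),
                             first_interruption_at=datetime(2025, 4, 10, 7, 30, tzinfo=utc),
                             estimated_recovery_at=datetime(2025, 4, 10, 13, 30, tzinfo=utc),
                             impacted_assets=["customer-portal"])
    first = n.build()  # scope not yet clear: submitted without undue delay as preliminary
    n.affected_users, n.geographic_spread, n.impact_pct_national = 1200, "Lombardia", 0.8
    n.recovered_at = datetime(2025, 4, 10, 12, 0, tzinfo=utc)
    return first, n.build()  # follow-up carrying the results of the analysis
```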

For this reason, it’s essential to have an incident response plan in place, define a clear strategy, and provide internal training so that all stakeholders are familiar with the procedures to follow in the event of an incident.

Preparing for NIS2

To comply with the directive and be ready to carry out notification and incident response activities quickly, organizations must prepare through a set of preliminary actions:

  • Catalog all sensitive assets and regularly check their status.
  • Perform threat modelling to define the impact and priority of potential scenarios.
  • Assess the IT infrastructure.
  • Develop internal policies and appoint designated contacts.
  • Establish a communication plan and maintain an up-to-date contact list.
  • Prepare crisis management tools and define a recovery strategy.