In 2026, the NIS2 Directive will become a priority not only for those operating in strategic sectors, but also for many companies working as digital service, technology, and infrastructure providers.
The reason is simple: the directive shifts the focus from “formal compliance” to operational capability, i.e., the ability to demonstrate that the organization is capable of preventing incidents, responding quickly and ensuring the continuity of essential services.
What is NIS2?
NIS2 is the new European directive on cybersecurity: the name comes from the acronym NIS (Network and Information Systems), and the “2” indicates that it is an evolution of the first NIS directive of 2016. Its objective is to raise the level of digital security in the European Union in a concrete and uniform manner, especially for organizations that provide essential services or play a critical role in the technology supply chain.
To this end, it aims to strengthen aspects such as governance, accountability, risk management, supply chain control, and incident response capabilities, shifting the focus from formal compliance to operational resilience. From a regulatory point of view, NIS2 is Directive (EU) 2022/2555 and has been transposed in Italy by Legislative Decree 138/2024.
For many entities, 2026 is the year in which the implementation phase will begin in earnest: the ACN (National Cybersecurity Agency) has published pages and operational guidelines dedicated to ‘basic methods and specifications’, which are useful for understanding how to translate obligations into measurable, verifiable, and therefore easier-to-manage activities, also from an evidence perspective.
NIS2 and why it is a key issue in 2026
NIS2 applies directly to organizations designated as “essential” or “important” in various sectors. Its broader effect, however, extends to the supply chain: when a company falls within the scope of NIS2, it tends to impose minimum security requirements on its suppliers and technology partners as well, because overall security also depends on external services, remote access, the cloud, and third-party software components, and those partners become part of the overall risk.
This is one of the reasons why 2026 is a pivotal year: many companies, even those not directly affected, are beginning to receive requests for compliance from customers, large companies, and public administrations.
The NIS2 directive therefore makes one thing very clear: cybersecurity must not be left to improvisation. That is why it pushes for an organized and verifiable model based on five pillars.
Governance and responsibility
Cybersecurity is not just a technical issue: it is also about organization. In the event of an incident, it must be clear:
- who decides on urgent actions;
- who coordinates operational activities;
- who communicates with the outside world and with the authorities;
- who carries out technical activities.
Risk management
“Risk management” means identifying what really matters and setting priorities. It means understanding which services must remain available (or restart quickly), which data are most critical, which external dependencies are indispensable, and which accesses pose the greatest risk, especially administrative and privileged accesses.
Basic technical and organizational measures
NIS2 requires a consistent and verifiable minimum level of security. This is where the concept of baseline comes into play, i.e., a set of basic measures to be implemented as a starting point (governance, risk management, access control, continuity, etc.).
Incident management and notification
Security is not just about prevention: it is about the ability to detect, contain, recover, and learn. NIS2 reinforces the focus on the ability to detect and contain an event, restore systems, and perform final analysis for improvement.
This is where tools and processes that are often mentioned but poorly structured in reality become central:
- Incident response: the incident management plan, which includes detection, containment, recovery, and final analysis;
- Playbook: a ready-made operating procedure (e.g., “what do we do if we suffer a ransomware attack?”);
- Logging: the recording of events (the “logs”), i.e., the collection and storage of traces useful for understanding what happened.
ACN has also published guidelines on the incident management process from a NIS2 perspective, which are useful for structuring roles and response phases.
Supply chain security
The supply chain is the set of suppliers, partners, and external services that enable an organization to operate. Many incidents originate from third parties: unprotected remote access, outdated software, or incorrectly configured cloud services.
This is why NIS2 pushes for minimum contractual requirements, supplier access control, and shared procedures in the event of an incident.
High-yield actions: where to start
To start a credible process without turning it into a never-ending project, it is useful to begin with a few high-yield actions:
- map critical services and key dependencies (cloud/suppliers/OT, if applicable);
- define roles, responsibilities, and availability (including after hours) with a clear escalation chain;
- prepare essential playbooks for the most common scenarios (ransomware, compromised credentials, data leaks);
- verify backup and recovery with a real test;
- strengthen logging and monitoring to reduce detection times and produce useful evidence;
- perform a tabletop simulation: a guided test, with no impact on systems, to verify decisions and communications.
How NIS2 came about
NIS2 is the evolution of the first NIS Directive (2016). In the years that followed, three factors prompted Europe to raise the bar on cybersecurity:
- accelerated digitalization (online and cloud services becoming increasingly central);
- more interconnected supply chains (suppliers and partners integrated into processes);
- growth in high-impact attacks, such as ransomware and third-party compromises.
Directive (EU) 2022/2555 therefore expanded the framework, strengthening governance, risk management, and incident response capabilities. In Italy, this framework was transposed into national law with Legislative Decree 138/2024.
What to expect from the future
Over the next two years, it is realistic to expect:
1) Greater focus on evidence: procedures, tests, drills, and recovery times will become increasingly important. It is not enough to “have a document”; you need to demonstrate that the processes work.
2) More demands on suppliers: even companies not directly within the scope of NIS2 may receive requests for minimum requirements from customers and public administrations (questionnaires, security SLAs, access controls).
3) A more “continuous” approach to cyber resilience: resilience becomes a cycle of assessing, protecting, monitoring, responding, and improving. This reduces the gap between regulation and operational reality.
Compliance with NIS2 means building sustainable security over time, combining organization and technology.
In this scenario, Olidata supports companies and public administrations with operation-oriented services: NIS2 assessment and compliance paths, governance support and strengthening incident detection and management capabilities.