
NIS2 for SMEs: What Your Business Must Do Before October 2026

March 5, 2026 · Team Ivemind

357 serious cyberattacks in Italy in 2024, up 15% in one year. Is your SME ready for NIS2?

In 2024, Italy suffered 357 serious cyberattacks, 15.2% more than in 2023. And in the first half of 2025 the situation worsened: 280 attacks in just 6 months, while the global average reached a historic record of 15 serious incidents per day. The average cost of a data breach in Italy? EUR 4.37 million.

But the most alarming figure concerns SMEs: 75% of cybercrime cases in the Italian private sector target small and medium businesses. And over 50% of Italian SMEs are unprepared to face these threats.

The European NIS2 Directive, transposed in Italy through Legislative Decree 138/2024, imposes new cybersecurity obligations on thousands of Italian companies. The deadline for security measures is October 2026. In this guide, we explain what you need to do, when, and how to protect yourself — with real numbers and without unnecessary jargon.

What is NIS2 and why it concerns your SME too

NIS2 is the European directive on network and information system security. It replaces the previous NIS from 2016, enormously expanding the number of companies involved and the penalties imposed.

In Italy, it was transposed through Legislative Decree 138/2024, in force since 16 October 2024. The competent authority is the ACN (National Cybersecurity Agency), which manages the registry of subject entities and inspection activities.

Who is involved

NIS2 applies to 18 critical sectors, divided into two categories:

Essential entities (highly critical sectors):

  • Energy (electricity, gas, oil, hydrogen)
  • Transport (air, rail, maritime, road)
  • Healthcare (hospitals, pharmaceuticals, medical devices)
  • Drinking water and wastewater
  • Digital infrastructure (cloud, data centres, DNS, telecommunications)
  • Banking and financial markets
  • Public administration
  • Space

Important entities (other critical sectors):

  • Postal and courier services
  • Waste management
  • Chemical and food industries
  • Manufacturing (medical devices, electronics, machinery, vehicles)
  • Digital providers (marketplaces, search engines, social networks)
  • Research

Size thresholds

Generally, NIS2 applies to companies with at least 50 employees or EUR 10 million in turnover. But beware: smaller SMEs are still involved if they are critical suppliers to essential or important entities.

The supply chain effect

This is the point many SMEs underestimate. NIS2 requires regulated entities to assess and monitor the cybersecurity of their entire supply chain. In practice: if you supply a company subject to NIS2, you'll need to demonstrate adequate security measures — or risk being excluded from the supply chain.

For South Tyrolean manufacturing SMEs working as subcontractors — a quarter of global manufacturing attacks targeted Italian companies in 2024 — this isn't a theoretical issue.

The deadlines you need to know

NIS2 has a precise calendar of obligations. Here are the key dates still ahead.

  • January 2026 — the incident notification obligation takes effect. From this date, subject entities must notify CSIRT Italia of significant incidents within 24 hours (early warning) and 72 hours (detailed notification), with a final report within 30 days
  • January-February 2026 — annual registration window on the ACN platform for new entities
  • June 2026 — deadline for the first compliance audit
  • October 2026 — deadline for adopting security measures — technical, operational, and organisational (18 months from notification of inclusion in the entity list)

If your company is on the ACN list, the countdown has already begun.

Checklist: what your business must do

Here are the concrete actions to take to be prepared by the October 2026 deadline.

Risk analysis and gap assessment

The first step is understanding where you stand today. A gap assessment identifies current vulnerabilities in your information systems, comparing them with NIS2 requirements. Without this analysis, any security investment risks being misdirected. The assessment should cover: IT infrastructure, processes, personnel, suppliers, and emergency plans.

Website and application security

Your website and applications are the most exposed attack surface. Updated SSL certificate, DDoS protection, web application firewall, regular software updates — these are the bare minimum. If your site lacks these basic protections, it's the first intervention to make.

Data protection and backup

NIS2 requires concrete data protection measures: encryption, access controls, regular backups with recovery testing. GDPR already required many of these measures for personal data — NIS2 extends them to all critical information systems in the company.

Incident response plan

It's not a question of if, but when you'll face an attack. The response plan defines: who does what in the first 24 hours, how to contain the incident, how to notify CSIRT, how to communicate with customers and suppliers, how to restore services. Without a tested plan, a manageable incident becomes a crisis.

Staff training

86% of attacks in Italy are financially motivated, and most begin with a phishing email or human error. Training isn't optional: NIS2 makes it an explicit obligation for both employees and management. Company leadership must approve the security measures and is personally responsible for their implementation.

Supply chain security

NIS2 requires you to assess and manage cyber risks across your entire supply chain. This means: verifying the security practices of your critical suppliers, including security clauses in contracts, and monitoring them over time. And if you're the supplier, be prepared to demonstrate your compliance to your clients.

Not sure if your business complies with NIS2? Ivemind offers a free initial consultation to assess your situation and identify intervention priorities. Let's talk →


Penalties for non-compliance

NIS2 penalties are severe and progressive. And unlike many previous regulations, they also affect individuals.

Financial penalties

  • Essential entities — up to EUR 10 million or 2% of global turnover (whichever is higher). Minimum fine: EUR 500,000
  • Important entities — up to EUR 7 million or 1.4% of global turnover. Minimum fine: approximately EUR 233,000
  • Repeated violations — penalties can be tripled

Personal liability of directors

This is the real novelty of NIS2 in Italy. Article 23 of Legislative Decree 138/2024 establishes that CEOs and company executives are personally responsible for compliance with security measures. This responsibility is direct and non-delegable.

In case of non-compliance, directors may face temporary suspension from exercising their functions. It's no longer just an IT issue — it's a matter of corporate governance.

GDPR and NIS2: how they connect

If your company is already GDPR compliant, you have a solid foundation for NIS2. The two regulations share many requirements — but with important differences.

  • Different focus — GDPR protects personal data; NIS2 protects the resilience of networks and information systems
  • Incident notification — GDPR requires notification to the Data Protection Authority within 72 hours; NIS2 requires an early warning within 24 hours, a detailed notification within 72 hours, and a final report within 30 days, all to CSIRT
  • Penalties — GDPR goes up to 4% of turnover; NIS2 up to 2%, but adds personal liability for directors
  • Supply chain — GDPR requires data processing agreements; NIS2 requires comprehensive cyber risk management across the supply chain

The most efficient approach? An integrated framework satisfying both regulations: unified risk assessment, shared response procedures, common security controls (encryption, access, monitoring), centralised vendor management.

Funding for cybersecurity

Complying with NIS2 is an investment — and can benefit from significant grants. The good news: in 2026 there are more opportunities than ever.

  • Cloud and Cybersecurity Voucher 2026 — non-repayable grant up to 50%, maximum EUR 20,000, for cybersecurity and cloud infrastructure investments. The application window is open from 4 March to 23 April 2026. Available to SMEs and self-employed workers
  • Province of South Tyrol — grant up to 60% non-repayable on digitalisation projects between EUR 2,000 and EUR 15,000. From 2026 the budget rises to EUR 3.5 million per year. Cybersecurity investments qualify as digitalisation
  • Bolzano Chamber of Commerce — digitalisation vouchers for micro, small, and medium enterprises based in South Tyrol

With the national voucher, a EUR 20,000 cybersecurity project can cost you just EUR 10,000. For full details on available funding, read our complete guide on non-repayable grants for small businesses in South Tyrol.

Where to start: the first 3 steps

You don't need to do everything at once. But you need to start now. Here are the first 3 concrete steps.

1. Check if you're subject to NIS2

Verify whether your company falls within the 18 critical sectors and exceeds the size thresholds (50+ employees or EUR 10M+ turnover). Even if you're smaller, check if you're a critical supplier to subject entities — in that case you may have equivalent contractual obligations.

2. Conduct an initial assessment

Analyse your current situation: what security measures do you already have? Where are the gaps? How much time and budget are needed to address them? A professional assessment gives you a clear roadmap with priorities — instead of spending blindly.

3. Invest in the basics first

Foundations first, then the rest: secure and tested backups, regular software updates, basic staff training, incident response plan. These interventions cost relatively little and cover 80% of risks. Advanced measures can wait for the second phase.

Ivemind: your partner for digital compliance

Ivemind is a social cooperative and innovative startup based in Bolzano, South Tyrol. We help South Tyrolean and Italian SMEs build a secure, compliant digital presence — from websites to infrastructure, from cybersecurity to training.

We don't sell fear. We build practical solutions to protect your business and satisfy regulatory requirements, without disrupting how you work.

With Ivemind you get:

  • Security assessment — we analyse your systems and identify intervention priorities
  • Secure websites — development with security best practices, SSL certificates, DDoS protection
  • Protected hosting — secure infrastructure with automatic backups, monitoring, and updates
  • Training — practical sessions for your team on phishing, passwords, basic security
  • GDPR and NIS2 consulting — integrated approach to satisfy both regulations
  • Grant assistance — we guide you through accessing non-repayable cybersecurity funds

We've helped 47+ companies and organisations build their digital presence, with 100% client satisfaction. 60% of our profits are reinvested in social inclusion projects.

Contact us for a free consultation or discover our IT consulting and secure web development services.

Team Ivemind