NIS2: Where do Italian Companies stand?

The NIS2 Directive came into force in Italy in October 2024. Yet, one year later, the picture remains concerning: thousands of companies have not yet started a concrete compliance plan.

Estimates put the number of Italian organizations involved at 14,000–16,000, spanning finance, energy, healthcare, industry, and digital infrastructure. This highlights the systemic scope of the directive, yet only a fraction of these companies have allocated budgets, skills, and governance aligned with the regulatory requirements. For many, the risk is remaining unprepared at a time when digital resilience is no longer optional but an operational obligation.

The Numbers Behind the Delay

Declared optimism hides a very different reality. According to a study by Zscaler, 77% of Italian IT leaders believe they will meet compliance deadlines, but less than half (48%) state they fully understand the directive’s requirements. The gap between perception and actual awareness is evident.

Operational maturity is also critical: only 23% of Italian companies rate their security practices as “excellent,” while across EMEA 66% of organizations admit they will not meet deadlines. Italy mirrors this broader trend, where delays are aggravated by fragmented investments.

On average, companies spend around €1.4 million annually on cybersecurity, but most of this is dispersed across disconnected tools and initiatives, rather than being channeled into a structured NIS2-ready strategy. This lack of governance and integration is one of the main reasons why compliance remains out of reach.

Our Numbers

In recent months, we administered a questionnaire dedicated to NIS2 to leading Italian companies, with the aim of capturing the real state of progress towards compliance in each of the regulation's specific thematic areas.

The survey involved about 150 organizations belonging to the sectors affected by the directive, such as finance, insurance, energy & utilities, retail and manufacturing. The study did not stop at asking “are you compliant or not?”, but analyzed in detail the level of maturity in critical areas such as governance, asset management, incident response and supply chain security.

From the analysis of the responses, a clear picture emerged: many companies have started compliance paths, but the distance between “partial compliance” and “full compliance” remains significant. From the questionnaire we derived the scenario below, with a summary for each thematic area on three levels of compliance (Critical, Partial and Compliant) that allow an at-a-glance assessment of where Italian companies currently stand.

Legend: 🟢 Compliant 🟡 Partial 🔴 Critical

Governance and Risk Management

The heart of NIS2 is risk governance, but the data show a clear delay: 77.3% of companies are limited to partial initiatives and only 13.6% have reached compliance. This means that most companies do not yet have a structured model to integrate cyber risk into strategic decisions. It is a critical gap, because without solid governance the entire organization remains vulnerable, regardless of the technical tools adopted.

Technical and Organizational Measures

Almost half of the companies (45.5%) are in an intermediate phase, but it is striking that more than a quarter (27.3%) are still in a critical state. The same value (27.3%) represents the companies already compliant, a sign that there is a strong divide in the market: some organizations have started a structured path, others instead remain exposed. NIS2 makes these measures mandatory, and their lack of implementation is not only a compliance problem, but one of overall resilience.

Supply Chain Security

Supplier management is the weakest link in the chain: more than a third of companies (36.4%) are in a critical state and half (50%) have only partially addressed the issue. Only 13.6% have implemented adequate controls. This data confirms how the supply chain is a privileged entry point for cyberattacks and how the directive insists on the need to extend security beyond corporate boundaries. Ignoring this area means multiplying risks throughout the entire operational ecosystem.

Incident Management

The ability to detect and respond promptly to incidents is central to NIS2, but the numbers are alarming: only 4.5% of companies are compliant, while 68.2% remain at a partial level and 27.3% in full criticality. This means that, in the event of an attack, most organizations would not be able to properly manage the crisis nor comply with the notification obligations required by the directive. It is a direct risk not only for business continuity, but also for corporate credibility on the market.

Business Continuity

Business continuity is an operational obligation imposed by the directive, but here the numbers are clear: 45.5% critical, 45.5% partial, only 9.1% compliant. Many companies still do not have continuity plans that are truly tested and updated. This is particularly serious, because a prolonged interruption of essential services does not only result in economic losses, but also in social and reputational damage, difficult to recover.

Training and Awareness

It is the area that records the best result in terms of compliance: 40.9% of companies are compliant and more than half (54.5%) are in a partial state. Only 4.5% are critical. This shows that companies have understood the importance of the human factor and are investing in awareness programs. However, training must evolve from sporadic activities to continuous paths, to transform awareness into a true culture of security.

Monitoring and Audit

Constant monitoring and regular audits are the basis of a resilient model. In Italy, however, the situation is still uneven: 45.5% partial, 27.3% compliant and 27.3% critical. This means that many companies have introduced control tools, but without the necessary regularity and depth. NIS2 requires a structured and systematic approach, because only through periodic checks is it possible to identify and correct vulnerabilities before they become incidents.

Why this Delay?

The difficulties in adapting to NIS2 do not depend only on technology, but above all on culture and organization. In many Italian companies, top management is still not fully aware of the strategic importance of cybersecurity, which continues to be treated as a technical issue to be delegated to IT instead of as a lever of governance capable of affecting operational continuity, reputation and competitiveness.

To this is added a lack of specialized internal skills. Translating the requirements of the directive into structured processes and keeping them updated requires qualified professionals and continuous training, resources that not all organizations already have in their workforce.

The situation is further complicated on the supply chain front, which is often not completely mapped. Without a clear view of the suppliers and third parties involved, risk extends along the entire chain, precisely where NIS2 requires thorough control.

Finally, a reactive rather than proactive approach still prevails: action is taken after the incident, instead of working on prevention, constant monitoring and immediate response. This attitude contrasts with the very philosophy of the directive, which is designed to build resilience before the crisis manifests itself.

The real risks of non-compliance

Ignoring or postponing adaptation to NIS2 is not a neutral option: it means exposing oneself to consequences that can compromise the very solidity of the organization.

The first risk is economic. The directive provides for fines of up to 2% of annual global turnover for essential entities: a penalty capable of eroding margins and putting pressure on budgets, especially when compared to the often lower cost of implementing a structured compliance plan.

To the financial damage is added the reputational one. In a market where trust is the most fragile asset, a data breach not managed correctly or a late notification can undermine relationships built over years and compromise credibility with customers, partners and investors. Recovering this trust, once lost, is a long and uncertain process, which in many cases leaves permanent scars.

The third front is that of operational continuity. The directive was created precisely to prevent interruptions which, in critical sectors such as energy, finance or healthcare, have an immediate impact not only on the company, but on the entire economic and social system. Incidents that could have been contained with NIS2 measures risk instead turning into prolonged crises, with exponential costs in terms of productivity and service.

Ultimately, failure to comply with NIS2 does not only translate into heavy fines: it puts at stake economic stability, market reputation and the very ability to guarantee continuity of services. It is a challenge that no organization can afford to underestimate.

NIS2 has moved cybersecurity from the technical perimeter to the heart of corporate governance. It is no longer an IT requirement, but a responsibility that directly involves top management, because it affects the ability to guarantee continuity, protect reputation and maintain market trust.

Acting now means reducing the risk of sanctions, but above all transforming a regulatory obligation into a competitive advantage. Organizations that know how to anticipate compliance will demonstrate solidity and reliability in a context increasingly sensitive to digital resilience.

In a landscape where interruptions are no longer exceptions but part of normality, the difference will not be between those who suffer an incident and those who do not, but between those who will be able to continue operating without stopping.

Conclusion

The data collected clearly show how the path towards NIS2 compliance is still incomplete and how urgent it is to close the gap. Not complying means exposing oneself to sanctions, reputational damage and operational interruptions that the directive is designed to prevent.

For this reason, we have kept our questionnaire active, a practical tool to assess the level of alignment of your organization and identify the areas on which to intervene.

By completing it, you will also be able to access a dedicated call with our experts, to transform the analysis into a concrete first step towards alignment.

👉 Fill out the questionnaire.
