Why European cybersecurity regulations matter for your business
Over the past five years, the European Union has rolled out an ambitious wave of cybersecurity legislation that is reshaping how companies of every size handle digital risk. For small and medium businesses operating in Italy and across Europe, these regulations are no longer something only large corporations need to worry about. They directly affect your operations, your supply chain relationships, and ultimately your bottom line.
According to the European Union Agency for Cybersecurity (ENISA), cyberattacks targeting SMBs increased by over 60% between 2021 and 2024. The reason is straightforward: attackers know that smaller companies often lack the defenses of larger enterprises, yet they frequently hold access to the same sensitive data and critical supply chains.
The EU’s response has been to create a regulatory framework that raises the security baseline for everyone — not just the big players.
The key regulations shaping the landscape
NIS2 directive
The Network and Information Security Directive 2 (NIS2), which EU member states were required to transpose into national law by October 2024, represents the single biggest shift in European cybersecurity compliance for SMBs. Unlike its predecessor, NIS2 dramatically expands the scope of businesses that fall under mandatory cybersecurity obligations.
Italy transposed NIS2 through Legislative Decree 138/2024, and the national cybersecurity agency ACN (Agenzia per la Cybersicurezza Nazionale) is the designated authority overseeing compliance. If your company operates in sectors like manufacturing, food production, waste management, digital services, or postal services — among many others — you are likely now classified as an “important entity” under NIS2.
The practical requirements include implementing risk management measures, reporting significant incidents within 24 hours of becoming aware of them, and ensuring your supply chain partners meet adequate security standards. Non-compliance can result in administrative fines of up to €7 million or 1.4% of global annual turnover for important entities.
DORA — Digital operational resilience act
If your business provides services to the financial sector or operates within it, the Digital Operational Resilience Act (DORA) has been fully applicable since January 2025. DORA sets strict requirements for ICT risk management, incident reporting, resilience testing, and third-party risk oversight.
What catches many SMBs off guard is the third-party dimension. Even if you are a small IT service provider or software vendor with financial sector clients, those clients are now obligated to ensure you meet DORA’s standards. This creates a cascading compliance effect that reaches well beyond banks and insurance companies.
Cyber resilience act
The Cyber Resilience Act (CRA), adopted in late 2024, targets manufacturers and distributors of products with digital elements. If your company develops software, sells IoT devices, or manufactures connected products, you will need to meet new security-by-design requirements throughout the product lifecycle.
The CRA introduces mandatory vulnerability handling processes and security updates for the entire expected lifetime of a product. For Italian SMBs in the manufacturing and technology sectors — which represent a significant portion of the national economy — this regulation demands a fundamental rethink of product development practices.
What this means in practice for Italian SMBs
The combined effect of these regulations creates a new operating reality. Here is what business owners and IT managers should focus on.
Risk assessment is no longer optional
Every regulation in the new European framework starts from the same premise: you must understand your risks before you can manage them. Conducting a formal cybersecurity risk assessment is now a baseline expectation, not a best practice reserved for security-conscious organisations. For many Italian SMBs, this means moving from informal, ad-hoc security measures to documented, repeatable processes.
Supply chain security is your responsibility
One of the strongest themes running through NIS2, DORA, and the CRA is supply chain accountability. Your cybersecurity posture is only as strong as your weakest vendor. European regulators now expect companies to assess and monitor the security practices of their suppliers and service providers. If a supplier’s breach affects your operations, the regulatory spotlight will fall on both parties.
For Italian SMBs that form part of larger European supply chains — particularly in automotive, aerospace, fashion, and food — expect your larger clients to start imposing contractual cybersecurity requirements backed by these regulations.
Incident reporting has strict timelines
Gone are the days when a company could quietly handle a breach without telling anyone. NIS2 requires an early warning within 24 hours of becoming aware of a significant incident, followed by a full notification within 72 hours. DORA imposes similar timelines for the financial sector. This means you need an incident response plan that your team can actually execute under pressure, not a document gathering dust in a shared folder.
Governance starts at the top
European regulators have made it clear that cybersecurity is a boardroom issue. Under NIS2, management bodies can be held personally liable for failing to oversee and approve cybersecurity risk management measures. Italian business owners and executives should ensure they receive regular cybersecurity briefings and understand the risks their organisations face.
How to start preparing today
The good news is that the European framework, while demanding, follows a logical structure. Here are concrete first steps for SMBs that have not yet started their compliance journey.
Determine which regulations apply to you. Map your business activities against the sectoral scope of NIS2, DORA, and the CRA. Many companies fall under more than one regulation.
Conduct a gap analysis. Compare your current security practices against the requirements. Focus on the areas with the largest gaps first — typically incident response, access management, and supplier oversight.
Invest in people, not just tools. Security awareness training for all employees remains one of the most cost-effective measures available. ENISA’s 2024 threat landscape report confirmed that human error continues to be involved in the majority of successful attacks.
Leverage national resources. ACN provides guidance and support specifically designed for Italian organisations adapting to the new regulatory environment. The CSIRT Italia (Computer Security Incident Response Team) also offers threat intelligence and incident support.
The European cybersecurity regulatory landscape is not going to simplify any time soon. But for SMBs that take a structured, proactive approach, compliance is entirely achievable — and the security improvements it drives will protect your business far beyond what any regulation requires.
Need support on this topic? Contact us for a free consultation — let’s assess your company’s situation together.