The obligation is triggered and everyone pretends nothing happened

The Column – Cyber Security Week

It often happens like this: a regulatory obligation arrives on the calendar, makes a bit of noise, then vanishes like the intercom ringing at three in the morning. You hear it, it bothers you, but you convince yourself that someone made a mistake. On the NIS 2 front, many essential and important entities are doing exactly this: from 20 November they must update their data on the portal of our Cyber Security Agency, enter the CSIRT contact person, indicate their replacement and above all be sure that both have skills and real knowledge of their systems. A clear obligation, written in black and white, but which the vast majority is treating as an old memo stuck in the wrong drawer.

For large groups the problem is solved with the naturalness of those who already have structures, organization charts and skills at home. For the thousands of Italian SMEs, however, the issue is more like a balancing act. First question: who will it be? Not everyone has someone in the company who knows how the systems work in detail, much less a cybersecurity expert. Many will have to look for him beyond the company walls, hoping to find someone who is not just an “IT technician”, but also a figure capable of understanding procedures, operational continuity and incident management methods. It’s not about choosing a name: it’s about choosing a responsibility.

The second question is technical, but much more political than it seems. To be able to notify and meet the minimum requirements, a SOC worthy of NASA is not essential, but at least a proactive monitoring system and structured log recording are. Elementary things in 2025, yet not to be taken for granted in a production system where security often coincides with the pre-installed antivirus and a few passwords changed “when it is really necessary”. Here we see the fundamental fracture: economic Italy, dominant for creativity and resilience, seems allergic to the culture of control, and technology does not forgive this allergy.

The truth is that NIS 2 does not come as a surprise. For three years everyone has known how it would end: a country with an Agency that pushes – perhaps too quickly – towards robust European standards, and a production system that continues to postpone, as if time were a rubber band and not a thread that gets thinner every day. The sensation is that of trying to make a leap from rags to riches in the space of a breath. Ambitious, necessary, yet unbridgeable without long and constant preparation.

Here there is no moralism, but organizational mechanics: if you don’t see the danger, you don’t prepare; if you don’t prepare, you suffer it; if you suffer it, it hurts you. The rules, after all, serve to clarify what should be obvious, but which most people reject: knowing what you manage, and knowing what to do when something goes wrong. Simple in theory, much less so in practice.

Yet, this time too, we repeat the national ritual of “postponement”: we wait until the last minute, then we run, we make amends, we try to save what can be saved with the urgency of those who treat the emergency as a form of cultural identity. To be honest, this isn’t even procrastination anymore: it’s a sort of collective superstition, as if postponing an obligation could make it less real.

In the end, NIS 2 is not the issue. The problem is that many still have a parachute in their backpack, but don’t open it, convinced that the ground will move away on its own. Instead, as always, the opposite happens.