In recent years, for many industrial companies, digital transformation has not just been a matter of efficiency or automation: it has redefined the entire operational architecture. ERP, MES systems, real-time monitoring platforms, connectivity for logistics, smart devices, and IoT: everything integrates into a single digital network. But as the exposed attack surface grows, so does the cyber risk. And today, that risk no longer concerns only the IT department: it involves the supply chain, production, logistics, and operational continuity.
In 2024, Italy recorded over 3,500 serious cyberattacks, the highest number ever detected. The CLUSIT 2025 report makes it clear: cyber risk is real, growing, and no longer concerns only IT; it has direct effects on operational continuity, market trust, and the responsibility of administrators. The question is as simple as it is uncomfortable: if an attack blocks company systems for two days tomorrow, who is accountable? And can we demonstrate that we did everything possible to prevent it?
What is the NIS 2 Directive?
The NIS 2 Directive (Network and Information Security) is the new European regulatory framework that significantly raises cybersecurity requirements for many essential sectors: energy, healthcare, logistics, transport, digital services, manufacturing, and public administration. The objective? To reduce regulatory fragmentation between Member States and ensure a high common level of security across the EU. But the true paradigm shift is another: cybersecurity is no longer an IT problem but is fully placed among the strategic responsibilities of corporate governance.
Direct Responsibility of Administrators
NIS2 requires top management bodies to:
approve security policies;
oversee their implementation (with documented evidence);
follow periodic training to understand cyber risks and make informed decisions;
appoint key roles (CISO, Point of Contact, CSIRT Representative);
establish procedures for risk management, incident handling, business continuity, and supply chain security.
In the event of serious non-compliance, severe penalties are provided for, which in some European legal systems may also include personal liability (up to disqualification).
What Happens When Cybersecurity Fails?
The Capita plc Case (UK, 2023)
In 2023, Capita plc, one of the leading professional service providers in the United Kingdom, suffered a large-scale ransomware attack. The incident led to the compromise of critical business systems and the exfiltration of personal data belonging to approximately 6.6 million individuals. The consequences were severe: the temporary blocking of numerous corporate services and a deep reputational crisis. According to official estimates, the cost of remediation and incident management alone reached approximately 25 million pounds. This event showed that even established organizations and national-scale service providers can prove vulnerable to cyberattacks. It also underscores the importance of including cybersecurity among the evaluation criteria for external partners, and not just among internal protection measures.
Ransomware on Italian Companies (2024–2025)
In the two-year period 2024–2025, several large Italian companies in the manufacturing and logistics sectors were victims of particularly aggressive ransomware attacks. The consequences were severe: production plants halted, orders blocked, serious delivery delays, and, in many cases, the loss of sensitive data and strategic projects. These attacks demonstrate how fundamental it is for businesses to have up-to-date backups, segmented networks, and a solid security culture at all levels of the organization. A single weak point is enough to turn a cyberattack into a corporate crisis with significant economic and reputational impacts.
Organizational Culture Change
To be NIS 2 compliant, introducing new protective technologies is not enough: it is necessary to promote a pervasive security culture, starting from the top and involving the entire organization. Cybersecurity must become a stable element of decision-making processes: in the evaluation of new projects, in procurement choices, in operational continuity plans, and in innovation strategies. This culture change requires clear and consistent delegation models: administrators retain overall responsibility, but they must assign defined roles, tasks, and powers to technical and organizational figures, ensuring they receive comprehensible and timely information. The questions become very concrete: are our critical processes protected? Do we know which suppliers represent a risk? Are people trained to recognize a phishing attack or suspicious behavior?
Delegations, Organizational Models, and Processes
Compliance with NIS 2 implies the adoption of organizational models that make responsibilities, processes, and security decisions traceable. Among the requirements are, for example, risk analysis policies, incident management procedures, business continuity and disaster recovery plans, supply chain security measures, and structured training programs. In this context, the definition of effective operational delegations becomes central: top management must appoint designated persons and structures (e.g., CISO, Point of Contact, CSIRT Representative) with clear responsibilities, adequate resources, and a direct reporting line to the governing bodies. The entire system must be documented, periodically reviewed, and adapted to the evolution of threats and the technological context.
In a context where every system is connected and every corporate function is exposed, the ability to react to a cyberattack does not depend solely on technology. It depends on preparation and on the clarity with which roles, responsibilities, and priorities have been defined. True resilience is not built in an emergency, but in day-to-day operations. It is made of conscious choices, targeted investments, and a leadership that knows how to look beyond short-term efficiency to protect value over time. Because today, more than ever, security is not just a cost to be contained: it is a distinctive element of credibility and solidity.