Compliance. Credibility. Competitiveness.

NIS2 Directive: it's time to get compliant

The NIS2 Directive is not just an obligation: it's an opportunity to make your business more secure and trustworthy. The operational obligations have been in effect since January 2026, so acting now is essential. AtWorkStudio, based in Piacenza, guides you through compliance with dedicated consulting and a free assessment based on NIST CSF 2.0, backed by a management system certified to ISO/IEC 27001, 27017, 27018 and ISO 9001.

Free online assessment

Is your business ready for NIS2?

Find out in 15 minutes with our assessment based on the NIST Cybersecurity Framework 2.0, the international standard for cyber risk management.

106 questions · Instant report · No commitment

2026 Operational Deadlines

NIS2 obligations are in effect: what to do now

The operational obligations of the NIS2 Directive have been active since 1 January 2026. Organisations classified as essential or important entities must comply immediately. Full compliance is required by October 2026. Penalties can reach 10 million euros or 2% of global turnover for essential entities, and 7 million euros or 1.4% for important entities.

Incident notification

Pre-notification within 24 hours to ACN/CSIRT Italia, formal notification within 72 hours and a final report within 1 month of the incident. Timelines are binding and violations are sanctionable.

Governance and accountability

The board of directors and management must directly approve and supervise cyber risk management measures. Responsibility is personal and cannot be delegated.

Business continuity

Business continuity and disaster recovery plans are mandatory, not optional. Organisations must ensure the resilience of essential services even in the event of a serious incident.

Supply chain risk

Organisations must assess risks from digital service providers and third parties. Supply chain security is an explicit requirement of the directive.

Expanded scope

NIS2 covers many more sectors and now includes medium-sized enterprises. Energy, transport, healthcare, digital infrastructure, public administration and many others must comply.

October 2026 deadline

Full compliance with all directive requirements is required by October 2026. Time to comply is limited: starting today means avoiding penalties and protecting your business.

EU Directive 2022/2555

What is the NIS2 Directive and who needs to comply

The NIS2 Directive is the European regulation that broadens cybersecurity obligations for organisations in essential and important sectors. Italy transposed it through D.Lgs. 138/2024, introducing requirements on risk management, incident reporting and security governance. Penalties can reach 10 million euros or 2% of global turnover.

NIST CSF 2.0 Assessment

We start with a free assessment based on the NIST framework to capture your current cyber maturity level. 106 questions, an instant report and a concrete action plan to close the gaps.

Consulting and implementation

We support you through risk analysis, security policy definition, incident management and staff training. A tailored path, from gap analysis to full compliance.

ISO 27001 Certifications

Our management system is certified to ISO/IEC 27001, 27017, 27018 and ISO 9001. We support you in achieving the certifications that demonstrate compliance and strengthen the trust of clients and partners.

NIS2 as an opportunity: strengthen your business and stay ahead of change

Contact us for dedicated consulting on NIS2 Directive compliance. We will guide you step by step through the compliance journey.