NIS2 and Disaster Recovery: the complete guide

What NIS2 demands on business continuity and DR. Article 21, Italian deadlines, penalties and a concrete checklist to reach compliance.

TL;DR

The NIS2 directive (Network and Information Security Directive 2, transposed in Italy via Legislative Decree 138/2024) imposes cyber risk management and business continuity measures on a much broader perimeter than the previous NIS. For Disaster Recovery, the key point is Article 21: measurable, tested, documented continuity plans. This guide covers exactly what NIS2 demands on the DR side, with which deadlines, which fines, and how to get there with realistic effort.

What NIS2 is and who it covers

NIS2 is European directive 2022/2555, replacing and broadening NIS. Italy transposed it with Legislative Decree 138/2024, in force since 16 October 2024. The penalty regime is progressive, fully active from 2026.

The perimeter is much wider than NIS:

  • 18 sectors (vs 7 under NIS) split into essential and important;
  • size thresholds (medium: 50+ employees or revenue > €10M);
  • supply chain: anyone providing IT services to a NIS2 entity is implicated.

ACN estimates 20,000-40,000 directly subject entities in Italy, with cascading effects on tens of thousands of suppliers.

Article 21: the technical core

Article 21 lists ten categories of measures NIS2 entities must adopt. The DR-relevant ones are:

  • risk analysis and IT security policies;
  • incident handling;
  • business continuity, including backup and recovery;
  • supply chain security;
  • cyber hygiene practices and training;
  • procedures to assess effectiveness of measures.

For DR this means 5 concrete pillars:

  1. written DR plan (not a spreadsheet — an approved document);
  2. measured RTO and RPO per critical process;
  3. off-site backup with integrity verification;
  4. periodic drills documented with measured times;
  5. notification procedures to the authority and supply chain.

Italian deadlines that matter

Three dates are the only ones worth memorising:

  • 18 October 2024 — entry into force of D.Lgs. 138/2024.
  • 1 January 2025 — registration window opens at ACN for essential and important entities. Registration requires identifying a cyber lead and critical systems.
  • 2026 fully effective — controls, audits and fines fully applied.

Check your status on the ACN portal. Late registration is among the first infractions to be fined.

The fines: real numbers

Administrative fines are significant:

  • essential entities: up to €10 million or 2% of global revenue, whichever is higher;
  • important entities: up to €7 million or 1.4% of global revenue.

The regulator can also impose service suspension or temporary disqualification of management. The latter is the one that hurts most in practice: no executive wants to be temporarily barred.

The seven DR controls NIS2 demands directly

As a compact checklist, on the DR side NIS2 Article 21 asks for:

  1. documented DR plan, approved by management, reviewed annually;
  2. RTO and RPO defined per critical process;
  3. backups verified for integrity (not just "they exist");
  4. off-site backups protected from privileged access;
  5. periodic restore drills, documented with measured times;
  6. failover runbooks for each critical service;
  7. incident notification procedure (24h, 72h, final).

If any of these seven is missing, the audit fails.
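Items 2, 3 and 5 of this checklist (and pillars 2 to 4 of the earlier list) are the controls that have to leave measurable evidence behind: a restore that is checked against what was backed up, and an RTO/RPO that is measured, not asserted. The following is an added example, not code from the article or from Sefthy, showing one way to produce that evidence: a SHA-256 manifest written at backup time is checked against the restored files, the drill's RTO and RPO are computed from timestamps and compared with per-process targets, and the 24h/72h/final notification deadlines are derived from the detection time. The file names, timestamps, targets, manifest format and the 30-day approximation of "one month" are constructed assumptions.

```python
"""Evidence generation for the DR controls of NIS2 Article 21.

Added example, not code from the article or from Sefthy. File names,
timestamps, RTO/RPO targets and the manifest format are constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, taken_at: datetime) -> dict:
    """Written at backup time: the backup timestamp plus one SHA-256 per file.
    Keep it with the off-site copy so a restore can be checked against it."""
    return {"taken_at": taken_at.isoformat(),
            "files": {name: sha256_hex(data) for name, data in files.items()}}


def verify_restore(manifest: dict, restored: dict) -> list:
    """Names of files that are missing after the restore or whose hash differs
    from the manifest. An empty list means the restore matches what was backed
    up, which is the "verified for integrity" evidence rather than "backups exist"."""
    failures = []
    for name, expected in manifest["files"].items():
        data = restored.get(name)
        if data is None or sha256_hex(data) != expected:
            failures.append(name)
    return sorted(failures)


@dataclass
class DrillResult:
    process: str
    rto_target: timedelta
    rpo_target: timedelta
    rto_measured: timedelta      # declaration -> service restored
    rpo_measured: timedelta      # last verified backup -> declaration
    integrity_failures: list

    @property
    def passed(self) -> bool:
        return (not self.integrity_failures
                and self.rto_measured <= self.rto_target
                and self.rpo_measured <= self.rpo_target)


def run_drill(process: str, manifest: dict, restored: dict,
              declared_at: datetime, restored_at: datetime,
              rto_target: timedelta, rpo_target: timedelta) -> DrillResult:
    """Turn the timestamps of one restore drill into a pass/fail record per process."""
    taken_at = datetime.fromisoformat(manifest["taken_at"])
    return DrillResult(process, rto_target, rpo_target,
                       rto_measured=restored_at - declared_at,
                       rpo_measured=declared_at - taken_at,
                       integrity_failures=verify_restore(manifest, restored))


def notification_deadlines(detected_at: datetime) -> dict:
    """24h early warning, 72h full notification, final report one month after
    the full notification (approximated here as 30 days; adapt to the
    authority's exact rule)."""
    full = detected_at + timedelta(hours=72)
    return {"early_warning": detected_at + timedelta(hours=24),
            "full_notification": full,
            "final_report": full + timedelta(days=30)}


# --- constructed sample data ------------------------------------------------
ORIGINAL_FILES = {
    "db/orders.sql": b"INSERT INTO orders VALUES (1, 'paid');\n",
    "cfg/app.yaml": b"listen: 0.0.0.0:8443\n",
}
SAMPLE_TAKEN_AT = datetime(2025, 3, 1, 22, 0, tzinfo=timezone.utc)
MANIFEST = build_manifest(ORIGINAL_FILES, SAMPLE_TAKEN_AT)
# A copy in which one file was altered after backup (e.g. corrupted at rest).
TAMPERED_FILES = dict(ORIGINAL_FILES)
TAMPERED_FILES["db/orders.sql"] = b"INSERT INTO orders VALUES (1, 'void');\n"
SAMPLE_DECLARED_AT = datetime(2025, 3, 2, 9, 0, tzinfo=timezone.utc)
SAMPLE_RESTORED_AT = datetime(2025, 3, 2, 9, 47, tzinfo=timezone.utc)


def sample_drill(restored: dict = ORIGINAL_FILES) -> DrillResult:
    """Drill for the 'order-processing' process: RTO target 1h, RPO target 24h."""
    return run_drill("order-processing", MANIFEST, restored,
                     SAMPLE_DECLARED_AT, SAMPLE_RESTORED_AT,
                     rto_target=timedelta(hours=1), rpo_target=timedelta(hours=24))


if __name__ == "__main__":
    for label, files in (("clean restore", ORIGINAL_FILES),
                         ("tampered restore", TAMPERED_FILES)):
        r = sample_drill(files)
        print(f"{label}: RTO {r.rto_measured} RPO {r.rpo_measured} "
              f"failures={r.integrity_failures} passed={r.passed}")
    for stage, when in notification_deadlines(SAMPLE_DECLARED_AT).items():
        print(f"{stage}: {when.isoformat()}")
```

The drill record is what an auditor is actually asking for under items 2, 3 and 5: a per-process RTO/RPO target, the value measured in a dated drill, and proof that the restored data matched the backup. The tampered case shows why hashing matters: the restore completes within the RTO, but the drill still fails because one file no longer matches the manifest.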

Incident notification: 24h, 72h and final

NIS2 introduces a three-stage notification:

  • 24 hours from the event: early warning to CSIRT-Italia;
  • 72 hours from the event: full notification with known data;
  • one month later: final report with root cause and corrective actions.

For DR this means having an early-warning template ready and a clear chain of responsibility for who files.

Mapping to ISO 27001:2022

Good news: organisations already ISO 27001:2022 certified have about 80% of the NIS2 controls. Mapping is almost 1-to-1 against Annex A:

  • A.5.30 → business continuity (NIS2 art. 21 c);
  • A.5.24-5.28 → incident handling (NIS2 art. 21 b);
  • A.5.19-5.23 → supply chain (NIS2 art. 21 d);
  • A.6.3 → training (NIS2 art. 21 g).

The missing 20% is usually formal documentation and notification procedures.

What to do in the first 90 days

A realistic plan to become "NIS2-ready":

  • days 1-15: initial assessment, identify cyber lead, register with ACN.
  • days 16-45: BIA, define RTO/RPO, draft continuity policy.
  • days 46-75: backup verification, gap analysis on missing controls, draft runbooks.
  • days 76-90: first documented DR drill, staff training, review of IT supplier contracts.

In 90 days a typical company reaches a level sufficient to clear an initial inspection.

Sefthy and NIS2

Sefthy is designed to directly cover points b, c, d, e of Article 21:

  • encrypted, verified off-site backups (DeepVerify);
  • documented failover with measured RTO at every drill;
  • multi-tenant with network segregation (relevant for supply chain);
  • exportable PDF evidence for audits.

Data stays in Italy, on a sovereign cloud. For essential entities this is a critical point.

FAQ

Who is not subject to NIS2 in Italy?

Micro-enterprises (under 10 employees and €2M revenue) are out, except in specific sectors (public administration, telecommunications, trust services, TLD registries). Even when excluded directly, they often serve as "suppliers" to subject entities: the supply chain pulls most MSPs back in.

If I am already ISO 27001 certified, am I NIS2-compliant?

Almost. ISO 27001:2022 covers 80%. Formally missing are the CSIRT notification procedure and some specific evidence on vulnerability management.

Do I need to register if I am only a supplier?

Only if you are listed in one of the 18 sectors. Otherwise your NIS2 customer will request attestations and SLAs from you, but you do not register directly.

How much does compliance cost?

For an Italian SMB with decent existing backups, €15-30k one-off plus DR fees. Starting from scratch, €50-80k plus fees.


Want to see how Sefthy maps to NIS2 controls? Read Sefthy and NIS2 compliance or download our NIS2 audit checklist.

Want to see Sefthy in action?

Same IP, same subnet, RTO in minutes. Try it free for 7 days or talk to one of our specialists.