One step ahead: mapping the Italian and German cybersecurity laws against the proposal for a NIS2 directive

With the COVID-19 pandemic accelerating digital transformation of the Single Market, the European Commission also speeded up the review of the first piece of European Union (EU)-wide cybersecurity legislation, the NIS Directive. Originally foreseen for May 2021, the Commission presented the review as early as December 2020 together with a Proposal for a NIS2 Directive. Almost in parallel, some Member States strengthened (or adopted) national laws beyond the scope of the NIS Directive to respond adequately to the fast-paced digital threat landscape. Against this backdrop, the article investigates the national interventions in the field of cybersecurity recently adopted by Italy and Germany. In order to identify similarities and divergences of the Italian and German national frameworks with the European Commission’s Proposal for a NIS2 Directive, the analysis will focus on selected aspects extrapolated from the Commission Proposal, namely: i) the enlarged scope; ii) detailed cybersecurity risk-management measures; iii) more stringent supervisory measures; and, iv) stricter enforcement requirements, including harmonised sanctions across the EU. The article concludes that the national cybersecurity legal frameworks under scrutiny already match the core of the proposed changes envisaged by the NIS2 Proposal.