Board Training NIS2
Level 1

LESSON 1 – THE REGULATORY ENVIRONMENT
This lecture explores the evolution of the cybersecurity regulatory framework from 2010 to the recent NIS2 Directive. It analyzes the key stages of regulation in Italy and highlights the shift from protecting critical infrastructure to safeguarding the entire European production system, illustrating the main differences between NIS and NIS2 and the new obligations for critical market players.

LESSON 2 – THE NIS2 DIRECTIVE (PART I)
This lecture analyzes the contents of the NIS2 Directive, which introduces new obligations for companies and public bodies, while also defining the reasons why the EU intervened to overcome some of the limitations of the previous NIS Directive, often related to the extreme discretion that was left to member states. A summary overview of regulated entities is also provided, distinguishing between essential and important entities.

LESSON 4 – THE NIS2 DIRECTIVE (PART III)
This lesson provides timely elements related to the multi-hazard approach, which includes physical, human and technological hazards. Emphasis is then placed on how incidents are reported. Finally, special attention is paid to the penalty framework, which is particularly severe, and this is for both essential and important actors.

LESSON 5 – RECEPTION OF NIS2
This lesson is devoted to an in-depth study of the provisions of Legislative Decree 138/2024, as the legislation transposing the NIS2 Directive. The lesson analyzes the elements of specificity introduced by the Italian legislature, outlines the roles and responsibilities of those involved, and illustrates the consequences for non-compliance, including the administrative sanctions provided.

LESSON 1 – THE CYBER RISK
Managing cyber risk, an integral part of business operations, requires assessing and mitigating risks from digital vulnerabilities intentionally exploited by malicious actors. Risk reduction is based on two dimensions: lowering the likelihood of an attack through prevention and awareness, and limiting the impact through resilient assets and technological best practices.

LESSON 2 – CYBER RISK ANALYSIS
Risk analysis is critical to understanding threats, probabilities and impacts, and defining countermeasures. Following standards such as ISO or NIST, it consists of six steps: identifying the context and risks, analyzing them, setting priorities, preparing responses, and continuously monitoring. The main output is the Risk Register, which maps cyber and non-cyber risks, essential for multi-risk security strategies as required by NIS2.

LESSON 4 – SECURITY CONTROLS
Security incident management relies on the analysis of logs generated by digital infrastructure to identify and prevent critical situations. The Security Operations Center (SOC) processes alerts through a structured operational flow consisting of three phases: preliminary analysis, detailed analysis, and definition of containment and remediation actions. The use of Artificial Intelligence (AI) helps reduce false positives, improving operational efficiency.

LESSON 5 – THE DAMAGE
Impact represents the damage caused by an adverse event, which can be classified into direct, liability, indirect, and consequential. In cyber risk, damages are divided into own (business interruption, systems restoration, incident management) and third-party (litigation, data breaches). While tangible damages are more easily estimated, intangible damages require complex assessments.

LESSON 2 – THE MAIN TECHNIQUES OF ATTACK
Cyber attack techniques include malware, vulnerability exploitation, and Distributed Denial of Service (DDoS) attacks. Malware, including zero-day, exploits unknown vulnerabilities, while vulnerabilities exposed on the Internet allow data to be stolen and privileged access to be gained, often through social engineering. DDoS overloads infrastructure or applications, rendering them unserviceable.

LESSON 3 – VULNERABILITIES
Vulnerabilities pose a risk only if they are not mitigated by technical or procedural controls. Their life cycle goes through four phases: discovery, disclosure, countermeasure identification, and enforcement, with the first two being particularly critical. Effective vulnerability management requires an industrialized process based on constant updates, comprehensive asset inventories, and a prioritized strategy.

LESSON 1 – CEO SCAM
A cyber criminal compromises or falsifies the email of the CEO or another Board member and sends an urgent email to the CFO or a financial executive, ordering a transfer of millions to a foreign account.

LESSON 2 – RANSOMWARE ATTACK WITH BLACKMAIL
A leading energy company suffers a ransomware attack that locks down IT systems and cripples operations. Criminals threaten to publish sensitive Board data if the ransom is not paid.

LESSON 4 – DATA BREACH
A targeted attack steals financial and personal data of Board members. The press learns about it and the company suffers reputational damage, in addition to risks for non-compliance with NIS2 and GDPR.