# NIS2
The EU NIS2 Directive (in force since 18 October 2024) extends cybersecurity obligations to a much broader set of entities than the original NIS — including most medium-sized businesses in critical sectors. Italy transposed it via D.Lgs. 138/2024.
NIS2 is process-heavy. Fenrir helps with the technical evidence part; the governance part (board accountability, supplier risk management, training) is your organization's responsibility.
## Article 21 — risk management measures
Article 21(2) lists ten categories of measures every essential or important entity must implement. Fenrir covers parts of these:
| Article 21(2) measure | Fenrir contribution |
|---|---|
| (a) Risk analysis & infosec policies | Daily compliance audit + event log = inputs for the risk register |
| (b) Incident handling | AI investigation pipeline = Tier-1 incident triage |
| (c) Business continuity & crisis management | Breach tracker + alert escalation; backup/DR is your stack |
| (d) Supply chain security | Out of scope — track via your vendor management program |
| (e) Security in acquisition, development, maintenance | Out of scope — Fenrir runs on your infra, doesn't audit your SDLC |
| (f) Effectiveness of measures | Daily compliance audit produces the evidence |
| (g) Cyber hygiene & training | Out of scope — your HR/training program |
| (h) Cryptography & encryption | TLS check, disk encryption check, PII anonymizer for cloud LLM calls |
| (i) HR security, access control, asset management | Partial — auth_monitor, baseline_monitor for users; not a full IAM |
| (j) MFA, secure communications | Out of scope — your IAM stack (Authentik, Keycloak, Okta, ...) |
Roughly: Fenrir is a strong tool for (b), (c), (f), (h) and gives you partial evidence for (a), (i). The other measures need separate processes/tools.
## Article 23 — incident reporting
NIS2 mandates a tiered notification process for significant incidents:
- Early warning within 24h of becoming aware
- Incident notification within 72h with initial assessment
- Final report within 1 month with root cause and corrective actions
Fenrir helps you meet these deadlines via:
- Detection latency: HIGH events are flagged within seconds. The 24h clock starts when your team is aware — Fenrir's Telegram alert IS that awareness in most cases.
- Initial assessment: the AI investigation runs in 30-90 seconds and writes a structured report (severity, summary, IOCs, recommended actions). That's the substance of the 72h notification.
- Final report: the persisted `investigation_reports.raw_llm_output` plus the timeline of events gives you the audit trail for the 1-month report.
What Fenrir doesn't do (yet): submit the notification to your CSIRT directly. In Italy that's the ACN incident form (CSIRT Italia). Fenrir produces the content; you submit it.
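As an added example (not Fenrir's own code), a small tracker that derives the three Art. 23 deadlines from the awareness timestamp in an event timeline and lists the stages that are overdue; the timeline below is constructed, and its field names (`ts`, `event`, `source`) and the "1 month" = one calendar month reading are assumptions.

```python
from datetime import datetime, timedelta
import calendar

# Constructed sample timeline in the shape a Fenrir event log might take (field names are assumptions).
SAMPLE_TIMELINE = [
    {"ts": "2025-01-31T22:14:05+00:00", "event": "HIGH: repeated failed logins from 203.0.113.7", "source": "auth_monitor"},
    {"ts": "2025-01-31T22:14:09+00:00", "event": "Telegram alert sent", "source": "alerting"},
    {"ts": "2025-01-31T22:15:20+00:00", "event": "investigation report written", "source": "ai_investigation"},
]


def add_one_month(dt):
    # Advance by one calendar month, clamping the day so 31 Jan -> 28 Feb rather than raising.
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def awareness_time(timeline):
    # The Art. 23 clock starts when the team becomes aware; the page treats the Telegram alert as that moment.
    for ev in timeline:
        if ev["source"] == "alerting":
            return datetime.fromisoformat(ev["ts"])
    raise ValueError("no alert event in timeline; awareness time must be set manually")


def nis2_deadlines(aware_at):
    # Early warning 24h, incident notification 72h, final report 1 month after awareness.
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "incident_notification": aware_at + timedelta(hours=72),
        "final_report": add_one_month(aware_at),
    }


def overdue_stages(timeline, now, submitted=()):
    # Stages whose deadline has passed and for which no submission has been recorded.
    deadlines = nis2_deadlines(awareness_time(timeline))
    return [stage for stage, due in deadlines.items() if now > due and stage not in submitted]


if __name__ == "__main__":
    now = datetime.fromisoformat("2025-02-02T09:00:00+00:00")
    for stage, due in nis2_deadlines(awareness_time(SAMPLE_TIMELINE)).items():
        print(f"{stage}: due {due.isoformat()}")
    print("overdue:", overdue_stages(SAMPLE_TIMELINE, now))
```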
## Article 24 — voluntary information sharing
Fenrir's threat intelligence module already keeps a local cache of bad IPs. Future versions may integrate with MISP or AbuseIPDB for outbound contribution under Art. 24.
## Penalties (in case you need to motivate the budget)
- Essential entities: up to €10M or 2% of worldwide turnover, whichever is higher
- Important entities: up to €7M or 1.4%
- Personal liability: management bodies can be held personally accountable for non-compliance
For an Italian SMB classified as "important entity" with €5M turnover, that's potentially €70-100k in fines. For comparison, a Fenrir Premium deployment is a tiny fraction of that.
## What you should do today (NIS2 readiness checklist)
Beyond installing Fenrir:
- Determine if you're in scope (`essential` or `important` entity) — a lawyer's call
- Register with the relevant national authority (in Italy: ACN portal; the deadline was 28 February 2025 for most sectors)
- Designate a person responsible for security (the NIS2 equivalent of the DPO)
- Document your incident response process — Fenrir's investigation pipeline can be a pillar of this
- Run a tabletop exercise simulating a significant incident — see how fast you'd hit 24h notification (and where the bottlenecks are)
- Train management on their personal liability (Article 20)
- Verify your suppliers' security posture (Article 21(2)(d) — Fenrir's vendors are publicly documented; for others, sign DPAs and document)