From PSNC to NIS 2: A Paradigm Shift for Italian Cybersecurity

For those operating in the cybersecurity sector in Italy, the transition from the National Cybersecurity Perimeter (PSNC) to NIS 2 represents a true paradigm shift. While the PSNC provided a detailed "instruction manual" with unique codes and nomenclature for each type of resource, NIS 2 offers what looks like a blank canvas: room for initiative, but also responsibility that now rests with the entity itself.

The Challenge of Asset Cataloging

Before asking "how" to catalog, it is fundamental to understand "what" to catalog. The NIS 2 Directive expects in-scope entities (essential and important) to have full visibility of their attack surface: the risk-management measures of Article 21 cannot be applied to assets nobody has listed. The required inventories must cover:

  • Hardware: Not just IT assets like servers and workstations, but also OT devices such as PLCs, sensors, and industrial control systems.
  • Software: A granular census of applications, versions, and libraries, essential for vulnerability management.
  • Network and cloud services: Everything that is externalized but critical for operations (SaaS, PaaS, IaaS).
  • Supply Chain: Mapping dependencies on third-party suppliers.

Without a solid structure, these inventories risk becoming unusable data silos.

The Lack of a Unique Nomenclature

In the PSNC, Annex 1 contains a rigid, codified taxonomy that creates a common language between companies and ACN. In NIS 2, however, there is no unique and universal nomenclature for categorizing information systems, network systems, and assets. Each entity describes its estate in its own terms, which leads to misalignments between companies and ACN and works against the goal of a common ecosystem with the NCC-IT "community".

Frameworks for Building Inventories

In the absence of a single table in the decree, ACN has indicated on its website a series of frameworks for building these inventories:

  • CIS Controls v8.0 (Control 2, Safeguard 2.1): the "gold standard" for establishing and maintaining a software inventory (Control 1 covers the hardware counterpart).
  • NIST SP 800-53 (CM-8, System Component Inventory): the control in the Configuration Management family that defines what a component inventory must contain and how it is kept current.
  • NIST SP 800-221A (ICT Risk Outcomes): integrates ICT risk management, OT included, into the enterprise risk portfolio.
  • CSA Cloud Controls Matrix v4.0 (UEM and DCS domains): endpoint inventory and data-centre asset cataloguing and classification, useful for mobile and cloud-hosted assets.
  • CRI Profile v2.0 & FNCDP v2.0: help weigh the importance of each asset in terms of business criticality.
  • GDPR (Art. 5, 17, 32): adds the data protection dimension to the inventory.

The Importance of a Structured Inventory

Imagine a crisis scenario: a ransomware attack hits your company and ACN needs to intervene. If the inventory is based on a well-defined taxonomy, precious hours will not be lost explaining "what that server does". A structured inventory allows you to:

  • Analyze lateral movement and generate readable graphs showing the paths an attacker could follow from an exposed asset to a critical one.
  • Dynamically visualize the network, transforming a static spreadsheet into an interactive map.
  • Automate the response in case of an incident, isolating in one action all assets that share the same taxonomic "tag" (same vendor, same zone, same criticality class).
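The three capabilities above depend on the inventory having a controlled vocabulary and machine-readable links between assets. The block below is an added example written for this page, not code from the original article or from ACN: it validates a small inventory against a taxonomy, computes shortest attacker paths with a breadth-first search over allowed network flows, and returns the set of assets sharing a tag as the scope of a containment action. The taxonomy codes, asset names, tag names and flows are constructed assumptions, not a real organisation's data.

```python
"""Tagged asset inventory: validation, attack-path analysis, tag-based isolation.

Added illustration, not code from the original article or from ACN. The
taxonomy codes, asset names, tags and network links are constructed sample
data, not a real inventory.
"""
from collections import deque
from dataclasses import dataclass, field

# Controlled vocabulary: every asset must carry exactly one of these codes.
# The codes are invented for this example; a real taxonomy would be agreed
# with the regulator or mapped to CIS Controls 1/2, NIST CM-8, etc.
TAXONOMY = {
    "HW.IT.SRV": "IT server",
    "HW.IT.WKS": "workstation",
    "HW.OT.PLC": "programmable logic controller",
    "HW.OT.HMI": "human-machine interface",
    "SVC.CLOUD.SAAS": "externalised SaaS service",
}


@dataclass(frozen=True)
class Asset:
    asset_id: str
    category: str              # taxonomy code, must be a key of TAXONOMY
    criticality: int           # 1 (low) .. 4 (essential service)
    tags: frozenset = field(default_factory=frozenset)  # zone, owner, vendor...


def validate(inventory):
    """Return a list of problems: unknown codes, duplicate ids, bad criticality."""
    problems, seen = [], set()
    for a in inventory:
        if a.asset_id in seen:
            problems.append(f"{a.asset_id}: duplicate id")
        seen.add(a.asset_id)
        if a.category not in TAXONOMY:
            problems.append(f"{a.asset_id}: unknown category {a.category!r}")
        if not 1 <= a.criticality <= 4:
            problems.append(f"{a.asset_id}: criticality {a.criticality} out of range")
    return problems


def attack_paths(links, source, inventory, min_criticality=3):
    """Shortest path from `source` to every asset at or above `min_criticality`.

    `links` are directed (src, dst) pairs meaning src may open a connection
    to dst (e.g. derived from firewall rules). Returns {target_id: [path]}.
    """
    adj = {}
    for src, dst in links:
        adj.setdefault(src, []).append(dst)
    parent = {source: None}          # BFS tree; also the visited set
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    paths = {}
    for a in inventory:
        if a.criticality >= min_criticality and a.asset_id in parent and a.asset_id != source:
            path, cur = [], a.asset_id
            while cur is not None:     # walk back to the source
                path.append(cur)
                cur = parent[cur]
            paths[a.asset_id] = path[::-1]
    return paths


def isolation_set(inventory, tag):
    """Asset ids sharing a taxonomic tag: the scope of one containment action."""
    return sorted(a.asset_id for a in inventory if tag in a.tags)


# Constructed sample inventory (not real data).
INVENTORY = [
    Asset("web-01", "HW.IT.SRV", 2, frozenset({"zone:dmz", "owner:it"})),
    Asset("app-01", "HW.IT.SRV", 3, frozenset({"zone:internal", "owner:it"})),
    Asset("hmi-01", "HW.OT.HMI", 3, frozenset({"zone:ot", "vendor:acme"})),
    Asset("plc-01", "HW.OT.PLC", 4, frozenset({"zone:ot", "vendor:acme"})),
    Asset("plc-02", "HW.OT.PLC", 4, frozenset({"zone:ot", "vendor:acme"})),
    Asset("crm-saas", "SVC.CLOUD.SAAS", 2, frozenset({"zone:cloud"})),
]
# Constructed allowed flows: who can reach whom.
LINKS = [("web-01", "app-01"), ("app-01", "hmi-01"), ("hmi-01", "plc-01"),
         ("hmi-01", "plc-02"), ("app-01", "crm-saas")]

if __name__ == "__main__":
    print("validation:", validate(INVENTORY) or "ok")
    for target, path in attack_paths(LINKS, "web-01", INVENTORY).items():
        print("path to", target, "->", " > ".join(path))
    print("isolate vendor:acme:", isolation_set(INVENTORY, "vendor:acme"))
```

Run as a script, it reports that the constructed inventory is valid, prints the path from the DMZ web server through the application server and HMI to both PLCs, and lists the three assets that a "vendor:acme" containment would take offline. The validation step is what keeps the later queries meaningful: an asset with a free-text category never matches a tag, so it is silently missed by both the path analysis and the isolation set.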

Taxonomy as the Nervous System of Resilience

The lack of a unique taxonomy for NIS 2 should not be read as an invitation to creativity, but as a call to responsibility. We are not just filling spreadsheet cells to please an auditor. We are building the "treasure map" of our infrastructure. When attacks move at machine speed, having an accurate, readable, and standardized map is the difference between controlled management of an incident and an operational disaster.

Taxonomy is not a bureaucratic constraint: it is the nervous system of your resilience.

Summary

The transition from PSNC to NIS 2 represents a significant shift in the cybersecurity landscape, requiring organizations to adapt their approaches to asset management and risk assessment. The NIS 2 Directive emphasizes the importance of having comprehensive inventories that cover all critical assets, including hardware, software, network services, and supply chain dependencies.

One of the key challenges in implementing NIS 2 is the lack of a standardized taxonomy for categorizing different types of assets. While the PSNC provided a structured framework with Annex 1, NIS 2 allows more flexibility, which can lead to misalignments between entities and with ACN. To address this, organizations can build their inventories on frameworks such as CIS Controls, NIST SP 800-53, and the CSA Cloud Controls Matrix v4.0.

A well-structured inventory is crucial for effective cybersecurity management. It enables organizations to analyze lateral movement, visualize their network dynamically, and automate responses to incidents. Ultimately, taxonomy should be viewed as a strategic asset that strengthens an organization's resilience rather than as a regulatory requirement alone.

Best Practices for Implementation

  • Involve all relevant departments in the design process
  • Define clear classification and update criteria
  • Implement a quality control system for categorization
  • Clearly document the taxonomic structure and its criteria
  • Plan periodic reviews and updates

Final Considerations

The challenge posed by NIS 2 is not only technical but also cultural. It requires a mindset shift that sees taxonomy not just as a regulatory obligation but as a key element of the overall security strategy. Organizations that can turn this challenge into an opportunity will be better positioned to face future evolutions in the cybersecurity landscape.

A well-designed taxonomy becomes a strategic investment: an intangible asset that can improve operational efficiency, reduce risks, and increase the overall resilience of the organization.

Editorial Note and Disclaimer

The guides and content published on GoYou are the result of independent research and analysis activities, for informational, educational, and in-depth purposes.

GoYou does not constitute a journalistic publication or an editorial product pursuant to Law No. 62/2001 and does not provide real-time information.

The GoYou project does not provide professional, technical, legal, or financial advice and disclaims any liability for the improper use of the information published.
