
This article was written by Michael Davis Tira, Computer Security Incident Response Team (CSIRT) Representative, Data & Infrastructure Team Manager, and Silvia Cavallo, Senior Legal Manager, Fondazione Penta ETS. It is taken from the Penta 2025 Annual Report.
At Penta, cybersecurity in research is a core pillar of ethical, legal and scientific responsibility.
As a research foundation, Penta handles highly sensitive data and operates across a complex ecosystem of digital infrastructures that supports collaborative research across countries and institutions. Ensuring data integrity, accessibility, privacy and service continuity is therefore not merely a technical requirement, but a fundamental obligation towards research participants, partners and society at large. Responsible research depends on trustworthy digital systems, and trust must be actively protected.
In March 2025, the Foundation registered with the Italian National Cybersecurity Agency under the Network and Information Security Directive 2 (NIS2), receiving designation as an “Important Entity”. This recognition reflects the societal relevance of Penta’s mission and formally acknowledges scientific research as a strategic sector. At the same time, it strengthens the Foundation’s existing legal‑compliance framework, and elevates its overall level of cyber‑resilience.
The NIS2 legislation promotes structured coordination among national and EU‑level Computer Security Incident Response Teams (CSIRTs), reshaping European cybersecurity from a fragmented landscape into a connected, collaborative, and crisis‑ready ecosystem. Through shared procedures, harmonised reporting and common crisis‑management frameworks, NIS2 embeds cybersecurity governance into important entities’ core processes.
One of the most significant impacts of NIS2 lies in the obligation to notify relevant cybersecurity incidents. This requirement addresses a long‑standing problem in the cybersecurity domain: the under-reporting of incidents, which has often contributed to the false perception that cyberattacks are rare events. In reality, attacks are frequent, but often invisible from the outside. Mandatory reporting helps close this information gap, supports a more accurate understanding of the threat landscape and strengthens collective preparedness.
Since NIS2 combines legal and technical requirements, compliance cannot be achieved through siloed approaches. At Penta, the interpretation and implementation of the NIS2 legislation take place through the close collaboration between the Legal function and the Information Security Working Group, which brings together technical, organisational and governance expertise.
Within this framework, the Legal Manager ensures that legal requirements are correctly interpreted, contextualised and aligned with Penta’s broader legal and ethical commitments, while the CSIRT Lead and technical teams translate these requirements into concrete security controls and operational practices. To operationalise the NIS2 legislation, Penta implemented a comprehensive Cybersecurity Incident Response Plan that defines clear roles, escalation pathways and notification procedures aligned with legal requirements, ensuring timely, coordinated and accountable responses to cybersecurity incidents.
Yet technology alone is not enough. Cybersecurity is also a matter of organisational culture.
Penta is therefore strengthening operational security and cybersecurity awareness among its staff. Understanding how cybersecurity works, and taking collective responsibility for it, is essential, as an organisation’s overall security posture is ultimately shaped by the awareness and behaviour of its people.
Cybersecurity principles are being integrated into daily operations, research workflows, staff training and vendor management processes. This approach fosters a culture in which safeguarding information systems is understood as a collective duty.