Protecting Know-How: A Strategic Urgency in the Era of Cybersecurity. The Role of the NIS2 Directive

In an increasingly competitive and digitalised economic environment, know-how represents one of the most valuable assets for businesses. It is not just about data or technical information, but rather the combination of knowledge, skills, processes, and practices that form the beating heart of innovation and competitive advantage. However, the protection of this intangible asset is often underestimated or left to individual initiative.

The recent European Directive No. 2022/2555, better known as NIS2 (Network and Information Security Directive), transposed into Italian law through Legislative Decree 138/2024, offers a significant opportunity to rethink cybersecurity policies from a strategic perspective, and more broadly, the protection of corporate know-how.

What are the changes with the NIS2 Directive?

Compared to the previous NIS (2016), the new directive expands its scope to include a significantly larger number of entities, especially in critical sectors such as energy, transport, healthcare, water management, but also manufacturing and digital services. Affected companies are required to adopt appropriate technical and organisational measures to prevent and manage cybersecurity incidents.

Among the most relevant aspects introduced by NIS2 is the obligation to:

  • Implement risk management related to information system security;

  • Notify significant incidents to the competent authorities;

  • Adopt governance and training policies to enhance security;

  • Ensure business continuity and digital resilience.

Risks of theft or compromise of corporate know-how

Corporate know-how is exposed to various risks, not only technological but also human and organisational: data leaks, ransomware attacks, industrial espionage, negligent or malicious behavior by employees or associates.

The theft or compromise of corporate know-how—such as unauthorised access to systems, loss of strategic data, or breaches of confidentiality—may constitute a "significant incident" under the NIS2 Directive. This results in an obligation to notify the competent authorities (in Italy, the ACN – National Cybersecurity Agency) within strict timeframes (generally within 24 hours of detection).

Failure to comply with these obligations can lead to serious consequences for the organisation, including:

  • Administrative penalties of up to €10 million or, for companies, up to 2% of global annual turnover;

  • Management liability: executives may be held personally accountable in cases of inadequate preventive measures or lack of regulation;

  • Significant reputational damage, especially if the incident becomes public or affects clients/partners;

  • Obligation to implement corrective actions imposed by authorities, including the possible temporary suspension of certain activities.

These elements highlight the need for companies to integrate know-how protection into their cybersecurity risk management systems—not as a marginal aspect, but as a true pillar of compliance and corporate resilience.

How to mitigate the risks?

In order to limit the risks of theft or compromise of know-how and avoid the consequences described above, it is essential to adopt structured policies that include:

  • Classification of sensitive information, including non-patented but strategic data;

  • Access controls and activity tracking on documents and systems;

  • Ongoing staff training on security and confidentiality;

  • Contractual clauses protecting intellectual property and confidentiality;

  • Incident management and attack response plans.

Know-how protection is no longer a topic to be relegated to legal or IT departments, but it is instead a cross-cutting priority involving top management, compliance, human resources, and all operational levels.

An opportunity to seize

NIS2 should not simply be seen as a regulatory obligation but also as an incentive to invest in a culture of security and in the enhancement of the company’s intellectual capital.
Companies that successfully integrate know-how protection measures into their cybersecurity frameworks will be more resilient, more credible in the market, and better equipped to face the challenges of digital transformation.

In an era where data is the new gold, protecting your knowledge means safeguarding the future of your business.
