
Air Tech Italy recently took center stage at The Cyber Security Event, held from 21–23 May 2025 at Piacenza Expo. During the panel discussion titled “Cybersecurity in the NIS2 Era: Risks and Opportunities in the Airport Sector,” leading figures from the aviation and cybersecurity sectors came together to examine how well airport infrastructure is preparing for evolving European regulations.
We sat down with Marco Labricciosa Gallese, Air Tech Italy Member and Board Member, as well as Founder and Operations Director at A-ICE, who moderated the session.
The panel featured a distinguished lineup of experts: Simona Citrigno and Andrea Nacuzi from ENAC, Alessandro Mancarella of Leonardo Cyber & Security, Luigi Ricchi of Bologna Airport, Alberto Torresan of SAVE S.p.A., Gabriele Ruggieri and Matteo Boccacci of Custom Group, and Cosetta Masi, a leading authority on Cybersecurity & GDPR.
Marco, why was the focus of the panel centered on NIS2 and its implications for airports?
Marco: “NIS2 is more than a directive — it’s a paradigm shift. It places direct responsibility on airport operators, specifically the board, rather than just IT departments. Many board members aren’t cybersecurity experts, so there’s a pressing need for education at that level. It’s about making cybersecurity a governance issue, not just a technical one.”
How prepared do you feel the sector is for NIS2 compliance?
Marco: “There’s strong awareness and a definite sense of urgency, especially among more structured players like ENAC and major airport groups. But the real challenge lies in aligning various regulations — NIS2, EASA Part-IS, the Cyber Resilience Act, GDPR — and ensuring consistency in how they’re implemented. It’s also about evolving how we work with suppliers. Many contracts still lack essential cybersecurity clauses. Since the airport holds ultimate responsibility, these documents need to clearly define roles and expectations.”
Can you describe how you structured the panel discussion?
Marco: “We divided it into two parts. The first addressed the regulatory landscape and legal experts. We explored how leadership accountability intersects with compliance and how regulations overlap. The second part focused on real-world implementation — managing supply chain risks, conducting audits, establishing training, and reconciling cybersecurity with operational continuity. We also tackled the Cyber Resilience Act and its implications for hardware security.”

What role do human factors play in all this?
Marco: “A massive one. Cybersecurity goes beyond technical controls: it hinges on organizational culture, continuous training, and clear accountability at every level. From frontline staff to executives, everyone must undergo ongoing, targeted training. If people disregard what they’ve learned, even after being trained, organizations need mechanisms to respond. Awareness and accountability must go hand in hand.”
How should organizations respond when a breach occurs?
Marco: “Quickly and transparently. Breaches must be reported promptly to the national authority for cybersecurity, the ACN in Italy, and, where required, to other competent bodies, following predefined incident response procedures. There’s no room for hiding incidents — predefined response plans are critical.”
Were there any challenges raised around the interplay between GDPR and cybersecurity technologies?
Marco: “Absolutely. Biometric verification offers powerful tools, but GDPR requires strict safeguards — including data minimization, purpose limitation, and explicit consent — that must be carefully integrated into any deployment strategy. Legal and technical teams need to work in sync. Otherwise, even effective tech gets stalled by compliance constraints.”

What about suppliers? How are they being brought into this framework?
Marco: “Many suppliers are still not sufficiently aware of the cybersecurity standards required under NIS2, and this lack of alignment introduces risk. Given their responsibility, airport operators must take an active role in fostering awareness, providing structured requirements, and enforcing compliance through governance frameworks, dedicated training initiatives, and binding contractual clauses. Cybersecurity is a shared obligation across the entire ecosystem.”
If you had to summarize the single biggest takeaway from the session, what would it be?
Marco: “That cybersecurity isn’t just about compliance — it’s a cultural transformation. It requires alignment across technology, law, governance, and people. Achieving cybersecurity resilience under NIS2 requires a systemic shift: leadership must take an active role, fostering a culture where compliance, awareness, and operational continuity are inseparable pillars of governance.”
Many thanks, Marco!