Today I’d like to explore how OSINT can help companies, especially small and medium-sized enterprises (SMEs), comply with the European NIS2 directive—a regulation designed to boost cybersecurity standards across the continent. We will also delve into insights from Mirko Lapi’s comprehensive guide published on LinkedIn, which offers practical advice and thought-provoking highlights on integrating OSINT into corporate risk management and compliance strategies.


What is OSINT?

Open Source Intelligence (OSINT) is the practice of gathering, analyzing, and leveraging information that is available publicly. Unlike traditional intelligence methods, which might rely on covert or classified data, OSINT harnesses the wealth of data freely accessible on the internet—from social media and blogs to public records and specialized databases. This approach not only democratizes access to critical insights but also empowers organizations to monitor their digital footprint and anticipate potential threats.

Imagine having a tool that allows you to see how your organization is perceived online, identify any exposed vulnerabilities, and even predict emerging risks. That’s OSINT in action. It provides an intelligence-driven edge by transforming scattered data into actionable insights. Whether it’s spotting early signs of cyberattacks or gathering competitive market intelligence, OSINT serves as a robust instrument for making informed decisions.


An overview of NIS2

The NIS2 Directive, formally known as the EU Network and Information Security Directive, represents a significant upgrade from its predecessor. Enacted to harmonize and elevate the cybersecurity standards across the European Union, NIS2 expands its scope to include additional sectors deemed critical for national and economic security. The directive mandates that organizations—particularly those of medium and large size—adopt rigorous risk management practices and robust technical and organizational measures to safeguard their networks and information systems.

For businesses, especially SMEs, this means transitioning from a reactive to a proactive cybersecurity posture. NIS2 requires companies to not only protect themselves from potential cyberattacks but also to integrate cybersecurity into their overall governance and operational processes. It encourages regular monitoring of the threat landscape and promotes the adoption of innovative tools like OSINT to anticipate, detect, and mitigate risks. By doing so, NIS2 doesn’t just enforce compliance—it also pushes companies to become more resilient and informed in the face of evolving cyber threats.


The mind behind the guide

Mirko Lapi is not just an expert in the field of OSINT; he is a seasoned professional whose background lends him exceptional credibility. With over 27 years of service in the Italian Armed Forces—including 16 years in a specialized intelligence unit—Lapi has honed his skills in security, intelligence analysis, and critical decision-making. His military experience, particularly within the Italian Defense’s intelligence center, laid a robust foundation for his later work as an OSINT consultant and trainer.

Today, Mirko Lapi is a respected academic and practitioner. He holds teaching positions at prestigious institutions, including the University of Foggia and the Università Campus Bio-Medico in Rome, where he instructs on OSINT and Cyber Security. Through his work, Lapi has become a trusted voice in the realm of open source intelligence, offering practical insights that bridge the gap between traditional security paradigms and modern digital challenges. His guide, which we are discussing today, is a testament to his deep expertise and his commitment to making cybersecurity both accessible and actionable for businesses of all sizes.


Key highlights from the guide

Mirko Lapi’s guide is a treasure trove of insights, offering both a strategic perspective and practical recommendations on how OSINT can be effectively leveraged in the context of NIS2 compliance. Below, we explore some of the most compelling highlights from his document.

1. OSINT as a Proactive Cybersecurity Tool

One of the core messages in the guide is the transformative potential of OSINT in moving from reactive to proactive cybersecurity strategies. Lapi explains that by continuously monitoring publicly available sources—ranging from technical forums to social media—organizations can detect vulnerabilities and signs of potential attacks long before they escalate into serious incidents. This early-warning capability is critical for companies operating under the NIS2 directive, as it supports the implementation of timely, data-driven interventions that can prevent or mitigate cyber incidents.

2. Enhancing Risk Management

NIS2 emphasizes a deep and structured approach to risk management. Lapi’s guide highlights how OSINT can feed into this process by providing up-to-date, real-world intelligence. Companies can use OSINT to track trends, identify sector-specific threats, and even monitor the digital footprint of their competitors. By incorporating this intelligence into risk assessment frameworks, businesses can develop a more accurate understanding of their vulnerabilities and take proactive steps to fortify their defenses.

3. The Dual Nature of OSINT: Opportunities and Risks

While the benefits of OSINT are significant, Lapi also provides a balanced view by discussing the inherent risks. The same data that can help organizations strengthen their defenses can also expose sensitive information if not managed carefully. For example, improperly configured systems or inadvertent disclosures on social media can be exploited by cybercriminals. Lapi stresses the importance of implementing robust internal policies and training programs to ensure that OSINT activities are conducted ethically and within legal boundaries. This balance is crucial for companies striving to comply with both the letter and the spirit of NIS2.

4. Sector-Specific Applications

The guide offers insightful case studies on how OSINT can be applied in various sectors. Two examples prominently featured include:

  • The Energy Sector:
    In industries where infrastructure is critical, such as energy, an attack on a power grid or a distribution network can have devastating consequences. OSINT tools, such as specialized search engines that scan for vulnerable IoT devices, help energy companies identify and secure potential entry points for attackers. This proactive approach not only mitigates risks but also ensures that these companies meet the stringent requirements of NIS2.

  • The Banking and Financial Sector:
    Financial institutions are prime targets for cybercriminals, making OSINT an invaluable asset. Lapi describes how banks and insurance companies can monitor dark web forums and social media channels to identify early signs of fraud or data breaches. By integrating OSINT into their Security Operations Centers (SOCs) and Computer Security Incident Response Teams (CSIRTs), these institutions can respond swiftly to potential threats, safeguarding both their assets and their reputation.

5. Implementing OSINT in SMEs

Recognizing that SMEs often operate with limited resources, Lapi dedicates a section of his guide to practical steps for implementing OSINT cost-effectively. He recommends a focused approach: select a few reliable and user-friendly tools that align with the company’s specific needs, such as vulnerability scanners and social media monitoring services. He also underscores the importance of training internal staff or collaborating with external OSINT experts to ensure that the organization can make the most of the insights generated. These recommendations are particularly pertinent for SMEs aiming to meet NIS2 requirements without overextending their budgets.

6. Best Practices and Ethical Considerations

A recurring theme throughout the guide is the need for ethical and responsible use of OSINT. Lapi advises companies to establish clear policies that delineate what constitutes acceptable data collection and analysis practices. This includes adherence to data privacy regulations such as the GDPR and ensuring that any personal data is handled with the utmost care. By setting these guidelines, organizations can leverage OSINT while minimizing the risks of legal complications and reputational damage.

7. Looking to the Future

Finally, the guide casts a forward-looking perspective on the evolution of OSINT. With advancements in artificial intelligence and machine learning, the potential for automating the collection and analysis of open-source data is immense. Lapi envisions a future where OSINT becomes even more integrated into business processes, not only for cybersecurity but also for strategic decision-making. This trend, he argues, will encourage a more resilient, agile, and informed business environment, ultimately transforming compliance challenges into opportunities for innovation and growth.


Mirko Lapi’s guide is both a practical manual and an inspiring call to action. It challenges companies—regardless of their size—to harness the power of publicly available data to build a robust and proactive cybersecurity framework. With the NIS2 directive setting higher standards across Europe, the integration of OSINT is no longer optional but a strategic imperative.

For SMEs, in particular, OSINT represents a way to level the playing field against larger competitors who may have more extensive security budgets. By adopting OSINT practices, these companies can achieve a better understanding of their digital footprint, identify vulnerabilities before they are exploited, and ultimately ensure compliance with NIS2 requirements. Moreover, the insights gained through OSINT extend beyond cybersecurity; they offer a window into market trends, competitive intelligence, and even customer sentiment.

The key takeaway is that knowledge truly is power. In an era where data is abundant, the ability to filter, analyze, and act on that information can be the difference between thriving in a digital economy and falling prey to cyber threats. As Lapi’s guide so eloquently illustrates, the future of business resilience lies in embracing transparency, continuous monitoring, and ethical data practices.

As companies continue to navigate the complexities of modern cybersecurity, integrating OSINT into their operational strategy can transform compliance obligations into strategic opportunities. It encourages a culture of continuous improvement—one where every piece of publicly available information is seen not as a risk, but as a stepping stone towards a more secure, informed, and competitive future.

In summary, Mirko Lapi’s guide not only demystifies the technical aspects of OSINT but also provides a clear roadmap for leveraging it within the framework of the NIS2 directive. His balanced approach—highlighting both the benefits and the risks—ensures that businesses are well-prepared to take full advantage of the opportunities presented by open source intelligence. For any organization looking to stay ahead of cyber threats and regulatory demands, embracing OSINT is a smart and necessary step.

By transforming the way businesses approach risk and compliance, OSINT is not just a tool for the present but a beacon for the future. Whether you are a cybersecurity professional, a business leader, or simply someone interested in the evolving landscape of digital intelligence, the insights shared by Mirko Lapi offer a compelling case for making OSINT an integral part of your strategy.