IPRA
NIS2 Questionnaire
The NIS2 Directive (Network and Information Security Directive 2) strengthens cybersecurity requirements for organizations providing essential or important services, promoting a risk-based approach to the protection of information and digital assets.
Within the context of Politecnico di Milano, this questionnaire aims to collect information about research activities in order to identify any aspects that may be relevant from the perspectives of confidentiality, strategic value, and information security.
The information collected will be used exclusively to support internal assessments related to compliance with the NIS2 Directive and to identify any protection measures appropriate to the level of risk associated with the research activity.
The questionnaire takes only a few minutes to complete.
Please answer the questions with reference to the specific research project or activity being assessed.
A1 – Confidentiality or protection constraints
Does the activity involve making the research results public upon completion of the research, and is it free from specific restrictions regarding the dissemination of the information produced or used?
A2 – Technology Readiness Level (TRL)
Does the activity have a TRL > 3?
Technology Readiness Levels (TRLs):
TRL1 Basic principles observed
TRL2 Technology concept formulated
TRL3 Experimental proof of concept
TRL4 Technology validated in a laboratory
TRL5 Technology validated in an (industrially) relevant environment
TRL6 Technology demonstrated in an (industrially) relevant environment
TRL7 Demonstration of a system prototype in an operational environment
TRL8 System complete and qualified
TRL9 Actual system proven in an operational environment (competitive manufacturing, commercial deployment)
A3.1 – Critical aspects of the research area
Does the project involve, even partially, one or more of the following areas?
- advanced materials and low-observability technologies;
- high-performance explosives, initiation systems, high-energy pulses;
- underwater acoustics, sonar, hydrophones, acoustic signature reduction;
- advanced decryption technologies, offensive information security;
- guidance, navigation, and control systems for delivery vehicles or similar platforms;
- space technologies, including launch vehicles, propulsion, and re-entry systems;
- nuclear technologies, isotopes, or sensitive fissile materials;
- advanced instrumentation for diagnosing extreme or high-energy phenomena;
- other technological areas falling under similar sensitive categories.
A3.2 – Strategic value
Does the activity involve knowledge, technologies, prototypes, processes, algorithms, materials, or results with potential applications of high strategic value?
The aim of the question is to identify research activities that generate knowledge, technologies, or results potentially relevant to economic, industrial, infrastructural, or national security interests.
You should answer “Yes” if the activity produces or utilizes technologies, algorithms, materials, prototypes, processes, or results that:
- could be employed in strategic sectors (e.g., energy, transport, telecommunications, space, defense, health, advanced manufacturing);
- possess significant potential for technology transfer or industrial exploitation;
- could provide a significant competitive advantage to public or private organizations.
The mere scientific or academic relevance of the activity does not necessarily imply an affirmative answer.
A3.3 – Scientific or technological sensitivity
Does the activity produce or utilize knowledge, data, methods, models, or experiments that, if misappropriated, altered, or disclosed, could cause significant harm to the university or its partners (for example, because they are subject to NDAs or regulatory restrictions)?
You should answer “Yes” if the activity:
- is subject to non-disclosure agreements (NDAs) or other contractual obligations;
- uses or generates non-public data, models, methods, or results where unauthorized access could cause significant harm to the University or its partners;
- is subject to specific statutory or regulatory requirements;
- involves the handling of proprietary information, trade secrets, or highly sensitive data.
In general, consider whether the disclosure, alteration, or misappropriation of the information could have significant scientific, economic, reputational, or legal consequences.
A3.4 – Strategic External Stakeholder Involvement
Does the activity substantially involve or concern major strategic companies or critical infrastructure operators?
The question aims to identify activities that directly or indirectly involve organizations considered strategic for the economic system or for the operation of essential services.
It is suggested to answer “Yes” if the activity:
- is carried out in collaboration with large companies operating in strategic sectors;
- has as recipients, users, or beneficiaries operators of critical infrastructure or essential services;
- produces results intended for applications relevant to these entities.
For example, this category includes operators in the energy, telecommunications, transportation, finance, healthcare, space, water, and digital infrastructure sectors.
A3.5 – External collaborations with potentially critical countries
Does the activity involve collaboration and sharing of data and knowledge with entities outside the European Union or operating in sensitive geopolitical contexts, or receiving funding from such entities?
This question aims to highlight any potential risk factors associated with the international sharing of knowledge, data, and research results.
You are advised to answer “Yes” if the activity involves:
- scientific collaborations involving the substantial sharing of data, research results, or knowledge with institutions, universities, or companies located outside the European Union and operating in geopolitically sensitive contexts;
- funding provided by public or private organizations located outside the European Union and operating in geopolitically sensitive contexts
International collaborations are not inherently negative; the sole purpose of the question is to enable an accurate assessment of the activity’s criticality level for the purposes of NIS2 compliance.
A3.6 – Data processed as part of the research
Does the research involve the direct handling, processing, or archiving of special categories of personal data or sensitive data (e.g., special categories of data under Art. 9 GDPR, critical financial data, confidential documents)?