
Italy’s NIS2 Fines Start at €500,000: ACN Enforcement Powers and What Your Organisation Faces From January 2026

Enforcement of Italy’s NIS2 obligations is no longer theoretical. Since January 2026, the Agenzia per la Cybersicurezza Nazionale (ACN) has been enforcing incident reporting requirements under Legislative Decree No. 138 of September 4, 2024 — Italy’s transposition of the NIS2 Directive. As of March 2026, over 4,800 entities had registered in Italy’s national NIS2 register. An estimated 2,000 that should have registered had not.

What sets Italy apart from other EU member states is not only the size of potential penalties — maximum fines reach €10 million for essential entities — but the precision of its minimum fine floor rules. Article 38 of D.Lgs. 138/2024 establishes a floor of one-twentieth of the applicable maximum for essential entities, and one-thirtieth for important entities. For most essential entities, that translates to a €500,000 minimum fine — the most explicitly specified minimum threshold in any EU member state’s NIS2 transposition.

This guide covers the complete penalty structure under Article 38, how the minimum floors work in practice, what ACN can do when it inspects your organisation, and which compliance deadlines are currently active.

Who Does Italy’s NIS2 Law Apply To?

Italy’s NIS2 obligations apply to organisations that meet all three of the following conditions: they operate in a sector listed in Annexes I through IV of D.Lgs. 138/2024; they meet the relevant size threshold; and they are established in, or provide services from, Italy. Whether an organisation is classified as essential or important determines the fine ceiling, the minimum floor, and the intensity of ACN supervision.


| Entity type | Sector / condition | Size threshold | Fine tier |
|---|---|---|---|
| Essential entity (private) | Annex I: energy, transport, banking, health, water, digital infrastructure, space | ≥250 employees OR >€50M revenue / €43M balance sheet | Max €10M; min €500K |
| Essential entity (size-independent) | Critical CER-designated operators, telcos, DNS providers, TLD registries, ACN-designated entities | No threshold applies | Max €10M; min €500K |
| Essential entity (public) | Central public administration, metropolitan cities, municipalities ≥100,000 residents | No threshold applies | €25,000–€125,000 (fixed range) |
| Important entity (private) | Annexes I and II: postal, food, manufacturing, chemicals, digital providers, research | ≥50 employees OR >€10M revenue / balance sheet | Max €7M; min €233K |
| Important entity (public — Annex III) | Municipalities 50,000–99,999 residents, regional health authorities, local public transport | No threshold applies | €8,300–€41,600 (fixed range) |

Italy’s scope expansions beyond the EU directive: Through Annexes III and IV, Italy extended obligations to entities the EU directive does not reach — including municipalities with more than 100,000 residents, local public transport operators, regional health authorities, cultural institutions, and certain research organisations, all without a size threshold. Organisations in these categories may be in scope in Italy even if they would be out of scope in most other member states.

Does this apply to your organisation? Start with these three questions:

  1. Does your organisation operate in a sector listed in Annexes I or II of D.Lgs. 138/2024? If no, check Annexes III and IV (public bodies, cultural institutions, research entities). If none apply, you are out of scope.
  2. If yes: do you meet the size threshold (≥50 employees or >€10M revenue for important; ≥250 employees or >€50M revenue for essential)? If no — and you are not a DNS provider, TLD registry, or telco — you are likely out of scope.
  3. If yes to both: were you notified by ACN in April 2025 of your essential or important classification? If so, your compliance obligations are active. If you were in scope but did not register by February 2025, administrative fines may already apply.

For a detailed scope analysis, see the NIS2 scope guide and the essential vs. important entity comparison.

Italy’s NIS2 Penalty Framework: What Article 38 Establishes

Italy implemented the penalty ceilings set by Article 34 of Directive (EU) 2022/2555 and went further by specifying minimum fine floors — a detail the directive left to member state discretion. Article 38 of D.Lgs. 138/2024 creates four distinct fine categories based on entity type and violation severity. Fines must be “effective, proportionate and dissuasive” under the directive’s Article 34(1); Italy’s decree implements this through a ceiling-and-floor architecture that makes both the upper and lower limits explicit.

| Entity type | Violation category | Maximum fine | Minimum fine |
|---|---|---|---|
| Essential (private) | Major: security measures, governance, incident reporting (Art. 23, 24, 25) | €10,000,000 or 2% of global annual turnover — whichever is higher | €500,000 (1/20 of €10M) |
| Important (private) | Major: security measures, governance, incident reporting | €7,000,000 or 1.4% of global annual turnover — whichever is higher | €233,333 (1/30 of €7M) |
| Essential (private) | Minor: failure to register, administrative deficiencies (Art. 38 §11) | 0.1% of global annual turnover | Not specified |
| Important (private) | Minor: failure to register, administrative deficiencies | 0.07% of global annual turnover | Not specified |
| Essential public administration | All violations | €125,000 | €25,000 |
| Important public administration | All violations | €41,600 | €8,300 |

ACN must weigh several factors before setting the fine amount within the floor-to-ceiling range: the severity and duration of the violation, whether it was intentional or negligent, the financial harm caused, and whether the entity cooperated with the investigation or held approved security certifications. None of these factors, however, can reduce a major-violation fine below the statutory minimum floor for private-sector entities.

Public administration fine ranges are set by Italy directly, in line with Article 34(7) of the EU directive, which permits member states to determine their own PA fine rules. The PA caps are substantially lower than private-sector fines — a deliberate design choice reflecting the different accountability structures of government bodies.

For a broader comparison of how penalty frameworks vary across EU member states, see the NIS2 penalties overview.

Italy’s Minimum Fine Floor — The EU’s Most Specific Rule

The EU directive requires that fines be proportionate but sets no minimum. Italy’s legislature made a different choice. Article 38 of D.Lgs. 138/2024 establishes a statutory minimum below which ACN cannot impose a fine, regardless of mitigating circumstances — making Italy the member state whose NIS2 transposition specifies the minimum most explicitly.

The calculation follows directly from the applicable maximum:

Essential entities: The applicable maximum is the higher of €10,000,000 or 2% of the entity’s total global annual turnover for the preceding financial year. The minimum is one-twentieth of that maximum. For an entity whose applicable maximum is €10 million: €10,000,000 ÷ 20 = €500,000.

Important entities: The applicable maximum is the higher of €7,000,000 or 1.4% of total global annual turnover. The minimum is one-thirtieth. For an entity whose applicable maximum is €7 million: €7,000,000 ÷ 30 = €233,333.

How the floor scales for large entities

The minimum is not a fixed number for every entity in the same category — it scales with the applicable maximum. For an essential entity with €600 million in annual global revenue, 2% of turnover equals €12 million, which exceeds the €10 million monetary figure. That entity’s applicable maximum becomes €12 million, and its minimum floor becomes €600,000 rather than €500,000.

The crossover point — where the turnover-based figure overtakes the monetary maximum — occurs at €500 million in global annual revenue for essential entities (2% × €500M = €10M exactly) and at the same figure for important entities (1.4% × €500M = €7M exactly). Any organisation above this threshold faces a proportionally higher floor, scaling upward with its turnover.

Why the minimum floor matters in practice

In penalty frameworks without a defined minimum, regulators sometimes impose nominal fines — particularly where organisations cooperate fully, remediate quickly, or face a first violation. Italy’s floor prevents that outcome for major violations. Even a fully cooperative essential entity facing its first Article 23 violation still faces at least €500,000. Mitigating factors reduce the fine within the range between floor and ceiling; they cannot cross below the floor.

This design clarifies the risk calculus for boards and management teams. The €10 million maximum is a theoretical worst case. The €500,000 minimum is a realistic worst case for an organisation with strong cooperative conduct and first-violation status. CISOs and compliance officers building penalty-risk models for Italian operations should use the floor, not the ceiling, as their baseline exposure figure.

Most EU member states that have transposed NIS2 to date have specified only the maximum ceilings from Article 34 of the directive, without codifying a minimum. Italy’s decision to specify the floor ratio makes its enforcement framework more predictable — and more demanding — than most.

What Violations Trigger Fines, and How Penalties Escalate

Not every failure under D.Lgs. 138/2024 draws the same penalty. The decree draws a clear line between major violations — which carry the minimum-floor framework — and administrative deficiencies, which carry a lower, purely turnover-based percentage fine (no fixed euro ceiling) with no statutory minimum.

Major violations (minimum floor applies — Article 38 §9):

  • Article 23 — cybersecurity risk management: failure to implement the required technical and organisational security measures across risk analysis, access control, supply chain, cryptography, multi-factor authentication, business continuity, and network security
  • Article 24 — management body obligations: failure to approve, oversee, or implement the required governance arrangements, or failure to ensure adequate cybersecurity training for management bodies
  • Article 25 — incident reporting: failure to submit the required early warning (24 hours), detailed notification (72 hours), or final report (one month) for significant incidents

Administrative deficiencies (lower ceiling, no floor specified — Article 38 §11):

  • Failure to register with ACN during the annual registration window (January 1 to February 28)
  • Failure to submit or update registration information as required
  • Failure to provide information requested by ACN during an inspection

For administrative deficiencies, the maximum fine is 0.1% of global annual turnover for essential entities and 0.07% for important entities. For an essential entity with €500 million in revenue, that ceiling reaches €500,000 — the same as the major-violation floor. But administrative deficiencies carry no statutory minimum, which means ACN can impose a smaller penalty where circumstances warrant.

Repeat violations (Article 38 §13):

Where the same entity commits the same category of violation within five years of a prior sanction, the applicable fine may increase by up to three times. For an essential entity, that means a repeat major violation could in principle reach €30 million (3× the €10M ceiling) or 6% of global annual turnover (3× the 2% figure) — whichever is higher. Italy’s Article 38 §13 does not explicitly state whether the minimum floor also multiplies by three, but the provision’s reference to “the applicable fine” suggests the entire sanction envelope scales upward in repeat cases.
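The following Python model is an added worked example, not code from the article, from ACN, or from any cited source. It encodes the Article 38 figures the article states so that the floor calculation and crossover point described in the minimum-floor section, and the administrative-deficiency ceilings and repeat-violation multiplier described in this section, can be computed for any turnover and entity type. The tier names, function names, the `public` switch and the `repeat_scales_floor` switch are this example's own assumptions; as the article notes, the decree text does not settle whether the floor triples in repeat cases, so that scaling is opt-in here.

```python
"""Penalty-exposure model for Article 38 of D.Lgs. 138/2024.

Added illustration built from the figures stated in the article; it is not an
ACN tool. Amounts are integer euros and percentages are basis points so the
crossover and floor arithmetic is exact (no float drift).
"""
from dataclasses import dataclass

BP = 10_000  # basis points in 100%


@dataclass(frozen=True)
class PrivateTier:
    monetary_max: int   # fixed euro ceiling for major violations
    turnover_bp: int    # alternative ceiling, in basis points of global annual turnover
    floor_divisor: int  # statutory floor = applicable maximum / divisor
    admin_bp: int       # ceiling for administrative deficiencies (Art. 38 s.11)


# Essential: EUR 10M or 2%, floor 1/20, admin 0.1%; important: EUR 7M or 1.4%, floor 1/30, admin 0.07%
PRIVATE_TIERS = {
    "essential": PrivateTier(10_000_000, 200, 20, 10),
    "important": PrivateTier(7_000_000, 140, 30, 7),
}

# Public administrations use fixed (floor, ceiling) ranges; turnover plays no role
PUBLIC_RANGES = {
    "essential": (25_000, 125_000),
    "important": (8_300, 41_600),
}

REPEAT_MULTIPLIER = 3  # "up to three times" within five years of a prior sanction (Art. 38 s.13)


def applicable_maximum(entity_type: str, turnover: int) -> int:
    """Higher of the fixed euro ceiling and the turnover percentage."""
    tier = PRIVATE_TIERS[entity_type]
    return max(tier.monetary_max, turnover * tier.turnover_bp // BP)


def minimum_floor(entity_type: str, turnover: int) -> int:
    """Statutory floor: 1/20 (essential) or 1/30 (important) of the applicable maximum."""
    return applicable_maximum(entity_type, turnover) // PRIVATE_TIERS[entity_type].floor_divisor


def crossover_turnover(entity_type: str) -> int:
    """Turnover at which the percentage ceiling overtakes the fixed euro ceiling."""
    tier = PRIVATE_TIERS[entity_type]
    return tier.monetary_max * BP // tier.turnover_bp


def admin_deficiency_ceiling(entity_type: str, turnover: int) -> int:
    """Art. 38 s.11 ceiling (0.1% / 0.07% of turnover); no statutory floor is stated."""
    return turnover * PRIVATE_TIERS[entity_type].admin_bp // BP


def major_violation_envelope(entity_type: str, turnover: int, public: bool = False,
                             repeat: bool = False, repeat_scales_floor: bool = False) -> tuple:
    """Return (floor, ceiling) in euros for a major violation.

    repeat applies the up-to-3x multiplier to the ceiling. Whether the floor also
    scales is not explicit in s.13, so that is an opt-in assumption here.
    """
    if public:
        floor, ceiling = PUBLIC_RANGES[entity_type]
    else:
        floor = minimum_floor(entity_type, turnover)
        ceiling = applicable_maximum(entity_type, turnover)
    if repeat:
        ceiling *= REPEAT_MULTIPLIER
        if repeat_scales_floor:
            floor *= REPEAT_MULTIPLIER
    return floor, ceiling


def exposure_report(entity_type: str, turnover: int, public: bool = False) -> dict:
    """Baseline exposure figures a risk model would carry for one entity."""
    floor, ceiling = major_violation_envelope(entity_type, turnover, public)
    _, repeat_ceiling = major_violation_envelope(entity_type, turnover, public, repeat=True)
    report = {"major_floor": floor, "major_ceiling": ceiling, "repeat_ceiling": repeat_ceiling}
    if not public:
        report["admin_ceiling"] = admin_deficiency_ceiling(entity_type, turnover)
    return report


if __name__ == "__main__":
    # Constructed sample entities, not real organisations
    for label, kind, revenue in [("mid-size essential", "essential", 200_000_000),
                                 ("large essential", "essential", 600_000_000),
                                 ("important", "important", 80_000_000)]:
        print(label, exposure_report(kind, revenue))
```

The report's `major_floor` is the figure the article recommends as the baseline exposure for private-sector entities; the large-essential sample reproduces the €600,000 floor the article derives for €600 million of turnover.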

Director and management personal liability

Under Article 23 of D.Lgs. 138/2024, management bodies are personally responsible for approving and overseeing the organisation’s cybersecurity risk management programme. Individual directors who fail to exercise adequate governance oversight can face personal sanctions — not just the organisation as a whole. This mirrors NIS2’s Article 20 on management accountability. The board and directors NIS2 guide covers management-level obligations in detail.

ACN’s enforcement escalation sequence

ACN does not typically proceed directly to maximum fines. The standard escalation follows four stages:

  1. Inspection or documentation review — ACN identifies the non-compliance
  2. Corrective order — a binding instruction to remedy the violation within a set period
  3. Periodic penalty payments — daily compounding penalties to compel compliance with the corrective order
  4. Administrative fine — imposed where violations persist after a corrective order or are serious enough to warrant direct sanctioning

The corrective-order stage is the window in which documented remediation carries the most weight. Entities that close identified gaps during this stage are more likely to receive fines near the floor rather than the ceiling — but the floor remains in place regardless.

ACN’s Enforcement Tools — What the Agency Can Actually Do

ACN functions as both supervisor and enforcement authority under Italy’s NIS2 framework, without a separate appeals body between an inspection finding and a sanction decision. The agency’s powers under Article 36 of D.Lgs. 138/2024 cover a full range of investigative tools.

Essential entities — proactive and reactive supervision: ACN may conduct ex-ante (pre-emptive) inspections without waiting for an incident or complaint. Essential entities can receive an inspection at any point in their compliance cycle. This means an organisation that has never reported a significant incident can still be subject to an ACN inspection if it meets the agency’s risk-based selection criteria.

Important entities — reactive supervision only: Important entities are supervised primarily in response to events — an incident report, a complaint, or evidence of suspected non-compliance. This does not eliminate inspection risk entirely, but it significantly reduces the probability of an unprompted inspection compared to essential entities.

Specific powers under Article 36 of D.Lgs. 138/2024:

  • Require entities to provide documentation, system configurations, logs, and security records
  • Conduct on-site inspections at entity premises
  • Conduct remote inspections — accessing systems and records without physical presence
  • Conduct random checks — ACN does not need to justify these as triggered by a specific incident or complaint
  • Commission independent audits by ACN-approved external bodies
  • Request security scan or technical analysis results

For essential entities, ACN can require conformity assessments at regular intervals conducted by independent bodies it approves. The cost of these assessments is typically borne by the entity being assessed.

Current enforcement activity as of March 2026:

ACN’s initial enforcement focus is registration compliance. Of the approximately 6,800 entities estimated to fall within scope, roughly 4,800 had registered as of March 2026, leaving around 2,000 that had not. ACN is pursuing non-registered entities via corrective orders and administrative fines (the 0.1% / 0.07% category) before escalating to major-violation enforcement. Systematic security measure inspections are expected to accelerate from October 2026, when the 18-month implementation period expires for most notified entities.

For more on the supervisory approach and the types of evidence ACN requests during inspections, see the NIS2 supervisory measures guide.

Italy’s 2026 Enforcement Timeline — What Is Active Now

Compliance obligations for Italian NIS2 entities are rolling out in phases. The table below shows what has passed, what is currently active, and what is approaching.

| Date | Obligation | Entity type | Status |
|---|---|---|---|
| October 16, 2024 | D.Lgs. 138/2024 enters into force | All | Complete |
| Jan 1 – Feb 28, 2025 | First registration window — entities register on ACN portal | All in-scope entities | Complete |
| April 15, 2025 | ACN notifies entities of essential / important classification | All registered | Complete |
| May 31, 2025 | Entities submit additional required information (extended to July 31 for those requesting support) | All registered | Complete |
| January 2026 | Incident reporting obligations active — 24h / 72h / one-month chain | All notified entities | Active |
| Jan 1 – Feb 28, 2026 | Second annual registration window — entities update registration data | All in-scope | Active (closing) |
| June 30, 2026 | First service categorisation deadline — impact-level classification submitted via ACN portal (ACN determination, April 13, 2026) | All registered entities | Upcoming |
| October 2026 | Full security measures compliance required — Article 23 minimum standards must be implemented | All notified entities | Approaching |

The January 2026 activation is the most consequential current milestone. Entities that received their ACN classification notification in April 2025 had a nine-month window to implement incident reporting under Article 25. That window closed at the start of 2026. Any significant incident affecting NIS2-covered services that is not reported within 24 hours (early warning) and 72 hours (detailed notification) is now a sanctionable major violation — subject to the floor-and-ceiling penalty range.

The June 30, 2026 categorisation deadline is a newer requirement. On April 13, 2026, ACN issued an operational determination requiring all registered entities to categorise their services by impact level — high, medium, low, or minimal — based on the consequences if those services were disrupted. This categorisation feeds directly into the risk-based security measures required by October 2026 and will inform ACN audit targeting going forward. Entities that deviate from ACN’s predefined impact categories will need documented justification, which ACN is likely to scrutinise during supervisory activities.

2026 compliance checklist for Italian NIS2 entities:

  1. Confirm your registration status is current on the ACN portal (annual window: January 1 – February 28)
  2. Verify incident reporting procedures are live and tested — 24-hour early warning and 72-hour full notification timelines from point of awareness
  3. Complete the ACN service categorisation exercise and submit via the portal by June 30, 2026
  4. Map the October 2026 security measure deadline against your current implementation roadmap and identify gaps
  5. Confirm management bodies have formally approved the cybersecurity programme as required by Article 24 — document this approval in writing, as ACN inspections will request evidence

For detail on the incident notification requirements, see the NIS2 incident reporting guide and the Article 23 notification requirements.

Frequently Asked Questions

What is the minimum NIS2 fine in Italy for a private-sector essential entity?

The minimum fine for a major violation is one-twentieth of the applicable maximum. For an essential entity where the applicable maximum is €10 million (that is, for entities with global annual revenue below €500 million), the floor is €500,000. For entities with revenue above €500 million, the 2% turnover figure becomes the applicable maximum, and the floor scales proportionally upward — for example, €600,000 for an entity with €600 million revenue (1/20 of €12 million).

Do minimum fine floors apply to public administrations?

No. Public administration entities have their own fixed fine ranges under Article 38 §9c of D.Lgs. 138/2024. Essential public entities face fines of €25,000 to €125,000; important public entities face approximately €8,300 to €41,600. These ranges function as both floor and ceiling for public bodies. The 1/20 and 1/30 ratios apply only to private-sector entities.

What happens if my organisation has not registered with ACN?

Non-registration is an administrative deficiency under Article 38 §11. The maximum fine for an unregistered essential entity is 0.1% of global annual turnover; for important entities, 0.07%. As of March 2026, ACN is pursuing non-registered entities via corrective orders before imposing fines. Entities that have not registered are also outside the classification-notification process, which does not exempt them from incident reporting or security measure obligations that may already apply. See the entity registration guide for the registration process and data requirements.

When will ACN begin systematic inspections for security measure compliance?

The 18-month implementation period for minimum security measures under Article 23 expires in October 2026 for entities notified in April 2025. ACN retains the power to inspect essential entities at any time under its proactive supervision mandate, but broad security-measure enforcement is expected from October 2026 onward. The categorisation data submitted by June 30, 2026 will likely inform which entities receive early inspection attention.


This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
