Operating in Italy? NIS2 Is Now Law — Here’s What ACN Requires from Your Business
The April 15, 2025 notifications from ACN were not informational — they were the starting gun. With formal notification of inclusion in Italy’s NIS2 entity lists, thousands of Italian companies saw their compliance countdown begin in real time. Organizations that registered on portale.acn.gov.it between December 2024 and February 2025 now have confirmed deadlines: incident reporting obligations from January 2026, and full security measure compliance expected by October 2026.
Italy transposed NIS2 (Directive 2022/2555) via Legislative Decree No. 138/2024, making the National Cybersecurity Agency (ACN — Agenzia per la Cybersicurezza Nazionale) the single competent authority, national CSIRT host, and single point of contact for all matters under the Directive. The Italian framework broadly follows the EU baseline but adds Italy-specific scope expansions through four annexes — covering municipalities, local transport operators, and cultural organizations that the EU directive does not reach.
This guide covers every stage of the Italian NIS2 process: who is in scope, how to register on the ACN portal, what ACN and CSIRT Italia require, what security measures must be in place, and the full compliance timeline through October 2026.
Italy’s NIS2 Legislative Framework: Decreto Legislativo 138/2024
Italy adopted Legislative Decree No. 138 on September 4, 2024, published in the Gazzetta Ufficiale on October 1, 2024, and entering into force on October 18, 2024. The Decree is Italy’s full transposition of EU Directive 2022/2555 and replaces the previous NIS1 framework established under Legislative Decree 65/2018.
One distinction matters immediately: the Decree became law in October 2024, but the real compliance clock started on April 15, 2025, when ACN formally notified registered entities of their classification as essential or important. That notification date is the reference point for all subsequent deadlines — nine months to incident reporting obligations, eighteen months to full security measure compliance.
A supplementary measure — the Decree of the President of the Council of Ministers (DPCM) of February 10, 2025 — established safeguard clause criteria under Article 3 of the Decree, allowing certain entities to seek out-of-scope determinations based on specific criteria ACN publishes annually. Organizations relying on this clause must document their reasoning and cannot simply self-exclude without justification.
Who Does Italian NIS2 Cover? Essential and Important Entities
Italy uses the EU’s two-tier classification — essential entities and important entities — but extends scope through four national annexes instead of the EU directive’s two. Understanding where your organization falls determines both your obligations and your penalty exposure.
NIS2 scope in Italy covers eighteen sectors: eleven highly critical (energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space) and seven important (postal services, waste management, chemicals, food production, manufacturing, digital services, and research).
Classification Thresholds
| Category | Size Threshold | Size-Independent Entities |
|---|---|---|
| Essential (Annex I) | ≥250 FTE or >€50M global revenue | CER-regulated operators, DNS providers, TLD registries, qualified trust service providers, telcos serving ≥1% national users |
| Important (Annex II) | ≥50 FTE or >€10M global revenue | Digital service providers, food distributors, postal operators |
| Italy-specific (Annexes III/IV) | Sector-dependent | Municipalities ≥100,000 residents, metropolitan cities, local transport operators, universities and research institutions, cultural heritage organizations |
Italy’s Annex III and IV additions are the most significant departure from the EU baseline. Local transport operators, higher education institutions, and cultural organizations are not covered under the EU directive — Italy chose to bring them within scope under national law.
Does Italian NIS2 Apply to Your Organization?
Work through this sequence:
- Does your organization operate or provide services in Italy? Coverage is based on where services are delivered, not where the organization is headquartered. A non-Italian company providing covered services in Italy must comply.
- Do you operate in any of the 18 covered sectors? If not, check Annexes III and IV for national-scope additions.
- Are you ≥250 FTE or >€50M revenue? Essential entity.
- Are you ≥50 FTE or >€10M revenue? Important entity.
- Are you a municipality ≥100,000 residents, a local transport operator, a university, or a cultural organization? Check Annex III/IV applicability.
- Below all thresholds and not in a size-independent category? Self-assess as out of scope and document the decision. Size-independent categories apply regardless of headcount or revenue, so an entity below both thresholds can still be in scope.
Entity Registration: Step by Step on the ACN Portal
All in-scope organizations must register on ACN’s digital platform at portale.acn.gov.it. Registration is mandatory and annual — the standard window runs from January 1 to February 28 each year.
For the initial 2024–2025 cycle, ACN opened registrations on December 1, 2024. The deadline for most entities was February 28, 2025; digital service providers, cloud providers, and managed security service providers faced an earlier deadline of January 17, 2025.
The Four-Step Registration Process
- SPID authentication: The designated point of contact logs in using personal SPID credentials (Italy’s national digital identity), CIE (Carta d’Identità Elettronica), or CNS (Carta Nazionale dei Servizi). This is an individual login — not a corporate one — as it verifies the identity of the designated representative personally.
- Point of contact association: The PoC links their account to the organization by entering the company’s codice fiscale (tax identification code). The portal automatically retrieves the company’s registered name, address, and PEC (certified email) address from Italy’s business register. These pre-filled details must be reviewed and confirmed.
- Entity data submission: The organization provides sectoral activity per Annexes I–IV, financial metrics (FTE headcount, global revenue), group affiliations, public IP address ranges, and domain names.
- Self-assessment declaration: The PoC declares whether the organization is essential, important, or out of scope. ACN validates this declaration, publishes the entity list by March 31, and notifies organizations of their confirmed classification by April 15 via PEC.
The May 31 Annual Update Deadline
Registration alone is not sufficient. Between April 15 and May 31 each year, all registered entities must submit updated information through the ACN portal:
- Current IP address ranges and domain names
- The EU Member States where services are provided
- Contact details for responsible persons and their deputies
Any change to this information outside the annual window must be reported within 14 working days of the change occurring. ACN’s continuous monitoring makes unreported changes immediately visible.
ACN and CSIRT Italia: Italy’s Competent Authority and National CSIRT
ACN holds three simultaneous roles under Italian NIS2 — and understanding all three matters for how compliance is structured.
Competent national NIS authority: ACN has full enforcement powers — it can conduct digital and on-site audits, request documentation, impose administrative sanctions, and issue binding regulatory measures. Unlike many EU member states that operate periodic audit cycles, Italy’s ACN runs continuous digital monitoring through the portal. Every registration update, incident log, and role assignment is timestamped and visible to ACN in real time. ACN can trigger audits immediately when it detects gaps — no advance notice required.
Single point of contact: ACN is Italy’s official liaison with other EU member states’ NIS authorities and with ENISA for cross-border coordination. If a significant incident in Italy has cross-border impact, ACN manages the notification flow to other national authorities.
Host of CSIRT Italia: Italy’s Computer Security Incident Response Team operates within ACN, receiving significant incident notifications, providing threat analysis, and coordinating responses. Upon receiving an incident notification, CSIRT Italia acknowledges receipt within 24 hours and may provide mitigation guidance and technical support on request.
The Dual-Authority Model: Sector-Specific Addenda
ACN is not the only authority Italian organizations answer to. Italy operates a layered governance system in which sector-specific regulators — the Ministry of Health for healthcare, energy regulator ARERA for energy, financial supervisory authorities (Banca d’Italia, CONSOB, IVASS) for financial services, and the Ministry of Digital Transition for public administration — issue sector-specific addenda to ACN’s national baseline requirements.
These addenda are mandatory supplementary law, not guidance. An energy company operating in Italy must satisfy both ACN’s national requirements and the additional measures required by the energy sector authority. When conflicts arise between ACN’s baseline and sector-specific addenda, ACN holds ultimate enforcement authority.
Parallel GDPR Reporting
Organizations should note that personal data breaches triggering NIS2 incident reporting also require a separate parallel notification to the Italian Data Protection Authority (Garante Privacy). The two notifications use different channels, different forms, and potentially different timelines. Both obligations may be triggered simultaneously by the same incident — organizations must manage both notification streams without assuming one satisfies the other.
Security Obligations Under Article 24 of the Decree
Article 24 of Decreto Legislativo 138/2024 — Italy’s transposition of Article 21 of Directive 2022/2555 — requires essential and important entities to implement proportionate, risk-based security measures across ten categories, grouped below under eight headings. The standard is “proportionate to the risk” — not absolute — but proportionality must be documented and defensible.
- Risk analysis and information security policies — documented methodology, updated after significant changes or at defined intervals
- Incident handling — response procedures, escalation paths, post-incident review processes
- Business continuity and disaster recovery — BCPs covering backup protocols, system redundancy, and documented recovery time objectives
- Supply chain security — assessment of direct suppliers’ and service providers’ cybersecurity practices; supplier security clauses in contracts
- Network and information systems security — across acquisition, development, and maintenance phases
- Personnel security, access controls, and asset management — background checks where appropriate, need-to-know access, ICT asset inventory by criticality
- Multi-factor authentication and encryption — MFA required for remote access, sensitive systems, and administrative accounts; encryption for data in transit and at rest
- Vulnerability management — coordinated disclosure programs, documented patch management processes, and tracking of known exploited vulnerabilities
Board-Level Obligations — Personal Liability Applies
Article 24 places obligations directly on management bodies, not just IT departments. Boards must formally approve the cybersecurity risk management policy, monitor its implementation, and undergo specific cybersecurity risk training. Individual board members face personal liability for documented failures to fulfil these obligations.
In practice, this means board meetings must formally address cybersecurity governance — with minutes documenting who reviewed what and when. ACN’s portal tracks board-level role assignments in real time; organizations that have not logged a responsible board-level person are flagged immediately.
| Obligation | Primary Owner | Supporting Role |
|---|---|---|
| Risk assessment policy | CISO | IT Security Team |
| Board cybersecurity approval | Board / C-Suite | CISO |
| Supply chain assessment | CISO / Procurement | Legal |
| Incident response plan | CISO | IT + Legal |
| MFA implementation | IT Security | CISO |
| ACN portal registration and updates | Compliance Officer | IT / Legal |
| Board and employee training | HR | CISO |
Full compliance with Article 24 is required by October 2026 — eighteen months after ACN’s April 2025 notifications. Incident reporting, governed by Article 25 of the Decree, starts earlier: January 2026.
Incident Reporting to CSIRT Italia: The 24/72/30 Cascade
Italy implements the NIS2 three-stage reporting cascade with one addition: monthly progress updates for ongoing incidents.
What Qualifies as a Significant Incident?
Under Article 25 of the Decree, an incident is significant if it causes or risks serious operational disruption or financial losses to the entity, or causes tangible or intangible losses to third parties. Four specific scenarios trigger the obligation:
- Loss of data confidentiality held by the entity
- Integrity loss affecting third parties who depend on the entity’s services
- Service level violations against expected standards
- Unauthorized access to systems or data (essential entities only)
The trigger is when the organization “acquires objective elements” confirming the incident — not mere suspicion. The clock starts from that moment of confirmed awareness.
Reporting Stages
| Stage | Deadline | Content Required |
|---|---|---|
| Early warning | Within 24 hours | Incident confirmed; indication whether cause appears malicious; whether cross-border impact is possible |
| Formal notification | Within 72 hours | Updated situation assessment; initial severity rating; expected operational impact; relevant metrics |
| Progress update | Monthly (if ongoing) | Status update while incident remains unresolved |
| Final report | Within 30 days of initial notice | Full incident description; root cause and threat analysis; mitigation actions taken; cross-border impact assessment |
All reports are submitted to CSIRT Italia’s reporting portal. CSIRT Italia acknowledges receipt within 24 hours and may offer technical support and mitigation guidance on request.
CSIRT Representative Appointment — December 31, 2025 Deadline
By December 31, 2025, all essential and important entities must appoint a designated CSIRT representative through the ACN portal. The appointment window opens November 20, 2025. The requirement is one primary representative and at least one deputy, with the combination ensuring 24/7 availability for emergency contact. Both must have relevant technical expertise in cybersecurity incident management.
This deadline sits between the May 31, 2025 annual data submission and the January 2026 incident reporting start — and is frequently overlooked by organizations focused on the larger milestones.
When Do Obligations Start?
For most entities notified in April 2025, incident reporting obligations commence nine months after notification — effectively January 2026. Exceptions are entities already subject to the National Cybersecurity Perimeter (Perimetro di Sicurezza Nazionale Cibernetica), previous NIS1 essential service operators, and telecommunications providers serving ≥1% of national users, whose reporting obligations were already active under prior legislation.
Penalties and ACN Enforcement
Italy implements the NIS2 penalty floors in full and adds an explicit penalty regime for public administrations — a detail not uniformly included across EU member states.
| Entity Type | Maximum Penalty |
|---|---|
| Essential entities (non-public) | €10,000,000 or 2% of total global annual turnover, whichever is higher |
| Important entities (non-public) | €7,000,000 or 1.4% of total global annual turnover, whichever is higher |
| Public administrations | €25,000 – €125,000 |
| Lesser violations (failure to register, failure to update ACN platform, failure to cooperate with ACN) | Up to 0.1% of turnover (essential) / 0.07% (important) |
Minimum fines are set at one-twentieth of the maximum for essential entities and one-thirtieth for important entities — a non-trivial floor for first violations. Escalation applies for repeat failures, systemic negligence, and chronic non-compliance. ACN calibrates its largest sanctions to “ongoing” negligence rather than isolated errors — a distinction that rewards organizations that document their compliance efforts even when they fall short.
Board members and designated compliance officers face individual personal accountability under the Decree. Given ACN’s real-time portal monitoring, failures to update contact details, missed incident notifications, or board minutes that do not address cybersecurity governance are immediately visible to the regulator without requiring a formal audit trigger.
Italy NIS2 Compliance Timeline: Full Picture
| Date | Event | Action Required |
|---|---|---|
| October 18, 2024 | Legislative Decree 138/2024 enters into force | Begin NIS2 applicability assessment |
| December 1, 2024 | ACN portal opens for registration | Begin registration process |
| January 17, 2025 | Registration deadline — digital/cloud/MSSP providers | Digital service providers must complete registration |
| February 10, 2025 | DPCM — safeguard clause criteria published | Review out-of-scope criteria if applicable |
| February 28, 2025 | Registration deadline — all other entities | Complete registration on portale.acn.gov.it |
| March 31, 2025 | ACN publishes entity list | Verify classification status |
| April 15, 2025 | ACN notifies entities of essential/important status | Compliance countdown officially starts |
| May 31, 2025 | Annual data update deadline | Submit domain names, IP ranges, compliance officer details via ACN portal |
| Nov 20 – Dec 31, 2025 | CSIRT representative appointment window | Appoint primary + deputy CSIRT contact via ACN portal |
| January 2026 | Incident reporting obligations commence | CSIRT Italia reporting active for all notified entities |
| Jan 1 – Feb 28, 2026 | Annual registration renewal | Update entity registration for 2026 cycle |
| June 30, 2026 | ACN categorization submission | Submit activity macroarea mapping via ACN portal |
| October 2026 | Full Article 24 security measure compliance required | Complete security programme — all 10 categories operational |
Key Takeaways for Organizations Operating in Italy
Three features of Italy’s NIS2 implementation distinguish it from the EU baseline:
Continuous oversight, not periodic audits. ACN’s real-time portal monitoring means compliance gaps are visible immediately. There is no annual audit cycle that provides a warning window — organizations must maintain accurate portal data continuously.
Four annexes, not two. Italy’s scope extensions pull in municipalities, local transport operators, universities, and cultural organizations not covered by the EU directive. Sector-specific organizations should not assume EU baseline scope applies without checking Italian Annexes III and IV.
Dual-authority complexity. Sector-specific regulators issue mandatory addenda — not guidance — that supplement ACN’s national requirements. Organizations in regulated sectors (energy, finance, health) must reconcile both sets of obligations.
For most organizations notified in April 2025, the immediate priorities are: the May 31, 2025 portal data submission, the November–December 2025 CSIRT representative appointment, and building the incident detection capability needed to meet the January 2026 reporting start.
Frequently Asked Questions
Does Italian NIS2 apply to non-Italian companies operating in Italy?
Yes. Coverage is based on where services are delivered, not where the organization is incorporated. Any organization providing covered services in Italy must comply with Decreto Legislativo 138/2024, regardless of its country of establishment.
What if my company missed the February 28, 2025 registration deadline?
Organizations that failed to register should register through the ACN portal as soon as possible. Failure to register is a lesser violation subject to fines of up to 0.1% of annual turnover for essential entities and 0.07% for important entities. Proactive registration and contact with ACN reduce penalty exposure compared to non-engagement.
What is SPID, and what if our point of contact does not have one?
SPID (Sistema Pubblico di Identità Digitale) is Italy’s national digital identity system. The ACN portal also accepts CIE (Carta d’Identità Elettronica) and CNS (Carta Nazionale dei Servizi). Non-Italian point-of-contact representatives may need to obtain a compatible electronic identity credential before registration can proceed.
When do incident reporting obligations actually start for my organization?
For entities notified by ACN in April 2025, incident reporting obligations start nine months after notification — January 2026 for most. Entities already subject to the National Cybersecurity Perimeter (PSNC) or the prior NIS1 framework had active obligations before that date.
Is NIS2 compliance the same as GDPR compliance?
No. NIS2 and GDPR are separate frameworks with separate obligations and separate enforcement authorities. Personal data breaches may trigger parallel reporting obligations to both CSIRT Italia (under NIS2) and the Garante Privacy (under GDPR) — using different forms, different channels, and potentially different timelines. Organizations must manage both independently.
Legal Disclaimer
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
