NIS2 Italy: what you need to know

NIS2 Italy

The original NIS1 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 was introduced to strengthen cybersecurity within the EU. Due to the increasing threat of cyberattacks, this directive was replaced by the NIS2 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022, which imposes stricter requirements and a broader scope to increase the resilience of critical infrastructures against cyberattacks.

The NIS2 Directive was transposed into Italian law through Legislative Decree 138/2024 of 4 September 2024, hereinafter NIS2 Act, which has been in force since 1 January 2025.

On this page you will find everything you need to know about the impact of NIS2 on your organisation and how you can prepare for the new regulations.

The content of this page is subject to change and will be updated as needed.

NIS2 entities

The Italian NIS2 Act applies to both legal entities and natural persons (collectively referred to as ‘entities’) registered in Italy that supply products and/or services in an EU country. The NIS2 Act explicitly defines which public and private entities are subject to cybersecurity obligations. A distinction is made between essential entities and important entities. The categorisation of entities takes into account the services offered, the size of the entity, and its location. In principle, your entity will be subject to the Italian NIS2 Act when:
  1. Your organisation provides services within a sector listed in Annexes I to IV of the NIS2 Act;
  2. Your organisation exceeds the thresholds for medium-sized enterprises; and
  3. Your organisation is located in Italy.

Criterion 1: Services provided

Annexes I through IV of the Italian NIS2 Act describe the sectors that fall within its scope. It is therefore crucial to analyse, by (sub)sector, the services your organisation provides to third parties. The sectors listed in Annexes I and II of the Italian NIS2 Act correspond to those of the European NIS2 Directive; Annexes III and IV are national additions.
Annex I: Highly critical sectors
  • Energy (electricity, district heating and cooling, oil, gas, hydrogen)
  • Transport (air, rail, water, road)
  • Banking
  • Financial market infrastructures
  • Health care
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • ICT service management (business-to-business)
  • Public administration
  • Space travel
Annex II: Other critical sectors
  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemical substances
  • Production, processing and distribution of food
  • Manufacture (medical devices and in vitro diagnostic medical devices; computer, electronic and optical products; electrical equipment; machinery and equipment n.e.c.; motor vehicles, trailers and semi-trailers; other transport equipment)
  • Digital providers
  • Research
In addition to the entities covered by the NIS2 as listed in Annexes I and II, the Italian NIS2 Act also applies to central, regional, local, and other types of public authorities (see Annex III), as well as to additional types of entities identified by the public authorities (see Annex IV). Examples of this last category include local public transport, research institutions, cultural organisations, etc. If your organisation provides a service from the above list, your organisation may fall within the scope of the NIS2 Act. More information on the scope of the Italian NIS2 Act can be found here.

Criterion 2: Company size

Besides the services provided, the size of the entity is also important in determining whether your organisation falls within the scope of the Italian NIS2 Act. Click here to determine whether your organisation is a small, medium, or large enterprise. In principle, medium and large enterprises must comply with the requirements of the NIS2 Act. In addition, the law also applies to the following specific providers, regardless of the entity’s size. These are:
  • Providers of public electronic communications networks or services
  • Trust service providers
  • Top-level domain (TLD) name registries
  • DNS service providers
Furthermore, the law also applies to entities, regardless of their size, if their activities are crucial to society or the economy. This is the case if:
  • They provide services that are essential for critical social or economic functions and that are not provided by other providers
  • A disruption of their services would have a significant impact on public order, safety or public health
  • An incident affecting them could cause systemic risks with cross-border consequences
  • They are of strategic or vital importance at national or regional level, for example because other sectors depend on them
  • They are part of the supply chain, including the digital supply chain, of one or more important or essential entities.

Criterion 3: Establishment in Italy

In principle, the Italian NIS2 Act can only apply to entities with an establishment in Italy. However, the following entities are exceptionally subject to the Italian NIS2 Act:
  • Providers of public electronic communications networks or providers of public electronic communications services offering their services in Italy;
  • DNS service providers, top-level domain name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as online marketplace providers, online search engines or social networking service platforms, if they have their main establishment in Italy or if they have their legal representative for the EU in Italy in the case that they do not have an establishment within the EU;
  • Public authorities established by Italy.
In addition to the three criteria above, when analysing the scope of the NIS2 Act it should be borne in mind that an organisation outside the scope may still be affected by the NIS2 Act, either because the national authority designates it as an essential or important entity or because it belongs to the supply chain of a NIS2 entity. To determine whether your entity falls within the scope of the Italian NIS2 Act, you can conduct a self-assessment based on the explanatory notes and guidelines available on the ACN website under FAQ 3.1.

What does this mean for my company?

1. Registration (Art. 7)

As part of the implementation of the European NIS2 Directive, Italy has introduced a national registration procedure for public and private entities subject to the regulations. This procedure is managed by Agenzia per la Cybersicurezza Nazionale (ACN).

Between 1 December 2024 and 28 February 2025, all organisations subject to the Italian NIS2 Act must register through the ACN digital portal. This registration is mandatory and is an essential component of cybersecurity oversight in critical sectors. DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, search engine providers, social networking platform providers, and trust service providers must register by 17 January 2025.

If your organisation is designated as an essential or important entity based on the criteria described in the ‘NIS2 entities’ chapter, you must provide the following information to ACN:

  • Company name;
  • Address and contact details, including email addresses and telephone numbers;
  • The designation of a contact person, stating the position within the entity and current contact details, including email addresses and telephone numbers;
  • Where applicable, the relevant sectors, subsectors and types of entities referred to in Annexes I, II, III and IV.

By 31 March each year, the competent national authority will establish the list of entities considered essential or important. The organisations concerned will be formally notified whether they have been included on the list, whether their existing status as NIS2 entities has been confirmed, or whether they have been removed from the list.

Between 15 April and 31 May each year, the entities concerned must submit or update their data. For entities that have requested support for the annual update, the deadline is extended to 31 July. The following information must be provided as a minimum:

  • The organisation’s IP address range and domain names;
  • An overview of the Member States offering services falling within the scope of the NIS2 Directive;
  • The contact details of the responsible persons, including their position, email address and telephone number;
  • The contact details of a replacement point of contact, including their position, email address and telephone number.

Any changes to the above information must be communicated within 14 working days.

Organisations that are not government agencies must complete a self-assessment prior to registration. Further explanation and guidelines are available on the ACN website under FAQ 3.1.

2. Management measures (Art. 24)

If your organisation is categorised as an essential or important entity, you are responsible for implementing appropriate technical and organisational measures to ensure the security of your network and information systems. These cybersecurity controls include, at a minimum:

  • Policy for risk analysis and security of information systems
  • Incident management
  • Business continuity, such as backup management and disaster recovery, and crisis management
  • Supply chain security
  • Security in the acquisition, development and maintenance of network and information systems, including the response to and disclosure of vulnerabilities
  • Policies and procedures to assess the effectiveness of measures for managing cybersecurity risks
  • Cyber hygiene and training in the field of cybersecurity
  • Policies and procedures on cryptography and, where applicable, encryption
  • Security aspects regarding personnel, access policy and asset management
  • Use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communication and secure emergency communication systems within the entity, where applicable.

In the implementing regulation 2024/2690, the European Commission has elaborated the above minimum cybersecurity measures for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, providers of content delivery networks, managed services providers, managed security services providers, online marketplaces, online search engines, social networking services platforms and trust service providers.

Organisations designated as important must apply the measures outlined in Annex 1 of Resolution 164179 of 14 April 2025. Organisations considered essential must follow the measures established in Annex 2 of the same resolution.

More information about the basic measures can be found here.

3. Reporting obligation of significant incidents (Art. 25, 26)

Essential and important entities are required to notify the national Computer Security Incident Response Team (CSIRT), CSIRT Italia, when a significant incident occurs. They must also inform the recipients of their services if the significant incident affects the provision of services related to the (sub)sectors of Annexes I to IV.

An incident is considered significant when

  • The incident has resulted or may result in serious service disruption or financial loss to the affected entity or
  • The incident has affected or may affect other natural or legal persons by causing significant material or immaterial damage.

The significant incident is reported by the essential and important entity by email to infected@csirt.gov.it or via the online tool according to the following procedure:

  1. Without delay, and in any event within 24 hours of becoming aware of the significant incident, the entity shall submit an early warning, stating the probable cause and any cross-border implications;
  2. Without delay, and in any event within 72 hours of becoming aware of the significant incident, the entity must submit an incident notification containing an update of the information and an initial assessment of the incident. Trust service providers have a 24-hour deadline for submitting the incident notification;
  3. At the request of CSIRT Italia, the entity shall submit an interim report;
  4. No later than one month after the incident notification, the entity shall submit a final report stating:
    1. A detailed description of the incident, as well as its severity and consequences;
    2. The type of threat or root cause that likely led to the incident;
    3. Risk mitigation measures applied and ongoing;
    4. The cross-border consequences of the incident, if applicable.
  5. If the incident is still ongoing one month after the incident was reported, the entity must submit a progress report, and a final report must be submitted within one month of the incident being resolved.

In Implementing Regulation 2024/2690, the European Commission has defined the criteria for a significant incident for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engines and social networking service platforms, and trust service providers. These special rules take precedence over national rules in case of inconsistencies.

Finally, all entities, regardless of whether they fall within the scope of the NIS2 Act, can voluntarily report (significant) incidents, cyber threats and near misses to the CSIRT Italia.

More information about reporting significant cyber incidents can be found here.

4. Obligations and responsibilities of management

The management bodies of essential and important entities are responsible for compliance with the NIS2 Act and must fulfil various obligations, including:

  • Approving cybersecurity management measures and monitoring compliance with them
  • Undertaking training to acquire sufficient knowledge and skills to identify risks and to assess cybersecurity risk-management measures and their impact on the services the entity provides
  • Ensuring that the entity’s employees receive regular cybersecurity training

The management bodies are liable for non-compliance with the NIS2 Act.

5. Cooperation with authorities

Essential and important entities must cooperate with the national authorities. This concerns the exchange of information on the security of network and information systems, reporting incidents, cooperation with the inspection service, etc.

How can I demonstrate that my company complies with the NIS2 legislation?

Essential and important entities must undergo frequent compliance audits. Based on an independent conformity assessment by an accredited Conformity Assessment Body (CAB), the entity can obtain a certificate demonstrating compliance with the NIS2 Act to stakeholders.

To demonstrate that an organisation meets the requirements of the NIS2 legislation, Italy recognises both international and national cybersecurity standards.

In this context, the Italian government developed the National Framework for Cybersecurity and Data Protection, which was updated in 2025 and is based on NIST CSF 2.0. This framework provides a structured approach to managing cyber risks and strengthening digital resilience.

The Italian framework closely aligns with the domains and obligations defined in the NIS2 Directive. The modalities and technical specifications will be further developed over the course of 2025 and 2026. The basic measures will be defined by April 2025, while the long-term measures will be established by April 2026. These measures form the core of the technical annexes published by ACN. Organisations will be required to comply with the minimum measures included therein by October 2026 at the latest.

In addition to the national framework, organisations can also use international standards such as ISO/IEC 27001, which is globally recognised as the standard for information security management. It describes the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Although this standard is not legally mandated, it is often used in Italy as evidence of a robust cybersecurity policy.

To obtain ISO 27001 certification, the following steps must be taken:

  1. Acquire the necessary knowledge about ISO/IEC 27001, for example through training courses.
  2. Implement the ISO 27001 management system in your organisation in accordance with the standard requirements.
  3. Conduct internal audits.
  4. Have the management assess the results of the internal audit and take corrective measures if necessary. Record the conclusion about compliance with the requirements in the management review.
  5. Contact an accredited Conformity Assessment Body (CAB) to conduct an external audit.

If you would like more information about certification, you can make an appointment with an expert here.

Enforcement and sanctions (Art. 38)

The competent authority, ACN, conducts inspections on compliance of NIS2 entities with the requirements. A distinction must be made between essential and important entities:

  • Essential entities are monitored both proactively (ex-ante) and reactively (ex-post) and are required to have regular conformity assessments carried out.
  • In principle, important entities are only checked reactively, after an incident or when there is a suspicion of non-compliance with the law.

The Italian NIS2 Act provides for specific sanctions that ACN can impose on entities that fail to comply with the legal provisions. These sanctions vary depending on the nature and severity of the violation and are divided into administrative measures and administrative fines.

Possible administrative measures that may be imposed include issuing warnings, requiring the entity to take certain measures, appointing a supervisor to monitor compliance with the NIS2 Act, etc.

Penalties for serious infringements are administrative fines stipulated by law, which can amount to up to €10,000,000 or 2% of the total worldwide annual turnover of the essential entity and up to €7,000,000 or 1.4% of the total worldwide annual turnover of the important entity. For government institutions and publicly controlled entities, these fines range from €25,000 to €125,000.

Administrative deficiencies such as failing to register company information, failing to cooperate with the ACN or CSIRT Italia, and failing to apply mandatory certification schemes can also result in fines of up to 0.1% of global annual turnover for essential entities and up to 0.07% of global annual turnover for important entities. For government institutions and publicly controlled entities, these fines range from €10,000 to €50,000.

In case of repeated violations, the penalties are increased: if the same type of violation is repeated, the fine can be doubled, while if different types of violations are repeated, the fine can be increased up to three times.

Timeline

  • 17 October 2024: Initial deadline for EU Member States to transpose the NIS2 Directive into national law
  • 17 January 2025: Registration through ACN’s digital portal for DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, search engine providers, social networking platform providers, and trust service providers.
  • 28 February 2025: Registration via the ACN digital portal
  • 31 May 2025: Provide data to ACN
  • 9 months from notification of inclusion in the list of NIS2 entities (no later than January 2026): the incident reporting obligation applies
  • 18 months from notification of inclusion in the list of NIS2 entities (no later than October 2026): the basic security measures must be implemented

Competent authorities (Art. 15)

In Italy, several competent authorities have been designated to be involved in the implementation of the NIS2 legislation.

The Agenzia per la Cybersicurezza Nazionale (ACN) is the central national authority for the implementation and enforcement of the NIS2 legislation. This body is responsible for monitoring compliance with NIS2 obligations by both public and private organisations. The ACN manages the national registration portal, compiles the lists of entities concerned, conducts inspections, and can impose sanctions for non-compliance. In addition, the ACN coordinates cooperation between the various sectoral regulators and promotes information exchange and crisis management at the national level.

The National Computer Security Incident Response Team (CSIRT Italia) is the national team that monitors, analyses, and coordinates cybersecurity incidents. Organisations subject to the NIS2 legislation are required to report serious cyber incidents to CSIRT Italia. The team supports organisations in handling incidents, provides technical guidance, and ensures rapid communication between affected parties and the government. CSIRT Italia works closely with the ACN and other European CSIRTs to strengthen Italy’s digital resilience.

The Ministry of Defence (Ministero della Difesa) plays a specific role within the NIS2 context, particularly when it comes to protecting critical infrastructure important for national security. The Ministry collaborates with the ACN and other competent authorities to ensure a coordinated response to cyber threats affecting the defence and security sector. In addition, the Ministry contributes to the development of national cyber resilience and crisis management strategies.

In addition to the central authorities, Italy also has sectoral regulators, such as the Ministry of Economic Development (for digital service providers and energy), the Ministry of Infrastructure and Transport (for transport sectors), and other relevant ministries. They are responsible for monitoring NIS2 compliance within their own sectors and collaborate with ACN to ensure uniform application of the regulations.