NIS2 in Italy

The original NIS1 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 was introduced to raise the common level of cybersecurity across the EU. In response to the growing threat of cyberattacks, it was replaced by the NIS2 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022, which imposes stricter requirements and a broader scope in order to increase the resilience of critical infrastructure.

The NIS2 Directive was transposed into Italian law through Legislative Decree 138/2024 of 4 September 2024, hereinafter the NIS2 Act, which entered into force on 16 October 2024.

This page provides an up-to-date overview of the scope of NIS2 in Italy, the obligations and compliance requirements for essential and important entities, and how your organisation can prepare for them.

Do you have questions about how NIS2 applies to your organisation in Italy? Please contact us.

Scope of the Italian NIS2 Act

The Italian NIS2 Act applies to legal entities and natural persons (collectively referred to as ‘entities’) established in Italy that supply products and/or services in an EU Member State. This scope forms the basis for determining whether an organisation must comply with the Italian NIS2 requirements.

For cross-border organisations, it may also be relevant to compare how NIS2 has been implemented in other Member States, such as Belgium and Germany, as sector classifications and supervisory approaches may differ.

Essential and important entities

The NIS2 Act explicitly defines which public and private entities are subject to cybersecurity obligations. A distinction is made between essential entities and important entities. The categorisation of an entity takes into account the services it offers, its size and its location. As a rule, an entity falls within the scope of the Italian NIS2 Act when all three of the criteria below are met:

  1. Your organisation provides services within a sector listed in Annexes I to IV of the NIS2 Act;
  2. Your organisation qualifies at least as a medium-sized enterprise (50 or more employees, or an annual turnover or balance sheet total above EUR 10 million); and
  3. Your organisation is established in Italy.

Sector classification under Annex I–IV

Annexes I through IV of the Italian NIS2 Act describe the sectors that fall within its scope. It is therefore crucial to thoroughly analyse the services provided to third parties by (sub)sector. The sectors in Annexes I and II mirror those defined in the European Directive, while Annexes III and IV expand the national scope (“settori NIS2 Italia”) for Italy.

Annex I: Highly critical sectors

  • Energy: electricity, district heating and cooling, oil, gas, hydrogen
  • Transport: air, rail, water, road
  • Banking
  • Financial market infrastructures
  • Health care
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • ICT service management (business-to-business)
  • Public administration
  • Space

Annex II: Other critical sectors

  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Production, processing and distribution of food
  • Manufacturing: medical devices and in vitro diagnostic medical devices; computer, electronic and optical products; electrical equipment; machinery and equipment n.e.c.; motor vehicles, trailers and semi-trailers; other transport equipment
  • Digital providers
  • Research

In addition to the entities covered by the NIS2 Directive as listed in Annexes I and II, the Italian NIS2 Act also applies to central, regional, local and other types of public authorities (see Annex III), as well as to additional types of entities identified by the public authorities (see Annex IV). Examples include local public transport, research institutions and cultural organisations. Organisations offering services within these sectors may therefore fall within the expanded scope of NIS2 Italy. More information on the scope of the Italian NIS2 Act is available on the ACN website.

Company size criteria

Besides the services provided, the size of the entity is also decisive in determining whether your organisation falls within the scope of the Italian NIS2 Act. The size classes follow the EU definition of small, medium-sized and large enterprises: an entity is at least medium-sized when it has 50 or more employees, or an annual turnover or balance sheet total above EUR 10 million. In principle, the Italian NIS2 requirements apply to medium-sized and large entities only. In addition, the law applies to the following providers regardless of the entity’s size:

  • Providers of public electronic communications networks or of publicly available electronic communications services
  • Trust service providers
  • Top-level domain name (TLD) registries
  • DNS service providers

Furthermore, the law also applies to entities, regardless of their size, if their activities are crucial to society or the economy. This is the case if:

  • They provide services essential to critical social or economic functions that are not offered by other providers
  • A disruption of their services would have a significant impact on public order, safety or public health
  • An incident could cause systemic risks with cross-border consequences
  • They are of strategic or vital national or regional importance, for example due to dependencies in other sectors
  • They form part of the supply chain, including digitally, of important or essential entities

Establishment in Italy

In principle, the Italian NIS2 Act only applies to entities with an establishment in Italy. However, the following entities are exceptionally subject to the Italian NIS2 Act:

  • Providers of public electronic communications networks or services offering their services in Italy
  • DNS service providers, top-level domain name registries, domain name registration service providers, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engines and social networking service platforms, if their main establishment in the EU is in Italy or, where they are not established in the EU, they have designated a representative in Italy
  • Public authorities established by Italy

Additional designation of entities

In addition to the criteria above, a non-NIS2 organisation may still become subject to the NIS2 Italy scope if the national authority designates the entity as essential or important, or if the organisation forms part of the supply chain of a NIS2 entity. Entities can verify their status via the official guidance and explanatory notes provided by ACN. See the ACN guidance under FAQ 3.1.

Obligations under the Italian NIS2 Act

Italy’s NIS2 Act imposes several legal, organisational and technical obligations on essential and important entities. These obligations cover registration, the implementation of cybersecurity measures, incident reporting and cooperation with authorities.

Registration requirements (Art. 7)

As part of the implementation of the European NIS2 Directive, Italy has introduced a national registration procedure for public and private entities subject to the regulations. This procedure is managed by the Agenzia per la Cybersicurezza Nazionale (ACN).

The ACN digital portal opened for registration on 1 December 2024. DNS service providers, top-level domain name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, search engine providers, social networking platform providers and trust service providers had to register by 17 January 2025; all other organisations subject to the Italian NIS2 Act had to register by 28 February 2025. This mandatory registration is an essential component of cybersecurity oversight in critical sectors.

If your organisation is designated as an essential or important entity based on the criteria described in the “Essential and important entities” section, you must provide the following information to ACN:

  • Company name
  • Address and contact details, including email addresses and telephone numbers
  • The designation of a contact person, including their role and current contact details
  • Where applicable, the relevant sectors, subsectors and types of entities referred to in Annexes I–IV

By 31 March each year, the competent national authority will establish the list of entities considered essential or important. Organisations will be formally notified whether they have been included on the list, whether their previous designation has been confirmed, or whether they have been removed.

Between 15 April and 31 May each year, designated entities must submit or update their information. For entities requesting support for the annual update, the deadline is extended to 31 July. At a minimum, the following information must be provided:

  • The organisation’s public IP address ranges and domain names
  • An overview of the Member States in which services are offered within the NIS2 scope
  • Contact details of the responsible persons, including their role, email address and telephone number
  • Contact details of a replacement point of contact

Any changes to the above information must be communicated within 14 working days.

Organisations that are not government agencies must complete a self-assessment prior to registration. Further explanation and guidelines are available in ACN FAQ 3.1.

Management and technical measures (Art. 24)

If your organisation is categorised as an essential or important entity, you are responsible for implementing appropriate technical and organisational measures to ensure the security of your network and information systems. These cybersecurity controls include, at a minimum:

  • Policy for risk analysis and information system security
  • Incident management
  • Business continuity, including backup management, disaster recovery and crisis management
  • Supply chain security
  • Security in the acquisition, development and maintenance of network and information systems, including vulnerability management
  • Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  • Cyber hygiene and cybersecurity training
  • Policies and procedures on cryptography and, where applicable, encryption
  • Security aspects regarding personnel, access policy and asset management
  • Use of multi-factor authentication or continuous authentication, and secure voice, video, text and emergency communication systems

The minimum cybersecurity measures for specific service providers (e.g. DNS providers, cloud providers, data centre operators, online marketplaces, online search engines, social networking platforms and trust service providers) are detailed in the Implementing Regulation 2024/2690.

Organisations designated as important must apply the measures outlined in Annex 1 of Resolution 164179 (14 April 2025). Organisations designated as essential must follow the measures established in Annex 2 of the same resolution.

More information on the basic measures is available on the ACN website.

Incident reporting obligations (Art. 25–26)

Essential and important entities must notify CSIRT Italia when a significant incident occurs. They must also inform service recipients if the incident affects service continuity in the sectors covered in Annexes I–IV.

An incident is considered significant when:

  • The incident has resulted or may result in serious service disruption or financial loss, or
  • The incident has affected or may affect other natural or legal persons by causing significant material or immaterial damage.

Significant incidents must be reported by email to infected@csirt.gov.it or through the CSIRT online reporting tool, following the procedure below:

  1. Within 24 hours: submit an early warning, including probable cause and any cross-border implications.
  2. Within 72 hours: submit an incident notification with updated information and an initial impact assessment. Trust service providers have a 24-hour deadline.
  3. Submit an interim report upon request from CSIRT Italia.
  4. Within 1 month: submit a final report including:
    • A detailed description of the incident, severity and consequences
    • The threat or root cause leading to the incident
    • Mitigation measures applied and ongoing
    • Any cross-border consequences
  5. If the incident is still ongoing after one month, submit a progress report, followed by a final report once the incident is resolved.

Criteria for determining a significant incident for specific providers (e.g. DNS, cloud, CDNs, online platforms, trust services) are defined in the Implementing Regulation 2024/2690, which takes precedence over national rules in case of inconsistencies.

All entities—whether or not they fall under the NIS2 Act—may voluntarily report significant incidents, cyber threats or near misses to CSIRT Italia.

Additional guidance on reporting significant incidents is available through the CSIRT reporting portal.

Management responsibilities

The management bodies of essential and important entities are responsible for ensuring compliance with the NIS2 Act and must fulfil several obligations, including:

  • Approving cybersecurity management measures and monitoring compliance
  • Undertaking training to acquire sufficient knowledge and skills to assess cybersecurity risks and management measures
  • Ensuring continuous cybersecurity training for employees

The management bodies are liable for non-compliance with the NIS2 Act.

Cooperation with authorities

Essential and important entities must cooperate with national authorities. This includes exchanging information on the security of network and information systems, reporting incidents and cooperating with supervisory inspections.

Demonstrating NIS2 compliance in Italy

Essential and important entities must be able to demonstrate that they apply the required measures, and essential entities are subject to regular conformity assessments. Following an independent conformity assessment by an accredited Conformity Assessment Body (CAB), an organisation may obtain a certificate that demonstrates its level of compliance with the Italian NIS2 Act.

National Framework for Cybersecurity and Data Protection

To demonstrate compliance with the NIS2 legislation, Italy recognises both national and international cybersecurity standards.

The Italian government developed the National Framework for Cybersecurity and Data Protection, updated in 2025 and based on NIST CSF 2.0. This framework provides a structured approach to managing cyber risks and strengthening organisational digital resilience.

The framework is closely aligned with the domains and obligations set out in the NIS2 Directive. Its technical specifications are being finalised throughout 2025 and 2026: the minimum measures were defined by April 2025 and the long-term measures are due by April 2026. These requirements form part of the technical annexes published by ACN. Organisations must comply with the minimum measures no later than October 2026.

ISO/IEC 27001 as evidence of compliance

In addition to the national framework, organisations may rely on international standards such as ISO/IEC 27001, the globally recognised standard for information security management. ISO 27001 specifies the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). Although not legally mandatory under NIS2, ISO 27001 is commonly used in Italy as evidence of robust cybersecurity governance.

Steps toward certification

To obtain ISO 27001 certification, organisations typically follow these steps:

  1. Acquire the necessary knowledge about ISO/IEC 27001, for example through training courses.
  2. Implement the ISO 27001 management system in accordance with the standard’s requirements.
  3. Conduct internal audits to verify conformity.
  4. Have management review the audit results, take corrective measures where needed and formally record the organisation’s compliance status.
  5. Engage an accredited CAB to conduct the external certification audit.

Independent conformity assessment

If you would like more information about the certification process or wish to discuss the steps toward compliance, you can schedule an appointment with an expert.

How to demonstrate NIS2 compliance

The steps below provide a practical overview of how organisations can demonstrate compliance with the Italian NIS2 Act, based on the national framework, ACN requirements and internationally recognised standards.

  1. Understand the applicable NIS2 obligations
    Assess whether your organisation is classified as an essential or important entity, and review your applicable security and reporting obligations.
  2. Implement the required cybersecurity measures
    Apply the technical and organisational controls defined by ACN, including risk management, incident response, business continuity, supply-chain security and secure communication.
  3. Establish an Information Security Management System (ISMS)
    Many organisations use ISO/IEC 27001 as a baseline to structure their cybersecurity governance and ensure continuous improvement.
  4. Conduct internal audits
    Determine whether implemented measures meet NIS2 and framework requirements and identify areas requiring improvement.
  5. Perform a management review
    Management should review audit outcomes, approve corrective actions and formally confirm compliance readiness.
  6. Undergo an external conformity assessment
    A conformity assessment by an accredited CAB can confirm compliance and result in a formal certificate.

Enforcement and sanctions in Italy

The Italian NIS2 Act grants the national authority, ACN, extensive supervisory and enforcement powers to ensure that essential and important entities comply with cybersecurity obligations. Sanctions depend on the severity and frequency of violations and may include administrative measures or substantial fines.

Supervisory approach

ACN applies a differentiated supervisory model for NIS2 entities:

  • Essential entities are monitored both proactively (ex-ante) and reactively (ex-post). They are required to undergo regular conformity assessments.
  • Important entities are monitored primarily in a reactive manner, for example after an incident or when there is a suspicion of non-compliance.

This supervisory approach allows ACN to focus its oversight resources on entities whose disruption would have the highest societal or economic impact.

Administrative measures

If an entity fails to meet its NIS2 obligations, ACN may impose administrative measures. These measures may include:

  • Issuing warnings
  • Requiring the organisation to take corrective actions
  • Appointing a supervisor to monitor compliance with the Italian NIS2 Act
  • Other measures deemed necessary to mitigate cybersecurity risks

Administrative measures are typically applied before financial penalties and aim to restore compliance as quickly as possible.

Administrative fines

For serious infringements, the Italian NIS2 Act provides for significant administrative fines. These may amount to:

  • Up to €10,000,000 or 2% of the total worldwide annual turnover, whichever is higher, for essential entities
  • Up to €7,000,000 or 1.4% of the total worldwide annual turnover, whichever is higher, for important entities

For government institutions and publicly controlled entities, fines range between €25,000 and €125,000.

Administrative deficiencies—such as failing to register required information, failing to cooperate with ACN or CSIRT Italia, or failing to apply mandatory certification schemes—may also result in penalties:

  • Up to 0.1% of global turnover for essential entities
  • Up to 0.07% of global turnover for important entities

For publicly controlled organisations, these fines range from €10,000 to €50,000.

Increased penalties for repeated violations

Penalties increase if an organisation repeatedly violates the NIS2 obligations:

  • If the same violation occurs again, the fine may be doubled.
  • If different types of violations occur repeatedly, the fine may be increased up to three times.

This escalation mechanism is designed to encourage sustained compliance and discourage systemic neglect of cybersecurity obligations.

Timeline of NIS2 implementation in Italy

The timeline below summarises the key deadlines for the implementation and enforcement of the Italian NIS2 Act. These dates outline when organisations must register, provide information, and comply with the mandatory cybersecurity measures.

  • 17 October 2024: Initial deadline for EU Member States to transpose the NIS2 Directive into national law.
  • 17 January 2025: Deadline for specific providers (DNS service providers, TLD registries, cloud service providers, data centre operators, content delivery networks, managed service providers, managed security service providers, online marketplaces, search engines, social network platforms and trust service providers) to complete registration through ACN’s digital portal.
  • 28 February 2025: Final registration deadline for all other entities subject to the Italian NIS2 Act.
  • 31 May 2025: Deadline for designated entities to provide or update required information to ACN. Entities requesting support may submit updates until 31 July 2025.
  • 9 months from notification of inclusion in the NIS2 entity list (no later than January 2026): Organisations must comply with the incident reporting obligation.
  • 18 months from notification of inclusion in the NIS2 entity list (no later than October 2026): Organisations must implement the minimum security measures defined by ACN.

Competent authorities (Art. 15)

Several national authorities in Italy are responsible for implementing, supervising and enforcing the NIS2 legislation. Each authority plays a distinct role in safeguarding the country’s cybersecurity framework.

  • Agenzia per la Cybersicurezza Nazionale (ACN): central national authority responsible for implementation, registration, monitoring, inspections and sanctions.
  • CSIRT Italia: national incident response team managing notifications, incident coordination and communication with affected organisations.
  • Ministry of Defence: protects defence-related critical infrastructure and coordinates responses to cyber threats affecting national security.
  • Sectoral regulators: oversee NIS2 compliance within sector-specific areas such as energy, digital services and transport.

ACN

The Agenzia per la Cybersicurezza Nazionale (ACN) is the central authority responsible for implementing and enforcing the Italian NIS2 Act. ACN manages the national registration portal, maintains the official lists of essential and important entities, conducts inspections, and can impose sanctions for non-compliance. ACN also coordinates information sharing, crisis management and collaboration with sectoral regulators.

CSIRT Italia

The National Computer Security Incident Response Team (CSIRT Italia) monitors, analyses and coordinates responses to cybersecurity incidents. Entities subject to NIS2 are required to report significant incidents directly to CSIRT Italia. The team provides technical guidance, incident handling support and ensures efficient communication between organisations and the government. CSIRT Italia collaborates closely with ACN and other European CSIRTs to strengthen Italy’s digital resilience.

Ministry of Defence

The Ministry of Defence (Ministero della Difesa) plays a targeted role in the NIS2 framework, especially in relation to cybersecurity risks affecting defence-related critical infrastructure. The Ministry works with ACN and other competent authorities to support coordinated responses to national security threats and contributes to the development of national cyber resilience strategies.

Sectoral regulators

Italy also relies on several sectoral regulators, such as the Ministry of Economic Development (digital services and energy) and the Ministry of Infrastructure and Transport (transport sectors). These authorities supervise NIS2 compliance within their respective domains and cooperate with ACN to ensure consistent enforcement across all sectors.

Frequently Asked Questions about NIS2 in Italy

Which organisations fall under the Italian NIS2 Act?

Entities are included if they operate in a sector listed in Annexes I–IV, qualify at least as a medium-sized enterprise and are established in Italy. Certain providers, such as trust service providers, DNS service providers and providers of public electronic communications networks or services, are included regardless of size, and ACN may designate further entities as essential or important.

Which authority is responsible for NIS2 supervision in Italy?

The Agenzia per la Cybersicurezza Nazionale (ACN) is the central authority responsible for implementation, monitoring, inspections and sanctions. CSIRT Italia handles incident reporting and coordination.

What are the reporting obligations for significant incidents?

Entities must notify CSIRT Italia within 24 hours (early warning), provide a full notification within 72 hours and submit a final report within one month. Additional updates may be required depending on the incident status.

Which cybersecurity measures must Italian NIS2 entities implement?

Organisations must implement technical and organisational measures such as risk analysis, incident management, business continuity, supply-chain security, cryptography, and multi-factor authentication. Additional specific measures apply to certain service providers.

How can an organisation demonstrate compliance with NIS2?

Compliance can be demonstrated through a conformity assessment by an accredited CAB. Organisations may also apply the National Cybersecurity Framework or international standards such as ISO/IEC 27001.

Need guidance on NIS2 compliance in Italy?

The introduction of the Italian NIS2 Act brings new obligations for essential and important entities, ranging from registration and incident reporting to the implementation of extensive cybersecurity measures. If you would like to understand how these requirements apply to your organisation or if you need support in preparing for compliance, our experts are available to help.

Contact an expert for more information