NIS2 Italy

The original NIS1 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 was introduced to strengthen cybersecurity within the EU. Due to the increasing threat of cyber-attacks, this directive was replaced by the NIS2 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022, which imposes stricter requirements and has a broader scope to increase the resilience of critical infrastructures against cyber-attacks.  
Italy transposed the NIS2 Directive through the national law of Legislative Decree No. 138 of 4 September 2024. This decree was published in the Gazzetta Ufficiale on 1 October 2024 and formally entered into force on 16 October 2024. The Italian National Cybersecurity Agency (ACN) has been designated as the competent authority to oversee NIS2 implementation, enforce obligations and coordinate with other EU member states. The law is referred to as the Italian NIS2 Decree. On this page, you will find everything you need to know about the impact of NIS2 on your organisation and how to prepare for the new regulations. 

NIS2 entities 

The Italian NIS2 Decree applies to both private and public entities in the sectors listed in the Directive’s annexes. Specifically, the law covers the critical sectors in Annex I and Annex II of NIS2, as well as additional categories in Annex III (public administrations at national, regional or local level) and Annex IV (supplementary entities such as local public transport, research institutions, cultural organisations, in-house companies, publicly controlled companies, etc.), as published in the Gazzetta Ufficiale. In practice, 18 economic sectors are affected (11 “highly critical” sectors in Annex I and 7 “critical” sectors in Annex II).

Company sizes: NIS2-Italy generally covers medium and large organizations. Small enterprises (fewer than 50 employees or under €10M annual turnover) are exempt unless they meet specific inclusion criteria. The decree explicitly carves out small entities except when they are designated as “critical” under EU rules, provide public electronic communications networks or services, offer trust services (like digital certificates), operate DNS or domain registration (TLD operators, DNS registries), were already identified under the original NIS Directive, are the sole national provider of an essential service, or pose systemic risk (e.g. as a critical supplier in an essential entity’s supply chain). A small company can still fall under NIS2 if, say, it provides essential telecom services or is a key cybersecurity supplier to larger entities. Conversely, many micro and small firms are out of scope unless such criteria apply. Italy has also added a “safeguard clause” allowing independent subsidiaries to seek exemption from size criteria if they can prove fully autonomous operation (subject to ACN review). 

Geographical applicability: The NIS2 Decree applies only to entities under Italian jurisdiction. In other words, an organization must be legally established or operating in Italy (e.g. an Italian branch or subsidiary) to be subject to this law. Purely foreign companies without a presence under Italian law are generally not directly bound by it. Any foreign company that maintains facilities or legally operates in Italy (such as a branch of a telecoms or energy company) would be covered. In practice, any entity that “operates in the sectors” above and is under Italian jurisdiction is obliged to comply. 

What does this mean for my company?  

For Italian companies identified as “in-scope entities” (those qualifying as either essential or important under NIS2), the following requirements arise: 

  1. Registration

Covered entities must register and keep their information up to date on the ACN portal. A dedicated digital platform (hosted by ACN) has been set up for this purpose. All entities within the relevant sectors must complete initial registration by 28 February 2025. Certain digital service providers (e.g. DNS and domain registries, cloud and data center providers, CDNs, managed (security) service providers, online marketplace/search/social network platforms, etc., listed in Art. 42) had an accelerated deadline of 17 January 2025. Registration requires submitting basic company and contact details (name, address, email, phone), a designated point of contact, and information on the services/activities provided and relevant sectors. After initial registration, companies must update their registration annually and whenever material information changes. ACN will confirm an entity’s classification (essential or important) by e-mail once the list of registered entities is finalized (around April 2025).

  2. Cybersecurity measures

In-scope companies must adopt appropriate technical, organizational and operational measures to manage cybersecurity risks. While the decree obliges entities to implement risk-based protections, the specific minimum requirements will be defined by ACN. According to the ACN’s April 2025 resolution, detailed “basic” and “supplementary” security requirements will apply, with a compliance deadline of October 2026. Until then, companies should follow leading frameworks. ACN has updated Italy’s National Cybersecurity and Data Protection Framework (FNCS) in 2025 (aligned with NIST Cybersecurity Framework 2.0) to serve as a national reference. Compliance with ISO/IEC 27001 (information security management) and sector-specific standards (e.g. ISO/IEC 27019 for energy) is also encouraged, as the law explicitly foresees reference to recognized frameworks. In practice, firms should implement a documented cybersecurity program (policies, risk assessments, controls, incident plans, etc.) in line with these standards. The ACN’s April 2025 determinations will formally specify exactly which measures (e.g. data backup, access controls, employee training, network security) become mandatory. 

  3. Incident reporting

Under NIS2, companies must report significant cybersecurity incidents promptly to the national CSIRT (CSIRT Italia, part of ACN). A significant incident is one that causes serious disruption to services or large financial/material losses. For example, an attack causing major service outages or exposing sensitive customer data would qualify. Reporting is multi-stage: the entity must first send a brief pre-notification to ACN (via CSIRT) within 24 hours of becoming aware of the incident. Within 72 hours of detection, a detailed incident report must follow, including an initial assessment of the incident’s severity, impact, root cause and any known indicators of compromise. If the incident is ongoing, monthly progress reports are required until resolution, and a final report is due within one month after the incident is resolved. These reports help ACN/CSIRT coordinate response and assess cross-border effects. Failing to notify a reportable incident is itself a violation under the law. Companies should therefore have internal processes to detect incidents quickly and trigger these notifications. 

  4. Governance and management responsibilities

The top management and governing bodies of the organization (boards of directors, CEOs, etc.) hold ultimate responsibility for NIS2 compliance. They are required to ensure that the company meets all obligations. Specifically, administrative or managerial bodies are legally liable for any breach of the NIS2 provisions by the organization. Management is required to undergo cybersecurity training and to promote staff awareness; ACN notes that responsible leaders must acquire adequate IT security expertise. In practice, this means boards should approve cybersecurity risk policies, ensure resources are allocated, and verify regular audits. ACN can hold individual managers directly accountable: for example, if management fails to implement the required measures or to enforce incident reporting, the authority may impose sanctions on those individuals (see below). In extreme cases, managers can be temporarily banned from office if they ignore ACN orders. 

  5. Cooperation with authorities

Companies must fully cooperate with ACN and CSIRT Italia. This includes promptly providing information, documents or system access when requested during investigations or inspections. Under the law, ACN has broad inspection powers (it can demand documentation, conduct on-site audits, etc.). Non-cooperation or obstructing ACN/CSIRT (e.g. by hiding information) is a punishable offense. In fact, the law specifically sanctions failure to collaborate with ACN/CSIRT as a lesser violation. Firms should therefore designate a liaison to handle authority requests and maintain clear records to demonstrate compliance.

In summary, a company in scope must register with ACN on time and keep its data current; implement the required cybersecurity measures in line with forthcoming ACN rules (and general best practices); establish rapid incident detection and reporting processes; ensure top management is trained and accountable; and cooperate fully with ACN/CSIRT in oversight activities.

Demonstrating compliance  

Italy does not provide a specific NIS2 compliance certificate or label. Compliance is demonstrated through internal controls, documentation, and alignment with recognized standards. In practice, Italian entities are advised to align with the National Cybersecurity Framework (FNCS), which was updated in 2025 and maps to NIS2 requirements. The FNCS organizes security into domains that parallel NIS2’s provisions; following it helps ensure coverage of the required measures. Additionally, adopting well-known standards such as ISO/IEC 27001 (Information Security Management Systems) or sector-specific standards (e.g. ISO/IEC 27019 for the energy utility sector) can serve as evidence of due diligence. Under Article 24 of the decree, entities are even encouraged to use international/European frameworks and certifications. More generally, Italian companies can point to audits, risk assessments and documented policies as proof of compliance. While EU-level cybersecurity certification schemes exist (e.g. under the Cybersecurity Act), those mostly cover products and services rather than an organization’s NIS2 compliance. In effect, meeting the ACN-prescribed requirements and aligning with FNCS/ISO frameworks is how companies “show” they comply.

Sanctions  

Non-compliance with NIS2 obligations carries substantial penalties under the decree. Enforcement is entrusted to the ACN. Key sanctions include: 

  • Monetary fines

The law provides differentiated fines based on entity type and violation. For the most serious breaches (failure of management obligations, failure to implement required measures, or failure to report incidents), an essential entity (non-public) can be fined up to €10 million or 2% of its worldwide annual turnover (whichever is higher). An important entity (non-public) faces up to €7 million or 1.4% of turnover. There is also a statutory minimum fine (1/20th or 1/30th of the maximum, for essential/important respectively) for those breaches. Lesser violations (e.g. late registration or minor collaboration failures) carry lower penalties (typically around 0.1% of turnover). In all cases, repeat offenses can lead to fines up to three times higher. 

  • Interdictions and accessory sanctions

Beyond monetary fines, ACN may impose accessory measures. For example, if a company ignores a formal ACN order to implement certain measures, ACN can temporarily suspend its operational authorizations or certificates. Notably, ACN can also sanction company directors: the law allows banning specific individuals from holding managerial roles if they have failed to ensure compliance. In essence, management can be disqualified from office as an additional sanction. 

  • Inspections and enforcement powers

To enforce compliance, ACN has broad investigatory powers. It can request documents, carry out on-site or remote inspections, and examine submitted information. Non-cooperation with such oversight can itself trigger penalties. In summary, violations of NIS2 obligations can lead to heavy fines (up to millions of euros), as well as operational restrictions and penalties for responsible managers. 

Timeline and key milestones  

Key dates in Italy’s NIS2 implementation include: 

  • 4 Sept 2024: Legislative Decree 138/2024 adopted by the government. 
  • 1 Oct 2024: Decree published in Gazzetta Ufficiale. 
  • 16 Oct 2024: Decree enters into force. From this date, the rules are officially binding, though many obligations apply progressively. 
  • Dec 2024 – Jan 2025: ACN opens the online registry. As of 1 December 2024, registration began on the ACN portal. Affected entities have until 28 February 2025 to register (with the exception of certain digital providers, who had to register by 17 January 2025). 
  • April 2025: ACN formalizes lists and obligations. By 15 April 2025, ACN will publish the consolidated list of essential and important entities (based on registrations). On the same date, ACN will issue implementing resolutions defining the basic obligations on incident reporting and security measures that take effect from January 2026. 
  • 31 May 2025: Data update deadline. Entities on the list must update their registry information by this date, providing data such as domain names used, other EU states of operation, and management contacts. 
  • January 2026: Incident reporting obligations begin. Nine months after ACN’s list is finalized, entities must be fully prepared to meet incident notification requirements.  
  • October 2026: Security measures deadline. Within 18 months of finalizing the list, all in-scope entities must implement the mandatory cybersecurity measures as defined by ACN. 
  • Ongoing: Periodic reporting and reviews. NIS2 requires entities to report on compliance at regular intervals (typically every two years). In Italy, companies are expected to submit periodic reports to ACN (aligned with Article 23 of NIS2) starting in 2025, and ongoing audits may occur. Compliance is thus an ongoing process, not a one-off. 

Each of these milestones is mandatory for companies to meet. The final deadline for full compliance (security measures and governance) is October 2026, after which ACN will have the authority to fully enforce the regime and impose sanctions for any breach.