NIS2 | 13 April 2026 | 11 min read

NIS2 in Italy: ACN Registration and Compliance Guide

By ArvexLab Team — Compliance Research

Italy's NIS2 Transposition: D.lgs. 138/2024

Italy was among the first EU member states to transpose the NIS2 Directive into national law. Legislative Decree 138/2024 (Decreto Legislativo 4 settembre 2024, n. 138) was published in the Gazzetta Ufficiale on 1 October 2024 and entered into force on 16 October 2024 — one day before the EU transposition deadline.

This placed Italy in a small group of early transposers alongside Belgium and Croatia. The speed of transposition reflects the strategic importance Italy places on cybersecurity — the country has invested significantly in its national cybersecurity architecture since establishing the Agenzia per la Cybersicurezza Nazionale (ACN) in 2021.

For Italian organisations, the transposition is not a distant regulatory development. It is an active compliance obligation with defined registration windows, supervision mechanisms, and penalty structures that are already operational.

Who Is in Scope Under Italian NIS2?

D.lgs. 138/2024 mirrors the EU directive's scope with some notable Italian expansions.

Essential Entities (Soggetti Essenziali)

Organisations meeting size thresholds (250+ employees or EUR 50M+ turnover) in the following sectors:

  • Energy (elettricità, petrolio, gas, idrogeno, teleriscaldamento)
  • Transport (aereo, ferroviario, per vie d'acqua, su strada)
  • Banking (enti creditizi)
  • Financial market infrastructures
  • Health (prestatori di assistenza sanitaria, laboratori, dispositivi medici)
  • Drinking water and waste water
  • Digital infrastructure (DNS, TLD, cloud, data centres, CDN, trust services)
  • ICT service management (B2B managed services and security services)
  • Public administration (central and regional)
  • Space

Important Entities (Soggetti Importanti)

Organisations meeting the medium-size threshold (50+ employees or EUR 10M+ turnover) in:

  • Postal and courier services
  • Waste management
  • Chemical production, manufacturing, and distribution
  • Food production, processing, and distribution
  • Manufacturing (medical devices, computers, electronics, machinery, motor vehicles)
  • Digital providers (online marketplaces, search engines, social networks)
  • Research organisations

Italian-Specific Expansions

D.lgs. 138/2024 goes beyond the minimum NIS2 scope in several areas:

  • Public administration: Italy includes not only central government but also regional and certain municipal administrations, significantly expanding the public sector scope compared to the directive's baseline.
  • Size-independent inclusions: Consistent with NIS2 but explicitly enumerated — trust service providers, DNS service providers, TLD registries, electronic communications network providers, and sole providers of essential services are in scope regardless of size.
  • Critical supply chain entities: ACN has the authority to designate specific entities as in-scope based on their role in the national critical infrastructure supply chain, even if they fall below the standard size thresholds.

Estimating the Impact

Based on ISTAT data and the sector definitions in D.lgs. 138/2024, estimates suggest approximately 15,000–18,000 Italian organisations fall within NIS2 scope. This is a substantial expansion from the roughly 500 operators identified under the original NIS Directive (D.lgs. 65/2018).

ACN: Italy's NIS2 Competent Authority

The Agenzia per la Cybersicurezza Nazionale (ACN) is Italy's designated NIS2 competent authority and single point of contact. Established by Decree-Law 82/2021 and elevated to full national cyber authority status, ACN handles:

  • Entity registration and classification — determining whether entities are essential or important
  • Supervision and enforcement — conducting audits, issuing corrective measures, and imposing sanctions
  • Incident reporting — receiving and processing incident notifications under Article 23
  • CSIRT Italia — operating the national Computer Security Incident Response Team as part of the EU CSIRTs Network
  • Guidance and support — publishing implementation guidelines, sector-specific standards, and compliance resources

ACN reports directly to the Presidency of the Council of Ministers (Presidenza del Consiglio dei Ministri), giving it significant institutional weight.

The Registration Process: Italy's Unique Annual Window

Italy's most distinctive NIS2 implementation feature is its annual re-registration requirement. Unlike most member states, which require a one-time registration followed by updates when material changes occur, Italy mandates that all in-scope entities re-register annually through ACN's digital portal.

Registration Timeline

Phase | Period | Activity
Initial registration window | 1 January – 28 February 2025 | First mandatory registration for all in-scope entities
ACN classification | March – April 2025 | ACN reviews registrations and classifies entities as essential or important
Entity notification | April 2025 | ACN notifies entities of their classification
Obligations communication | By 15 April 2025 | ACN communicates the specific obligations applicable to each entity category
First compliance deadline | 1 January 2026 | Governance measures and incident reporting must be operational
Second compliance deadline | 1 October 2026 | Full Article 21 technical and organisational measures must be implemented
Annual re-registration | 1 January – 28 February 2026 | Second annual registration window (and every year thereafter)

What the Registration Requires

The ACN registration portal (accessible at the ACN institutional website) requires:

  1. Legal entity identification — fiscal code (codice fiscale), VAT number (partita IVA), legal representative details
  2. Point of contact designation — a named individual responsible for NIS2 matters, reachable for incident coordination
  3. Sector classification — self-assessment of which Annex I or Annex II sector(s) the entity operates in
  4. Size confirmation — employee count and turnover data to determine essential vs. important classification
  5. Services description — the specific essential or important services provided
  6. Geographic scope — member states where services are provided (relevant for cross-border entities)
  7. ICT infrastructure summary — high-level description of critical information systems supporting the services

Annual Re-Registration: Why It Matters

The annual re-registration is not merely an administrative renewal. It serves several purposes:

  • Scope verification — entities may move between essential and important categories as their size or services change
  • Updated contact information — ensures ACN always has current point-of-contact data for incident coordination
  • Sector evolution — captures entities that have entered new sectors or changed their service profile
  • Compliance baseline — provides ACN with an annual snapshot of the regulated population

Failure to re-register within the January–February window is a compliance violation that can trigger sanctions.

Compliance Requirements and Deadlines

D.lgs. 138/2024 implements the NIS2 requirements in two phases:

Phase 1: Governance and Incident Reporting (by 1 January 2026)

  • Management body accountability — the governing body (consiglio di amministrazione, organo di gestione) must approve and oversee cybersecurity risk-management measures. Members must undergo training.
  • Incident reporting — entities must be capable of reporting significant incidents to CSIRT Italia within the Article 23 timelines (24h early warning, 72h detailed notification, 1 month final report).
  • Point of contact — the designated contact must be operational and capable of receiving and responding to ACN communications.
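To make the Article 23 clocks concrete, here is an added example (not code from ArvexLab, ACN or CSIRT Italia) that derives the three reporting deadlines from the moment an entity becomes aware of a significant incident. It assumes, on this author's reading of Article 23, that the 24h early warning and the 72h notification run from the awareness time and that the one-month final report runs from the 72h notification; it also handles the two edge cases an incident team actually trips over, a month-end rollover (31 January plus one month) and a daylight-saving change falling inside the 24h or 72h window. All function and field names are hypothetical.

```python
# Added example: NIS2 / D.lgs. 138/2024 incident-reporting deadline calculator.
# Assumption (author's reading of NIS2 Article 23): the 24 h early warning and the
# 72 h incident notification run from the moment the entity becomes aware of the
# incident; the final report is due one calendar month after the 72 h notification.
# Function and field names are hypothetical; CSIRT Italia publishes no such API.
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

ROME = ZoneInfo("Europe/Rome")


@dataclass(frozen=True)
class ReportingDeadlines:
    early_warning: datetime  # aware + 24 h
    notification: datetime   # aware + 72 h
    final_report: datetime   # notification + 1 calendar month


def add_one_month(moment: datetime) -> datetime:
    """Advance by one calendar month, clamping the day to the target month's length
    (31 January -> 28 February in a non-leap year) so the date never overflows."""
    year = moment.year + (1 if moment.month == 12 else 0)
    month = 1 if moment.month == 12 else moment.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


def compute_deadlines(aware_at: datetime) -> ReportingDeadlines:
    """Derive the three Article 23 deadlines from a timezone-aware 'became aware' time.

    The 24 h and 72 h clocks are absolute durations, so the arithmetic is done in UTC
    and only the result is presented in Europe/Rome; adding a timedelta directly to a
    Rome-zoned datetime would silently lose or gain an hour across a DST change.
    """
    if aware_at.tzinfo is None or aware_at.utcoffset() is None:
        raise ValueError("aware_at must be timezone-aware")
    aware_utc = aware_at.astimezone(timezone.utc)
    early = (aware_utc + timedelta(hours=24)).astimezone(ROME)
    notification = (aware_utc + timedelta(hours=72)).astimezone(ROME)
    return ReportingDeadlines(
        early_warning=early,
        notification=notification,
        final_report=add_one_month(notification),
    )


def deadlines_as_iso(aware_at_iso: str) -> dict[str, str]:
    """Convenience wrapper taking and returning ISO 8601 strings (UTC offset required)."""
    d = compute_deadlines(datetime.fromisoformat(aware_at_iso))
    return {
        "early_warning": d.early_warning.isoformat(),
        "notification": d.notification.isoformat(),
        "final_report": d.final_report.isoformat(),
    }


def overdue_steps(aware_at_iso: str, now_iso: str) -> list[str]:
    """Return the reporting steps whose deadline has already passed at `now`."""
    d = compute_deadlines(datetime.fromisoformat(aware_at_iso))
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    steps = [("early_warning", d.early_warning),
             ("notification", d.notification),
             ("final_report", d.final_report)]
    return [name for name, due in steps if now > due]


if __name__ == "__main__":
    # Constructed sample: awareness on 28 January 2026 at 10:00 Rome time.
    # The final report lands on 28 February, not on a non-existent 31 February.
    for name, when in deadlines_as_iso("2026-01-28T10:00:00+01:00").items():
        print(f"{name:14s} {when}")
```

The UTC detour matters in practice: an awareness time of 10:00 on 28 March 2026, the day before the spring DST change, gives an early-warning deadline of 11:00 Rome time on 29 March, which is exactly 24 real hours later; naive wall-clock arithmetic would report 10:00 and grant an hour that does not exist.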

Phase 2: Full Technical Measures (by 1 October 2026)

All 10 Article 21 measures must be fully implemented:

  1. Risk analysis and information system security policies
  2. Incident handling procedures
  3. Business continuity and crisis management (including backup, disaster recovery)
  4. Supply chain security — including direct supplier and service provider relationships
  5. Security in network and information systems acquisition, development, and maintenance
  6. Vulnerability handling and disclosure
  7. Effectiveness assessment policies and procedures
  8. Cyber hygiene practices and cybersecurity training
  9. Cryptography and encryption policies
  10. Human resource security, access control, and asset management

Sector-Specific Requirements

ACN has the authority to issue sector-specific guidelines that supplement the baseline Article 21 measures. These guidelines are being developed in consultation with sector regulators:

  • Energy: Coordination with ARERA (Autorità di Regolazione per Energia Reti e Ambiente) for energy sector entities
  • Finance: Coordination with Banca d'Italia and CONSOB for entities also subject to DORA
  • Health: Coordination with the Ministry of Health for healthcare providers
  • Telecommunications: Coordination with AGCOM for electronic communications providers

The Penalty Framework

D.lgs. 138/2024 transposes the NIS2 penalty framework with Italian-specific enforcement mechanisms:

Financial Penalties

Entity Type | Maximum Fine
Essential entities | EUR 10,000,000 or 2% of total annual worldwide turnover (whichever is higher)
Important entities | EUR 7,000,000 or 1.4% of total annual worldwide turnover (whichever is higher)
Failure to register | Administrative sanctions separate from the above

Administrative Measures

ACN can impose:

  • Binding instructions — requiring specific remediation actions within defined timelines
  • Warning notices — formal notices requiring the entity to address deficiencies
  • Public disclosure — making non-compliance public, which carries significant reputational impact in Italy's relationship-driven business culture
  • Temporary management bans — for essential entities, individuals responsible for compliance failures can be temporarily banned from management functions
  • Activity suspension — in extreme cases, ACN can request suspension of specific activities or services

Proportionality

ACN must apply sanctions proportionally, considering:

  • The gravity and duration of the infringement
  • The number of affected users
  • Damage caused (financial, operational, reputational)
  • Whether the infringement was intentional or negligent
  • Previous infringements
  • The entity's cooperation during the investigation
  • Adherence to approved codes of conduct or certification schemes

Italy's Cybersecurity Landscape: Context for Compliance

Understanding Italy's broader cybersecurity context helps frame why NIS2 transposition is treated as a national priority.

Threat Landscape

ENISA's Threat Landscape Report 2025 highlights Italy as one of the most targeted EU member states:

  • 26.3% of public administration incidents in the EU involved Italian entities — the highest share for any single member state
  • Ransomware attacks on Italian organisations increased 65% year-over-year in 2024–2025
  • The healthcare sector in Italy experienced a 40% increase in cyber incidents
  • Supply chain attacks affecting Italian organisations rose significantly, with several high-profile cases involving compromised IT service providers

National Cybersecurity Strategy

Italy's National Cybersecurity Strategy 2022–2026 established four pillars that align directly with NIS2:

  1. Protection — strengthening cyber defences across critical infrastructure
  2. Response — enhancing incident detection and response capabilities
  3. Digital development — securing digital transformation initiatives
  4. Research and awareness — building cybersecurity skills and public awareness

The NIS2 transposition is explicitly framed as an implementation mechanism for this strategy. ACN's budget has increased substantially to support supervision of the expanded regulated population.

ECSO Maturity Assessment

The European Cyber Security Organisation (ECSO) NIS2 Transposition Tracker assigns Italy a maturity level of 4 (out of 5) — reflecting both the speed of transposition and the sophistication of the institutional framework. Only a handful of member states received equivalent ratings, placing Italy among the EU leaders in NIS2 implementation readiness.

From Registration to First Audit: A Timeline for Italian Organisations

If You Have Already Registered (January–February 2025)

When | What to Do
Now | Review your ACN classification notification. Confirm whether you are classified as essential or important.
Q2 2025 | Conduct a gap assessment against the specific obligations communicated by ACN (due by 15 April 2025). Map your current controls to all 10 Article 21 measures.
Q3 2025 | Prioritise remediation. Focus on governance (board training, risk management approval) and incident reporting capability — these are due by 1 January 2026.
Q4 2025 | Complete Phase 1 obligations. Board training done, incident reporting to CSIRT Italia operational, point of contact verified.
Jan–Feb 2026 | Annual re-registration. Update any changed information (contact, size, services).
Q1–Q3 2026 | Implement all Phase 2 technical measures. Supply chain security programme, effectiveness assessments, cryptography policies, access control, BCP testing.
1 October 2026 | Full compliance with all Article 21 measures.
Q4 2026 onwards | Audit readiness. ACN may begin supervisory activities — proactive for essential entities, reactive for important entities.

If You Have Not Yet Registered

You are already non-compliant. The first registration window closed on 28 February 2025. Contact ACN immediately to register outside the standard window and demonstrate good faith. Non-registration does not exempt you from NIS2 obligations — it simply adds a registration violation to your compliance deficit.

Compliance Checklist for Italian Organisations

Registration and Classification

  • [ ] Registered on ACN portal within the January–February window
  • [ ] Received and reviewed ACN classification notification (essential or important)
  • [ ] Designated NIS2 point of contact (available for CSIRT Italia coordination)
  • [ ] Calendar reminder set for next annual re-registration (January–February 2026)

Phase 1 — Governance and Incident Reporting (by 1 January 2026)

  • [ ] Governing body (CdA) has formally approved cybersecurity risk-management measures
  • [ ] Board minutes document the approval with discussion and rationale
  • [ ] Board members have completed cybersecurity training (documented with dates and content)
  • [ ] Incident reporting procedure to CSIRT Italia established (24h/72h/1m timelines)
  • [ ] Internal escalation process defined (who detects, who classifies, who reports)
  • [ ] CSIRT Italia contact details and reporting channels verified
  • [ ] Communication templates prepared for early warning and detailed notification

Phase 2 — Full Technical Measures (by 1 October 2026)

  • [ ] Risk analysis framework operational with documented methodology
  • [ ] Information system security policies approved and communicated
  • [ ] Incident handling procedures tested (tabletop or live exercise)
  • [ ] Business continuity plan tested with documented results
  • [ ] Disaster recovery procedures tested with RTO/RPO metrics validated
  • [ ] Supply chain security programme operational (vendor classification, risk assessment, contracts)
  • [ ] NIS2 contractual clauses included in critical vendor contracts
  • [ ] Network and systems acquisition security requirements defined
  • [ ] Vulnerability handling and coordinated disclosure process established
  • [ ] Effectiveness assessment procedures defined and initial assessment completed
  • [ ] Cybersecurity training programme operational for all employees
  • [ ] Cyber hygiene practices documented and implemented
  • [ ] Cryptography and encryption policies approved
  • [ ] Access control policy implemented with MFA for privileged access
  • [ ] Asset inventory maintained with classification
  • [ ] HR security procedures (joiners, movers, leavers) documented and operational

Evidence and Audit Readiness

  • [ ] All Phase 1 and Phase 2 evidence organised in a structured repository
  • [ ] Evidence mapped to specific Article 21 requirements
  • [ ] Board oversight evidence compiled (minutes, training records, reports)
  • [ ] Incident response evidence available (procedures, test results, past incident handling)
  • [ ] Supply chain evidence ready (vendor assessments, contractual clauses, monitoring records)

Practical Tips for Italian Organisations

1. Use the ACN Guidelines

ACN publishes implementation guidance through its institutional website and Determina del Direttore Generale publications. These guidelines provide Italian-specific interpretations of NIS2 requirements and are what supervisors will measure compliance against.

2. Leverage Existing Frameworks

Many Italian organisations already hold ISO 27001 certification or follow AGID (Agenzia per l'Italia Digitale) guidelines. These provide a strong foundation:

  • ISO 27001 covers approximately 70–80% of NIS2 Article 21 requirements
  • AGID's "Misure Minime di Sicurezza ICT per le Pubbliche Amministrazioni" aligns closely with NIS2's technical measures for public sector entities
  • Organisations with DORA obligations (financial sector) will find significant overlap

3. Plan for the Annual Cycle

Italy's annual re-registration requirement means NIS2 compliance is not a one-time project. Build an annual compliance calendar:

  • January–February: Re-registration on ACN portal
  • March–April: Review ACN classification and any updated obligations
  • May–June: Annual effectiveness assessment and gap analysis
  • July–September: Remediation of identified gaps
  • October–November: Board training refresh and governance review
  • December: Audit preparation and evidence packaging

4. Coordinate with Sector Regulators

If you are subject to both NIS2 and sector-specific regulations (DORA for finance, NIS/energy for utilities), coordinate your compliance activities. ACN works with sector regulators to avoid duplication, but the onus is on the entity to manage its obligations efficiently.

5. Consider AI-Powered Compliance Tools

With 15,000+ Italian organisations now in scope, the demand for compliance expertise far exceeds supply. AI-powered platforms that understand NIS2 specifically — mapping evidence to Article 21 requirements, automating vendor assessments, generating board reports — can reduce the compliance effort by 80% compared to manual approaches. ArvexLab was built for exactly this use case: NIS2-first compliance automation for European organisations.

Conclusion

Italy's NIS2 transposition through D.lgs. 138/2024 is comprehensive, operational, and enforced by an empowered competent authority. The annual re-registration requirement, the phased compliance deadlines, and ACN's supervisory powers make this a regulation that demands sustained attention — not a one-off compliance project.

For Italian organisations, the path forward is clear: register (if you have not already — do it immediately), assess your gaps against ACN's published obligations, implement governance and incident reporting by January 2026, complete all technical measures by October 2026, and build the annual compliance rhythm that Italy's unique re-registration cycle demands.

The organisations that start now will find the task manageable. Those that wait until the enforcement deadline approaches will face a compressed timeline, a competitive market for compliance expertise, and a regulator that has made clear its intention to supervise actively.
