
    03.04.2025

    NIS, so what now? Dates to watch out for


    On 16 October, Legislative Decree No. 138/2024 came into force, whereby Italy implemented Directive (EU) 2022/2555 (the so-called NIS2 Directive).

    Legislative Decree No. 138/2024 generally applies to medium and large enterprises in 17 critical and highly critical sectors (besides public administrations and certain other types of entities identified directly by the National Cybersecurity Agency (ACN)) and imposes on NIS entities obligations that can be grouped into the following categories:   

    • obligations to register and update information: every year NIS entities must register or update their registration on the ACN web portal, specifying their point of contact and providing a series of information relating, among other things, to the activities carried out and services provided;

    • obligations relating to security measures: NIS entities are required to adopt appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of the information and network systems used in their activities or in the provision of their services;

    • obligations relating to incident notifications: NIS entities must notify the CSIRT, following a multi-stage approach and without delay, of security incidents that have a significant impact on the provision of their services;

    • obligations for administrative and management bodies: administrative and management bodies, which are responsible for breaches of NIS regulations, are required to undergo training in IT security and to promote the periodic offer of IT security training for their employees.

    If your organisation is an NIS entity or you assume it will become one during the course of this year, here is a calendar with the dates to remember to ensure compliance with Legislative Decree No. 138/2024.

     

     15 April 2025

    If you registered on the ACN portal by 10 March 2025, you will receive confirmation from the ACN that your organisation has been included in the list of essential or important entities at the email addresses (of the organisation and the point of contact) that you provided during registration.

    Also on 15 April 2025, the ACN will adopt the resolutions that will define the basic obligations regarding incident notification and security measures that NIS entities must comply with starting from January 2026.

    From 15 April to 31 May 2025

    If you have been included in the list of essential and important entities, you will have to provide, through the portal, further information relating, in particular, to the domain names in use, the Member States in which you offer services regulated by the NIS and the managers in your organisation.

    From 1 January to 28 February 2026

    If you registered on the ACN portal by 10 March 2025, you will need to confirm the information provided or update it, if necessary.

    If, instead, you did not register on the ACN portal by 10 March 2025 (because you believed that you did not fall within the scope of Legislative Decree No. 138/2024 on that date) but during the course of the year you have exceeded the thresholds for medium-sized enterprises or started activities that determine the application of the NIS regulations, you will have to make your first registration.

    From January 2026

    The basic obligations relating to incident notifications, laid down by the ACN in the resolution to be adopted by 15 April 2025, will become applicable.

    From October 2026

    The basic obligations relating to security measures, laid down by the ACN in the resolution to be adopted by 15 April 2025, will become applicable.

     

    If you need assistance and support to fulfil the obligations of the NIS regulations, please contact your reference professionals.