On 19 September, the ACN (National Cybersecurity Agency) adopted Determination ACN No. 250916, which updates and replaces the previous Determination ACN No. 333017 of 22 July 2025.
The most significant change is the introduction of the CSIRT Contact Person.
Who is the CSIRT Contact Person?
The CSIRT Contact Person is the individual responsible for managing communications with CSIRT Italia (the national Computer Security Incident Response Team) and for transmitting notifications of significant incidents (as defined in Determination ACN No. 164179) as well as voluntary reports of relevant cybersecurity information.
To ensure prompt and continuous communication with the CSIRT, the regulation allows the appointment of one or more deputies to the CSIRT Contact Person. These deputies support the Contact Person in their duties and can act on their behalf in cases of absence or impediment.
Unlike the Point of Contact and the Deputy Point of Contact, the CSIRT Contact Person (and their deputy) may also be an external individual (for example, a consultant).
In any case, designated persons must possess basic skills in cybersecurity and incident management, along with an in-depth knowledge of the information systems and networks of the NIS entity for which they operate.
The designation must be carried out by the Point of Contact through a dedicated procedure. This procedure will be active from 20 November 2025 and must be completed by 31 December 2025 via the service portal accessible through the ACN website.
At first glance, the introduction of the CSIRT Contact Person represents an important support tool for NIS entities, as it allows them to delegate the management of incident notifications to external individuals. This relieves NIS entities from particularly burdensome and time-consuming activities for which it may be preferable to rely on external consultants with specific expertise.
This is particularly useful for:
If you need assistance and support in fulfilling the obligations under the NIS framework, click here
