
    14.04.2026

    NIS2: ACN adopts new determinations on relevant suppliers, categorization of activities and services, and deadlines for new NIS entities registered in 2026


    On 13 April 2026, the Italian National Cybersecurity Agency (“ACN”) published on its website two new determinations issued by the Director General of ACN:

    • ACN Determination No. 127437 of 13 April 2026, which updates and replaces the previous ACN Determination No. 379887 of 19 December 2025 and introduces the obligation to carry out the new process for listing and categorizing activities and services, as well as listing relevant NIS suppliers during the annual information update;
    • ACN Determination No. 127434 of 13 April 2026, which sets the deadlines by which entities newly included in the NIS list during 2026 must comply with obligations concerning the notification of significant incidents and the adoption of security measures.

    List of relevant NIS suppliers

    ACN Determination No. 127437/2026 introduces the obligation to indicate relevant NIS suppliers as part of the broader annual information update process.

    A relevant NIS supplier is an entity that provides services or products to a NIS entity and meets at least one of the following criteria:

    1. the supply relates to the activities or services referred to in Annex I, points 8 and 9, of the NIS Decree, including DNS service providers, top-level domain name registry operators, cloud service providers, data center service providers, content delivery network (CDN) providers, as well as managed service providers and managed security service providers;
    2. disruption or compromise of the supply would have a significant impact on the NIS entity’s ability to deliver the activities or services falling within the scope of NIS, also because adequate alternative suppliers are not available (non-substitutable suppliers).

    To comply with this obligation, NIS entities must use the “NIS Service / Annual Information Update” on the ACN Portal and indicate, for each relevant supplier:

    • company name;
    • tax identification number;
    • country of registered office;
    • CPV (Common Procurement Vocabulary) codes relating to the supplies received by the NIS entity;
    • the relevance criterion applied.

    Listing and categorization of activities and services

    One of the main operational innovations concerns the obligation for NIS entities to communicate the list of their activities and services, assigning each of them a corresponding relevance category. Legislative Decree No. 138/2024 (“NIS Decree”) provides that this requirement must be fulfilled from 1 May to 30 June each year, via the ACN digital platform, starting from the receipt of the first notification of inclusion in the list of NIS entities.

    ACN Determination No. 127437/2026 specifies that this activity must be carried out through the “NIS Service / Categorization” on the ACN Portal. In practice, the Point of Contact must complete the list of the organization’s activities and services and assign each a relevance category according to a model that ACN will establish in the coming days by publishing a determination containing the categorization model, together with supporting materials to assist in carrying out a simplified Business Impact Analysis (BIA).

    It is important to note that, after the 30 June deadline, the categorized list of activities and services will be considered final and no longer amendable, except in cases of delay due to documented technical-operational issues not attributable to the entity.

    Furthermore, financial entities subject to the DORA Regulation and also falling within the scope of NIS are exempt from this specific requirement, without prejudice to the possibility of voluntary compliance.

    The categorized list of activities and services submitted by NIS entities may be subject to compliance checks by ACN, carried out on a sample basis and also by comparison with data submitted by comparable entities. ACN must provide feedback within 90 days of submission, a deadline that may be extended once by up to an additional 60 days in case of further review. Where additional information, clarifications, or amendments are requested, the NIS entity must respond within 30 days; in case of failure to respond or late response, the list may be rejected. In the absence of a negative outcome communicated within the prescribed timeframe, the list shall be deemed validated.

    Deadlines for entities included in the NIS list for the first time in 2026

    ACN Determination No. 127434/2026 concerns entities that were included for the first time in the list of NIS entities during 2026. For these entities, ACN has set the deadlines for compliance with obligations relating to security measures and incident notification. In particular:

    • the deadline for the adoption of the security measures set out in Annexes 1 and 2 of ACN Determination No. 379907/2025 is 31 July 2027;
    • the obligation to notify significant incidents described in Annexes 3 and 4 of ACN Determination No. 379907/2025 applies from 1 January 2027.

    An additional provision concerns top-level domain name registry operators and domain name registration service providers included in the NIS list during 2026. For these entities, ACN Determination No. 127434/2026 provides that the obligations referred to in Article 4(1) of ACN Determination No. 379907/2025 must be fulfilled by 31 July 2027.

    If you need assistance and support in complying with the obligations under the NIS framework, please contact your trusted advisors.