NIS 2: deadlines, requirements, and compliance roadmap

With the adoption of the Legislative Decree 138/2024, the implementation of the European NIS2 directive in Italy has taken effect, imposing a complex set of requirements on companies. The National Cybersecurity Agency (ACN) has already begun formal communications to entities within the scope of the directive and has simultaneously published the first binding obligations.

While the deadline for full compliance may seem distant, many of the required measures necessitate a profound review of organisational structures, governance, and operational processes, making it advisable to begin a structured adaptation plan soon.

1. ACN’S OPERATIONAL REQUIREMENTS: THE FIRST PACKAGE OF OBLIGATIONS

The ACN has notified companies in scope requesting, via its institutional portal, the submission of a series of data by the extended deadline of 31 July 2025.

Specifically, obligated entities must transmit:

  • The identity, role, and contact details of people holding managerial or effective control responsibilities within the company, including members of the administrative bodies or anyone exercising decision-making powers;
  • The name and details of the substitute point of contact;
  • The ranges of public IP addresses and internet domains in use or available to the organisation;
  • The EU Member State in which the company provides regulated services;
  • Any voluntary information-sharing agreements in the NIS field.

These communications are not merely formal: responsibility for any omissions or errors falls directly on the administrative and control bodies of the entity.

2. THE SECOND BLOCK OF OBLIGATIONS: FULL IMPLEMENTATION OF MEASURES

A few days after sending the initial communications, the ACN adopted two essential measures:

  • One on the minimum security measures to be implemented;
  • One on the new obligations for reporting cyber incidents.

The provisions adopted distinguish requirements based on whether the entity is classified as essential or important. The process involves two phases:

  • Phase 1 (in progress): Adoption of the minimum security measures required by European legislation, to be implemented upon initial application.
  • Phase 2 (expected by April 2026): Publication by the ACN of further technical and organisational obligations to complete the final regime.

The deadline for the full implementation of the currently defined measures is set for October 2026 (within 18 months of the ACN’s classification notification).

3. DETAILS OF THE REQUIRED MEASURES

Companies identified as important are required to implement 37 organisational and technical measures, articulated in 87 specific requirements, defined according to the National Framework for Cybersecurity and Data Protection.

For essential entities, the number of requirements increases further: 43 total measures, divided into 116 specific requirements. All measures are developed along six pillars of cybersecurity management:

  • Governance: Definition of risk management strategy, allocation of responsibilities and organisational roles.
  • Identification: Inventory and classification of relevant assets, risk assessment, and management planning.
  • Protection: Adoption of countermeasures and protective barriers on critical assets.
  • Detection: Provision of systems capable of promptly identifying anomalies and violations.
  • Response: Structuring of effective reactive processes in the event of an incident.
  • Recovery: Restoration of post-incident operations, including the integration of lessons learned.

Generally, these measures must cover the entire IT and network infrastructure. However, it is possible, in certain cases, to limit the application of some measures only to systems whose compromise would have significant consequences on the confidentiality, integrity, or availability of regulated services.

4. INCIDENT NOTIFICATION OBLIGATIONS: ACTIVE FROM JANUARY 2026

From January 2026, new obligations for reporting significant incidents to CSIRT Italy will come into force. Specifically:

  • For important entities, the following must be notified:
    • (Total or partial) violations of the confidentiality of digital data;
    • (Total or partial) compromises of data integrity;
    • Interruptions or degradation of expected service levels.
  • For essential entities, the following must additionally be notified:
    • Unauthorised access to data, including the abuse of privileges.

Companies must prepare updated procedures for monitoring, analysing, and communicating incidents, integrating these processes with those already adopted under the National Cybersecurity Perimeter legislation, as the two regimes remain complementary.

5. A COMPLIANCE JOURNEY REQUIRING PREPARATION

With the concrete start of NIS2 implementation, companies in scope will necessarily have to undertake a complex and multidisciplinary process, involving the IT function as well as legal and corporate governance.

The responsibility of the top management remains a key topic: directors, managers, and senior executives are directly exposed to liability for any violations or deficiencies in the implementation of the required security measures. Consequently, compliance with NIS2 requires, from now onwards:

  • A thorough review of internal processes;
  • The redefinition of roles and responsibilities for cybersecurity;
  • The implementation of updated risk management tools;
  • Continuous training of involved personnel;
  • Legal governance attentive to liability profiles.

6. TOWARDS SUSTAINABLE COMPLIANCE

While the final implementation deadline appears distant, the volume and complexity of the requirements demand that companies plan carefully and adapt progressively from now on; otherwise they risk concentrating unsustainable emergency efforts close to the deadlines. Caravati Pagani supports clients in identifying organisational strategies and liaising with specialised professionals, for an effective and lasting compliance journey.