NIS 2 status in Italy

What the directive requires, how Italy transposes it, and where ACN and CSIRT Italia fit into the picture.

Simon Orzel

Overview

The NIS 2 directive is the EU layer. It binds every member state, including Italy, to one cybersecurity floor for essential and important entities. Italy must put that floor into Italian law and run a supervision regime under it.

Italy transposes NIS 2 through Decreto Legislativo 4 settembre 2024, n. 138. The decree was published in the Gazzetta Ufficiale on 1 October 2024 and entered into force on 16 October 2024, on the EU transposition deadline.

ACN (Agenzia per la Cybersicurezza Nazionale) is the single competent NIS authority, the single point of contact for the EU cooperation group, and the host of the national CSIRT (CSIRT Italia). Nine ministries act as sector authorities under ACN coordination. For the financial sector, DORA applies as lex specialis.

Where the rules live
Three layers that anyone reading the Italian version of NIS 2 needs to keep apart.

EU directive

This Directive lays down measures that aim to achieve a high common level of cybersecurity across the Union, with a view to improving the functioning of the internal market.

Directive (EU) 2022/2555 (NIS 2), Article 1. Sets the obligations every member state must transpose, including the size and sector tests for essential and important entities.

EU implementation

Commission Implementing Regulation (EU) 2024/2690

Technical and methodological measures for digital infrastructure providers. Directly applicable in Italy without national transposition.

Italian transposition

Decreto Legislativo 4 settembre 2024, n. 138

The Italian NIS 2 transposition. Published in the Gazzetta Ufficiale on 1 October 2024, in force since 16 October 2024. The decree confirms ACN as competent authority, expands the functions of CSIRT Italia, lists ten security measure areas, and details the incident notification process and management body accountability.

Three things to know
What changes for entities operating in Italy.
Transposition

Decreto Legislativo 138/2024

Carries the NIS 2 obligations into Italian law. Defines essential (soggetti essenziali) and important (soggetti importanti) entities, the supervisory powers of ACN, incident reporting duties, and administrative sanctions. Operational detail sits in ACN determinations and sector annexes.

Authority

ACN and CSIRT Italia

ACN is the single competent NIS authority and single point of contact. CSIRT Italia operates within ACN and receives significant incident notifications. Sector ministries (interior, energy, transport, health, justice, culture, research, digital transformation, environment) act as sector authorities under an ACN-chaired implementation board.

Deadlines

Registration and reporting

The ACN registration platform opened on 1 December 2024. Entities in scope had to register or update their data by 28 February 2025. Significant incidents follow the directive cadence: 24-hour early warning, 72-hour incident notification, one-month final report, sent through CSIRT Italia.

Two principles that decide every edge case
Use these before reading an Italian commentary on NIS 2.

Local law applies inside Italy

Operations on Italian territory follow the Italian transposition. A German Geschäftsführer running an Italian subsidiary reads Decreto Legislativo 138/2024 for that subsidiary, not the German BSIG. The directive obligations are the same. The procedure, the registration platform and the sanctions live in Italian law and run through ACN.

Italy cannot go below the EU floor

The directive is a minimum harmonisation instrument. Italy can go stricter, and on scope it has done so by adding public administrations, local public transport providers, research entities and entities of cultural interest above the directive baseline. Italy cannot drop below the directive on essential and important entity duties, incident reporting deadlines or management body accountability.

Who does what in Italy
Three institutions that show up in almost every NIS 2 question.
IT

ACN

Single competent NIS authority and single point of contact. Conducts audits, requests documentation, imposes administrative sanctions and issues binding regulatory measures. Chairs the NIS implementation board that coordinates the nine sector ministries.

IT

CSIRT Italia

The national CSIRT, hosted by ACN. Receives significant incident notifications from entities in scope, provides technical guidance and incident handling support, and coordinates cross-border with peer CSIRTs through the EU CSIRTs network.

EU

ENISA

The EU cybersecurity agency. Publishes guidance, manages the European vulnerability database, and supports cross-border coordination. Not a supervisor for Italian entities; ACN is.

Pitfalls
Mistakes we see when Italian entities first read NIS 2.
  • We do NIS 2 the way our German parent does it.

    The directive obligations are the same, but the procedure is not. An Italian subsidiary registers on the ACN platform, files incident notifications to CSIRT Italia, and answers to ACN supervision. References to BSIG, the German BSI portal or German sector authorities do not carry over. The internal compliance work can be shared across the group; the national filings cannot.

  • There is no Italian registration obligation yet.

    The ACN registration platform opened on 1 December 2024 and the first registration window closed on 28 February 2025. Updates of registration data follow the directive's two-week rule. An entity in scope that never registered is not exempt; it is in breach, and ACN has both administrative sanction and binding measure powers.

  • Our sector regulator is in charge, not ACN.

    Italy chose a single competent authority model. ACN supervises across all NIS 2 sectors and is the single point of contact for the EU cooperation group. Sector ministries act as sector authorities and contribute domain expertise under an ACN-chaired implementation board, but the binding NIS 2 supervision and sanction power sits with ACN. For finance, DORA applies as lex specialis and the financial sector regulator runs that channel.

Practitioner view

Most Italian small and mid-cap operators we see still read NIS 2 through the lens of the old D.Lgs. 65/2018 NIS 1 perimeter, in which only a handful of named operators were in scope. The new decree expands the perimeter by an order of magnitude, brings in public administrations, local public transport and research entities, and shifts the accountability onto the management body. The amministratore delegato or legale rappresentante is personally on the hook for risk-management approval and training.

The practical move is the same as everywhere else in the EU. Confirm scope under the directive and the decree, register on the ACN platform, set up the four continuous obligations (registration upkeep, incident reporting through CSIRT Italia, supply chain risk, management body oversight), and document the minimum. ACN sector annexes refine the detail; they do not replace the obligation register.

How the platform helps

We build the NIS 2 obligation register on the EU layer, not on any single national transposition. The same checklist works for an Italian subsidiary using Decreto Legislativo 138/2024, a German parent using BSIG, a French sister using Ordonnance n° 2024-1093 and a Dutch one using the Cyberbeveiligingswet. Article references switch per locale; the substantive obligations do not.

For Italian scope you start with the applicability check, then move to incident reporting cadence through CSIRT Italia, supply chain clauses and management body sign-off. Where ACN publishes determinations or sector annexes, we reference them; we do not duplicate them.

Sources
  • Directive (EU) 2022/2555 (NIS 2) — EUR-Lex
  • Commission Implementing Regulation (EU) 2024/2690
  • Decreto Legislativo 4 settembre 2024, n. 138 — Gazzetta Ufficiale, 1 October 2024
  • ACN — Agenzia per la Cybersicurezza Nazionale, official site (acn.gov.it)
  • CSIRT Italia — National Computer Security Incident Response Team (csirt.gov.it)
  • European Commission — NIS 2 directive transposition tracker, Italy
  • Banca d'Italia — competent authority for DORA in the financial sector