EU NIS2 in Italy

EU NIS2 was transposed into Italian national law by Legislative Decree No. 138 of September 4, 2024 (decreto legislativo 4 settembre 2024, n. 138), the Italian NIS2 implementation law.
As in two other EU member states, the law came into force on October 18, 2024. It transposes the minimum cybersecurity requirements of the EU NIS2 directive into Italian law.

Implementation in Italy
Current status
In Italy, the national cybersecurity agency, Agenzia per la cybersicurezza nazionale (ACN), was in charge of implementing the EU NIS2 directive into national law. The Italian national legislation was passed on September 4, 2024, published in the official journal Gazzetta Ufficiale on October 1, 2024, as Law No. 138, and has been in force since October 16, 2024.
Timeline 2025 and 2026
The Italian transposition law of EU NIS2 provides for the following deadlines (Art. 42). It defines annual deadlines for registration purposes and special transition deadlines for entities becoming NIS2-affected until December 31, 2025. The following deadlines recur every year:
- January 1 to February 28: Entities affected under Art. 3 must register on the Italian portal with the data specified in Art. 7 §1
- March 31: Deadline for ACN to prepare the list of affected entities. ACN is expected to communicate inclusion in, permanence on and removal from the list of affected entities by April 15 (Art. 7 §2-3)
- April 15 to May 31 (effective from 2026): Affected entities must provide or update the data specified in Art. 7 §4; DNS providers, data center service providers, online search engines and others must provide additional data (Art. 7 §5)
- May 31 to June 30: Affected entities must provide or update the list of their activities and services needed for their categorization and for the assignment of a category of importance.
Entities becoming affected until December 31, 2025 are granted additional transition periods, counted from receipt of the affectedness notice (see Art. 7 §1 (a) and (b)) (Art. 42 §42(b) and §42(c)):
- Within 9 months (January 1, 2026 at the earliest), entities must comply with the incident reporting obligations specified in Art. 25
- Within 18 months (October 1, 2026 at the earliest), entities must comply with the provisions on cybersecurity training and governance in Art. 23, the information security risk management obligations in Art. 24, and Art. 29 (domain name registration database)
National NIS2 differences
The Italian Cybersecurity Act introduces the following national differences, which set it apart from the majority of other EU NIS2 implementations:
- Annual registration periods: The registration process starts at the beginning of January every year (starting in January 2025). During January and February, registered and not-yet-registered entities must upload the required data (Art. 7 §1)
- More annexes and sectors: There are four annexes; Annex I and II implement the EU NIS2 sectors almost identically. Annex III lists central government institutions, and Annex IV introduces new sectors such as local transport services or entities carrying out activities of cultural interest
- NIS2 implementation committee: Italy introduces a separate committee led by ACN to ensure implementation and enforcement of NIS2
- Sector-specific authorities: Although ACN is the NIS2 national competent authority, several sector-specific authorities are responsible for supervision in their assigned sectors
- Higher affectedness: Companies can be affected regardless of their size if they are related to essential or important entities within the meaning of Art. 6 §10
- Minimum penalty: For essential entities the minimum fine is set at one-twentieth of the maximum fine; for important entities it is set at one-thirtieth of the maximum fine (Art. 38 §9)
- Public administration penalty: Italy also introduced fines for public administrations listed in Annex III and for entities of the types listed in Annex IV that are involved in or subject to public control, as they are considered essential, with administrative fines ranging from 25,000 to 125,000 euros (Art. 38 §9)
- Audit obligations: The audit obligations in Art. 34-37 lack predetermined audit cycles and instead empower ACN to impose regular audits on both important and essential entities
Scope
Entities
The following entities are covered under NIS2 in the Italian Cybersecurity Act; the criteria and conditions set forth for important and essential entities are largely the same as in the EU NIS2 directive (Art. 3, Art. 6).
- Essential entities (soggetti essenziali) based on company size in the NIS sectors of Annex I:
  - Entities with ≥ 250 FTE
  - Entities with > 50m EUR annual revenue or a balance sheet total > 43m EUR
  - Size-independent: critical entities under the Italian EU CER implementation, telcos, qualified trust service providers (qTSPs), TLD registries, DNS service providers, public administration, Annex IV entities, enterprises related to essential or important entities
- Essential entities based on Annex III (soggetti essenziali):
  - Metropolitan cities
  - Municipalities with ≥ 100,000 residents
  - Municipalities that are regional capitals
  - Local health authorities if assessed as crucial for societal or economic activities
- Important entities (soggetti importanti):
  - Entities belonging to the sectors listed in Annexes I or II that are not classified as essential entities. These include providers of public electronic communications networks or services, processing companies and distributors of food products, as well as digital service providers
  - Entities with ≥ 50 employees
  - Entities with > 10m EUR annual revenue or a balance sheet total > 10m EUR
The decree expands the scope of NIS2 by specifying that, in addition to the sectors already covered, additional types of entities must also be considered important under Annex IV, including:
- Public administrations, identified by a graded criterion that assesses their exposure to risk, the likelihood of incidents, and their potential severity
- Regardless of size:
  - Entities providing local public transport services
  - Educational institutions engaged in research
  - Organizations involved in cultural activities
  - In-house companies, investee companies, and publicly controlled companies
Type of Service | Essential Entity | Important Entity |
---|---|---|
Annex I | large enterprises (2003/361/EC) | --- |
Annex II | --- | medium-sized enterprises (2003/361/EC) |
Annex III §1a | size-independent | --- |
Annex III §1b et seq. | --- | size-independent |
Annex IV | --- | size-independent |
critical operators under the Italian EU CER implementation, DNS, TSPs, TLDs, telco | size-independent | --- |
monopoly position, national importance and more (Art. 3 §9) | --- | size-independent |
related entities under Art. 3 §10 | --- | size-independent |
Sectors
The Italian sectors specified in Annexes I and II are identical to EU NIS2, with the exception that Public administration was moved to Annex III. There are additional sectors covered under Italian NIS2, described in Annex IV not previously required by EU NIS2.
Annex I Sectors
Subsector | Services | Supervising Authority |
---|---|---|
Settore Energia (Energy) | | |
Elettricità (Electricity) | Electricity suppliers; distribution system operators; transmission system operators; electricity producers; market operators; aggregators, demand response and energy storage providers; recharging point operators | Ministero dell'ambiente e della sicurezza energetica |
Teleriscaldamento e teleraffreddamento (District heating and cooling) | District heating and cooling operators | Ministero dell'ambiente e della sicurezza energetica |
Petrolio (Oil) | Oil pipeline operators; oil production, refining, storage and transport operators; central stockholding entities | Ministero dell'ambiente e della sicurezza energetica |
Gas (Gas) | Gas suppliers; gas distribution system operators; gas transmission system operators; gas storage operators; LNG system operators; natural gas companies; gas refining and treatment operators | Ministero dell'ambiente e della sicurezza energetica |
Idrogeno (Hydrogen) | Hydrogen production, storage and transport operators | Ministero dell'ambiente e della sicurezza energetica |
Settore Trasporti (Transport) | | |
Trasporto aereo (Air transport) | Commercial air carriers; airport operators; air traffic control service providers | Ministero delle infrastrutture e dei trasporti |
Trasporto ferroviario (Rail transport) | Rail infrastructure managers; railway companies and service facility operators | Ministero delle infrastrutture e dei trasporti |
Trasporto marittimo (Water transport) | Passenger and freight shipping companies; port management bodies; vessel traffic service operators | Ministero delle infrastrutture e dei trasporti |
Trasporto su strada (Road transport) | Road traffic management authorities; intelligent transport system operators | Ministero delle infrastrutture e dei trasporti |
Settore bancario (Banking) | Credit institutions | Ministero dell'economia e delle finanze |
Infrastrutture dei mercati finanziari (Financial market infrastructures) | Trading venue operators; central counterparties (CCPs) | Ministero dell'economia e delle finanze |
Settore sanitario (Health) | Healthcare providers; EU reference laboratories; medicinal product R&D entities; pharmaceutical manufacturers; critical medical device manufacturers | Ministero della salute |
Acqua potabile (Drinking water) | Water suppliers and distributors | Ministero dell'ambiente e della sicurezza energetica |
Acque reflue (Waste water) | Wastewater collection, disposal and treatment companies | Ministero dell'ambiente e della sicurezza energetica |
Infrastruttura digitale (Digital infrastructure) | Internet exchange point providers; DNS service providers; TLD registry managers; cloud service providers; data center providers; content delivery network providers; trust service providers; public electronic communications network providers; public electronic communications service providers | Ministero delle imprese e del made in Italy |
Gestione dei servizi ICT (business-to-business) (ICT service management, B2B) | Managed service providers; managed security service providers | Presidenza del Consiglio dei ministri |
Public administration (moved to Annex III) | (see Annex III) | (see Annex III) |
Spazio (Space) | Operators of ground-based infrastructure supporting space services | Presidenza del Consiglio dei ministri |
Annex II Sectors
Subsector | Services | Supervising Authority |
---|---|---|
Servizi postali e di corriere (Postal and courier services) | Postal service providers; courier service providers as defined in Art. 2(1a) of Directive 97/67/EC | Ministero delle imprese e del made in Italy |
Gestione dei rifiuti (Waste management) | Waste management as defined in Art. 3(9) of Directive 2008/98/EC | Ministero dell'ambiente e della sicurezza energetica |
Fabbricazione, produzione e distribuzione di sostanze chimiche (Manufacture, production and distribution of chemicals) | Enterprises engaged in the manufacture of substances and the distribution of substances or mixtures (as defined in Art. 3(9) and (14) of Regulation (EC) No. 1907/2006), and enterprises engaged in the production of articles (as defined in Art. 3(3) of that Regulation) from substances or mixtures | Ministero delle imprese e del made in Italy (after consultation with the Ministry of Health) |
Produzione, trasformazione e distribuzione di alimenti (Production, processing and distribution of food) | Food enterprises as defined in Art. 3(2) of Regulation (EC) No. 178/2002 engaged in wholesale distribution and industrial production and processing | Ministero dell'agricoltura, della sovranità alimentare e delle foreste |
Fabbricazione di dispositivi medici e di dispositivi medico-diagnostici in vitro (Manufacture of medical devices and in vitro diagnostic medical devices) | Medical devices as defined in Art. 2(1) of Regulation (EU) 2017/745 of the European Parliament and of the Council; persons who manufacture in vitro diagnostic medical devices as defined in Art. 2(2) of Regulation (EU) 2017/746 | Ministero della salute |
Fabbricazione di computer e prodotti di elettronica e ottica (Manufacture of computer, electronic and optical products) | Enterprises listed in Section C, Division 26, of NACE Rev. 2 | Ministero delle imprese e del made in Italy |
Fabbricazione di apparecchiature elettriche (Manufacture of electrical equipment) | Enterprises listed in Section C, Division 27, of NACE Rev. 2 | Ministero delle imprese e del made in Italy |
Fabbricazione di macchinari e apparecchiature n.c.a. (Manufacture of machinery and equipment n.e.c.) | Enterprises listed in Section C, Division 28, of NACE Rev. 2 | Ministero delle imprese e del made in Italy |
Fabbricazione di autoveicoli, rimorchi e semirimorchi (Manufacture of motor vehicles, trailers and semi-trailers) | Enterprises listed in Section C, Division 29, of NACE Rev. 2 | Ministero delle imprese e del made in Italy (after consultation with the Ministry of Infrastructure and Transport) |
Fabbricazione di altri mezzi di trasporto (Manufacture of other transport equipment) | Enterprises listed in Section C, Division 30, of NACE Rev. 2 | Ministero delle imprese e del made in Italy (after consultation with the Ministry of Infrastructure and Transport) |
Fornitori di servizi digitali (Digital providers) | Domain name registration service providers; providers of social networking platforms; online search engine providers; online marketplace providers | Ministero delle imprese e del made in Italy |
Ricerca (Research) | Research organizations | Ministero dell'università e della ricerca (also in agreement with other supervising administrations) |
Annex III Sectors
Amministrazioni centrali (Central government) | Amministrazioni regionali (Regional) | Amministrazioni locali (Local) | Altri soggetti pubblici (Other public entities) |
---|---|---|---|
Gli Organi costituzionali e di rilievo costituzionale (constitutional and constitutionally relevant bodies) | Le Regioni e le Province autonome (regions and autonomous provinces) | Le Città metropolitane (metropolitan cities) | Gli Enti di regolazione dell'attività economica (economic activity regulatory bodies) |
La Presidenza del Consiglio dei ministri e i Ministeri (Presidency of the Council of Ministers and ministries) | | I Comuni con popolazione superiore a 100.000 abitanti (municipalities with a population over 100,000) | Gli Enti produttori di servizi economici (economic service-producing entities) |
Le Agenzie fiscali (tax agencies) | | I Comuni capoluoghi di regione (municipalities that are regional capitals) | Gli Enti a struttura associativa (entities with a membership structure) |
Le Autorità amministrative indipendenti (independent administrative authorities) | | Le Aziende sanitarie locali (local health authorities) | Gli Enti produttori di servizi assistenziali, ricreativi e culturali (entities producing welfare, recreational and cultural services) |
Gli Enti e le Istituzioni di ricerca (research organizations and institutions) | | | |
Gli Istituti zooprofilattici sperimentali (experimental zooprophylactic institutes) | | | |
Annex IV Sectors
Subsector | Services | Supervising Authority |
---|---|---|
Servizi di trasporto pubblico locale (Local public transport services) | Entities providing local public transport services | Ministero delle infrastrutture e dei trasporti |
Istituzioni educative impegnate nella ricerca (Educational institutions engaged in research) | Educational institutions conducting research | Ministero dell'università e della ricerca |
Attività di interesse culturale (Activities of cultural interest) | Organizations involved in cultural activities | Ministero della cultura |
Società in house, società partecipate e società a controllo pubblico (In-house companies, investee companies and publicly controlled companies) | In-house companies, investee companies and publicly controlled companies (as defined in Decree No. 175 of August 19, 2016) | Ministero dell'economia e delle finanze |
Requirements
Security
Risk Management
The Italian NIS2 implementation law addresses risk management measures in line with the NIS 2 Directive in Art. 24 and Art. 25.
Essential and important entities shall take appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the security of the network and information systems that such entities use in their activities or in the provision of their services, as well as to prevent or minimize the impact of incidents on the recipients of their services and on other services (Art. 24).
Specifically, the risk measures should at least include:
- Risk analysis and security policies for information and network systems
- Business continuity, including backup management, disaster recovery (where applicable), and crisis management
- Supply chain security, including security-related aspects concerning the relationship between each entity and its direct suppliers or service providers
- Personnel security and reliability, access control policies, and asset management
- Incident management, including procedures and tools for making notifications
- Security of the acquisition, development, and maintenance of information and network systems, including vulnerability management and disclosure
- Policies and procedures for evaluating the effectiveness of cybersecurity measures
- Basic hygiene practices and training in computer security
- Policies and procedures regarding the use of cryptography and, where appropriate, encryption
- Use of multi-factor or continuous authentication solutions, secure voice, video, and text communications, and secure emergency communication systems
While the law emphasizes that the risk measures should reflect the state of the art of network and information security, be commensurate with the existing risks and, where applicable, follow "national, European and international standards", it also emphasizes that the measures must be proportionate to the degree of exposure of the entity, as well as to the magnitude and probability of incidents occurring (including their social and economic impact should they occur) (Art. 24 a)-b)).
Information and authorities
Registration
The registration obligations are defined in Art. 7 of the Italian implementation law. Essential and important entities, as well as domain name registration service providers, have to register and keep their registration up to date on the digital platform provided by ACN.
As part of the registration the relevant entities must provide (or update) at least:
- name of the entity
- current address, contact information (including e-mail and telephone numbers)
- point of contact within the entity
- the relevant sectors and subsectors as well as entity types (in accordance with Annexes I, II, III, and IV of the implementation law)
Reporting and notification obligations
The reporting obligations are defined under Chapter IV in Art. 23-33 and are closely aligned with the NIS2 Directive.
- Art. 23 §3 requires that the administrative and management bodies of NIS2 entities shall be informed of incidents on a periodic or, if appropriate, timely basis.
- Art. 25 §9 requires essential and important entities to notify the recipients of their services of significant incidents that may adversely impact the provision of such services without undue delay, after consultation with CSIRT Italia.
Organizations subject to the implementation law have the obligation to notify CSIRT Italia of any incident which has a significant impact on the delivery of their services:
- Within 24 hours from the moment the organization becomes aware of the incident, a pre-notification must be sent indicating whether the incident may have been caused by malicious acts and whether it may have an impact outside the country (Art. 25 §5a)
- Within 72 hours from the moment the organization becomes aware of the incident, a notification must be sent with an initial assessment of the incident (Art. 25 §5b)
- If requested by CSIRT Italia, the entity is required to provide an interim report (relazione intermedia) (Art. 25 §5c)
- Within a month from the incident, the organization must provide a final report covering all details such as causes, remediation measures taken and cross-border impact (Art. 25 §5d)
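A small deadline tracker for the Art. 25 §5 reporting steps above, added here as an illustration (it is not part of the decree or of any ACN tooling). It assumes every clock runs from the timestamp at which the entity became aware of the incident, approximates "a month" for the final report as 30 days, and also computes the 9-month transition date of Art. 42 for entities notified until December 31, 2025; the interim report of §5c is only due on request and therefore has no fixed clock.

```python
import calendar
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

# Art. 25 §5 reporting steps. Assumptions of this example: all clocks start at
# the moment of awareness, and the final-report "month" is taken as 30 days.
REPORTING_STEPS = (
    ("pre_notification", "pre-notification (Art. 25 §5a)", timedelta(hours=24)),
    ("notification", "notification with initial assessment (Art. 25 §5b)", timedelta(hours=72)),
    ("final_report", "final report (Art. 25 §5d)", timedelta(days=30)),
)


@dataclass(frozen=True)
class Deadline:
    step_id: str
    label: str
    due: datetime
    hours_left: float  # negative once the deadline has passed


def reporting_deadlines(aware_at: datetime, now: datetime) -> list[Deadline]:
    """Compute each Art. 25 §5 deadline relative to the awareness timestamp."""
    if aware_at.tzinfo is None or now.tzinfo is None:
        # Naive datetimes silently shift across DST changes; refuse them.
        raise ValueError("use timezone-aware datetimes")
    deadlines = []
    for step_id, label, delta in REPORTING_STEPS:
        due = aware_at + delta
        deadlines.append(Deadline(step_id, label, due, (due - now).total_seconds() / 3600))
    return deadlines


def overdue_steps(aware_at: datetime, now: datetime, submitted: set[str]) -> list[str]:
    """Ids of steps whose deadline has passed without a recorded submission."""
    return [d.step_id for d in reporting_deadlines(aware_at, now)
            if d.hours_left < 0 and d.step_id not in submitted]


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of the target month."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def reporting_obligation_starts(notice_received: date) -> date:
    """Art. 42 transition rule: Art. 25 applies 9 months after the affectedness notice."""
    return add_months(notice_received, 9)


# Constructed sample values: awareness at 10:00 UTC, checked 48 hours later,
# and an affectedness notice received on April 15, 2025.
SAMPLE_AWARE = datetime(2025, 6, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2025, 6, 3, 10, 0, tzinfo=timezone.utc)
SAMPLE_NOTICE = date(2025, 4, 15)

if __name__ == "__main__":
    for d in reporting_deadlines(SAMPLE_AWARE, SAMPLE_NOW):
        status = "OVERDUE" if d.hours_left < 0 else f"{d.hours_left:.0f} h left"
        print(f"{d.label:52s} due {d.due:%Y-%m-%d %H:%M} UTC  {status}")
    print("still missing:", overdue_steps(SAMPLE_AWARE, SAMPLE_NOW, {"pre_notification"}))
    print("Art. 25 applies from", reporting_obligation_starts(SAMPLE_NOTICE))
```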
Sanctions
Sanctions are defined under Art. 35 to 37. They allow for effective enforcement within appropriate timeframes in order to encourage the entities concerned to comply with their obligations and adopt good cybersecurity practices. The penalty amounts are closely aligned with EU NIS2.
Once ACN has completed the list of NIS2 entities in April 2025, it will send a formal notice to an operator where non-compliance with the provisions of the Directive and the Decree is found and, if the deficiencies have not been or cannot be resolved, it will be able to impose sanctions depending on whether the operator is classified as essential or important:
- for essential entities, excluding public administrations, administrative pecuniary sanctions of up to a maximum of 10,000,000 euros or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Art. 38 §9a);
- for important entities, excluding public administrations, administrative pecuniary sanctions of up to a maximum of 7,000,000 euros or 1.4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Art. 38 §9b);
- for public administrations, administrative pecuniary sanctions from 25,000 to 125,000 euros (Art. 38 §9c).
The Decree has established a minimum fine of one-twentieth or one-thirtieth of the maximum fine for essential and important entities respectively. For less serious violations (e.g. failure to register, incorrectly communicating or failing to update information on the ACN platform, failure to cooperate with ACN) a fine of up to 0.1% or up to 0.07% of the annual worldwide turnover is foreseen (Art. 38 §11). Repeated violations may lead to fines increased by up to three times (Art. 38 §13).
Additional sanctions can be imposed if ACN sees its request for the implementation of certain measures ignored, resulting in the suspension of a certificate or authorization relating to the services provided by the entity, or in bans on members of the administrative and management bodies from carrying out managerial functions within the entity.
Before imposing sanctions, the ACN will consider the circumstances of the violation Art. 34 §6, including:
- Severity and importance of the infringement, particularly in cases of:
  - Repeated violations
  - Failure to report or remedy significant incidents
  - Non-compliance with binding instructions from the national NIS Authority
  - Obstructing supervisory activities
  - Providing false or seriously inaccurate information
- Duration of the infringement
- Past violations by the entity
- Material or immaterial damage, including financial losses, service disruptions, and affected users
- Intent or negligence of the entity
- Preventive or mitigating measures taken
- Adherence to approved codes of conduct or certification mechanisms
- Cooperation with the ACN
Audits
The audit obligations are defined in Art. 34-37 and the audit powers in Art. 36. Audits can be conducted by independent bodies designated by ACN (Art. 37 §5). ACN can request regular or ad hoc audits, either by independent bodies or by its own officials, to assess how well entities implement security measures (Art. 35 §3). Audits may occur periodically or in response to specific triggers, e.g. an incident (Art. 37 §3). Art. 34-37 do not specify predetermined audit cycles.
Art. 36 §6 of the Decree specifies that ACN may subject the organizations to which the provisions in question apply to:
- checks of the documentation and information transmitted to the competent national authority NIS pursuant to this decree;
- on-site and remote inspections, including random checks;
- requests for access to data, documents and other information necessary for the exercise of the powers referred to in this article, declaring the purpose of the request and specifying the information requested from the subjects.
Further Information
Sources
- Italian NIS2 registration portal, website of the Italian Agency for Cybersecurity
- Italian EU NIS2 implementation law, website of the Italian Official Journal, October 1, 2024