NIS2 Italy: ACN Compliance Requirements, Enforcement Timeline, and What Italian Entities Must Do in 2026

Italy's Agenzia per la Cybersicurezza Nazionale (ACN) is enforcing NIS2 with surprise audits, dual-authority supervision, and personal liability for management. Essential entities face €10M fines. Complete guide to Italian NIS2 transposition, ACN registration, and compliance steps for Decree 138/2024.

Italy has emerged as one of the EU’s most aggressive NIS2 enforcers. The Agenzia per la Cybersicurezza Nazionale (ACN), established in 2021, has built a compliance architecture that goes beyond the EU directive’s baseline requirements — adding expanded sector coverage, surprise audit authority, and a dual-supervision model that forces organizations to satisfy both ACN and sectoral regulators simultaneously. For any entity operating in Italy under NIS2 jurisdiction, the window for proactive compliance is narrowing fast.

This guide covers Italy’s transposition of NIS2 through Decreto Legislativo 138/2024, ACN’s enforcement approach, the dual-authority supervision model, personal liability for management bodies, and the practical steps your organization should take before the October 2026 compliance deadline.

Italy’s NIS2 Transposition: Decreto Legislativo 138/2024

Italy formally transposed NIS2 through Legislative Decree No. 138 of September 4, 2024, which entered into force on October 16, 2024. The decree repealed the previous NIS1 framework (D.Lgs. 65/2018) and adopted the maximum penalty levels allowed under the EU directive — a signal that Italy intends to enforce aggressively.

The transposition maintains NIS2’s two-tier structure while adding uniquely Italian elements:

  • Entità Essenziali (Essential Entities): Large organizations in the Annex I sectors, including energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, and space. Size threshold: 250 or more employees, or annual turnover above €50M together with a balance sheet total above €43M.

  • Entità Importanti (Important Entities): Medium-sized organizations in the same sectors plus postal services, waste management, chemicals, food, medical devices, manufacturing (computers, electronics, machinery, motor vehicles), and digital providers. Size threshold: 50 to 249 employees, or annual turnover or balance sheet total above €10M while remaining below the large-enterprise thresholds.

The size thresholds are not the whole test. Some entities are in scope regardless of size, among them DNS service providers, TLD name registries, trust service providers and public administration bodies, so a small organization in one of these categories cannot assume it is exempt.

Italy’s Expanded Scope: Beyond the EU Baseline

Italy did not simply copy-paste the NIS2 Directive. Decreto 138/2024 adds Annex III and Annex IV, which expand the list of in-scope entities beyond the EU’s baseline to include:

  • Regional and local public administrations — municipal governments, regional health authorities, and local transport agencies
  • Cultural heritage institutions — a uniquely Italian addition reflecting the country’s vast museum and cultural infrastructure, which relies heavily on digital systems
  • Local public transport operators — extending beyond national rail and air to include municipal transit systems

This expanded scope means thousands of Italian organizations that would be exempt in other Member States are in scope under Italian law. Many of these entities lack mature cybersecurity programs, creating a significant compliance gap that ACN is actively monitoring.

The Safeguard Clause: Subsidiary Exemptions

Per DPCM 9 December 2024, n. 221 (in force February 11, 2025), small subsidiaries that are part of a large in-scope group may apply for an exemption if they can demonstrate their ICT systems are completely independent from the parent entity. This is not automatic — organizations must apply through the ACN digital platform and provide technical evidence of system isolation. Most subsidiaries will not qualify.

ACN: Italy’s Central Cybersecurity Authority

The Agenzia per la Cybersicurezza Nazionale (ACN) serves as Italy’s primary NIS2 supervisory authority. Established in 2021 under the authority of the Presidency of the Council of Ministers, ACN has rapidly built enforcement capacity:

  • National registry management: ACN operates the digital platform where all in-scope entities must register, update contact details, and declare their essential/important status
  • Compliance audits: Both scheduled and surprise audits, including remote digital audits that can flag gaps automatically
  • CSIRT Italia: Italy’s Computer Security Incident Response Team, the mandatory recipient of all NIS2 incident reports
  • Binding security recommendations: ACN can issue sector-specific security measures that go beyond the directive’s baseline
  • Enforcement actions: Administrative sanctions, formal warnings, and mandatory remediation orders

The Dual-Authority Model

Italy’s enforcement architecture is uniquely complex. Organizations must satisfy two layers of supervision simultaneously:

  1. ACN — Central authority with ultimate oversight, maintaining the national registry and conducting cross-sector audits
  2. Sectoral authorities — Health Ministry, Energy Authority (ARERA), Bank of Italy, Transport Authority, and others with supplementary sector-specific requirements

This dual-authority model creates practical compliance challenges:

  • Evidence trails must be harmonized across both supervisory streams
  • Where sectoral rules diverge from ACN baseline requirements, organizations must log the divergence, document their decision rationale, and name the responsible party
  • When conflicts arise, ACN rules take precedence over sectoral guidance

For cyber insurance underwriters, this dual-authority model increases compliance complexity and should be factored into risk assessments for Italian-domiciled insureds. Organizations with weak internal coordination between compliance, IT security, and legal teams face elevated enforcement risk.

Registration Requirements and Deadlines

Registration with ACN is the first mandatory step for all in-scope entities. The process creates a persistent, timestamped audit trail that begins the compliance clock:

Requirement                                                   Deadline                          Status
Digital registration (core sectors)                           December 2024 to February 2025    Closed
Digital/cloud/managed provider registration                   January 17, 2025                  Closed
ACN notification of entity status (Essential vs. Important)   March to April 2025               Closed
Compliance contacts and role updates                          At registration, then ongoing     Active
Incident reporting obligations fully active                   January 2026                      Active
ACN defines "comprehensive" security measures                 April 2026                        Pending
Full compliance with all technical requirements               October 2026                      Upcoming

Common registration failures that trigger enforcement:

  • Late registration (non-conformity is logged and can trigger audit)
  • Unlogged registration amendments (changes to contacts, IP ranges, or status must be updated within 30 days)
  • Outdated risk maps and missing policy update histories
  • Unacknowledged role assignments for security responsibilities

The Three Pillars of Italian NIS2 Compliance

1. Risk Management and Security Measures

Entities must implement “appropriate and proportionate” measures based on real-world risk assessments covering technical, operational, and supply chain vulnerabilities. ACN is rolling out security measure definitions in two phases:

  • Basic measures (defined by ACN in April 2025): Fundamental security controls applicable to all in-scope entities
  • Comprehensive measures (to be defined by ACN by April 2026): Enhanced requirements for essential entities and specific sectors, with full compliance expected by October 2026

These measures must address all 10 risk-management measures listed in Article 21(2) of the NIS2 Directive: risk analysis and information system security policies; incident handling; business continuity, backup, disaster recovery and crisis management; supply chain security; security in acquiring, developing and maintaining network and information systems, including vulnerability handling and disclosure; policies to assess the effectiveness of the measures; cyber hygiene and training; cryptography and encryption; human resources security, access control and asset management; and multi-factor authentication and secured communications. For a complete breakdown of these requirements, see our NIS2 Article 21 technical measures guide.

2. Incident Reporting: The 24/72/30 Rule

Italy adopted the NIS2 standard incident reporting timeline without modification:

  • 24 hours: Early warning to CSIRT Italia, due within 24 hours of becoming aware of the incident. It must state whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact
  • 72 hours: Incident notification that updates the early warning with an initial assessment of severity and impact and, where available, indicators of compromise
  • 1 month: Final report due one month after the 72-hour notification, with a detailed description of the incident, the likely root cause, mitigation measures applied or in progress, and any cross-border impact

Critical detail: The clock starts when the entity becomes aware of the incident, that is at detection, not at confirmation of cause or scope. Organizations must file on initial indicators and correct them in the later submissions, even before the investigation is complete. This is a significant departure from how many Italian organizations have historically handled security incidents.

NIS2 and GDPR: Italy’s Dual Reporting Challenge

Italy’s implementation creates a unique dual-reporting obligation. When a cybersecurity incident involves personal data, organizations must report to both ACN (under NIS2) and the Garante per la Protezione dei Dati Personali (Italy’s data protection authority, under GDPR). Key considerations:

  • GDPR's 72-hour notification to the Garante runs from awareness of the personal data breach, in parallel with NIS2's 24-hour early warning to CSIRT Italia
  • The two obligations are independent: filing with CSIRT Italia does not discharge the GDPR duty, and notifying the Garante does not discharge NIS2. In practice, the 24-hour triage for the NIS2 early warning is the point at which to decide whether personal data are affected and to start the GDPR clock
  • Teams must maintain separate but consistent evidence trails for both authorities
  • Using dual notification templates (pre-built for both ACN and Garante formats) significantly reduces the compliance burden
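The following is an added example, not part of the original article and not ACN tooling, that turns the two sections above into a schedule: from one detection timestamp it derives the 24-hour and 72-hour NIS2 deadlines, the one-month final report counted from the 72-hour notification, and, when personal data are involved, the parallel 72-hour GDPR notification to the Garante. Reading "one month" as a calendar month clamped to the month end, and the incident timestamp in the demo, are this example's assumptions.

```python
"""Incident-notification deadline calculator for an Italian NIS2 entity.

Added example for this article, not an ACN tool. Timelines follow NIS2
Art. 23 (24-hour early warning, 72-hour notification, final report one month
after the 72-hour notification) and GDPR Art. 33 (72 hours from awareness of
a personal-data breach). Reading "one month" as a calendar month clamped to
the month end is this example's assumption; 30 days is the other common
reading, and add_one_month() is the one place to change it.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import calendar


@dataclass(frozen=True)
class Deadline:
    regime: str     # "NIS2" or "GDPR"
    authority: str  # recipient: CSIRT Italia or Garante
    step: str       # which filing this deadline is for
    due: datetime   # timezone-aware


def utc(year, month, day, hour=0, minute=0):
    """Build a UTC timestamp; incident clocks must never run on naive times."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def add_one_month(t):
    """Same day of the next month, clamped to that month's last day
    (31 Jan -> 28 Feb, or 29 Feb in a leap year)."""
    year = t.year + t.month // 12
    month = t.month % 12 + 1
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def notification_schedule(detected_at, personal_data_affected, notified_72h_at=None):
    """Return every filing deadline sorted by due time.

    detected_at: when the entity became aware of the incident; the clock
        starts here, not at confirmation of root cause or scope.
    personal_data_affected: adds the GDPR Art. 33 notification to the Garante,
        an independent obligation that a CSIRT Italia filing does not discharge.
    notified_72h_at: when the 72-hour notification was actually filed. The
        one-month final report runs from that filing; if it has not been
        filed yet, the latest permitted filing time is assumed.
    """
    if detected_at.tzinfo is None:
        raise ValueError("detected_at must be timezone-aware")
    early_warning = detected_at + timedelta(hours=24)
    notification = detected_at + timedelta(hours=72)
    final_report = add_one_month(notified_72h_at or notification)

    schedule = [
        Deadline("NIS2", "CSIRT Italia", "early warning", early_warning),
        Deadline("NIS2", "CSIRT Italia", "incident notification", notification),
        Deadline("NIS2", "CSIRT Italia", "final report", final_report),
    ]
    if personal_data_affected:
        # GDPR runs on its own 72-hour clock from awareness of the breach.
        schedule.append(Deadline("GDPR", "Garante", "personal data breach notification",
                                 detected_at + timedelta(hours=72)))
    # sorted() is stable, so the NIS2 notification stays ahead of the GDPR tie.
    return sorted(schedule, key=lambda d: d.due)


def next_due(schedule, now):
    """First deadline still in the future at `now`, or None if all have passed."""
    return next((d for d in schedule if d.due > now), None)


def overdue(schedule, now, filed_steps=()):
    """Deadlines already past at `now` whose step has not been filed."""
    return [d for d in schedule if d.due <= now and d.step not in filed_steps]


if __name__ == "__main__":
    # Constructed scenario: ransomware detected 31 Jan 2026 10:00 UTC with
    # customer records exposed, so both authorities are in play.
    detected = utc(2026, 1, 31, 10)
    for d in notification_schedule(detected, personal_data_affected=True):
        print(f"{d.due:%Y-%m-%d %H:%M} UTC  {d.regime:<4} {d.authority:<13} {d.step}")
```

Running the block prints the constructed scenario's four deadlines in due order, which makes the dual-reporting point visible: the NIS2 72-hour notification and the GDPR notification fall at the same moment, and the first thing due is always the CSIRT Italia early warning. Once the 72-hour filing has actually gone out, pass `notified_72h_at` so the final-report deadline is anchored to the real submission time rather than the latest permitted one.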

For insurance professionals, this dual-reporting requirement is a key underwriting consideration. Italian entities that fail to report to both authorities face cumulative penalties under both regulatory regimes.

3. Governance and Personal Liability

Article 23 of Decreto 138/2024 makes personal liability for management bodies a cornerstone of Italian NIS2 enforcement. Administrative and management bodies — CEOs, board members, directors — must:

  • Approve the cybersecurity risk management approach
  • Oversee its implementation
  • Prove due diligence in the event of a breach

If management cannot demonstrate that they took reasonable steps to ensure compliance, they face personal administrative sanctions. This aligns with the broader EU trend of individual accountability at the board level, which we analyzed in our NIS2 board liability guide.

The Penalty Structure: Maximum Enforcement

Italy adopted the maximum fine levels allowed under the EU directive (the fixed amount or the turnover percentage, whichever is higher), and fines can be doubled for repeat offenders within five years:

Violation                        Essential entities            Important entities             Public entities
Serious violation (max)          €10M or 2% global turnover    €7M or 1.4% global turnover    €125,000
Administrative violation (max)   0.1% global turnover          0.07% global turnover          €50,000
Registration failures            €50,000 to €10M               €50,000 to €7M                 €25,000 to €125,000

Beyond financial penalties, ACN has the authority to:

  • Issue binding remediation orders with specific deadlines
  • Conduct surprise audits (both on-site and remote digital audits)
  • Require appointment of a compliance monitor at the entity’s expense
  • Temporarily suspend management functions in severe cases
  • Publicly name non-compliant entities

Sector-Specific Requirements

Italy’s sectoral authorities have begun issuing supplementary compliance requirements that go beyond ACN’s baseline:

Sector                   Authority               Key additional requirements
Banking/Finance          Banca d'Italia          Enhanced stress testing, specific incident classification, quarterly compliance attestations
Health                   Ministero della Salute  Medical device coordination, patient data controls beyond GDPR, regional health authority integration
Energy                   ARERA                   Grid resilience testing, specific disaster recovery expectations, physical-cyber convergence
Public Administration    Digitale PA             Data residency proof within Italy/EU, mandatory staff training hours, dedicated security officer role
Digital Infrastructure   AGCOM                   Separate disaster recovery expectations, network redundancy requirements, supply chain audit mandates

Organizations operating across multiple sectors must satisfy all applicable sectoral requirements simultaneously. This creates a particularly complex compliance landscape for Italian conglomerates and multi-sector operators.

Practical Compliance Steps for Italian Entities

If your organization operates in Italy and falls under NIS2 jurisdiction, here is the action plan:

Immediate Actions (Before Q2 2026)

  1. Complete ACN registration if not already done — late registration is logged and can trigger enforcement attention
  2. Designate a CSIRT contact person — this is a named individual responsible for receiving and acting on incident communications
  3. Conduct a gap analysis against the 10 Article 21 security requirements — use our NIS2 compliance checklist as a starting point
  4. Map your supply chain dependencies — identify all third-party ICT providers and assess their security posture

Medium-Term Actions (Q2-Q3 2026)

  1. Implement basic security measures as defined by ACN — risk analysis framework, incident handling procedures, business continuity plan
  2. Establish dual-reporting procedures — build templates for both CSIRT Italia (NIS2) and Garante (GDPR) incident notifications
  3. Conduct board training — management must understand their personal liability and document their oversight activities
  4. Prepare for comprehensive measures — when ACN publishes enhanced requirements in April 2026, essential entities will have until October 2026 to comply

Ongoing Requirements

  1. Maintain continuous audit readiness — ACN conducts surprise audits; compliance must be demonstrable at all times, not just at deadline
  2. Update sectoral evidence — track and log all interactions with sectoral authorities, divergence from baseline requirements, and internal decision rationale
  3. Test incident response procedures — regular drills against the 24/72/30 timeline, with documented results

What This Means for Cyber Insurance

Italy’s aggressive NIS2 enforcement creates both risk and opportunity for the cyber insurance market:

For underwriters assessing Italian risks:

  • Verify the insured has completed ACN registration and can demonstrate compliance progress
  • Check whether the insured operates in sectors with supplementary requirements
  • Assess the insured’s dual-reporting capability (NIS2 + GDPR)
  • Factor in the doubled-penalty provision for repeat offenders
  • Evaluate management body awareness of personal liability provisions

For brokers placing Italian risks:

  • Use our NIS2 underwriting questions to assess client preparedness
  • Italy’s expanded scope means many clients may be in scope without realizing it — help them self-assess
  • The October 2026 compliance deadline is a natural touchpoint for policy renewal discussions

For Italian entities seeking coverage:

  • Demonstrating proactive NIS2 compliance progress can improve insurability and pricing
  • Cyber insurance policies should cover both NIS2 regulatory penalties and GDPR fines where applicable
  • Supply chain security requirements may necessitate coverage extensions for third-party failures

Key Takeaways

Italy is not taking a soft approach to NIS2 enforcement. ACN has built a compliance architecture that exceeds the EU baseline in several respects — expanded scope, dual-authority supervision, surprise audits, and maximum penalty levels. The October 2026 deadline for full technical compliance is approaching, and organizations that have not yet begun the process face significant enforcement risk.

The three things every Italian entity must do now:

  1. Register with ACN if not already done — this is non-negotiable and late registration creates audit risk
  2. Establish incident reporting procedures — the 24/72/30 timeline is already active and applies to all in-scope entities
  3. Brief management on personal liability — board members face individual sanctions under Article 23 of Decreto 138/2024

For a structured approach to your NIS2 compliance journey, download our free NIS2 compliance checklist PDF or use our NIS2 Compliance Checker to determine your organization’s status.
