Transposed & Enforced

NIS2 in Italy

Everything you need to know about the NIS2 directive in Italy: transposition law, competent authority, fines, deadlines, and how Reglyze helps SMEs become compliant.

Italy transposed NIS2 early and in detail. Decreto Legislativo 138/2024 entered into force on 16 October 2024 and is one of the most granular transpositions in Europe, with sector-by-sector obligations. Obligations are staged rather than tied to a single date: ACN consolidated the list of NIS subjects in April 2025, after which base incident-notification duties apply within about nine months and base security measures within about eighteen months (around October 2026), scaled per entity. The Agenzia per la Cybersicurezza Nazionale (ACN) is both the competent authority and the operator of the national CSIRT (CSIRT-Italia).

Key facts at a glance

Transposition Law

Decreto Legislativo 4 settembre 2024, n. 138

Adopted / in force: 2024-10-16

Competent Authority

Agenzia per la Cybersicurezza Nazionale (ACN)

https://www.acn.gov.it

Fines — Essential

Up to EUR 10 million or 2% of global annual turnover

Fines — Important

Up to EUR 7 million or 1.4% of global annual turnover

These ceilings come from the directive — see how NIS2 fines are calculated, recent enforcement cases and director personal liability.

How Misure ACN maps to NIS2

Each control of Misure ACN — the national framework for NIS2 — shown against the NIS2 controls it covers. This is the authority's own correspondence, not a generic article list: where a control has no direct NIS2 control nexus, we say so.

| Control (Misure ACN) | NIS2 control(s) | ISO 27001 correspondence | Status |
|---|---|---|---|
| Specifiche di base per l'adempimento agli obblighi di cui agli articoli 23, 24, 25, 29 e 32 del decreto NIS (det-379907-2025) | Art. 20(1), Art. 20(2), Art. 21(2)(a), Art. 21(2)(b), Art. 21(2)(c), Art. 21(2)(d), Art. 21(2)(e), Art. 21(2)(f), Art. 21(2)(g), Art. 21(2)(h), Art. 21(2)(i), Art. 21(2)(j) | | Covered |
| Termini per i soggetti 2026 in relazione agli obblighi di cui agli articoli 23, 24, 25, 29 e 32 del decreto NIS (det-127434-2026) | Art. 21(2)(a), Art. 21(2)(b), Art. 21(2)(c), Art. 21(2)(d), Art. 21(2)(e), Art. 21(2)(f), Art. 21(2)(g), Art. 21(2)(h), Art. 21(2)(i), Art. 21(2)(j) | | Partial coverage |
| Piattaforma, Punto di contatto e sostituto, aggiornamento delle informazioni e rappresentante NIS di cui all'articolo 7 del decreto NIS (det-127437-2026) | No direct NIS2 mapping | | |
| Categorie di rilevanza e processo per l'elencazione, caratterizzazione e categorizzazione delle attività e dei servizi (det-155238-2026) | Art. 21(2)(a) | | Indicative |
| Composizione del Tavolo per l'attuazione della disciplina NIS (det-112335-2026) | No direct NIS2 mapping | | |
| Organizzazione e funzionamento del Tavolo per l'attuazione della disciplina NIS (det-276206-2025) | No direct NIS2 mapping | | |
| Notifica degli accordi di condivisione delle informazioni sulla sicurezza informatica di cui all'articolo 17 del decreto NIS (det-136118-2025) | No direct NIS2 mapping | | |

Mapping derived from the authority's published Misure ACN framework. Reglyze maintains it as the source data evolves — see the platform for the full control-by-control view.

Priority sectors for NIS2 in Italy

NIS2 covers 18 sectors across Annex I (essential) and Annex II (important). These are the sectors where Italy's transposition and ACN supervision focus most.

Public administration and local government

Italy applies a broad public-administration scope. Regional bodies and municipalities (comuni) running citizen-facing services are frequently classified as soggetti essenziali or importanti, with a designated referente per la sicurezza who is personally accountable.

Manufacturing and Made-in-Italy supply chains

Italy's industrial base — automotive, machinery, food and pharmaceutical producers — falls under Annex II as soggetti importanti once above the size threshold, and is increasingly pulled in indirectly through supply-chain due-diligence demands from larger customers.

Digital and telecom infrastructure

Cloud providers, data centres, telecom operators and ICT service managers are covered, often regardless of size for the special-category services (DNS, TLD, cloud, data centres).

Key deadlines

2024-10-16

D.Lgs 138/2024 entered into force. Registration period opened.

2025-02-28

Close of the first ACN registration window (opened 1 December 2024) — in-scope entities register on the ACN portal.

2025-04

ACN consolidates the list of NIS subjects; the per-entity obligation clocks start from this point.

~2026-01

Base incident-notification obligations apply — about nine months after the April 2025 consolidation.

~2026-10

Base security measures must be operational — about eighteen months after the April 2025 consolidation. There is no single national 'full enforcement' date; the timeline is staged per entity.

Is your company in scope? Common scenarios in Italy

Two worked examples of how NIS2 scoping plays out in Italy. Not sure where you land? Run the free NIS2 scope checker.

A 200-employee food-processing company exporting across the EU
In scope — Soggetto importante

Food production sits in Annex II and the company is above the 50-employee threshold. It registers on the ACN portal and must bring its Article 21 measures and incident processes online on ACN's staged timeline — base security measures roughly eighteen months after the April 2025 list consolidation (around October 2026).

A regional comune running citizen e-services
In scope — Soggetto essenziale or importante

Public administration is a covered sector. The comune must designate a referente per la sicurezza and meet ACN's obligations, including reporting significant incidents to CSIRT-Italia within the 24h / 72h / 1-month windows.

What businesses in Italy need to know

  • Italy's transposition (D.Lgs 138/2024) is one of the most detailed in Europe, with specific sector-by-sector obligations.

  • The ACN is both the competent authority and the CSIRT — a unified model.

  • Obligations are staged from the April 2025 consolidation of the NIS subjects list — base incident-notification duties roughly nine months later and base security measures roughly eighteen months later (around October 2026), per entity. There is no single national 'full enforcement' date.

  • Organizations must designate a security liaison (referente della sicurezza) who is personally accountable.

  • Incidents must be reported to ACN within 24 hours (early warning) and 72 hours (notification).

How ACN enforces NIS2 in Italy

Notifications under Article 23 are filed to CSIRT-Italia (operated by ACN), not directly to ACN — the same 24-hour early-warning, 72-hour notification and one-month final-report clock applies. ACN publishes indicative significance thresholds (for example more than 25% of users affected, or more than 4 hours of downtime on a critical service); benchmark your incident-classification logic against those published soglie di significatività rather than waiting for after-the-fact guidance. Italy explicitly authorises individual administrative fines on members of the management body (Capo VI), so director accountability is not theoretical.

NIS2 in Italy: frequently asked questions

What is Italy's NIS2 decree (D.Lgs 138/2024)?
Decreto Legislativo 4 settembre 2024, n. 138 is Italy's NIS2 transposition, in force since 16 October 2024. It is one of Europe's most detailed transpositions, with specific sector-by-sector obligations applied on a staged timeline rather than a single switch-on date (see the enforcement question below).
Who are soggetti essenziali and soggetti importanti?
Italian law preserves the directive's two-tier scoping with Italian terminology used in all official communications and audit findings. Soggetti essenziali (essential entities) are large organisations in Annex I high-criticality sectors; soggetti importanti (important entities) are medium organisations in Annex I plus organisations in Annex II sectors.
When do NIS2 obligations start to apply in Italy?
There is no single national switch-on date. ACN sequences obligations from the consolidation of the NIS subjects list in April 2025: base incident-notification duties apply about nine months later and base security measures about eighteen months later (around October 2026), scaled per entity. The first registration window on the ACN portal ran from 1 December 2024 to 28 February 2025. The figure '18 April 2026' that circulates is one reading of the decree's 18-month clock counted from its 16 October 2024 entry into force, but ACN's published obligations run the clock from the April 2025 consolidation.
What are the NIS2 sanctions (sanzioni) in Italy?
Up to EUR 10 million or 2% of global annual turnover for soggetti essenziali, and EUR 7 million or 1.4% for soggetti importanti. ACN can additionally impose individual administrative fines on members of the management body.

Official sources

Primary references for NIS2 in Italy — verify the latest text and deadlines directly with the authority.
