Everything you need to know about the NIS2 directive in Italia: transposition law, competent authority, fines, deadlines, and how Reglyze helps SMEs become compliant.
Decreto Legislativo 4 settembre 2024, n. 138
Adopted / in force: 2024-10-16
Agenzia per la Cybersicurezza Nazionale (ACN)
https://www.acn.gov.itUp to EUR 10 million or 2% of global annual turnover
Up to EUR 7 million or 1.4% of global annual turnover
2024-10-16
D.Lgs 138/2024 entered into force. Registration period opened.
2025-01-28
Registration deadline for most in-scope entities on ACN portal.
2026-04-18
Full enforcement: all security obligations, incident reporting, and sanctions become enforceable.
Italy's transposition (D.Lgs 138/2024) is one of the most detailed in Europe, with specific sector-by-sector obligations.
The ACN is both the competent authority and the CSIRT — a unified model.
April 18, 2026 is the critical enforcement date — full sanctions regime activates.
Organizations must designate a security liaison (referente della sicurezza) who is personally accountable.
Incidents must be reported to ACN within 24 hours (early warning) and 72 hours (notification).