Italy
(a) What is the NIS2 implementation status?
Italian Legislative Decree 138/2024, which implements the NIS2 Directive in Italy, was published in the Italian Official Journal on 1 October 2024 (available in Italian only: Gazzetta Ufficiale) and entered into force on 16 October 2024 (hereinafter the “Italian NIS2 Decree”).
Requirements will become applicable progressively, and further implementing acts under this Italian law are needed and expected in the coming months. It is crucial for in-scope entities to monitor future implementations. In this respect, please find attached a table with relevant deadlines.
On 11 February 2025, Decree of the Prime Minister 221/2024 came into force, establishing the criteria for the application of the so-called “safeguard clause” set out in Article 3 of Decree 138/2024. The “safeguard clause” allows in-scope entities to derogate from Art. 6, para. 2 of EU Recommendation 2003/361/CE under specific conditions, thus potentially affecting their dimensional requirements and subsequent qualification.
By 28 February 2025, entities that consider themselves within the scope of the Italian NIS2 Decree must complete registration on the digital platform made available by the Italian National Cybersecurity Agency (“ACN”), providing the required information.
Entities listed in Art. 42 of the Italian NIS2 Decree (i.e., some specific ICT providers) should have already completed the registration by 17 January 2025.
(b) What is the envisaged NIS2 implementation timeline?
Legislative Decree 138/2024 is applicable as of 16 October 2024.
Decree of the Prime Minister 221/2024, establishing the criteria for the application of the “safeguard clause”, is applicable as of 11 February 2025.
Further implementing acts of the Italian NIS2 Decree are expected in the near future.
(c) What does the NIS2 mean for other national cybersecurity legislation?
It implies amendment of, and coordination with, the current legislation, and abrogation of other provisions (the Italian Decree implementing the NIS1 Directive). The text of the legislative decree contains specific provisions on this, including some provisions for an interim phase.
(d) Who will be the supervisory authority and how are they preparing the market?
“Agenzia per la Cybersicurezza Nazionale” (the National Cybersecurity Agency or “ACN”) is the relevant NIS2 authority.
ACN's current competencies include the regulatory and implementation activity for NIS2: Autorità e sanzioni – Agenzia per la cybersicurezza nazionale (acn.gov.it). ACN has published FAQs on its NIS2 webpage, which are frequently updated to clarify interpretative doubts about the application of the Italian NIS2 Decree. Other Italian public authorities will be the relevant sectoral authorities with which ACN will liaise.
The ACN has established a digital platform on which in-scope entities must register (with specific deadlines) and has issued a relevant determination. This platform is central to NIS2 compliance in Italy.
This registration must be completed online by an individual designated by the NIS2 in-scope entity as its point of contact for liaising with ACN. The designated individual’s details must be communicated to ACN via the digital platform, which is accessible using the Italian Public Digital Identity System (SPID) or alternative credentials.
Registration will now be an annual requirement, to be completed every year between 1 January and 28 February. However, due to the initial implementation of NIS2, ACN has exceptionally opened registrations earlier in 2024: they have been made possible from 1 December 2024 until 28 February 2025. For certain entities, such as specific ICT providers, the registration deadline, due on 17 January 2025, has expired.
Entities within the scope of NIS2 are required to submit accurate and complete data, including information about sectoral activities, group affiliations, and financial details. They must also update their information on the digital platform as needed, validate all submitted data to ensure compliance, and promptly address any discrepancies identified during ACN's routine checks. ACN has announced that it will conduct random checks following the registration period.
By 31 March 2025, the ACN will prepare the list of subjects falling within the scope of the Italian NIS2 Decree and will notify the registered entities of their inclusion or exclusion from the list by 15 April 2025.
Failure to register may result in regulatory action, including administrative fines under the Italian NIS2 Decree.
(e) What should you be doing/on the lookout for?
Monitor legal developments, and assess whether you fall within the scope of Legislative Decree 138/2024 and whether you can ask for the application of the “safeguard clause”.
If you believe you are in scope, you must complete registration on the ACN digital platform by 28 February 2025. In addition, you should start to strengthen your security measures and implement or review your policies for analysing risks, assessing providers and responding to incidents.
Contact
Massimo Maioletti E: massimomaioletti@eversheds-sutherland.it
Edoardo Coia E: edoardocoia@eversheds-sutherland.it