Italy
(a) What is the NIS2 implementation status?
Italian Legislative Decree 138/2024, which implements the NIS2 Directive in Italy, was published in the Italian Official Journal on 1 October 2024 (available here, Italian only: Gazzetta Ufficiale).
The Italian law implementing the NIS2 Directive has recently been published in the Italian Official Journal.
Although requirements will become applicable progressively, and further implementation acts of this Italian law are needed and expected in the following months, it is crucial for potentially in-scope subjects to assess immediately whether they fall within its application. The first requirements will have to be complied with soon. In this respect, please find attached a table with relevant deadlines.
(b) What is the envisaged NIS2 implementation timeline?
Legislative Decree 138/2024 is applicable as of 18 October 2024. However, further implementation acts are expected in the near future.
(c) What does the NIS2 mean for other national cybersecurity legislation?
It implies amendment of, and coordination with, the current legislation, and the abrogation of other provisions (the Italian Decree implementing the NIS1 Directive). The text of the legislative decree contains specific provisions on this, including some provisions for an interim phase.
(d) Who will be the supervisory authority and how are they preparing the market?
“Agenzia per la Cybersicurezza Nazionale” (the National Cybersecurity Agency or “ACN”) is confirmed as the relevant NIS2 authority. ACN's current competencies include the regulatory and implementation activity for NIS2: Autorità e sanzioni - Agenzia per la cybersicurezza nazionale (acn.gov.it).
Other Italian public authorities will be the relevant sectoral authorities with which ACN will liaise. The issuance of further implementation acts of Legislative Decree 138/2024 is awaited, and a new platform for registering as an in-scope subject (with specific deadlines) will be established at ACN, which will play a major role in the Italian NIS2 framework.
ACN has presented the digital platform through which NIS2 in-scope entities will have to register with ACN. This platform will be central to NIS2 compliance in Italy.
This registration must be completed online by an individual designated by the NIS2 in-scope entity as its point of contact for liaising with ACN. The designated individual’s details must be communicated to ACN via the digital platform, which is accessible using the Italian Public Digital Identity System (SPID) or alternative credentials.
Registration will now be an annual requirement, to be completed every year between 1 January and 28 February. However, due to the initial implementation of NIS2, ACN has exceptionally opened registrations earlier this year: they will be possible from 1 December 2024 until 28 February 2025. For certain entities, such as specific ICT providers, the registration deadline is 17 January 2025.
Entities within the scope of NIS2 are required to submit accurate and complete data, including information about sectoral activities, group affiliations, and financial details. They must also update their information on the digital platform as needed, validate all submitted data to ensure compliance, and promptly address any discrepancies identified during ACN's routine checks. ACN has announced that it will conduct random checks following the registration period.
Non-EU entities providing services in Italy or the EU and required to appoint a representative in Italy must notify ACN of this representative no later than 1 January 2025.
ACN has issued a determination regarding registration (though no templates or practical guidance have been released yet) and has updated its NIS2 FAQs on its website.
Failure to register may result in regulatory action, including administrative fines under the Italian NIS2 Decree.
(e) What should you be doing/on the lookout for?
Organisations should monitor legal developments and assess whether or not they fall within the scope of Legislative Decree 138/2024. In addition, they should start to strengthen their security measures and implement or review their policies for analysing risks, assessing providers and responding to incidents.
Contact
Massimo Maioletti E: massimomaioletti@eversheds-sutherland.it
Edoardo Coia E: edoardocoia@eversheds-sutherland.it
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.