Italy
(a) What is the NIS2 implementation status?
Italian Legislative Decree 138/2024, bringing the Italian implementation of NIS2 Directive has been published in the Italian Official Journal on 1 October 2024 (available here, Italian only: Gazzetta Ufficiale).
The Italian law implementing Directive NIS2 in Italy has recently been published in the Italian Official Journal.
Though requirements will become applicable progressively and further implementation acts of this Italian law are needed and expected in the following months, it is crucial for subjects potentially in-scope to immediately assess whether they fall within its application. The first requirements will have to be complied with soon. In such respect, please find attached a table with relevant deadlines.
(b) What is the envisaged NIS2 implementation timeline?
Legislative Decree 138/2024 is applicable as of 18 October 2024. However further implementation acts are awaited in the next future.
(c) What does the NIS2 mean for other national cybersecurity legislation?
It implies amendment of and coordination with the current legislation, and abrogation of other provisions (the Italian Decree implementing NIS1 Directive). The text of the legislative decree contains specific provisions thereon, including some provisions for an interim phase.
(d) Who will be the supervisory authority and how are they preparing the market?
“Agenzia per la Cybersicurezza Nazionale” (the National Cybersecurity Agency or “ACN”). is confirmed as the relevant NIS 2 authority. Among ACN current competencies there is the regulatory and implementation activity of the NIS 2: Autorità e sanzioni - Agenzia per la cybersicurezza nazionale (acn.gov.it).
Other Italian public authorities will be the relevant sectoral authorities with which ACN will liaise. The issuance of further implementation acts of the Legislative Decree 138/2024 is awaited, and a new platform to register as subjects in scope (with specific deadlines) will be established before the ACN, which will play a major role in the Italian NIS2 framework.
(e) What should you be doing/on the lookout for?
Monitor legal developments, and assess whether they fall or not within the scope of the Legislative Decree 138/2024. In addition, they should start to strengthen their security measures, implement/review their policies to analyse risks, to assess providers, to respond to incidents.
Contact
Massimo Maioletti E: massimomaioletti@eversheds-sutherland.it
Edoardo Coia E: edoardocoia@eversheds-sutherland.it
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.
Share this page