Italy


(a) What is the NIS2 implementation status?

Italy transposed NIS2 via Legislative Decree No. 138 of 4 September 2024, which entered into force on 16 October 2024. The decree replaces the previous NIS framework and introduces a broader, more stringent regime aligned with NIS2, including expanded sectoral scope, clearer classification of essential and important entities, strengthened governance and management accountability, and structured incident‑reporting obligations. Implementation follows a phased approach, with further measures issued by the National Cybersecurity Agency (ACN), including the Prime Minister’s Decree of February 2025 on the “safeguard clause” and ACN resolutions detailing technical, organisational, and reporting requirements. In‑scope entities must register with the ACN via the national digital platform, generally by 28 February 2025, with ongoing annual update obligations. While EU standards and the Commission’s implementing regulations are referenced, compliance with them alone is not sufficient, as the Italian regime imposes additional national registration, governance, and supervisory requirements, with full operational compliance timelines extending into 2026.

(b) What is the envisaged NIS2 implementation timeline?

Registration under the Italian NIS2 framework is open via the official portal of the National Cybersecurity Agency (ACN), available at https://portale.acn.gov.it/login.

Entities are required to complete their registration on the ACN portal between 1 January and 28 February of each year following the entry into force of the relevant legislative decree. The first registration deadline for entities in scope was 28 February 2025.

(c) What does the NIS2 mean for other national cybersecurity legislation?

NIS2 implies amendment of, and coordination with, the current legislation, and the repeal of other provisions (the Italian decree implementing the NIS1 Directive). The text of the legislative decree contains specific provisions on this, including some provisions for an interim phase. However, this interim phase has come to an end with the publication of the Resolution on 15 April 2025.

(d) Who will be the supervisory authority and how are they preparing the market?

“Agenzia per la Cybersicurezza Nazionale” (the National Cybersecurity Agency or “ACN”) is the relevant NIS2 authority.

ACN's current competencies include the regulatory and implementation activity for NIS2: Autorità e sanzioni – Agenzia per la cybersicurezza nazionale (acn.gov.it). ACN has published FAQs on its NIS2 webpage, which are frequently updated to clarify interpretative doubts about the application of the Italian NIS2 Decree. Other Italian public authorities will be the relevant sectoral authorities with which ACN will liaise.

The ACN has established a digital platform on which in-scope entities must register (with specific deadlines) and has issued a relevant determination. This platform is central to NIS2 compliance in Italy.

This registration must be completed online by an individual designated by the NIS2 in-scope entity as its point of contact for liaising with ACN. The designated individual’s details must be communicated to ACN via the digital platform, which is accessible using the Italian Public Digital Identity System (SPID) or alternative credentials.

Registration will now be an annual requirement, to be completed every year between 1 January and 28 February. However, because of the initial implementation of NIS2, ACN exceptionally opened registration earlier, in 2024: registration was possible from 1 December 2024 until 28 February 2025. For certain entities, such as specific ICT providers, the registration deadline of 17 January 2025 has expired.

Entities within the scope of NIS2 are required to submit accurate and complete data, including information about sectoral activities, group affiliations, and financial details. They must also update their information on the digital platform as needed, validate all submitted data to ensure compliance, and promptly address any discrepancies identified during ACN's routine checks. ACN has announced that it will conduct random checks following the registration period.

By 31 March 2025, the ACN will prepare the list of subjects falling within the scope of the Italian NIS2 Decree and will notify the registered entities of their inclusion or exclusion from the list by 15 April 2025.

Failure to register may result in regulatory action, including administrative fines under the Italian NIS2 Decree.

(e) What should you be doing/on the lookout for?

Monitor legal developments, and assess whether you fall within the scope of Legislative Decree 138/2024 and whether you can request application of the “safeguard clause”.

In addition, companies should start to strengthen security measures, implement or review policies to analyse risks, assess providers and be ready to respond accurately to incidents.

Contact

Massimo Maioletti E: massimomaioletti@eversheds-sutherland.it

Edoardo Coia E: edoardocoia@eversheds-sutherland.it


© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.
