Skip to main content
ImplementedNIS2

NIS2 in Italy

Italy transposed NIS2 via Legge 90/2024, with ACN (Agenzia per la Cybersicurezza Nazionale) as the central authority. Enforcement is phased through 2026.

Transposition law
Legge 28 giugno 2024, n. 90: Disposizioni in materia di rafforzamento della cybersicurezza nazionale
In force
28 June 2024
Competent authority
Agenzia per la Cybersicurezza Nazionale (ACN)
Max fine (Essential)
€10 million or 2% of global annual turnover
Max fine (Important)
€7 million or 1.4% of global annual turnover
Full enforcement
January 2025

Key Deadlines

Law in force
28 June 2024
Registration phase 1 (ACN-identified)
1 January 2025
Security measures compliance
1 January 2026

Competent Authority

Agenzia per la Cybersicurezza Nazionale (ACN)
Primary NIS2 competent authority and national CSIRT
https://www.acn.gov.it

ACN operates a phased registration programme. Entities first identified by ACN must register; subsequent waves open self-registration. Italy has a dedicated NIS2 registry portal and a sector-based regulatory framework.

Registration Process

Registration via the ACN Piattaforma NIS2 at nis2.acn.gov.it. You will need your VAT number (Partita IVA/Codice Fiscale), ATECO sector code, and contact details for the NIS2 point of contact and security officer.

📊 Quick Test

Find out if your company is in scope

Does your organisation fall under Annex I (Essential) or Annex II (Important) entities?

Check NIS2 Scope →

Key Requirements

  • 1Registration on the ACN NIS2 portal (Piattaforma NIS2)
  • 224-hour early warning and 72-hour full notification for significant incidents
  • 3Minimum security measures defined in ACN guidelines (MISURE MINIME)
  • 4Annual cybersecurity risk assessment
  • 5Supply chain security management
  • 6Board-level accountability for cybersecurity
  • 7Use of qualified/certified products where required by ACN

National Additions

Italy mandated that public administrations and essential services purchase only ACN-qualified ICT products and services for critical functions
Italy introduced specific cybersecurity requirements for the public administration sector beyond standard NIS2 Article 21 measures
ACN publishes a national list of 'essential services' entities required to comply, entities not on the list may still self-declare

FAQ: NIS2 in Italy

What are Italy's MISURE MINIME?
The MISURE MINIME are Italy's minimum cybersecurity measures defined by ACN based on Article 21 NIS2. They are categorised by entity tier (Essential/Important) and include specific technical requirements for access control, encryption, incident response, and patch management.
Is Italy's NIS2 enforcement phased?
Yes. ACN is taking a phased approach: Phase 1 (2025) covers registration and baseline security measures; Phase 2 (2026) requires full Article 21 compliance including advanced supply chain and cryptographic controls.

Ready to assess your NIS2 compliance?

Use our free tools to check your NIS2 scope and run a gap assessment.

🎯 Scope Checker📊 Gap Assessment