Cyber Risks: ACN Publishes New Decision on the Taxonomy of Notifiable Incidents

published on 24 February 2026 | reading time approx. 5 minutes

With its Decision of 9 February 2026, the Italian National Cybersecurity Agency (ACN) adopted the new taxonomy of incidents subject to reporting or notification pursuant to Article 1(1) of Law No. 90/2024. This Decision represents an important step within the national cybersecurity framework and forms part of a broader alignment process with Directive (EU) 2022/2555 (NIS2). It enables the entities concerned to comply with their respective legal obligations in a more coordinated and structured manner.

Scope of Application

The Decision applies to the entities identified under Article 1(1) of Law No. 90/2024, including:
  • public administrations (such as regions, provinces and metropolitan cities);
  • companies managing urban and extra-urban public transport services;
  • local health authorities;
  • in-house companies of the above entities providing IT services, transport services, wastewater collection, treatment or disposal services, or waste management services.

These entities are required to report to the Italian CSIRT any significant incident affecting their networks, information systems and IT services, in accordance with the procedures and timelines established by the applicable legislation.

Many of the entities operating in the above sectors — particularly public transport, healthcare, wastewater management, waste management and public administration — also fall within the scope of Legislative Decree No. 138 of 4 September 2024 (implementing the NIS2 Directive) as “essential” or “important” entities.

As a result, there may be overlap between the obligations under Law No. 90/2024 and those arising under the NIS2 framework. The ACN Decision aims to coordinate these obligations, avoiding duplication and ensuring an integrated notification system towards CSIRT.

The Incident Taxonomy: Three Main Categories

The Decision identifies three main categories of incidents that must be reported or notified:
  1. incidents involving a loss of confidentiality towards external parties of digital data owned by, or under the control (even partial) of, the entity;
  2. incidents involving a loss of integrity, with external impact, of digital data owned by, or under the control (even partial) of, the entity;
  3. incidents involving a breach of the expected service levels (SLs) of the entity’s services and/or activities, based on the service levels established by the entity itself.

The Decision clarifies that the reporting obligation arises when the entity has “evidence” of the loss of confidentiality, integrity or breach of expected service levels.

The concept of “evidence” therefore plays a central role. The notification obligation arises when the organization has objective elements enabling it to reasonably conclude that one of the above scenarios has occurred. It is not necessary to have completed a full technical investigation or identified the exact root cause. What matters is awareness of an impact falling within one of the defined categories.

This approach is consistent with the GDPR framework on personal data breaches, where the moment the controller becomes aware of the breach triggers the deadline for notification.

While the first two categories (loss of confidentiality and loss of integrity) are familiar concepts in data protection law, their scope under the ACN taxonomy is significantly broader. The Decision refers to “digital data” in general, not only personal data. As a result, an incident may be notifiable under Law No. 90/2024 even in the absence of a personal data breach under the GDPR. This considerably expands the perimeter of assessment for notification purposes.

Particularly noteworthy is the third category, which directly links incident reporting to operational continuity and service resilience.

A breach of expected service levels presupposes that such service levels have been previously defined and documented, including at contractual level where relevant. Without clearly defined SLs, it would be difficult to determine whether a notifiable incident has occurred.

From this perspective, the taxonomy encourages organizations to reach a higher level of maturity in defining, documenting and measuring their operational performance.

Coordination with the NIS2 Framework

The Decision expressly provides for coordination between Law No. 90/2024 and Legislative Decree No. 138/2024 implementing the NIS2 Directive.

In particular, Article 1(2) establishes that, for the sake of simplification, where an entity has already submitted the early warning and notification pursuant to Article 25 of Legislative Decree No. 138/2024, the notification obligation under Article 1(1) of Law No. 90/2024 is deemed fulfilled.

This provision has significant operational relevance: entities falling within the NIS2 scope may avoid procedural duplication and comply with both regimes through a single communication flow to the CSIRT, resulting in improved efficiency and consistency in incident management.

Operational Implications and Recommended Actions

The ACN Decision marks an important development in defining cybersecurity notification obligations at national level.

In a context where digital resilience is increasingly linked to national security and the continuity of essential services, structured, documented and integrated incident management is no longer merely a regulatory requirement. It has become a core governance and accountability element and a measurable indicator of organizational maturity.

For this reason, entities falling under Law No. 90/2024 should assess and, where necessary, update their cybersecurity governance framework, with particular attention to the following aspects:
  • formally incorporating categories IS-1, IS-2 and IS-3 into internal incident management procedures, ensuring consistency between policies and response plans;
  • clearly defining and documenting expected service levels (SLs), including thresholds, indicators and measurement methodologies aligned with the organization’s operational reality;
  • ensuring the capability to promptly detect and properly classify incidents under the taxonomy, with specific focus on identifying the moment when “evidence” arises;
  • ensuring the timely activation of early warning and notification flows towards CSIRT Italia, including through periodic simulation exercises involving IT, legal, compliance and communication functions;
  • integrating NIS2 procedures with GDPR data breach procedures, avoiding overlaps or gaps and ensuring effective coordination between the DPO, CISO and CSIRT contact point;
  • properly documenting all assessments carried out and the reasons underlying decisions regarding notification (or non-notification), in order to demonstrate accountability in the event of inspections by the competent authority.

The ability not only to notify incidents correctly, but also to demonstrate the existence of an adequate organizational system capable of preventing, detecting and managing incidents, will increasingly represent a key indicator of compliance and digital governance.

tech & data bites

author

Nadia Martini, Attorney at law (Italy), Partner

Stefano Foffani, Attorney at law (Italy), Associate