NIS2 Directive: Compliance Requirements Following the ACN Notification

published on 19 May 2025 | reading time approx. 4 minutes

The National Cybersecurity Agency (ACN) has officially started the implementation phase of Directive (EU) 2022/2555 ("NIS2 Directive"), transposed into Italian law with Legislative Decree 138/2024 ("NIS Decree").

Since April 15, 2025, the ACN has sent notifications to companies and entities that registered on the official ACN Portal by March 10, 2025, in some cases considering them included within the scope of the Directive and marking the start of the obligations to comply with the new cybersecurity standards. Below, we summarize the main compliance obligations for the involved parties. 

The communications sent by the Agency via certified email (PEC) serve as the official confirmation of the recipient's inclusion (or exclusion) among those required to comply with Directive NIS2, as transposed in Italy by the NIS Decree. The receipt of this communication triggers a series of compliance obligations with varying deadlines for the concerned organizations and entities. The strategy adopted by the ACN provides for a gradual implementation, aimed at progressively guiding businesses and entities towards full compliance, avoiding regulatory overload and promoting the adoption of structured and truly effective measures.

From April 15 to May 31, 2025, so-called "essential" and "important" entities that have been considered within the scope of NIS2 will be required to submit or update the information required by Article 7 of the NIS Decree, including:
  • the complete list of public IP addresses in use or available to the organization, as well as the domain names registered or otherwise available to the organization, including those that are currently inactive but still managed;
  • the list of European Union Member States where the services covered by the regulation are provided (where applicable);
  • the individuals responsible for the organization (legal representative and/or attorney with authority to represent it), specifying their role within the entity and their updated contact details, including email addresses and phone numbers;
  • a substitute for the contact point already indicated in the ACN Portal during registration, specifying their role within the organization and their updated contact details, including email addresses and phone numbers.

The ACN will provide a dedicated section within the Services Portal where entities can enter and update this information. Any changes must be communicated within 14 days.

Furthermore, ACN Determination No. 164179 of April 14, 2025, has specified additional deadlines for fulfilling the obligations set by the NIS2 regulation:
  • within 9 months of receiving the notification of inclusion in the NIS2 list (i.e., by January 2026), recipients must adopt appropriate Cybersecurity Governance, implementing suitable policies and procedures for notifying significant incidents as described in Annexes 3 and 4 of the Determination;
  • within 18 months from the same notification (i.e., by October 2026), the basic security measures outlined in Annexes 1 and 2 of the Determination must be implemented. For important entities, this essentially involves implementing 37 technical and organizational measures, broken down into 87 requirements, developed within the context of the National Framework for Cybersecurity and Data Protection. Essential entities will also need to adopt an additional 6 measures and 29 requirements, bringing the total to 43 measures and 116 requirements.

The NIS2 Directive marks an important evolution in European cybersecurity regulation. In light of the risk of significant financial penalties (up to 10 million euros or 2 per cent of global annual turnover), it is crucial for organizations to promptly implement the aforementioned obligations and the required technical-organizational measures, starting as soon as possible with the necessary assessment activities to "take a snapshot" of their current cybersecurity posture and identify any gaps compared to the requirements set by the new regulation.

Compliance not only means fulfilling a legal obligation but also represents a real opportunity to strengthen systems protection and prevent cybersecurity incidents.

author

Elisa Pecorelli

Degree in Law (Italy)

Junior Associate

+39 02 6328 841


Martina Ortillo

Attorney at law (Italy)

Associate Partner

+39 02 6328 841
