


Cybersecurity and NIS2: the latest updates in Italy

published on 23 January 2026 | reading time approx. 3 minutes


The National Cybersecurity Agency (ACN) has published the 'NIS Guidelines – definition of the cybersecurity incident management process'. Although not binding, the Guidelines complement the basic specifications set out in Determination 379907/2025 (and the additional operating rules introduced by ACN Determination No. 379887/2025 on the ACN Portal – NIS Services). 

A key point

From 15 January 2026, Determination 379907/2025 will apply and the obligations to report 'basic significant' incidents for NIS entities will become fully operational. 

Why is this relevant?

These measures mark the transition from 'formal' compliance to substantial, operational and verifiable compliance. In summary, the NIS Guidelines, published on 31 December 2025, provide for the following key elements:
  1. Structured and documented incident management process: incident management is presented as a cyclical process covering all phases (preparation; analysis; response and containment; continuous improvement and post-incident review);
  2. Roles and responsibilities: roles and responsibilities in incident management must be formally defined and traceable (e.g. through a specific Cyber Organisational Model – known as MOC – and/or a specific RACI responsibility matrix);
  3. Involvement of suppliers (cloud, partners, service providers): critical suppliers and partners must be included in the incident management process throughout the entire supply chain, particularly for suppliers operating on essential or important services;
  4. Communications and notifications: internal communication flows (towards management, legal/compliance functions, DPO, communication) and interaction with CSIRT Italia for incident notifications must be defined. In particular, the central role will be that of the CSIRT Contact Person, a key figure in incident management who acts as the operational interface with CSIRT Italia, coordinates incident management throughout the entire cycle and must be involved in post-incident review and any updating of procedures.

In addition to the above, the two new ACN Determinations of 19 December 2025 (Determination 379907/2025 and ACN Determination No. 379887/2025) complete the operational framework for essential and important NIS entities by providing specific baselines for:
  • governance and risk management, notification of significant incidents and DNS security/resilience requirements;
  • distinct baselines for important vs. essential entities (annexes dedicated to measures and incidents);
  • time triggers from notification of inclusion in the NIS list, i.e. 18 months to implement baseline measures and 9 months for the 'significant' incident notification process to become fully operational;
  • the redefinition of the registration of interested parties, now scheduled from 1 January to 28 February 2026, as well as the 10-day deadline for any changes to the declaration;
  • annual update obligations, now scheduled for 15 April to 31 May;
  • the deadlines for the designation of relevant organisational figures.

What are the consequences of non-compliance with ACN requirements within the deadlines?

It is extremely important that companies take action as soon as possible, initiate the necessary adjustment processes and finalise the remediation of these requirements no later than the mandatory deadlines indicated. The consequences of non-compliance can be very significant, including the risk of penalties of up to 7 million euros or 1.4 per cent of annual turnover, as well as personal liability for directors, with consequent penalties for the latter, including the inability to hold managerial positions within the same entity.

So what should be done in practice?

It is essential to implement a practical three-step approach:
  1. Map the technical and organisational measures implemented by the organisation;
  2. Verify the governance structure and incident management process: roles, responsibilities, procedures;
  3. Align: (i) significance criteria and notification flows to CSIRT Italia, (ii) requirements and updates on the ACN Portal (roles, technical data, contacts), (iii) supply chain management.

Tech & data bites


author


Nadia Martini

Attorney at law (Italy)

Partner

+39 02 6328 841


Martina Ortillo

Attorney at law (Italy)

Associate Partner

+39 02 6328 841


Vanessa Cunico

Degree in Law (Italy)

Junior Associate

+39 049 8046 911
