Enacted

• Italy has implemented the NIS2 Directive through the adoption of Legislative Decree No. 138/2024 (the “Decree”), which was published in the Italian Official Gazette on 1 October 2024.
• The Italian competent authority (i.e., the Agenzia per la Cybesicurezza Nazionale, "ACN") publishes and periodically updates on its website its FAQs aimed at supporting companies in this preliminary phase of implementation while also clarifying the main issues related to the implementation of the Decree.
• On 26 November 2024, the Director General of the ACN issued a decision, effective from 1 December 2024, establishing the operating rules for the use of the ACN digital portal through which the entities falling within the scope of application of the provisions of the Decree must fulfill the registration obligations and other obligations described therein.
• On 10 February 2025, the decree of secondary legislation (i.e., Decreto del Presidente del Consiglio dei Ministri) No. 221/2024 was published in the Italian Official Gazette (i.e., the Gazzetta Ufficiale della Repubblica Italiana) regarding the so-called “Safeguard Clause”, i.e., the criteria to be taken into account in assessing the degree of independence of an entity in relation to its partner or related entity when applying Article 6(2) of the Annex to Recommendation 2003/361/EC.

• Closely modeled on the NIS2 Directive.
• The personal scope of the Decree will be affected by further secondary legislation (e.g., Decreto del Presidente del Consiglio dei Ministri) to be adopted.
• Broader scope of application, including the following: (i) public administrations identified on the basis of a criterion of gradualness, the evolution of the degree of exposure to risk of the PA, the probability of incidents occurring and their severity; and, irrespective of size(i) entities providing local public transport services, (ii) educational institutions carrying out research activities, (iii) entities carrying out activities of cultural interest, (iv) in-house companies, investee companies and publicly controlled companies.
• Although the NIS2 Directive has been applicable since 17 October 2024, the timeline for compliance obligations applicable to companies falling within its scope is broadly extended with the adoption of the Decree (e.g., companies are required to register on the platform created by the ACN by 28 February 2025; 9 months from notification of qualification as an essential or important subject (approximately around January 2026), companies will be obliged to implement reporting requirements, etc.).
• With respect to governance issues, the NIS2 Directive refers to “management bodies” while the Decree refers to “governing and management bodies“, also including companies' bodies having more operational roles and responsibilities. This has some implications, as while Italian companies may need to adopt a more structured approach (involving several levels of company bodies), the NIS2 Directive would entrust only management bodies (i.e., a relatively lean group of decision-makers) who would be able to intervene quickly in the event of a crisis.
• Failure to comply with the obligations under the Decree may result in significant penalties for operators. In particular, following the reporting of non-compliance by the ACN, administrative sanctions of up to €10,000,000 or 2% of the total annual worldwide turnover for the previous financial year of the entity, whichever is higher, may be issued by the competent authorities. In addition, the directors have personal liability and sanctions against them for non-compliance.

The NIS2 Directive became applicable within the Italian jurisdiction by means of the Decree as of October 16, 2024.