NIS2 Implementation in the EU
Jurisdiction: Italy (Europe)
Firm: Chiomenti
Contributors: Marilena Hyeraci
Status of the legislative process
Enacted.

Status of the NIS2 Implementation Act
Italy has implemented the NIS2 Directive through the adoption of Legislative Decree No. 138/2024 (the “NIS2 Decree”), which was published in the Italian Official Gazette on 1 October 2024.
Although the NIS2 Decree has been in force since 16 October 2024, the compliance obligations applicable to in-scope entities are being introduced on a phased basis.
In-scope entities were required to register on the digital platform made available by the competent authority, the Agenzia per la Cybersicurezza Nazionale (“ACN”), and to designate a point of contact for communications with the ACN, as well as a CSIRT contact person for the purposes of incident notification and operational coordination with CSIRT Italia. The information provided must be kept up to date and confirmed or updated on an annual basis.
In the coming months, in-scope entities will be required to: (i) report cyber incidents to CSIRT Italia as from January 2026; (ii) implement the prescribed technical measures within 18 months of the ACN’s notification of their inclusion within the NIS2 scope (for most entities, approximately October 2026; the deadline runs from the date of the individual notification, so it may differ from entity to entity); and (iii) comply with any additional requirements issued by the ACN for the specific sector in which the relevant NIS2-regulated entity operates.

Significant deviations of the National Implementation Act from the NIS2 Directive, if any
Closely modelled on the NIS2 Directive. In addition to the provisions of the NIS2 Decree itself:
- the ACN publishes and periodically updates, on its website, FAQs intended to assist entities in implementing the Decree and to clarify key interpretative issues;
- decisions of the Director General of the ACN (determinazioni del Direttore generale dell’ACN) play a central role in the implementation of the NIS2 Decree, e.g. by setting out the security measures to be adopted, which are closely aligned with the NIST Framework;
- further guidelines concerning reporting obligations and the security measures to be implemented have been published on the ACN’s website; and
- secondary legislation supplements and further specifies the NIS2 Decree (e.g., Prime Ministerial Decree (“DPCM”) No. 221/2024 sets out the criteria for applying the “safeguard clause” under Article 3(4) of the NIS2 Decree).
The NIS2 Decree provides for a broader scope of application than the Directive, including: (i) public administrations identified on the basis of a criterion of gradualness, taking into account the evolution of their exposure to risk, the likelihood of incidents and their potential severity, irrespective of size; (ii) entities providing local public transport services; (iii) educational institutions carrying out research activities; (iv) entities performing activities of cultural interest; and (v) in-house companies, investee companies and publicly controlled companies.
As regards governance, the NIS2 Directive refers to “management bodies”, whereas the NIS2 Decree refers to “governing and management bodies”, thereby also encompassing corporate bodies with operational roles and responsibilities. This has practical implications: Italian companies may need to adopt a more articulated governance structure involving several corporate bodies, whereas the Directive appears to entrust responsibility solely to the management body, a comparatively streamlined decision-making body capable of acting promptly in the event of a crisis.
Failure to comply with the obligations under the NIS2 Decree may result in significant penalties. In particular, following a finding of non-compliance by the ACN, the competent authorities may impose administrative fines of up to EUR 10,000,000 or 2% of the entity’s total annual worldwide turnover for the previous financial year, whichever is higher. In addition, directors may be held personally liable and may themselves be subject to sanctions for non-compliance.

Date of entry into force of the Implementation Act
The NIS2 Decree, and with it the NIS2 Directive within the Italian jurisdiction, entered into force on 16 October 2024.