NIS2 Country Guide

NIS2 Italy: Legislative Process, Authorities & Key Requirements

Understand how Italy has implemented the NIS2 Directive (EU) 2022/2555 through Legislative Decree No. 138/2024, which entities are classified as essential or important, how supervision is organized, and how to prepare now that the new rules apply.

Italy NIS2 Decree: Adopted and in force (Legislative Decree No. 138/2024) Coordinated by: ACN

Introduction: NIS2 Directive & the Italian context

Italy has implemented the NIS2 Directive through Legislative Decree No. 138/2024, adopted under the mandate provided by the Legge di delegazione europea 2022-2023. The new framework significantly expands Italy’s national cybersecurity perimeter and aligns domestic obligations with EU-wide standards for essential and important entities. Agenzia per la Cybersicurezza Nazionale (ACN) plays a central role in overseeing the NIS2 framework, working together with the Presidency of the Council of Ministers and the relevant sectoral ministries.

ACN (Agenzia per la Cybersicurezza Nazionale) coordinates the implementation and supervision of Italy's NIS2 framework together with the Presidency of the Council of Ministers and the relevant sectoral ministries.

Quick link: Read our overview “What is NIS2?” and “NIS vs NIS2” before exploring Italy’s implementation path.

NIS2 Directive implementation in Italy

Italy has implemented the NIS2 Directive through Legislative Decree No. 138 of 4 September 2024, adopted pursuant to Law No. 15 of 21 February 2024 (Legge di delegazione europea 2022-2023). The new decree replaces the previous national NIS framework and significantly expands Italy’s cybersecurity perimeter.

It repeals and updates, in particular:

  • Decreto Legislativo 65/2018 (NIS 1 implementation)
  • Relevant sectoral cybersecurity obligations coordinated with the Perimetro Nazionale di Sicurezza Cibernetica

Status

The national decree was adopted ahead of the EU transposition deadline of 17 October 2024 and entered into force on 16 October 2024, replacing the previous NIS framework (D.lgs. 65/2018).

Legislative basis

NIS2 was adopted under Law No. 15/2024 (European Delegation Law 2022-2023) and implemented through Legislative Decree No. 138/2024.

Scope

Italy applies the NIS2 categories of essential and important entities, with integration and coordination mechanisms vis-à-vis the National Cybersecurity Perimeter for strategically critical operators.

Area | Italian note
Current rules | The previous NIS framework, implemented through Decreto Legislativo 65/2018, has been replaced by Legislative Decree No. 138/2024 implementing NIS2.
Public sector | Italy brings a wide range of public administrations under NIS2, coordinated with AGID and ACN guidelines.
National Cybersecurity Perimeter | Operators already within the Perimetro Nazionale face strengthened obligations, with oversight by ACN and the sectoral authorities.

NIS2 Italy: what you need to know about compliance & certification

Italy follows NIS2’s structure of Essential Entities (EE) and Important Entities (IE), with additional obligations for operators within the National Cybersecurity Perimeter.

Scope criteria

  • Operate in one of the sectors in Annex I or II of NIS2 (energy, transport, health, finance, digital infrastructure, etc.).
  • Meet size thresholds (≥50 employees or ≥€10M turnover/balance sheet).
  • Established in Italy or providing NIS2-relevant services on Italian territory.
  • Possible inclusion regardless of size for high-criticality operators.

Obligations

  • Risk management and cybersecurity policy (IT/OT).
  • Incident reporting in strict timeframes.
  • Business continuity and crisis management.
  • Supply chain security and contractual controls.
  • Access control, encryption, vulnerability handling.
  • Board accountability and cybersecurity governance.

Standards & certification

Italy does not mandate compliance with a specific certification standard under NIS2, but recognised frameworks such as ISO/IEC 27001, NIST CSF and IEC 62443 (for industrial environments) are commonly used to structure and demonstrate compliance. Operators in the National Cybersecurity Perimeter are subject to enhanced technical and organisational requirements, including detailed assessments coordinated by ACN.

Competent authorities & CSIRT

Italy has a multi-layered cybersecurity governance model, with ACN at the center and sectoral authorities responsible for operators in regulated industries.

Role | Authority | Notes
National NIS2 Authority | ACN – Agenzia per la Cybersicurezza Nazionale | Coordinates NIS2 implementation, issues guidelines, and supervises high-criticality sectors.
Sector supervision | Relevant ministries & independent authorities | Transport, energy, finance, health and other sectors have dedicated sectoral supervisors.
National CSIRT | CSIRT Italia (managed by ACN) | Handles major incident coordination, early warnings, and sector alerts.
Public administration | Dipartimento per la Trasformazione Digitale & AGID (supporting) | Coordinate digital security and guidelines for public sector compliance.

National NIS2 timeline & key dates (Italy)

27 Dec 2022 — NIS2 Directive published in the Official Journal of the EU.
21 Feb 2024 — Law 15/2024 (EU delegation law) empowers Italy to adopt NIS2 legislative decrees.
4 Sept 2024 — Decreto Legislativo 4 settembre 2024, n. 138 is adopted, formally transposing NIS2 into Italian law.
16 Oct 2024 — The decree enters into force and replaces the previous NIS framework (D.lgs. 65/2018).
17 Oct 2024 — EU transposition deadline for Member States.

Sector-specific requirements (Italy)

  • Energy: alignment with ARERA and MASE (Ministero dell'Ambiente e della Sicurezza Energetica, formerly MITE) requirements for critical operators.
  • Transport: aviation, rail, maritime and road operators under sectoral regulators.
  • Digital infrastructure: data centers, CDN, cloud, IXPs, and managed service providers under NIS2 scope.
  • Finance: coordinated with Bank of Italy and CONSOB; integration with DORA.
  • Health: hospitals, labs and health service operators monitored by the Ministry of Health.

Penalties for non-compliance

Italy applies the NIS2 maximum administrative fine thresholds:

  • Essential entities: up to €10 million or 2% of total worldwide annual turnover, whichever is higher.
  • Important entities: up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher.

Competent authorities may also impose corrective measures, binding instructions, temporary suspension of activities, and mandatory remediation. Entities falling within the Perimetro Nazionale di Sicurezza Cibernetica may be subject to enhanced supervisory scrutiny in line with their criticality.

How to prepare for NIS2 in Italy

  1. Assess scope: identify Annex I/II services, size thresholds, and critical functions.
  2. Identify your supervisory authority: determine whether ACN or a sectoral regulator oversees you.
  3. Perform a gap assessment: compare current practices to NIS2 requirements.
  4. Strengthen governance: ensure management and board accountability for cybersecurity.
  5. Improve risk management: update policies, controls, and processes in line with NIS2 expectations.
  6. Review supply chain: ensure contracts include cybersecurity clauses and risk controls.
  7. Prepare for reporting: build incident detection, escalation and 24/7 reporting workflows.
  8. Document and evidence: maintain records of controls, assessments, and remediation actions.


FAQ: NIS2 in Italy

Has Italy implemented the NIS2 Directive?
Yes, Italy has implemented the NIS2 Directive through Legislative Decree No. 138 of 4 September 2024, adopted pursuant to Law No. 15/2024 (European Delegation Law 2022-2023).
Who is the main authority for NIS2 in Italy?
ACN (Agenzia per la Cybersicurezza Nazionale) coordinates NIS2 implementation and supervises critical sectors, together with sectoral ministries and regulators.
Are operators in the National Cybersecurity Perimeter covered by NIS2?
Yes. Operators already in the Perimetro Nazionale face coordinated, and in some cases stricter, obligations under NIS2.
Will Italy follow NIS2 size thresholds?
Yes. Italy applies the NIS2 size-based model (generally medium-sized and above - ≥50 employees or ≥€10 million turnover or balance sheet total), with specific provisions allowing inclusion of entities regardless of size where they are considered critical.
Are we required to get ISO 27001 certified?
Certification is not mandatory. ISO/IEC 27001 and related frameworks (NIST CSF, IEC 62443 for OT) are commonly used to structure and evidence NIS2 compliance, but NIS2 is assessed against the decree's own requirements, not against a certificate.
Information provided for general guidance; consult official Italian sources (ACN and the Gazzetta Ufficiale) for implementing measures and updates to Legislative Decree No. 138/2024.