02

Immagine creata con IAAI-generated image

NIS 2 put to the test: notifications, categorisation and security measures in the 2026 roll-out

2026 marks the shift of the Italian transposition of the NIS 2 Directive from the declaratory phase to the implementation phase: the duty to notify significant incidents to CSIRT Italia, the first window for the categorisation of activities and services, and the deadline for adopting baseline security measures. How to find one’s way among ACN determinations, technical annexes and deadlines that do not always match those reported in the press? Let us bring some clarity.

In our previous contributions we dealt with the maze of EU cybersecurity rules and with the difficulties of implementing Directive (EU) 2022/2555 (“NIS 2”), on “measures for a high common level of cybersecurity across the Union”. This seems the right place to update that picture, given that Legislative Decree No. 138 of 4 September 2024 (the “NIS Decree”), in force since 16 October 2024, has now entered its most delicate phase: that of compliance. As the National Cybersecurity Agency (ACN) has stated, with the definition of the obligations on security measures and notification “the second phase” of implementation has begun, affecting a pool of over 20,000 organisations, of which more than 5,000 are essential entities.

The regulatory framework: from Determination 164179/2025 to Determination 379907/2025

The key operational instrument is now the Determination of the ACN Director-General No. 379907 of 19 December 2025, which — as expressly provided by its Article 9 — “updates and replaces ACN determination No. 164179 of 14 April 2025” and “applies from 15 January 2026”. The determination is structured into four annexes: Annex 1 sets out the baseline security measures for important entities (37 measures and 87 requirements), Annex 2 those for essential entities (43 measures and 116 requirements), while Annexes 3 and 4 identify the baseline significant-incident scenarios for important and essential entities respectively.

The duty to notify significant incidents

As to notifications, Article 3(2) of Determination 379907/2025 provides that “the deadline for fulfilling the obligation to notify the baseline significant incidents described in Annexes 3 and 4 is set at nine months from the NIS entity’s receipt of the communication of its inclusion in the list of NIS entities”. Since inclusion communications began on 12 April 2025, for the first cohort of entities the obligation became operational in January 2026. As to procedure, the ACN’s institutional FAQs clarify that NIS entities must report significant incidents to CSIRT Italia “by transmitting an early warning without undue delay and in any case no later than 24 hours from becoming aware of it” and, “following the early warning, without undue delay and in any case no later than 72 hours”, the full incident notification. The channel is the CSIRT Italia reporting platform. There are four significant-incident scenarios, three common to all NIS entities and one further scenario reserved to essential entities.

The categorisation of activities and services: the first annual window

The novelty of 2026 is the listing-and-categorisation obligation introduced to implement Article 30 of the NIS Decree. As the institutional portal states, “Article 30(1) provides that, from 1 May to 30 June each year, essential and important entities shall communicate and update […] a list of their activities and services, including all the elements necessary to characterise them and the attribution of a relevance category”. Process, procedures and criteria were defined by ACN Determination No. 155238 of 20 April 2026, which breaks activities and services down into ten macro-areas, while “the categorisation model defines in all 4 relevance categories with increasing impact level: minimal, low, medium and high”. The first window therefore closed on 30 June 2026: anyone who has not complied should act without delay, given the relevance of the obligation for supervisory purposes. Systematic links are not lacking: Article 5 excludes from the listing services already included in the National Cybersecurity Perimeter, “as they are already labelled with the ‘high impact’ relevance category”.

The baseline security measures: the October 2026 deadline

The most demanding deadline is that of Article 3(1) of Determination 379907/2025: “the deadline for adopting the baseline security measures referred to in Annexes 1 and 2 is set at eighteen months from the NIS entity’s receipt of the communication of inclusion in the list of NIS entities”. This is crucial: the deadline is individual, running from receipt of the single inclusion communication, and does not coincide with a single date valid erga omnes. The ACN officially indicates the adoption of the measures as “expected by October 2026”; the hard date of “31 October 2026”, recurring in the specialised press as the ultimate deadline of the first wave, is a popularising simplification and not a legal datum. Each entity should compute its own deadline from its own inclusion communication. For entities listed for the first time during 2026, the ACN has outlined a gradual path: for security measures “the deadline expires on 31 July 2027”, while for incident notification “the deadline runs from 1 January 2027”.

Critical issues

First, the documentary and organisational burden is far from negligible, especially for smaller important entities: the FAQs presuppose the possession and updating of inventories, policies, procedures, registers and plans (risk management, business continuity and disaster recovery, risk treatment, vulnerability management, training, incident response). This requires structured governance, and not the mere formal drawing-up of documents. Second, overlaps and double-notification scenarios persist between customer and supplier in managed and cloud services, along with the need to coordinate NIS obligations with the further EU digital regimes, from the DORA Regulation to the Cyber Resilience Act (CRA). Finally, the information fragmentation: between decree, determinations, technical annexes and FAQs, the discipline only comes together through an integrated reading of heterogeneous sources.

Conclusions

2026 is the year in which Italian NIS 2 stops being a paper perimeter and becomes a set of verifiable organisational obligations: 24- and 72-hour notifications, annual categorisation, security measures to be adopted within the eighteenth month from the inclusion communication. The Member States, and with them the thousands of organisations involved, coming from a fragmented regulatory framework, now face a cybersecurity obligation of considerable complexity. In the light of the above, one wonders whether the deadlines set for implementing the new set-up can be met by the generality of NIS entities, and whether the required obligations will translate into an effective raising of the level of security, and not into the mere compilation of inventories, policies and registers lacking any real operational oversight.