
Giancarlo Di Lieto : 30 October 2025 07:21
The NIS 2 Decree (Legislative Decree 138/2024), effective October 16, 2024, implements the principles of the European NIS2 Directive, laying the foundation for a more complex operational model of collaboration between stakeholders and the competent authority regarding cyber incident management. This management is essentially more rigorous, structured, and binding, with extended notification obligations and specific deadlines for businesses and public administrations.
In fact, to fulfill the obligations set forth in Articles 23, 24, and 25 of the decree, NIS entities are required to adopt security measures and notify CSIRT Italia – the unit established within the ACN to monitor and respond to cyber security incidents in Italy – of the most significant incidents, as established by ACN resolution 164179 of 14 April 2025 and related annexes.
In this context, Article 25 is of great importance, as it provides not only for more stringent obligations regarding the notification of incidents to the competent authority, but also for a structured multi-stage reporting process.
All public and private entities falling within the scope of the Decree are required to register on the ACN’s dedicated digital platform, indicating a Point of Contact and providing essential information, including IP addresses, domains, and governing bodies. This requirement will be renewed annually to ensure this information is updated.
Starting from January 2026, important entities will have to notify CSIRT Italia of the significant incidents listed in Annex 3 of the ACN determination, while essential entities will have to notify those indicated in Annex 4.
In this regard, the obligation of a CSIRT Contact Person (ACN determination 250916) has recently been added to the Contact Point. This person must be designated by December 31st, with the specific task of liaising with CSIRT Italy for incident notification, and must have the necessary skills to fulfill this role.
But reporting incidents also means developing technologies and processes that enable timely incident detection and proper management of all the typical incident handling phases, in compliance with the regulations themselves.
Therefore, by the end of this year, entities must already fulfill a series of obligations specifically related to incident management, even before completing all the other requirements set forth in the Decree, the deadline for which has been set for October 2026.
All organizations included among the subjects identified by the Decree are required to:
Pursuant to Article 25 of the Decree, essential and important entities are required to notify CSIRT Italy of any incident that significantly impacts the provision of their services. The notifications must contain all the information necessary for CSIRT Italy to assess the incident’s potential impact, both domestically and cross-border.
This communication does not add to the responsibilities of the party making it beyond those already associated with the event itself. It is nonetheless a form of self-report to the competent authority and must therefore be prepared with all necessary care, involving both technical functions (internal or external) for in-depth analysis and management and legal bodies to assess the impacts accurately.
Furthermore, to be considered “significant,” an incident must cause or potentially cause serious operational disruption or financial loss, or have significant repercussions, with significant material or non-material damage to natural or legal persons. Thus, the definition extends beyond the purely technical dimension to include the economic and social consequences of the event.
It should be noted that the definition of “significant incident” provided by ACN in the aforementioned annexes differs from that of the NIS2 Implementing Regulation 2690/2024 issued by the EC. Although this regulation applies only to entities providing digital services, it still provides valuable guidance for understanding this definition (see Articles 3-14) and, more generally, represents a very sound security framework that covers all the measures required by NIS2 (see the annex to the Regulation).
The decree requires all essential and important entities to submit a series of progressive communications, aimed at providing the CSIRT with a constantly updated picture of the situation:
Notification must be carried out by characterizing the incident using the ACN Cyber Taxonomy, a common lexicon intended to facilitate the sharing of information about cyber events among impacted entities and notification to the Italian CSIRT. Unfortunately, this taxonomy is adopted only in Italy, so it loses some of its effectiveness for cross-border incidents.
If the significant incident also involves a personal data breach, a further notification will be required, this time to the Italian Data Protection Authority, but with different timeframes and methods (within 72 hours).
If the entity is a banking institution falling within the scope of the DORA Regulation, a further notification to the national financial supervisory authority (Banca d’Italia) is required.
In short, the notification process can become significantly complicated, so the entity will need to adequately structure itself to meet all these requirements, making use of professionals (internal and/or external) capable of easily navigating this regulatory maze, adhering to very tight deadlines that preclude any kind of improvisation.
In fact, failure to notify or failure to comply with obligations may lead to operational limitations, especially for essential entities, and to financial sanctions far more severe than those provided for by NIS1, with maximum fines of up to €10 million (or 2% of annual turnover) for essential entities and €7 million (or 1.4% of annual turnover) for important entities.
Another new development concerns the minimum fines, which are proportional to the maximum (1/20 or 1/30), meaning there will be much less discretion over the minimum fine imposed. For public entities, the fines are lower (from €25,000 to €125,000), but they can also be personal, involving the administrators and managers in charge, for example, for gross negligence in cybersecurity governance or for failing to comply with ACN’s warnings.
NIS2 strengthens the Authority’s oversight role in cyber incidents, and CSIRT Italy plays a key role in this context, receiving notifications and providing technical support to relevant stakeholders.
CSIRT Italy is the ACN body responsible for preventive monitoring and response to cyber incidents and is part of the global CERT community (FIRST). It began operating in 2020, assuming the tasks previously performed by the National CERT and the CERT-PA.
Within the NIS2 framework, the CSIRT will have to take on various tasks, both reactive (monitoring and analysis, operational support in response, forensic analysis, awareness, etc.) and proactive (issuing bulletins, alerts, early warnings, periodic scans, etc.).
Within 24 hours of the pre-notification, the CSIRT must provide initial feedback, including any mitigation suggestions, and can offer further assistance upon request. In the event of criminal incidents, the CSIRT directs the entity to the relevant authorities, ensuring coordination between the technical and investigative response.
Subject to the CSIRT’s favorable opinion, entities must inform their users without undue delay when the incident may have a significant impact on the provision of services, communicating the mitigation measures taken in the presence of significant threats.
Finally, the CSIRT may publicly share significant incidents to prevent further attacks or protect the public interest, possibly extending such communication to other Member States.
It is clear, therefore, that the CSIRT’s tasks are truly onerous, and it will need to be further strengthened, given the high number of entities already within its scope (over 25,000, compared to fewer than 500 under NIS1), to be even more efficient starting next January, when all NIS2 entities will be required to report significant incidents.
The new incident reporting procedure described above introduces a structured and formal model that significantly changes the way businesses and public administrations will have to manage cybersecurity incidents.
While for the more mature and well-organized organizations, this mostly means adapting and improving existing processes, for many others (e.g., SMEs) it will mean starting entirely new technological and organizational adaptation projects that will take several months, if not years, to complete.
Leaving things to the last minute benefits no one and leads to unsatisfactory results, as the experience of GDPR compliance has shown: too often, it has turned out to be a mere bureaucratic formality, rather than bringing about a substantial improvement in the protection of personal data.
NIS2, however, also from the point of view of incident management, must be seen as a fundamental opportunity for all the subjects involved:
This more disciplined approach is crucial because it allows for rapid detection and containment of incidents, prevention of chain reactions, improvement of internal governance and compliance, and ensuring cooperation and visibility at national and European levels, effectively strengthening the resilience of critical systems and services.
The entry into force of the NIS2 Decree marks a turning point in cyber incident management, requiring a more rigorous, structured, and coordinated approach. This is not simply a regulatory adjustment, but a cultural shift that requires organizations to rethink their security processes, moving from a reactive approach to a proactive and integrated strategy.
Businesses and public administrations must view these obligations as an opportunity to strengthen their resilience by investing in technologies, skills, and governance. Timely incident detection and reporting, combined with collaboration with CSIRT Italy, is key to reducing risks, preventing systemic impacts, and ensuring business continuity.
In a context where cyber threats are increasingly sophisticated and pervasive, NIS2 compliance is not merely a regulatory matter, but a strategic factor in protecting the trust of customers, partners, and citizens. Acting today means not only avoiding sanctions, but also building a more secure and resilient digital ecosystem, benefiting the entire country.
Giancarlo Di Lieto