Red Hot Cyber, The cybersecurity news
Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Select language
Spanish Italian
Search
Banner Ancharia Mobile 1
LECS 970x120 1
NIS2 and new ACN guidelines: what changes for companies and how to prepare

NIS2 and new ACN guidelines: what changes for companies and how to prepare

Redazione RHC : 21 October 2025 07:36

The European NIS2 directive represents a turning point for cybersecurity in Italy and Europe, imposing new responsibilities on public and private organizations in managing cyber risks. To support the compliance process at all stages, the National Cybersecurity Agency ( ACN ) recently published a guide to reading the ” NIS Guidelines – Basic Specifications,” a document that clarifies the obligations for essential and important NIS entities involved and defines the timeframes and methods for adopting minimum security measures and reporting incidents.

This document provides valuable guidance for companies and public bodies in understanding how to meet the obligations set forth in Legislative Decree 138/2024, which implemented the European NIS2 Directive in Italy.

In this article, we’ll analyze in detail the two central chapters of the ACN guidelines: first, the ” Basic Security Measures,” which must be identified using a risk-based approach and therefore tailored to the context of each organization; then, we’ll review the types of requirements and required documentary evidence. Another key aspect concerns the ” Basic Significant Incidents,” with particular attention to the identified types, the evidence criteria, and the risks associated with privilege abuse. At the same time, we’ll explore the value of relying on an expert partner like ELMI to effectively and comprehensively manage NIS2 risks and compliance.

Indice dei contenuti nascondi
1. ACN NIS2 Guidelines: Basic Security Measures
2. Types of requirements
3. Documentation supporting security measures
4. The basic significant incidents
5. NIS2 Directive: Obligations and Deadlines for Companies
6. How ELMI supports organizations in NIS2 compliance
6.1. Assessment and analysis of the NIS2 perimeter
6.2. Proactive event management
6.3. Ongoing regulatory training and support

ACN NIS2 Guidelines: Basic Security Measures

The first part of the ACN guidelines document covers Basic Security Measures, with a focus on:

  • structure of security measures
  • risk-based approach according to which the measures were developed
  • types of measure requirements
  • main documentary evidence required.

NIS entities must implement security measures within 18 months (October 2026) of receiving notification of registration in the national NIS list. The security measures apply to the information and network systems used by the entities in their operations or in providing their services.

These measures, developed in accordance with the National Cybersecurity Framework , are organized into functions, categories, and subcategories, each with specific requirements. In practical terms, each measure indicates what must be implemented and what documentary evidence must be provided to demonstrate compliance.

In total, the ACN guidelines define:

  • 37 security measures and 87 requirements for important subjects;
  • 43 safety measures and 116 requirements for essential workers.

The difference reflects the greater risk exposure and critical role of essential entities; in fact, they must comply with a greater number of measures and requirements than important entities, since the legislation takes into account their greater exposure to risks and the potential social and economic impact of a potential accident.

In this context, the support of a specialized partner like ELMI allows organizations to correctly interpret ACN requirements, translate them into concrete operational plans, and prepare the necessary documentation, reducing the risk of non-compliance.

Basic security measures: risk-based approach

In defining security measures, the ACN applied the provisions of Article 31 of the NIS2 Decree: the obligations are not the same for everyone, but must be calibrated to the degree of risk exposure of information and network systems.

The more complex requirements are modulated through some clauses that guide their application:

  • may concern at least the systems and networks most relevant to the organization;
  • must be defined on the basis of the risk assessment (measure ID.RA-05);
  • they allow exceptions only in the presence of documented regulatory or technical reasons ;
  • They also apply to supplies that may have a direct impact on system security.

Types of requirements

To translate security measures into concrete actions, the ACN defines specific requirements that NIS entities must meet to achieve compliance. These requirements are divided into two main categories:

  • Organizational: These primarily concern the management, organization, documentation, and control of processes and activities, such as the adoption and approval of policies or procedures, the definition of internal processes, and the drafting of official documentation. Many of the requirements for basic security measures fall into this category, such as measure GV.RR-02 , which defines the IT security organization and its roles and responsibilities, or measure GV.PO-01 , relating to the adoption and documentation of security policies.
  • Technological: These involve the adoption of technological tools and solutions to ensure the protection of information systems. Examples include data encryption, software updates, or the use of multifactor authentication systems. Some technological requirements are related, for example, to measure DE.CM-01 , which requires intrusion detection systems and tools for analyzing and filtering incoming traffic.

This distinction allows for the combination of organizational and technological controls , ensuring that security measures are not only formally adopted, but actually effective in preventing and mitigating cyber risks.

Documentation supporting security measures

To demonstrate the effective implementation of security measures, NIS entities must prepare a series of key documents , structured according to their organization and operational context. Among the main ones are:

  • Lists: Information security organization personnel, reference configurations, and remotely accessible systems.
  • Inventories: physical equipment, services, software systems and applications, network flows, vendor services and their suppliers.
  • Plans: risk management, business continuity and disaster recovery, risk management, vulnerability management, adaptation and effectiveness assessment, cybersecurity training, incident response.
  • IT security policies: defined based on the requirements set out in Annexes 1 and 2 of Resolution 164179/2025, for important and essential entities, respectively.
  • Procedures: developed in relation to the specific requirements for which they are required.
  • Records: policy review outcomes, staff training activities, maintenance performed.

The organization can decide how to structure the documentation, for example by concentrating multiple contents in a single document or distributing them across multiple files, as long as the documents are easily accessible and consultable by those who need to verify them.

ELMI supports organizations with a document management platform that allows them to map regulatory requirements, centralize and secure documentation, track access and responsibilities, and automate approval processes. It also facilitates the controlled management of policies, plans, and risk analyses, ensuring ongoing updates and supporting staff training.

Thus, companies not only comply with NIS2 obligations, but transform compliance into a simple, secure and easily auditable process.

The basic significant incidents

The ACN guidelines also define the basic types of significant incidents , which are events that can have a significant impact on the data security or continuity of services for NIS entities. Incidents are differentiated based on the type of entity: three major incidents have been identified for important entities , while four major incidents have been identified for essential entities , with the addition of a specific event related to the abuse of granted privileges.

In detail, the main types of significant basic accidents are:

  • IS-1: loss of confidentiality of digital data owned by or under the subject’s control;
  • IS-2: Loss of data integrity, with external impact;
  • IS-3: Violation of expected service levels of the entity’s services or activities;
  • IS-4 (essential subjects only): Unauthorized access or abuse of granted privileges to digital data, even partial. Privilege abuse occurs when access is carried out in violation of the organization’s internal policies or for purposes unrelated to functional needs.

Evidence of the incident is the starting point for fulfilling notification obligations: a significant incident is considered only when the entity has objective evidence confirming that the event actually occurred. The deadlines for pre-notification (24 hours) and official notification (72 hours) to CSIRT Italy begin to run from the moment the evidence is acquired.

Evidence can be gathered through several sources, including:

  • External reports , for example communications received from CSIRT Italy;
  • Internal reports , such as support requests or malfunctions reported by users to the help desk;
  • Events detected by monitoring systems , such as security logs, alerts, or intrusion detection systems.

In practice, having evidence means being able to demonstrate with concrete data that the incident occurred, enabling a timely response and the correct management of regulatory obligations.

For many organizations, the critical element is not just incident detection, but having a constant presence capable of monitoring and blocking cyber threats in real time. With this in mind, ELMI’s Security Competence Center provides 24-hour monitoring and, thanks to advanced threat hunting and incident response tools, drastically reduces the time required to confirm an event and initiate notification in accordance with NIS2 guidelines.

NIS2 Directive: Obligations and Deadlines for Companies

Those included in the NIS entity list must meet specific deadlines, with no room for delay. NIS entities must organize their compliance proactively and promptly to ensure NIS2 compliance and reduce cyber risks.

The regulatory process includes a series of fundamental stages:

  • by January 2026, entities will have to comply with basic accident reporting obligations;
  • by April 2026, ACN will define and adopt the model for categorizing activities and services, as well as prepare long-term obligations;
  • by September 2026 , entities are required to implement basic security measures and categorize their activities and services;
  • After October 2026 , the obligation for entities to fully implement the long-term obligations will come into force.

In parallel to this calendar, the main activities to plan include:

  • Implementation of basic security measures , calibrated to the specific risk of systems and networks;
  • Preparation of key documentation , such as lists, inventories, plans, policies, procedures and records;
  • Monitoring and management of significant incidents , with a focus on evidence gathering and reporting.

To effectively address these deadlines, it’s advisable to establish clear operational plans, assign specific responsibilities, implement continuous monitoring systems, and integrate compliance with staff training. This way, organizations not only comply with regulations, but also strengthen digital resilience and reduce the impact of potential incidents.

ELMI supports NIS entities in this crucial phase, supporting them in planning compliance and preparing the required documentation. Through targeted assessments and compliance roadmaps, the company enables them to meet the deadlines set by the NIS2 directive without disrupting internal processes, while ensuring operational continuity and robust defenses.

How ELMI supports organizations in NIS2 compliance

Relying on a highly qualified partner like ELMI means following a structured path towards compliance with the NIS2 Directive , with customized, integrated, and scalable solutions designed for every phase of the compliance process. Thanks to consolidated expertise in cybersecurity and consulting, ELMI supports organizations in implementing security measures, managing incidents, and completing the documentation required by the regulation.

Assessment and analysis of the NIS2 perimeter

ELMI supports companies with a structured assessment aimed at evaluating the scope of the directive: analysis of the services provided, IT infrastructure and regulatory constraints, identification of cybersecurity roles and responsibilities, and assessment of the current level of security.

Subsequently, a gap analysis is conducted to identify areas of non-compliance and opportunities for improvement, assessing the risks, vulnerabilities, and operational impact of any incidents. Based on this, an intervention plan is developed, which includes technical and procedural countermeasures to strengthen security and ensure compliance with regulatory requirements.

Proactive event management

The Security Competence Center is ELMI’s operations center designed to address cybersecurity challenges with an integrated and proactive approach. The Security Operation Center (SOC) and the Network Operation Center (NOC) ensure the protection of critical information, regulatory compliance, continuous monitoring, and IT infrastructure resilience. Specifically:

  • The Security Operation Center (SOC) is the operations center equipped with a control room dedicated to the continuous monitoring, triage and management of security events 24/7 that may impact the company infrastructure.
  • The Network Operation Center (NOC) focuses on managing and monitoring networks to ensure their efficiency, availability, and resilience.

Together, the SOC and NOC form the operational heart for protecting critical assets and managing incidents.

Through a 24/7 service and advanced threat intelligence tools and early warning systems, ELMI ensures complete incident management, reducing time to detect and time to respond , guaranteeing constant control over critical networks, systems and applications, in line with the requirements of the NIS2 Directive.

Ongoing regulatory training and support

NIS2 compliance doesn’t end with technical and procedural implementation. ELMI supports organizations with targeted training programs focused on incident management, security governance, and the dissemination of cybersecurity culture at all levels of the company.

In parallel, ELMI offers ongoing regulatory support , with updates on new provisions and guidelines, periodic review of policies and procedures, and assistance in the technical interpretation of requirements, ensuring a sustainable and integrated approach to NIS2 compliance.

The European NIS2 Directive and the ACN guidelines establish a clear standard for managing IT risks , from basic security measures to the proper management of significant incidents . For organizations, meeting these requirements means adopting a risk-based approach, with integrated organizational and technological controls, ongoing monitoring, and documented procedures.

Relying on a partner like ELMI and its team of certified specialists allows you to turn NIS2 compliance into a true competitive advantage. Thanks to customized cybersecurity services and regulatory training and support programs, companies can ensure robust information systems, event traceability, reduced time to detect and respond, and full compliance with reporting obligations.

Immagine del sitoRedazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.

Lista degli articoli