Cybersecurity · Italy
Italy has a comprehensive, multi-layered cybersecurity regime overseen by the National Cybersecurity Agency (ACN). It transposed the EU NIS2 Directive through Legislative Decree 138/2024 (in force 16 October 2024) and complements it with Law 90/2024, which strengthens public-sector cyber resilience, and the pre-existing National Cybersecurity Perimeter (Decree-Law 105/2019) for entities performing essential State functions. Incident reporting to CSIRT Italia is mandatory under a tiered 24-hour/72-hour model; personal-data breaches are additionally notified to the Garante under the GDPR.
Legislative Decree 138/2024 (in force 16 October 2024) implements EU Directive 2022/2555, designating ACN as the national competent authority and single point of contact. Italy widened the EU scope via national annexes to cover regional/local public administration, cultural heritage bodies and local public transport operators.
ACN opened the NIS2 registration window 1 December 2024–28 February 2025 on its service portal; by 31 March 2025 it compiled the list of in-scope essential and important entities, notifying inclusion/exclusion by 15 April 2025, with security obligations phasing in across 2025–2026.
Law No. 90/2024 (in force 17 July 2024) strengthens national cybersecurity and toughens computer-crime provisions, imposing on public administrations duties to report incidents, appoint a cyber contact point, adopt at least 26 minimum protection measures and set up an internal cyber-risk structure.
The Perimetro di Sicurezza Nazionale Cibernetica (Decree-Law 105/2019, converted by Law 133/2019, with DPCM 131/2020 and DPCM 81/2021) covers public/private operators performing essential State functions across strategic sectors, requiring annual ICT asset lists, prescribed security measures and incident notification to CSIRT; fines reach up to €1.8 million.
Significant incidents must be reported to CSIRT Italia under a tiered timeline: an initial early warning within 24 hours of becoming aware of the incident and a full notification within 72 hours, followed (under NIS2) by a final report, typically within one month. Entities subject to Law 90/2024 follow the same 24-hour/72-hour model. Where an incident involves personal data, the GDPR breach notification to the Garante (within 72 hours of awareness) applies in parallel and is a separate obligation; reporting to CSIRT Italia does not discharge it.
ACN adopted a binding incident taxonomy via its Determina of 9 February 2026 (Official Gazette No. 39, 17 February 2026), with Allegato A defining notifiable incident codes (e.g., confidentiality loss IS-1, integrity loss IS-2, service-level violations IS-3), applicable from publication.
Machine-assisted translation · verified 23 May 2026 · orientation, not legal advice.