NIS2 – Act. Act Now. Act Early!

Italy, like all of the EU’s 17 member states, is working hard and fast to incorporate the new measures introduced by NIS 2.

 

NIS2 Directive in 3 minutes: everything you need to know

With the extended registration period closing on 31 July 2025, organizations have already passed the first checkpoint, a milestone focused on updating information on the ACN portal.
Company details, contact points, and technical data such as domains and IP addresses have now been submitted.

According to the website of the Agenzia per la Cybersicurezza Nazionale (ACN), information from 30,000 entities was shared. Of these, 20,000, including over 5,000 essential entities, were officially identified as subject to compliance.

 

Today

Following this, eligible entities began receiving communications, either by email or directly through the ACN portal, confirming whether they appear in the NIS2 entity list as essential or important.

From here, organizations have roughly nine months to prepare for the next step: profiling their services and ensuring they can handle what ACN calls the “Incident Notification Obligation”. In practice, this means demonstrating the ability to detect, report, and respond to incidents at a level appropriate to their classification.

During this phase, the designated organizations will work to clarify their security supply chain and make it visible, so that it is procedurally effective for governing, identifying, protecting/detecting, responding and recovering.

A variety of activities will need to be carried out during this phase, among them analyzing and mapping ICT systems and services, aligning with stakeholders and third parties, drafting policies, and preparing training material for internal staff.
Essentially, these activities address all the areas defined by the NIS 2 directive:

  • Organizational hierarchy
  • Risk Management
  • Supplier Management
  • Business Continuity
  • HR Management
  • Asset Management
  • Incident Management
  • IT Application Lifecycle
  • Process Automation

To support this transition, earlier this month ACN released the “Linee Guida NIS – Specifiche di base: Guida alla lettura”, a practical guide that helps entities interpret the baseline specifications.

The document highlights distinctive features of the framework.

It offers a clear reference for compliance with Articles 23, 24, and 25 of the NIS decree.

🔗 ACN – Linee Guida NIS Specifiche di base

 

Acting

The directive is no longer an abstraction; organizations must now analyze their position and plan their budgets carefully.

For many organizations, this might be the first real encounter with structured cybersecurity obligations. For others, especially SMEs caught in the supply chains of bigger players, it feels like being pulled into a regulatory orbit they didn’t even know existed.

If you are in doubt, or want to ensure efficiency and key outcomes from this initiative, consider “consulting” as a great strategic means of acting!

While acting early is what we, at SORINT, believe to be the most significant scenario for stretching technical and business value throughout this journey, the time element is a tricky factor.

 

After January 2026’s milestone?

By October 2026, organizations will need to fully adopt (implement) the expanded National Framework for Cybersecurity and Data Protection, which translates into 43 security measures and 116 detailed requirements.

Yes, the deadlines might be tight and demanding for some, yet the road is structured: an essential move towards a stronger defense, shared accountability, and a new baseline for resilience across digital services.

 

👉 Needless to say, the Agenzia per la Cybersicurezza Nazionale (ACN) remains the official source of information.