The NIS 2 Decree[1] transposes the NIS 2 Directive into Italian law. The Directive establishes measures for a high common level of cyber security across the EU, and the Decree will take effect on October 18, 2024.
NIS AUTHORITY
The NIS 2 Decree identifies the National Cybersecurity Agency (Agenzia per la Cybersicurezza Nazionale – “ACN”) as the competent national NIS authority. In that capacity, the ACN may issue cyber security regulations, conduct investigations, and impose administrative sanctions. The ACN (through the national CSIRT) also receives security incident notifications.
SCOPE OF APPLICATION
The NIS 2 Decree, in line with the NIS 2 Directive, broadens the scope of application compared with the previous NIS regime, extending it to a wider range of essential and important public and private entities. Entities are identified as essential or important by reference to the sectors in which they operate and the activities they perform; geographical and size criteria also come into play.
Significant changes include moving ICT service management providers, electronic communication services providers, manufacturers of medical devices/pharmaceuticals, and trust service providers under the NIS 2 umbrella.
Between January 1 and February 28 of each year, entities that consider themselves subject to the NIS 2 Decree must register on a digital platform established and managed by the ACN and provide certain information (such as company name, current address, and contact details). The registration must be updated every year.
Following registration, and by March 31 of each year, the ACN will notify each registered entity whether it qualifies as an essential or important entity.
The obligation to register will be effective upon implementation of the appropriate digital platform (which is not yet available).
OBLIGATIONS OF ESSENTIAL/IMPORTANT ENTITIES
Essential/important entities are subject to several obligations, including the following:
- Information obligations. An essential/important entity must provide the ACN with certain information (e.g., its public IP addresses and domain name(s), the list of Member States in which it provides services falling under the NIS 2 Decree, and a list of its activities and services);
- Risk management obligations. An essential/important entity must implement adequate and proportionate technical, operational, and organizational measures to manage the risks posed to the security of its network and information systems;
- Incident reporting obligations. In case of a significant incident affecting the provision of its services, an essential/important entity must notify the ACN without undue delay and, where applicable, must inform the recipients of its services of the remedial and mitigation measures they can take.
TIMELINE AND APPLICATION
Although the NIS 2 Decree will take effect on October 18, 2024, it establishes grace periods for the application of certain obligations, as follows:
- For ACN communications received up to December 31, 2025, an entity will have, starting on the day it receives the ACN communication that it is essential/important, (i) nine months to comply with the incident reporting obligations and (ii) eighteen months to adopt the risk management measures required by article 24 of the NIS 2 Decree;
- For ACN communications received up to December 31, 2025, the board of directors and the management bodies of an essential/important entity will have eighteen months, starting on the day the entity receives the ACN communication that it is essential/important, to comply with their obligations under article 23 of the NIS 2 Decree (e.g., approving the risk management measures and carrying out training activities);
- The obligation for an essential/important entity to provide the ACN with a list of its activities and services will apply starting January 1, 2026;
- Essential/important entities may register on the ACN digital platform from January 1, 2025 to February 28, 2025 (provided that the ACN makes the platform available by December 31, 2024, as planned). However, certain entities that may fall under the NIS 2 Decree (e.g., digital service providers) must register by January 17, 2025.
In the coming months, the ACN is expected to publish further details on how entities are to comply with the obligations set forth in the NIS 2 Decree.
[1] Legislative Decree No. 138/2024, published in the Official Journal on October 1, 2024.