NIS2 in Italy: October 17 is here, and Decree 138/2024 is reality

08 October 2024 · 2 min read

Italian Decree 138/2024 is now in the Official Gazette. What it operationally means for companies in the NIS2 scope, and what to do in the next 90 days.

On September 16, 2024, Italian Legislative Decree 138/2024 was published in the Official Gazette, transposing the NIS2 directive. The decree enters into force on October 16, 2024, one day before the European deadline. For many Italian companies it is the moment theory becomes operational duty.

What the Italian decree changes

Compared with the directive text, the Italian decree:

  • Confirms the National Cybersecurity Agency (ACN) as the competent authority.
  • Introduces a dedicated portal for registering, updating data and notifying incidents.
  • Defines a roadmap of obligations: initial registration by January 2025, adoption of technical measures by October 2025, deeper assessments in subsequent years.
  • Sets fines in line with the directive and adds a scale of administrative measures.

Four things to do in the next 90 days

1. Scope check

Sector plus size. Our experience: companies that thought they were out of scope turn out to be in scope because of "high-criticality" manufacturing. Do the check carefully, and with legal counsel if needed.

2. ACN portal registration

In-scope entities must register via the ACN portal within the published windows. The first registration window runs from December 2024 to January 2025. You will need company data, a security contact, and the service perimeter.

3. Asset inventory and gap analysis

Full list of systems, applications, IT vendors, cross-border data flows. Compare against the ten measure areas in art. 24. Output: a realistic plan with priorities and budget.

4. Incident notification procedure

Have a clear script for when things happen: who gets called, who decides, how you get to the 24-hour notification. Without this procedure, even rehearsing an attack response becomes chaos.

The real fines

Essential entities: up to €10M or 2% of global turnover. Important entities: up to €7M or 1.4%. For the first time in Italy there is direct management liability: directors who fail to approve and monitor the measures can be held personally responsible.

The mistake to avoid

The most common one: thinking NIS2 is "a compliance audit". It is not. It is the minimum baseline of cyber hygiene that many companies lack and would eventually need anyway. Compliance is the by-product. Security is the product.

For those starting from zero, the path is 12-18 months. For those already aligned with ISO 27001, it is a remix, not an earthquake. For those who do not know where to start, step one is calling someone and doing the asset inventory. Everything else follows.