
One year of NIS2: what we actually learned implementing it

21 January 2026

Twelve months after Italian Decree 138/2024 came into force, we walked seven companies through the implementation process. Five things that make the difference, and three that can be skipped.

It has been just over a year since Italian Decree 138/2024 came into force. For us it has been a year of asset inventories, gap analyses, runbooks written and rewritten, training sessions, and — yes — first inspections. Seven companies guided end-to-end, across sectors (manufacturing, logistics, digital services, research). Here is what we learned.

Five things that make the real difference

1. A dedicated person, even part-time

Companies that named a cybersecurity lead with allocated time — even just 20% FTE — moved fast. Those that assigned everything to "the IT manager who already does ten things" struggled. You do not need a full-time CISO for an 80-person SME, but you need someone who owns the role.

2. Self-updating asset inventory

A spreadsheet of assets compiled in January is obsolete by March. Companies that wired their inventory to live sources (Intune, EDR, network monitoring) have information they can actually use. The others have a document that looks good in audits but that nobody relies on.

3. Short incident response runbooks

80-page documents do not work. The companies that did well wrote runbooks of 2-4 pages per scenario: ransomware, loss of admin credentials, customer data leak, critical service outage. Practical pages, with phone numbers, binary decisions and timings.

4. Annual tabletop exercises

Sitting management, IT and legal around a table to simulate an incident is the single exercise with the best cost/benefit ratio. Two hours once a year expose gaps that no document audit reveals.

5. Supply chain matters more than your own perimeter

Most of the real vulnerabilities we saw came through IT vendors. Keeping a vendor registry with criticality levels, current contracts and security SLAs matters more than many internal controls. NIS2 requires it explicitly, and rightly so.

Three things you can skip (at first)

1. Very expensive SIEMs

An enterprise SIEM costs tens of thousands per year and demands skills SMEs rarely have. For year one, a managed external SOC service covers the need at a fraction of the cost. Bringing it in-house can come later, once there is a team to run it.

2. Costly certifications you do not need yet

ISO 27001 is a good thing. It is not mandatory under NIS2, and chasing it in the first 12 months distracts from measures that are useful sooner. Plan it for year 2-3.

3. Tools nobody will use

Buying a top-tier EDR whose alerts nobody reviews is worse than not having it. Every tool needs an owner and an operating workflow. Tools without one should be deferred.

Inspections up close

ACN started targeted checks in 2025. What we saw: practical questions rather than documentary ones. "Show me the last 30 alerts from your EDR." "What is your average time to apply a critical patch?" "Who answers the phone if you notify an incident?" Prepared companies answered in minutes. Unprepared ones made a poor showing.

The verdict

NIS2 in Italy, a year on, is less a burden and more an opportunity. Companies that took it seriously are objectively safer than they were a year ago. Those that turned it into bureaucracy are still vulnerable — just with more paper. The difference is not the volume of rules. It is the seriousness with which they are applied.