On October 16, 2024, the Italian National Security Agency (ACN) published information on the implementation plan for the Directive (EU) 2022/2555 on Security of Network and Information Systems (NIS 2 Directive). The ACN is the competent authority for the application of the NIS 2 Directive.

Implementation plan

The implementation plan outlines a gradual path for public and private organizations to fulfill the new obligations under the NIS 2 Directive. The ACN has set out the following:

• registration on the ACN portal from December 1, 2024, to February 28, 2025, for medium and large companies and, in some cases, for small and micro-enterprises; and

• a shared path for strengthening national and European cybersecurity to start from April 2025, given the foreseen differentiated time window for implementation (nine months for notifications and 18 months for security measures, starting from the end of March 2024, when the list of NIS 2 Directive's subjects is consolidated).

Additionally, the ACN stated that in order to facilitate the transposition of obligations relating to incident notification and safety measures, such obligations will be defined in a phased manner following the Director General's determinations and are to be adopted by the first four months of 2025.

You can read the press release, only available in Italian, here.