Italy has transposed the European Union’s NIS2 Directive into its local legislation by publishing its Legislative Decree No. 138 on September 4, 2024.
So, how does this Legislative Decree compare with the NIS2 Directive, and what are the additional requirements?
The Italian Decree follows NIS2 very closely; however, it expands its application to some sectors that were not covered by NIS2, and also specifies more precise requirements for audit and supervision.
The basics of the Italian NIS2 Legislative Decree
As mandated by NIS2, Italian Legislative Decree No. 138 (further in text: NIS2 Legislative Decree) transposes the NIS2 Directive into Italian legislation. Its primary objective is to mitigate cybersecurity risks associated with critical infrastructure organizations (referred to as essential and important entities) and enhance the resilience of their network and information systems. Additionally, it delineates the main responsibilities of governmental bodies tasked with enforcing cybersecurity measures in Italy.
The full text of Italian Legislative Decree No. 138 can be accessed here (in Italian): https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG
This article will focus on the cybersecurity obligations essential and important entities must meet under the decree. The role of government bodies responsible for ensuring compliance with this law will not be the focus of this discussion.
Similarities and differences
The key similarities and differences between the Italian NIS2 Legislative Decree and the EU’s NIS2 Directive are summarized in the table below:
| Topic | Italian NIS2 Legislative Decree compared to EU NIS2 Directive |
|---|---|
| Which companies must comply | The same criteria as in NIS2, but only for companies that are registered in Italy. The exception is digital infrastructure providers — they have to be compliant with the NIS2 Legislative Decree no matter where they are registered, if they provide services in Italy. Further, it lists criteria with which small companies from the 18 sectors have to comply, and also prescribes the compliance obligations for metropolitan cities, municipalities over 100,000 residents, local health authorities, local public transportation services, educational institutions conducting research, and subjects carrying out activities of cultural interest. |
| Deadlines | Entities must register with the competent authority by February 28, 2025. Compliance with incident notification requirements: 9 months from receipt of the notice from the competent authority about including the company in the register of essential and important entities. Compliance with governance and risk management requirements: 18 months from receipt of the notice from the competent authority. |
| Responsibilities of senior management | The same as NIS2. |
| Importance of training | The same as NIS2. |
| Risk-based approach to cybersecurity | The same as NIS2. |
| Cybersecurity measures | The same as NIS2. |
| Supply chain security | The same as NIS2. |
| Incident reporting obligations | The same as NIS2, but CSIRT Italy is specified as the key contact point. |
| Using certified IT products and services | The same as NIS2. |
| Supervision and enforcement | More detailed requirements about monitoring, analysis, audit, and inspections. |
| Fines | The same as NIS2. |
| Completely new requirements | (none) |
Which organizations need to comply with the Italian NIS2 Legislative Decree?
The Italian NIS2 Legislative Decree applies to companies (that belong to 18 sectors prescribed by NIS2) registered in Italy and providing products or services in any EU country. However, there is an exception: Digital infrastructure providers must comply with the NIS2 Legislative Decree even if they are not registered in Italy, if they are providing services in the country.
The NIS2 Legislative Decree defines the same criteria as NIS2 for categorizing companies and organizations as essential and important entities. Additionally, there are specific requirements in the Italian NIS2 Legislative Decree that go beyond the standard NIS2 framework:
- Metropolitan cities, municipalities with over 100,000 residents, and local health authorities are considered important entities if assessed as crucial for societal or economic activities.
- Local public transportation services, educational institutions conducting research, and entities performing activities of cultural interest are also categorized as important entities under specific conditions.
Deadlines
Under the Italian NIS2 Legislative Decree, entities must adhere to the following deadlines:
- Registration: Entities are required to register with the competent authority by February 28, 2025.
- Incident notification compliance: Entities must comply with incident notification requirements within 9 months of receiving notice from the competent authority about their inclusion in the register of essential and important entities.
- Governance and risk management compliance: Entities must meet governance and risk management requirements within 18 months of receiving notice from the competent authority.
Supervision and enforcement
Under Italy’s NIS2 Legislative Decree, the national authority (Agenzia per la Cybersicurezza Nazionale) conducts monitoring and analysis of compliance, using a centralized digital platform where entities register and update risk information.
It can request regular or ad hoc audits, carried out either by independent bodies or by its own officials, to assess how well entities implement security measures. Audits may occur periodically or in response to specific triggers (e.g., an incident). The authority also carries out inspections, both onsite and offsite, focusing on system configurations, logs, incident reports, and overall cybersecurity readiness.
Failure to cooperate or remediate identified issues can lead to enforcement measures, including binding orders or fines. This risk-based approach seeks to ensure that supervision remains flexible, proportionate, and aligned with both NIS2 principles and the distinct needs of Italy’s critical infrastructure and public services.
Fines
In line with the NIS2 Directive, Italy’s NIS2 Legislative Decree allows significant penalties for non-compliance. For private essential entities, fines can reach up to EUR 10 million or 2% of global turnover (whichever is higher). For private important entities, the upper limit is EUR 7 million or 1.4% of turnover.
The Italian decree, however, also sets lower ceilings for government bodies and entities under public control (such as local authorities), generally capping at EUR 125,000 for essential entities and reduced amounts for important ones.
Repeated or deliberate violations can result in higher fines, following a risk-based assessment. Authorities weigh factors like incident severity, prior infringements, cooperation level, and whether the entity remedied breaches swiftly. If entities fail to correct issues within deadlines, additional measures — like temporary suspension of operations — may follow.
Requirements that are the same as in NIS2
There is a lot in Italy’s NIS2 Legislative Decree that is the same as in the EU NIS2 Directive:
- Responsibilities of the senior management — see the details here: What is NIS 2 Directive? A detailed and straightforward guide
- Importance of training — learn more: How to perform training and awareness according to NIS 2
- Risk-based approach to cybersecurity — learn more: The 8 most important cybersecurity and reporting requirements in NIS2
- Cybersecurity as a mixture of technical, operational, and organizational measures — see also: List of required documents according to NIS 2
- Supply chain security
- Incident reporting obligations — see also: What are reporting obligations according to NIS 2?
- Using certified IT products and services
However, the NIS2 Legislative Decree states that the Italian government will enact further regulations specifying how the decree is to be implemented; once these are published, the Italian requirements will certainly be more detailed than those of the NIS2 Directive.
Italian NIS2 Legislative Decree vs. EU NIS2 Directive
Overall, the Italian NIS2 Legislative Decree follows NIS2 very closely; however, it expands its application to some sectors that were not covered by NIS2, and also specifies more precise requirements for audit and supervision.
Of course, a lot will depend on the further regulations that will be published by the Italian government, because they will certainly prescribe more detailed cybersecurity requirements, like those already published in some other EU countries.
To find all the documents needed for complying with the NIS 2 Directive, check out this NIS 2 Documentation Toolkit that includes all policies, procedures, plans, and other templates.