Objective of the NIS2 Directive
The NIS2 Directive (Network and Information Security 2) is a major update of the European cybersecurity framework. It aims to raise the overall level of resilience of information systems in sectors considered critical and strategic.
The purpose is clear: to strengthen prevention, response, and recovery capabilities against cyber incidents in an environment where cyber threats are increasingly sophisticated and persistent.
Transposition of NIS2 in Italy
With Legislative Decree No. 138 of September 4, 2024, Italy formally transposed the NIS2 Directive. The measure defines clear obligations for public and private organizations operating in sectors classified as "essential" or "important", including energy, transportation, healthcare, finance, public administration and digital infrastructure. Companies had to initiate a number of preliminary measures, such as risk analysis, appointing a security contact person (CISO), starting internal training and adjusting incident management policies.
Past and future deadlines to know
October 16, 2024: Entry into force of Legislative Decree No. 138/2024, which transposes the NIS2 Directive into Italian law.
December 1, 2024 - February 28, 2025: Time window for the mandatory registration of entities identified as "essential" or "important" on the digital platform managed by the ACN. During this period, organizations must designate a point of contact and provide detailed information on their cybersecurity infrastructure and governance.
March 31, 2025: Deadline for the ACN to prepare and communicate the list of entities to which the NIS2 rules apply.
April 15 - May 31, 2025: Period during which "essential" and "important" entities must transmit or update the information required by Article 7 of the NIS Decree, including:
- Personal and contact details of legal representatives and members of administrative and governing bodies.
- Technical information related to IT infrastructure, such as public IP addresses and domain names.
- List of member states in which the organization operates.
May 31, 2025: Deadline for annual update of information on the ACN platform. Organizations must ensure that all data provided are correct and up-to-date.
The ACN provided for a 60-day extension, until July 31, 2025, exclusively for companies that:
- encountered technical or organizational difficulties;
- formally requested support from the ACN, for example through a dedicated help desk or contact person.
This extension is not automatic: it must be justified and authorized. It is therefore not a blanket extension for everyone, but a derogation granted upon request.
2nd half of 2025: how should companies act?

1. By May 2025: Audit and verification of NIS2 compliance.
All companies subject to the NIS2 Directive are required to complete a rigorous and detailed internal cybersecurity audit by May 2025. This audit should be conducted in accordance with the official guidelines issued by the ACN, which define precise criteria for the analysis and evaluation of corporate security systems.
The main objective of the audit is threefold:
- Assess cyber risk governance and management: the organizational structure dedicated to cybersecurity, decision-making processes, accountability of key roles (such as the CISO), and the effectiveness of risk management policies are examined.
- Measure the maturity of implemented policies and controls: the completeness, adequacy and effective implementation of security policies, technical controls (e.g., firewalls, advanced authentication systems, continuous monitoring) and operational procedures are verified.
- Identify gaps and vulnerabilities: gaps against compliance standards are identified, and clear, prioritized remediation plans with defined timelines and responsibilities are drawn up.
It is essential to emphasize that many organizations underestimate the complexity and resources this process demands: it requires qualified personnel, specific regulatory and technical expertise, and a significant investment of time.
Delays or superficial execution can expose the company to administrative penalties, operational inefficiencies and high reputational risks.
2. From July 2025: National Registry and new registration requirements.
As of July 2025, registration in the National Registry established and managed by CSIRT Italy (Computer Security Incident Response Team) becomes mandatory for all companies classified as "essential" or "important". This registry is a central tool for coordinating and monitoring cybersecurity at the national level.
Organizations must provide accurate and up-to-date information, including:
- Full identifying details of the organization, with legal and administrative references.
- Detailed list of critical assets and digital infrastructure, including hardware, software, networks and data essential for business continuity.
- Appointment and contact details of the security contact person (CISO or equivalent).
- Report on the last internal audit performed, with evidence of the corrective measures implemented.
Failure to register, or late registration, in the National Registry will result in heavy administrative penalties and may lead to automatic exclusion from public tenders or NRP-funded calls, severely limiting business opportunities. For this reason, it is essential to prepare all required documentation in good time and keep the information up to date.
3. By January 2026: Integration of security plans with business continuity.
By January 2026, companies subject to NIS2 will need to take a significant step forward by demonstrating that they have effectively integrated their cybersecurity plans with their business continuity and disaster recovery strategies.
Key elements of this integration include:
- Established procedures for restoration and continuity of essential services, ensuring that in the event of cyber incidents or attacks, critical processes can continue without significant interruption.
- Business impact analysis, aimed at identifying the most strategic business functions, the dependencies between processes and resources, and the potential consequences of any disruptions.
- Periodic simulations of crisis scenarios, with actual activation of operational teams and verification of response procedures, to test the effectiveness of plans and continuously improve responsiveness.
Policy recommendations
For the second half of 2025
In view of the new deadlines, companies need to take a systemic approach.
The following are some priority interventions:
- Update the map of critical assets so that it reflects emerging threats and the digital supply chain.
- Leverage automation technologies, such as SIEM, SOAR and EDR/XDR, to reduce incident response time.
- Review vulnerability management policies in light of the new European guidelines.
- Schedule incident simulations with top management involvement and validation of response plans.
- Prepare for public reporting, treating transparency as a competitive and reputational factor.
- Rely on strategic partners, such as HRC and CyberBrain.
How HRC and CyberBrain can support your NIS2 compliance
NIS2 compliance is not achieved with a one-size-fits-all solution, but with a structured approach that integrates technology, expertise and strategic vision. HRC, together with CyberBrain, its team specializing in cybersecurity, supports companies on this journey through concrete tools and advanced consulting services already deployed successfully in enterprise settings.
🔎 Preventive analysis and identification of vulnerabilities
Through vulnerability assessment tools, penetration testing and digital reconnaissance activities, we help organizations understand their exposure and build an action plan based on objective data.
🧠 Comprehensive Cyber Check-Up
A service designed to provide a clear snapshot of the current security level, with an assessment of critical issues against NIS2 requirements: governance, risk management, technical and organizational measures.
🔐 MDR and proactive defense
Managed Detection & Response (MDR) solutions delivered by CyberBrain provide continuous endpoint monitoring, early threat detection and real-time response capabilities: a valuable ally in maintaining the continuous oversight required by the regulation.
☁️ CyberDrive: the cloud that protects critical data
CyberDrive is a cloud platform designed for secure sharing of corporate data, with encryption, access control and full traceability features. It is a useful tool for meeting the confidentiality and integrity requirements of the directive.
📚 Security training and culture
Through our partnerships, we offer targeted training paths to increase internal cybersecurity awareness and skills, from CISOs to operational staff. This is a key component of meeting the training obligations under NIS2.

For more than two decades, we have been supporting companies on their journey to digital and technological evolution, providing advanced solutions to optimize processes and improve productivity. Our goal is not only to offer cutting-edge tools, but to do so by always putting the human factor at the center.
It is no accident that we are called Human Resource Consulting: We firmly believe that, even in the age of digital transformation, people remain the most valuable element. Technology is a means, not the end. People drive it, which is why each of our solutions is designed to be intuitive, accessible and truly useful to those who use it every day.
We work alongside companies to help them simplify process management, improving security, efficiency and regulatory compliance. From software to cybersecurity, we develop tools that not only meet current needs but also prepare businesses for future challenges, ensuring continuity and innovation.
We were founded with the mission of bridging the gap between technology and people, and we continue to pursue it with passion, offering advice, support and tailored solutions. Because, in an increasingly digital world, human value is and will remain the true driver of progress.