The domestic implementation of NIS2 continues to advance at pace. In this note, we outline Italy’s formal adoption of NIS2 and highlight the key dates you need to know for registration, compliance and enforcement.
For further information about NIS2, including sector-specific guidance, please visit our Resiliency page.
Registration Dates:
- 1 December 2024 – 17 January 2025: Digital Providers (see details below)
- 1 December 2024 – 28 February 2025: All other in-scope entities
Notification dates:
- January 2026 (approx.): Nine months from the consolidation of the list of NIS2 entities
Full compliance:
- October 2026 (approx.): 18 months from the publication of Italy’s NIS List.
Italian Legislative Decree 138/2024, which implements the NIS2 Directive in Italy, was published in the Italian Official Journal on 1 October 2024. While the law is set to take effect progressively, it is essential for in-scope entities to evaluate their compliance requirements now.
Overview of Decree 138/2024
Decree 138/2024 officially came into force and effect as of 16 October 2024, but the obligations for regulated entities will be introduced gradually over the course of the next 15 months. Crucially, by the end of 2024, organisations must have completed their NIS2 scoping exercises to determine if they fall within the scope of the Decree. This assessment should be based on factors such as company size and relevant sectors, which are detailed in the Decree’s annexes.
The Decree expands the scope of Italy’s previous regulations to 18 sectors, of which 11 are highly critical (this was previously 8) and 7 are deemed to be critical (this is a new category), with additional breakdowns separating these sectors into essential and important services.
Furthermore, Italy's implementation of NIS2 extends the scope of the framework to include certain public administrations of any size (Annex III) and additional entities such as local public transport providers, research-active educational institutions, cultural organisations, and publicly controlled companies (Annex IV).
Registration Requirements
From 1 December 2024 to 28 February 2025, entities that qualify as being in-scope will need to register on the portal provided by the Italian National Cybersecurity Agency (NCA). However, certain digital service providers must complete this registration by 17 January 2025. This category includes:
- Domain name system service providers
- Top-level domain name registry operators
- Domain name registration service providers
- Cloud computing service providers
- Data centre service providers
- Content delivery network providers
- Managed service providers
- Managed security service providers
- Providers of online marketplaces, search engines, and social network platforms
Failure to register could result in sanctions of up to 0.1% of the entity’s worldwide turnover.
From 31 March 2025, the NCA will compile a list of entities deemed essential or important under the Decree. These entities will receive notifications of their status via the portal between 1 April and 15 April 2025. By 15 April 2025, in-scope organisations must appoint a compliance officer for the Decree. Additionally, between 15 April and 31 May 2025, they must provide further information through the digital platform.
Finally, regulated entities are expected to achieve full compliance with NIS2 requirements by October 2026—18 months from the publication of Italy’s NIS list by the NCA.
Disclaimer
This information is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances. © Shoosmiths LLP 2024.