INFORMATION TECHNOLOGY
National Cybersecurity Agency: the road map for the gradual implementation of the obligations provided for by the NIS 2 Directive and the transposing legislative decree has been published.
IT security is increasingly important for companies and public administrations. The new Italian legislation on Network and Information Security (NIS 2) has been applicable since 16 October 2024, and its scope is wider than before. It now covers 18 sectors, of which 11 are highly critical and 7 critical, and over 80 types of entities, classified as essential or important according to the criticality of the activities they carry out and the sector in which they operate. The National Cybersecurity Agency (ACN) is the competent authority for the application of NIS 2 and the single point of contact, and has outlined a gradual and sustainable path to allow public and private organizations to comply with the new legal obligations.
This is in light of the increased requirements for security measures and incident notification and the increased supervisory power given to the ACN and the bodies responsible for incident response and crisis management. New tools for cybersecurity are also planned, such as the coordinated disclosure of vulnerabilities, to be achieved through cooperation and information sharing at national and European level.
Compliance with the NIS regulations follows a sustainable path, with the obligations implemented gradually.
The first step for interested parties is to register on the ACN portal. Registration is open from 1 December 2024 until 28 February 2025 for medium and large companies and, in some cases, also for small and micro enterprises.
To facilitate implementation, the incident notification obligations and security measures will be defined progressively, after consultations within the sectoral tables, following decisions of the Director General of ACN, which will be adopted by the first quarter of 2025.
The implementation windows also differ: 9 months for notifications and 18 months for security measures, starting from the date on which the list of NIS entities is consolidated (end of March 2025).
From April 2025, a shared path to strengthen national and European cybersecurity will therefore start.
To make the changes easier to understand, the ACN has published a video and information pages.