National Cybersecurity Agency – ACN: NIS 2, Procedures Published for the Listing and Categorisation of Activities and Services.

With regard to the compliance obligations arising from the NIS 2 regulatory framework, the Italian National Cybersecurity Agency (ACN) has made available its determination concerning the process, procedures and criteria for the listing and categorisation of the activities and services referred to in Article 30 of the Italian NIS Decree.

The purpose of the listing and categorisation process is to group activities and services according to the relevant category provided for under the categorisation model. This constitutes the prerequisite for identifying the portions of network and information systems in respect of which more targeted and incisive risk mitigation measures will be required, once the compliance process relating to the “baseline security measures” has been completed, through the integration of additional requirements under the so-called “long-term security measures”. Such measures will be established by ACN in full compliance with the principles of proportionality and gradual implementation.

By Determination No. 155238 of 20 April 2026, through Annex 1 and Annex 2, ACN identified ten macro-areas for the organisation of an entity’s activities and services. Each such activity or service must be assigned one of four relevance categories: “minimum impact”, “low impact”, “medium impact” or “high impact”.

The results of this simplified, harmonised and shared impact assessment must be notified to the National Competent Authority for NIS through the ACN platform between 1 May and 30 June, in accordance with the procedure laid down in Determination No. 127437/2026, Articles 20 and 21.