Did you receive an email from your trade association about NIS2 and you are not sure whether it applies to you? Or did your consultant tell you “you should comply” without explaining what and how? This is the most common issue we see when talking to Italian SMEs: the NIS2 directive scares everyone, but nobody explains in plain terms who actually needs to act and what is required.
We at Meteora Web are not a certification body, but we have worked for years with companies that need to secure data, websites, and processes — from small businesses in Southern Italy to larger firms with hundreds of clients. When we started studying NIS2 for our own clients, the first question was: “Who does it apply to in Italy?” The answer is not trivial, because the transposition decree made specific choices. In this guide we give you exactly what you need: who is in, who is out, and the concrete steps to avoid being caught off guard.
NIS2: why it matters (even if you are not in cybersecurity)
The NIS2 Directive (Network and Information Security 2) is the EU law that forces companies and entities in critical sectors to better protect themselves from cyber attacks. In Italy it was transposed by Legislative Decree 138/2024, effective from 16 October 2024. The formal deadline for compliance was 17 January 2025 (for operators’ designation), but enforcement follows. If you are subject, you cannot ignore it: fines can reach up to 2% of global annual turnover.
But who is subject? Not just banks, hospitals, and large enterprises. The directive broadened the scope compared to the old NIS1. In Italy, the transposition follows the EU line but with some specifics.
Who is subject in Italy: two categories
The regulation distinguishes between essential entities (critical) and important entities. The difference matters because controls and sanctions are stricter for the former.
Essential entities
They belong to high-risk sectors: energy, transport, banking, financial market infrastructures, health, drinking water, digital infrastructure (cloud providers, data centers, search engines). In Italy, central government administrations are also included. If your company operates in one of these sectors and has at least 250 employees or annual turnover exceeding €50 million, you are essential. Exception: for the digital sector the threshold is lower.
Important entities
They include sectors such as chemical manufacturing, waste management, food production, medical device manufacturing, research, postal services, local public administration. The size threshold is at least 50 employees and turnover above €10 million. Be aware: even if your company is smaller, you can still be subject if the National Authority (the Italian National Cybersecurity Agency, ACN) designates you as such due to the criticality of the service.
Here is the crucial point for Italian SMEs: many companies with fewer than 50 employees provide services to essential entities (e.g., IT maintenance, logistics, component supply). Even if you are not directly subject, your essential client will require security guarantees — because the directive mandates supply chain security. So get ready, even if you are outside the perimeter for now.
What you must do if you are subject
If your profile fits, you must adopt a set of technical and organisational measures. It is not a generic obligation: the directive lists minimum requirements, and ACN has published guidelines. Here are the main points.
1. Risk assessment and security measures
You must perform a cybersecurity risk analysis and implement proportionate measures. These include: cryptography, two-factor authentication, vulnerability management, backups, business continuity. You do not need an in-house SOC, but you need a minimum of governance. At Meteora Web, in our projects we always start with a simple audit: open ports, weak passwords, missing backups — things companies often do not even know they have.
2. Incident notification
If you suffer a significant incident (e.g., ransomware, data breach), you must send ACN an early warning within 24 hours and a full notification within 72 hours. This requires having an incident response process. You do not need a dedicated team, but at least a contact person who knows what to do and how to reach ACN (via a dedicated platform).
3. Supply chain security
You must assess risks from your suppliers (cloud, software, maintenance) and include adequate contractual clauses. If your supplier is insecure, the responsibility remains yours. That is why you should start asking your partners for their certifications now.
4. Training and awareness
Personnel must be trained on cyber threats. A one-time course is not enough: a continuous program is needed. We see it with clients: the human factor is the weakest link. A well-crafted phishing email and an untrained employee can open the door to everything.
How to check if your company is subject: practical checklist
Here are the immediate steps you can take today.
- Identify your sector according to the annex of Legislative Decree 138/2024. Download the decree from ACN’s website. Check if your ATECO code falls into one of the critical or important sectors.
- Calculate the parameters: average number of employees in the last year and turnover. If you exceed the thresholds (250 emp. or €50M for essential; 50 emp. or €10M for important), you are subject. If you are below but supply essential entities, prepare anyway.
- Check if ACN has already notified you: by October 2025 operators in critical sectors had to register. If you received nothing, it does not mean you are out; you may be added later.
- Map your IT suppliers: cloud, SaaS, maintenance. Ask them if they have certifications (ISO 27001, SOC2, or at least a security policy). If they do not answer, that is a warning sign.
- Conduct a mini internal audit: check if a working backup exists, if passwords are strong, if software is up to date. If you lack time, call a consultant. But do it.
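The sector and size rules from steps 1 and 2 of the checklist, written as a small self-check function. This is example code added to this guide, not an official ACN tool: the sector names are the ones quoted above, the thresholds follow the “or” reading in step 2, ACN designation is assumed to place you among the important entities regardless of size, and the lower threshold for the digital sector is not modelled because the guide gives no figure for it.

```python
from dataclasses import dataclass

# Sector names as this guide lists them; map your ATECO code to one of these
# using the annex of Legislative Decree 138/2024.
ESSENTIAL_SECTORS = {
    "energy", "transport", "banking", "financial market infrastructures",
    "health", "drinking water", "digital infrastructure", "central government",
}
IMPORTANT_SECTORS = {
    "chemical manufacturing", "waste management", "food production",
    "medical device manufacturing", "research", "postal services",
    "local public administration",
}


@dataclass
class Company:
    sector: str                 # one of the sector names above
    employees: int              # average headcount over the last year
    turnover_eur: float         # annual turnover in euro
    designated_by_acn: bool = False          # ACN designation (assumption: overrides size)
    supplies_essential_entity: bool = False  # you supply an essential entity


def classify(c: Company) -> tuple:
    """Return (category, reason) following the checklist's thresholds.

    Categories: 'essential', 'important', 'supply-chain', 'out of scope'.
    Assumption: the digital sector's lower threshold is not modelled, so it is
    treated like the other essential sectors here.
    """
    sector = c.sector.strip().lower()
    if sector in ESSENTIAL_SECTORS and (c.employees >= 250 or c.turnover_eur > 50e6):
        return "essential", "essential sector, at least 250 employees or over EUR 50M"
    if sector in IMPORTANT_SECTORS and (c.employees >= 50 or c.turnover_eur > 10e6):
        return "important", "important sector, at least 50 employees or over EUR 10M"
    if c.designated_by_acn:
        # Below the size thresholds, but ACN designated the service as critical.
        return "important", "designated by ACN"
    if c.supplies_essential_entity:
        # Outside the perimeter, but your essential client must secure its supply chain.
        return "supply-chain", "supplier of an essential entity: prepare anyway"
    return "out of scope", "below thresholds, not designated, not a supplier"
```

A company in an essential sector that is below the essential thresholds falls through to the designation and supply-chain checks, because the guide does not address that case separately.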
Operational tools to start
You do not need to reinvent the wheel. ACN published the “Manual for the adoption of minimum security measures” (inspired by AgID guidelines). For SMEs, you can start with these measures:
- Multi-factor authentication (2FA) for all remote and administrative access.
- Daily backup with external storage (offline or separate cloud).
- Patch management: automatic updates for operating systems and applications.
- Antimalware on all business devices.
- Access logs with retention of at least 6 months.
We implement these daily on our clients’ servers. A concrete example: when a server’s automatic SSL certificate renewal broke, we fixed it and automated the process without taking the client offline. That attention to detail is what NIS2 requires: no open gaps.
Common mistakes to avoid
“I am small, they won’t catch me” — Wrong. The law allows ACN to inspect even after a report from a customer or competitor. And fines are not suspended for small businesses.
“An antivirus is enough” — It is not. NIS2 requires a systemic approach: governance, risk assessment, training. Antivirus is just one piece.
“I will do it later, inspections have not started yet” — The deadline for compliance has already passed. ACN began checks in 2026. If you receive a communication, you have very tight deadlines to respond. Better to be ready.
In summary — what to do now
- Self-assess using the checklist above. Download Legislative Decree 138/2024 and verify your threshold.
- If you are subject: appoint a cybersecurity contact (you can outsource a DPO or MSSP) and start a risk analysis.
- If you are not subject but in the supply chain: ask your essential clients what they require. They often have questionnaires to fill.
- Secure the bare minimum: 2FA, backups, updates, basic training. This is your “NIS2 starter pack”.
- Monitor updates: ACN regularly updates guidelines. Follow the “Normativa” section on the official website.
We at Meteora Web help companies go through this process without empty promises. We come from accounting and ERP, so we know that every euro invested in security must have a return. If you want a no-obligation chat to understand where you stand, contact us. Meanwhile, start with the checklist.