Italy has now formalized the incident taxonomy that triggers mandatory reporting and notification under Article 1 of Law 90/2024. ACN adopted it through the Determina of 9 February 2026, published in the Official Gazette on 17 February 2026 (No. 39, code 26A00713), and the measure applies from its publication date.
Sources: ACN page, GU - Determina 9 febbraio 2026, Art. 2 - application date
Key takeaways
- The taxonomy is now legally anchored for Article 1, paragraph 1, Law 90/2024 obligations.
- Obligated entities must report and notify incidents included in Allegato A of the ACN determina.
- Article 1, paragraph 2, of Law 90/2024 sets the timing model: report within 24 hours and complete notification within 72 hours from knowledge of the incident.
- ACN explicitly states coherence with NIS incident categories and allows simplification where pre-notification/notification under Article 25 of Legislative Decree 138/2024 is performed.
Sources: Law 90/2024 - Art. 1, Determina - Art. 1, D.Lgs. 138/2024
What changed in practice
The new determina does not create a separate conceptual framework disconnected from existing NIS obligations. Instead, ACN links Law 90/2024 incident obligations to a taxonomy coherent with the "incidenti significativi di base" framework already used in the NIS context.
For compliance teams, this means that notification governance should be designed as a single operational process across the overlapping legal regimes, rather than as parallel, fragmented workflows.
Source: Determina - Art. 1, paragraphs 1-2 and recitals
Taxonomy at a glance (Allegato A)
The published Allegato A includes incident codes such as:
- IS-1: evidence of external confidentiality loss of digital data.
- IS-2: evidence of integrity loss with external impact on data.
- IS-3: evidence of violations of the expected service levels of services/activities.
Source: Allegato A
Who is in scope under Law 90/2024
Article 1 of Law 90/2024 lists a broad set of public-sector and related entities, including central public administrations, regions/provinces, metropolitan cities, large municipalities/capital municipalities, specified transport operators, local health authorities, and relevant in-house companies.
Details are defined in the official legal text and should be mapped against the entity perimeter with legal counsel and governance owners.
Source: Law 90/2024 - Art. 1
Notification timing model to operationalize
Under Article 1, paragraph 2, Law 90/2024:
- Initial reporting without delay and no later than 24 hours from awareness.
- Complete notification within 72 hours from the same moment.
- Reporting/notification is performed through ACN institutional procedures.
Source: Law 90/2024 - Art. 1, paragraph 2
Operational checklist for cyber, GRC, and legal teams
- Update your incident classification matrix to include the Allegato A codes (IS-1, IS-2, IS-3 and the other taxonomy entries).
- Align triage and escalation playbooks to 24h/72h legal timings.
- Harmonize Law 90/2024 and NIS reporting workflows to avoid duplicate or inconsistent submissions.
- Review accountability and evidence capture for regulatory defensibility.
- Test the end-to-end reporting process with table-top exercises.
FAQ
From when does this taxonomy apply?
From the publication date of the determina in the Official Gazette, i.e., 17 February 2026. Source: Art. 2 - Pubblicazione
Does this replace NIS notification obligations?
The determina states coherence with NIS incident categories and provides a simplification approach where pre-notification/notification under Article 25 of Legislative Decree 138/2024 is made. Compliance teams should still ensure all legal requirements are met in practice. Source: Determina - Art. 1
Which incident types trigger obligations?
Those included in Allegato A of the ACN determina. Source: Allegato A