ACN NIS Platform: Relevant Suppliers and What Organizations Must Submit

ACN NIS Platform: Relevant Suppliers and What Organizations Must Submit

ACN NIS Platform: Relevant Suppliers and What Organizations Must Submit

April 16, 2026
supply chain vendor management Determinazione 127437/2026 ACN platform +6

Key Takeaways

  • The ACN platform does not ask NIS entities to list every supplier. It asks them to list relevant NIS suppliers during the annual information-update process (ACN platform determination).
  • Under Article 1, paragraph 1, letter ll), a relevant NIS supplier is a supplier of services or products that meets at least one of two relevance criteria: ICT supply, or non-fungible supply whose interruption or compromise would significantly affect the entity's ability to provide the activities or services that bring it into NIS scope (ACN platform determination).
  • Under Article 18, the platform requires five data points for each relevant supplier: name, tax code, country of registered office, CPV codes of the supplied items, and the relevance criterion used (ACN platform determination).
  • The supplier list is part of the annual update window running from 15 April to 31 May of each year under Article 16, not a standalone filing track (ACN platform determination).
  • The determination expressly exempts DORA-regulated financial entities only from the governance-body listing under Article 16(3)(b) and Article 17; it does not state the same exemption for Article 18 supplier listing (ACN platform determination).

Scope of This Article

This article explains what the ACN platform requires when an organization must transmit its list of relevant NIS suppliers. The focus is not generic supplier-risk management. The focus is the narrower regulatory question:

  1. which suppliers fall into the ACN definition of relevant NIS supplier;
  2. which fields must be transmitted in the platform;
  3. how to prepare an internal evidence base that supports those platform entries.

The Short Answer: ACN Wants a Filtered Supplier List, Not a Vendor Dump

The ACN platform expects NIS entities to provide a selected list of suppliers that are relevant under the criteria defined in the determination. That list is submitted through the annual-update workflow and is tied to a specific data payload.

The operational model set by the determination is:

Question ACN answer
When is the list transmitted? During annual update, from 15 April to 31 May each year
Where is it transmitted? Through Servizio NIS/Aggiornamento annuale informazioni
Which suppliers are in scope? Only suppliers meeting at least one relevance criterion in Article 1, letter ll)
Which fields are required? Name, tax code, country of registered office, CPV codes, relevance criterion

That distinction matters. Many organizations already keep procurement and vendor-management registers. The ACN platform does not replace those internal records. It requires a narrower regulatory extract based on defined relevance logic.

Where the Supplier List Sits in the ACN Workflow

Article 16 states that, from 15 April to 31 May of each year, users update information through the Servizio NIS/Aggiornamento annuale informazioni. Among the data sets to be verified and updated for all NIS subjects is the list of relevant NIS suppliers under Article 3, paragraph 9, letter f) of Legislative Decree 138/2024 (ACN platform determination, Legislative Decree 138/2024).

This means the supplier list is part of the recurring governance cycle already discussed for registration, annual update, and continuous update. It is not framed by ACN as a separate ad hoc declaration.

What Counts as a Relevant NIS Supplier

The core definition is in Article 1, paragraph 1, letter ll) of the ACN determination. A relevant NIS supplier is a subject supplying services or products to a NIS entity and meeting at least one of the following relevance criteria:

  1. the supply is referable to the activities or services listed in Annex I, points 8 and 9, of the NIS decree, meaning ICT supply;
  2. interruption or compromise of the supply would significantly affect the NIS entity's ability to provide the activities or services for which it falls within the scope of the decree, including where alternative suppliers are unavailable, meaning non-fungible supply.

The practical value of this definition is that ACN is not asking for a broad vendor census. It is asking the entity to identify suppliers that are either:

  • part of the ICT supply chain in the sense expressly referenced by the determination; or
  • operationally critical because the supply cannot be substituted without significant impact on regulated activities or services.

The Two Relevance Criteria Need Different Internal Reasoning

Although the platform records the criterion used in a compact form, the internal assessment behind that choice should not be superficial.

Criterion 1: ICT Supply

This is the easier bucket operationally. If the supply falls within the ICT perimeter referenced by the determination, the supplier can be classified as relevant under the first criterion. In practice, this usually requires the organization to map the supplied item or service to its ICT role rather than rely only on internal purchasing labels.

Criterion 2: Non-Fungible Supply

The second criterion is usually the harder one. The determination links relevance to significant impact on the entity's ability to deliver the activities or services that bring it into NIS scope, including where alternative suppliers are unavailable.

That means a supplier may be relevant even if it is not a typical ICT vendor, provided that:

  • the supply supports the regulated activity or service in a material way; and
  • interruption or compromise would cause significant operational impact; and
  • replacement is not realistically immediate or available.

This is where many organizations need a documented rationale rather than a binary procurement tag.

What ACN Requires You to Submit for Each Supplier

Article 18 is precise. Through the annual-update service, users must list relevant NIS suppliers and indicate:

  • the supplier's name;
  • the supplier's tax code;
  • the country where the supplier has its registered office;
  • the CPV codes (Common Procurement Vocabulary) relating to the supplies used by the NIS subject;
  • the relevance criterion used, as defined in Article 1, letter ll).

This is the minimum platform payload. Article 18 does not list contract value, spend volume, SLA commitments, or security-rating fields as mandatory platform inputs. Organizations may still need those elements internally for governance and third-party-risk analysis, but they should not confuse internal due-diligence data with the ACN transmission minimum.

CPV Mapping Is Likely the Weakest Field for Many Organizations

The supplier name and tax code are typically available in procurement records. The difficult field is often the CPV code linkage for the supplies the entity uses.

From a control-design perspective, this means the organization should avoid rebuilding the supplier list manually at the portal deadline. A more reliable setup is:

  • link each potentially relevant supplier to the supplied product or service category internally;
  • maintain the related CPV mapping before the annual-update window opens;
  • retain evidence showing why the selected relevance criterion was chosen.

Without that preparation, the portal submission can easily become a last-minute classification exercise with weak traceability.

Continuous Update Still Matters After the Annual Window

Article 19 states that, after annual update has been perfected, if changes occur to information transmitted under Article 16, users must provide updated information through the Servizio NIS/Aggiornamento continuo informazioni (ACN platform determination).

Because the relevant-supplier list is part of the information set transmitted under Article 16, the practical implication is straightforward: supplier information should not be treated as frozen for the rest of the year. If the supplier perimeter changes, if a relevant supplier changes legal identity data, or if the classification basis changes in a material way, the entity should assess whether a continuous update is required.

That is not a new standalone rule invented outside the determination. It is the direct operational consequence of the Article 16 and Article 19 workflow design.

No Express Article 18 Carve-Out Is Stated for DORA-Regulated Financial Entities

Article 16, paragraph 13, provides a specific exemption for financial entities under Regulation (EU) 2022/2554 that fall within NIS scope, but the exemption is expressly limited to Article 16, paragraph 3, letter b) and Article 17, meaning the listing of governing and management body members. The same paragraph does not state an equivalent exemption for Article 18 supplier listing (ACN platform determination).

The cautious reading is therefore operationally important: organizations should not assume that DORA overlap automatically removes the need to maintain the relevant-supplier list on the ACN platform unless official ACN documentation states otherwise.

How to Build a Defensible Supplier Listing Process

The ACN determination tells the entity what must be transmitted, but not how to organize the internal decision workflow. A practical model usually includes:

  • a supplier universe extracted from procurement and contract records;
  • a first filter for ICT supplies;
  • a second filter for non-fungible supplies affecting NIS-scoped activities or services;
  • a documented rationale for each selected relevance criterion;
  • a maintained mapping between supplier, supplied item, CPV code, and business owner;
  • a review step before the annual-update filing and a trigger for continuous-update review if supplier data changes later.

This is also the point where a documentation-driven compliance service can add value. The difficult part is often not entering five fields in the portal. The difficult part is maintaining the evidence chain that makes those five fields coherent, reviewable, and repeatable over time.

FAQ

Does ACN require every supplier to be listed?

No. The determination requires the listing of relevant NIS suppliers, not the full vendor base. Relevance is tied to the criteria in Article 1, paragraph 1, letter ll) (ACN platform determination).

What are the mandatory platform fields for each relevant supplier?

Article 18 requires name, tax code, country of registered office, CPV codes for the supplied items, and the relevance criterion used (ACN platform determination).

Is the supplier list a separate filing outside annual update?

No. Article 18 operates through the Servizio NIS/Aggiornamento annuale informazioni, which is part of the annual update window from 15 April to 31 May (ACN platform determination).

Does the determination expressly waive Article 18 for DORA-regulated financial entities?

The determination expressly states an exemption only for Article 16(3)(b) and Article 17. It does not state the same exemption for Article 18 supplier listing (ACN platform determination).

Conclusion

The ACN platform requires a filtered and justified supplier list, not a broad procurement export. Organizations that document why a supplier is relevant, map the related CPV codes in advance, and maintain change-control after annual update will be in a stronger position to file supplier data that is both compliant and defensible.

Official Sources

Share this post