ACN's 2026 timing determination creates a different implementation path for entities first inserted into the NIS list during 2026. For those subjects, significant-incident notification starts on 1 January 2027, while the deadline for adopting the baseline security measures referenced by Determination 379907/2025 is 31 July 2027. The same determination also confirms that entities already inserted in 2025 and still present in the 2026 list keep the deadlines already fixed by the previous framework (ACN determination on 2026 timing, ACN news page, ACN baseline determination 379907/2025).
Key Takeaways
- The determination is addressed specifically to subjects first inserted into the NIS list in 2026.
- For those subjects, baseline security measures are due by 31 July 2027.
- For those subjects, significant-incident notification duties start on 1 January 2027.
- The determination applies from 30 April 2026.
- ACN's news page adds a practical governance implication: the CSIRT contact should be designated before the end of 2026.
Scope of This Article
This article covers:
- Which entities fall under the new 2026 timing.
- What the two main deadline shifts are.
- How the 2026 timing interacts with the existing baseline framework.
- What organizations should prioritize operationally before 2027.
This article does not cover:
- Portal access procedures in detail.
- Supplier-listing or categorizzazione procedures.
- Legal interpretation beyond the official ACN and legislative texts.
What the 2026 Determination Actually Changes
The ACN determination states that it sets the implementation terms for obligations under Articles 23, 24, 25, 29, and 32 of Legislative Decree 138/2024 for subjects first inserted into the NIS list during 2026. It is therefore a timing and proportionality act, not a replacement of the baseline control framework itself (Gazzetta Ufficiale - Legislative Decree 138/2024, ACN determination on 2026 timing).
The legal and operational baseline remains anchored to Determination 379907/2025. What changes is the calendar for newly listed 2026 subjects.
Deadline Table for Newly Listed 2026 Subjects
| Obligation area | Official rule for subjects first inserted in 2026 | Operational reading |
|---|---|---|
| Baseline security measures | Due by 31 July 2027 | The adoption window for the baseline measures in Annexes 1 and 2 of Determination 379907/2025 runs into mid-2027. |
| Significant-incident notification | Starts on 1 January 2027 | Notification duties described in Annexes 3 and 4 of Determination 379907/2025 become active from the start of 2027. |
| Domain-name security, stability, and resilience obligations where applicable | Due by 31 July 2027 | The same date applies to the Article 4 obligations of the 2025 baseline determination for the affected subject set. |
| Applicability of the 2026 determination | From 30 April 2026 | Organizations should use this date as the formal transition point for the new timing framework. |
New 2026 Subjects vs Subjects Already Present Since 2025
The determination does not create a blanket new deadline for every NIS subject. It makes an explicit distinction:
| Subject category | Timing rule |
|---|---|
| First inserted into the NIS list during 2026 | Follows the new timing: notification from 1 January 2027, baseline measures by 31 July 2027. |
| Inserted during 2025 and still present in the 2026 list | Keeps the timing already established by Article 3 of Determination 379907/2025. |
This distinction matters because some organizations will incorrectly assume that the 2026 determination resets everyone's deadlines. The text does not say that. It only creates a differentiated schedule for the newly listed 2026 cohort (ACN determination on 2026 timing).
Why ACN Introduced a New Timeline
The determination expressly notes that the first-application phase ended on 31 December 2025. ACN then frames the new timing as a proportionality mechanism, taking into account:
- exposure to risk,
- subject size,
- probability of incidents,
- severity and impact, including social and economic impact.
That wording is important for boards and GRC owners. It means the 2026 schedule is not presented as a relaxation of obligations in principle; it is framed as a proportionate implementation path after the closure of first application.
Practical Impact on Governance and Execution
The real operational consequence is that newly listed 2026 entities should split their planning into two tracks:
Track 1: Build the incident-notification operating model before 2027
Because notification duties start on 1 January 2027, organizations should complete before year-end:
- designation of the CSIRT contact and substitutes where relevant,
- ownership of the notification chain,
- escalation rules and decision authority,
- evidence and timestamp discipline,
- draft-ready incident procedures aligned with the 2025 baseline framework.
ACN's news page explicitly states that designating the CSIRT contact before the end of 2026 is necessary for the new subject cohort.
Track 2: Deliver baseline implementation before 31 July 2027
The baseline-measure deadline gives more runway, but it does not remove the workload. For most organizations, the gating items are:
- scoping the applicable baseline measures,
- assigning accountable owners,
- closing documentary gaps,
- building evidence structures for verification,
- sequencing implementation and governance approvals in a controlled roadmap.
Board-Level Reading of the 2026 Timing
For senior stakeholders, the 2026 determination should be read as a sequencing rule:
- Confirm whether the entity is truly a first-time 2026 entrant or an already-listed 2025 subject.
- Treat 1 January 2027 as the hard activation point for significant-incident notification duties for the new cohort.
- Treat 31 July 2027 as the hard delivery date for baseline-measure adoption for the new cohort.
- Use 30 April 2026 as the effective date from which this specific timing framework applies.
This is also why governance records matter early. If the organization classifies itself incorrectly or plans on the wrong deadline track, remediation programs and incident readiness can drift out of alignment with the ACN framework.
2026 Readiness Checklist for Newly Listed Subjects
- Confirm the legal status of the organization under the 2026 list logic and document the basis for classification.
- Map the applicable baseline obligations back to Determination 379907/2025.
- Appoint and formalize the notification governance chain before 31 December 2026.
- Build the incident-notification process so it is operational by 1 January 2027.
- Sequence the implementation roadmap for baseline measures to land by 31 July 2027.
- Keep board and executive oversight tied to the correct ACN cohort logic rather than generic NIS messaging.
For many organizations, this is where external support becomes useful: not to reinterpret the law, but to make sure classification, incident readiness, and baseline implementation are translated into one defensible execution plan.
FAQ
Does the 2026 determination replace the 2025 baseline determination?
No. It expressly refers back to Determination 379907/2025 and changes the timing for subjects first inserted in 2026.
When do significant-incident notification obligations start for newly listed 2026 subjects?
They start on 1 January 2027 under Article 1 of the 2026 timing determination.
What is the deadline for baseline security measures for newly listed 2026 subjects?
The deadline is 31 July 2027 under the same determination.
Does the same 31 July 2027 date also matter for domain-name resilience obligations?
Yes, for the subjects covered by Article 2 of the determination, the deadline is also 31 July 2027.
When does this 2026 timing determination apply?
It applies from 30 April 2026.
Conclusion
The 2026 ACN timing determination is best understood as a controlled transition rule for newly listed entities, not as a general reset of NIS deadlines. If your organization entered the NIS perimeter during 2026, the priority is to make incident-notification governance operational for 1 January 2027 and to drive baseline implementation toward 31 July 2027 without losing sight of the underlying 2025 baseline framework.