--- title: "NIS 2026 New Subjects: Deadlines" description: "Entities first listed in the NIS perimeter in 2026 have new deadlines: significant-incident notification from 1 January 2027 and baseline measures by 31 July 2027." canonical: https://www.aegister.com/en/cms/insights/new-nis-subjects-2026-incident-notification-deadlines/ url: /en/cms/insights/new-nis-subjects-2026-incident-notification-deadlines/ lang: en --- ![](/static/images/header-contact.webp) # New NIS Subjects in 2026: Incident-Notification and Baseline-Measure Deadlines --- ![New NIS Subjects in 2026: Incident-Notification and Baseline-Measure Deadlines](/static/images/cms/nis-registrazione-2026-scadenza.webp) ## New NIS Subjects in 2026: Incident-Notification and Baseline-Measure Deadlines April 14, 2026 [ACN](/en/cms/keyword/acn/) [compliance](/en/cms/keyword/compliance/) [CSIRT](/en/cms/keyword/csirt/) [cybersecurity](/en/cms/keyword/cybersecurity/) +6 ACN's 2026 timing determination creates a different implementation path for entities first inserted into the NIS list during 2026. For those subjects, **significant-incident notification starts on 1 January 2027**, while the deadline for adopting the baseline security measures referenced by Determination **379907/2025** is **31 July 2027**. The same determination also confirms that entities already inserted in **2025** and still present in the **2026** list keep the deadlines already fixed by the previous framework ([ACN determination on 2026 timing](https://www.acn.gov.it/portale/documents/d/guest/detacn_misuresicurezza-v4_post), [ACN news page](https://www.acn.gov.it/portale/w/nis-online-le-determine-sugli-adempimenti-per-i-nuovi-soggetti-e-sulle-modalita-di-accesso-alla-piattaforma-acn), [ACN baseline determination 379907/2025](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)). ## Key Takeaways - The determination is addressed specifically to subjects first inserted into the NIS list in **2026**. - For those subjects, baseline security measures are due by **31 July 2027**. - For those subjects, significant-incident notification duties start on **1 January 2027**. - The determination applies from **30 April 2026**. - ACN's news page adds a practical governance implication: the **CSIRT contact** should be designated before the end of **2026**. ## Scope of This Article This article covers: - Which entities fall under the new 2026 timing. - What the two main deadline shifts are. - How the 2026 timing interacts with the existing baseline framework. - What organizations should prioritize operationally before 2027. This article does not cover: - Portal access procedures in detail. - Supplier-listing or categorizzazione procedures. - Legal interpretation beyond the official ACN and legislative texts. ## What the 2026 Determination Actually Changes The ACN determination states that it sets the implementation terms for obligations under Articles **23, 24, 25, 29, and 32** of Legislative Decree **138/2024** for subjects first inserted into the NIS list during **2026**. It is therefore a timing and proportionality act, not a replacement of the baseline control framework itself ([Gazzetta Ufficiale - Legislative Decree 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG), [ACN determination on 2026 timing](https://www.acn.gov.it/portale/documents/d/guest/detacn_misuresicurezza-v4_post)). The legal and operational baseline remains anchored to [Determination 379907/2025](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed). What changes is the calendar for newly listed 2026 subjects. ## Deadline Table for Newly Listed 2026 Subjects | Obligation area | Official rule for subjects first inserted in 2026 | Operational reading | | --- | --- | --- | | Baseline security measures | Due by **31 July 2027** | The adoption window for the baseline measures in Annexes 1 and 2 of Determination 379907/2025 runs into mid-2027. | | Significant-incident notification | Starts on **1 January 2027** | Notification duties described in Annexes 3 and 4 of Determination 379907/2025 become active from the start of 2027. | | Domain-name security, stability, and resilience obligations where applicable | Due by **31 July 2027** | The same date applies to the Article 4 obligations of the 2025 baseline determination for the affected subject set. | | Applicability of the 2026 determination | From **30 April 2026** | Organizations should use this date as the formal transition point for the new timing framework. | ## New 2026 Subjects vs Subjects Already Present Since 2025 The determination does not create a blanket new deadline for every NIS subject. It makes an explicit distinction: | Subject category | Timing rule | | --- | --- | | First inserted into the NIS list during **2026** | Follows the new timing: notification from **1 January 2027**, baseline measures by **31 July 2027**. | | Inserted during **2025** and still present in the **2026** list | Keeps the timing already established by Article 3 of Determination **379907/2025**. | This distinction matters because some organizations will incorrectly assume that the 2026 determination resets everyone's deadlines. The text does not say that. It only creates a differentiated schedule for the newly listed 2026 cohort ([ACN determination on 2026 timing](https://www.acn.gov.it/portale/documents/d/guest/detacn_misuresicurezza-v4_post)). ## Why ACN Introduced a New Timeline The determination expressly notes that the **first-application phase ended on 31 December 2025**. ACN then frames the new timing as a proportionality mechanism, taking into account: - exposure to risk, - subject size, - probability of incidents, - severity and impact, including social and economic impact. That wording is important for boards and GRC owners. It means the 2026 schedule is not presented as a relaxation of obligations in principle; it is framed as a proportionate implementation path after the closure of first application. ## Practical Impact on Governance and Execution The real operational consequence is that newly listed 2026 entities should split their planning into two tracks: ### Track 1: Build the incident-notification operating model before 2027 Because notification duties start on **1 January 2027**, organizations should complete before year-end: - designation of the CSIRT contact and substitutes where relevant, - ownership of the notification chain, - escalation rules and decision authority, - evidence and timestamp discipline, - draft-ready incident procedures aligned with the 2025 baseline framework. ACN's news page explicitly states that designating the **CSIRT contact** before the end of **2026** is necessary for the new subject cohort. ### Track 2: Deliver baseline implementation before 31 July 2027 The baseline-measure deadline gives more runway, but it does not remove the workload. For most organizations, the gating items are: - scoping the applicable baseline measures, - assigning accountable owners, - closing documentary gaps, - building evidence structures for verification, - sequencing implementation and governance approvals in a controlled roadmap. ## Board-Level Reading of the 2026 Timing For senior stakeholders, the 2026 determination should be read as a sequencing rule: 1. Confirm whether the entity is truly a first-time 2026 entrant or an already-listed 2025 subject. 2. Treat **1 January 2027** as the hard activation point for significant-incident notification duties for the new cohort. 3. Treat **31 July 2027** as the hard delivery date for baseline-measure adoption for the new cohort. 4. Use **30 April 2026** as the effective date from which this specific timing framework applies. This is also why governance records matter early. If the organization classifies itself incorrectly or plans on the wrong deadline track, remediation programs and incident readiness can drift out of alignment with the ACN framework. ## 2026 Readiness Checklist for Newly Listed Subjects 1. Confirm the legal status of the organization under the 2026 list logic and document the basis for classification. 2. Map the applicable baseline obligations back to [Determination 379907/2025](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed). 3. Appoint and formalize the notification governance chain before **31 December 2026**. 4. Build the incident-notification process so it is operational by **1 January 2027**. 5. Sequence the implementation roadmap for baseline measures to land by **31 July 2027**. 6. Keep board and executive oversight tied to the correct ACN cohort logic rather than generic NIS messaging. For many organizations, this is where external support becomes useful: not to reinterpret the law, but to make sure classification, incident readiness, and baseline implementation are translated into one defensible execution plan. ## FAQ ### Does the 2026 determination replace the 2025 baseline determination? No. It expressly refers back to [Determination 379907/2025](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed) and changes the timing for subjects first inserted in 2026. ### When do significant-incident notification obligations start for newly listed 2026 subjects? They start on **1 January 2027** under Article 1 of the 2026 timing determination. ### What is the deadline for baseline security measures for newly listed 2026 subjects? The deadline is **31 July 2027** under the same determination. ### Does the same 31 July 2027 date also matter for domain-name resilience obligations? Yes, for the subjects covered by Article 2 of the determination, the deadline is also **31 July 2027**. ### When does this 2026 timing determination apply? It applies from **30 April 2026**. ## Conclusion The 2026 ACN timing determination is best understood as a controlled transition rule for newly listed entities, not as a general reset of NIS deadlines. If your organization entered the NIS perimeter during **2026**, the priority is to make incident-notification governance operational for **1 January 2027** and to drive baseline implementation toward **31 July 2027** without losing sight of the underlying 2025 baseline framework. ## Official Sources - [ACN - NIS: online le determine sugli adempimenti per i nuovi soggetti e sulle modalita di accesso alla piattaforma ACN](https://www.acn.gov.it/portale/w/nis-online-le-determine-sugli-adempimenti-per-i-nuovi-soggetti-e-sulle-modalita-di-accesso-alla-piattaforma-acn) - [ACN - Determinazione sui termini per i nuovi soggetti NIS 2026](https://www.acn.gov.it/portale/documents/d/guest/detacn_misuresicurezza-v4_post) - [ACN - Determinazione 379907/2025 sulle specifiche di base](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed) - [Gazzetta Ufficiale - Decreto Legislativo 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG) Share this post ## Related News [![ACN NIS 2026 Platform Rules and New Deadlines: Master Overview](/static/images/cms/nis2-basic-measures-acn.webp)](/en/cms/insights/nis-acn-platform-2026-new-deadlines-overview/) [ACN NIS 2026 Platform Rules and New Deadlines: Master Overview](/en/cms/insights/nis-acn-platform-2026-new-deadlines-overview/) [ACN's April 2026 package sets new NIS deadlines for subjects listed for the first time in 2026 (incident notification from 1 January 2027, baseline measures by 31 July 2027) and updates the platform operating rules for registration, annual and continuous updates, relevant suppliers, and categorization.](/en/cms/insights/nis-acn-platform-2026-new-deadlines-overview/) [NIS2](/en/cms/keyword/nis2/) [ACN](/en/cms/keyword/acn/) +8 [![NIS2 Point of Contact and CSIRT Contact Role: Accountability and Operating Duties](/static/images/cms/nis2-requisiti-di-base.webp)](/en/cms/insights/nis2-point-of-contact-csirt-role-accountability/) [NIS2 Point of Contact and CSIRT Contact Role: Accountability and Operating Duties](/en/cms/insights/nis2-point-of-contact-csirt-role-accountability/) [NIS2 implementation guidance distinguishes the legal Point of Contact from the operational CSIRT contact role. Practical guide to role formalization, substitute model, competence mapping, and audit-ready evidence.](/en/cms/insights/nis2-point-of-contact-csirt-role-accountability/) [NIS2](/en/cms/keyword/nis2/) [ACN](/en/cms/keyword/acn/) +10 [![NIS2 Significant Incident IS-3: Violation of Expected Service Levels](/static/images/cms/nis2-requisiti-di-base.webp)](/en/cms/insights/nis2-significant-incident-is-3-service-level-violation/) [NIS2 Significant Incident IS-3: Violation of Expected Service Levels](/en/cms/insights/nis2-significant-incident-is-3-service-level-violation/) [IS-3 in the ACN baseline model covers service-level violation incidents affecting entity services and activities. Practical guide to qualification, service-impact mapping, and escalation workflow.](/en/cms/insights/nis2-significant-incident-is-3-service-level-violation/) [NIS2](/en/cms/keyword/nis2/) [ACN](/en/cms/keyword/acn/) +10 ### NIS 2 Compliance with Aegister Complete solutions for NIS 2 Directive compliance: expert consulting, implementation and ongoing support. [Discover](/en/solutions/compliance/nis2/)