ACN's April 2026 package does two things at once: it sets a differentiated compliance timeline for entities first inserted into the NIS list in 2026, and it updates the operating rules of the ACN platform used for registration, annual updates, continuous updates, relevant-supplier listing, and service categorization. In practical terms, first-time 2026 entities move to significant-incident notification from 1 January 2027 and must adopt baseline security measures by 31 July 2027, while the platform determination defines who must access the portal, what must be filed, and when those updates must be maintained (ACN news page, ACN determination on 2026 deadlines, ACN platform determination).
Key Takeaways
- ACN published the update on 13 April 2026 and states that the first phase of NIS application ended with the end of 2025.
- For entities first inserted into the NIS list during 2026, baseline security measures are due by 31 July 2027 and significant-incident notification starts on 1 January 2027.
- Entities already inserted in 2025 and still present in the 2026 NIS list keep the timing already defined by the previous baseline determination.
- The platform determination formalizes the operating cycle for registration, annual updates, continuous updates, relevant suppliers, and categorizzazione of activities and services.
- The issue is not only filing on time. Organizations must keep roles, legal data, contact data, suppliers, and service mappings coherent across the entire ACN workflow.
Scope of This Article
This article covers:
- What ACN changed in April 2026.
- Which deadlines apply to newly listed 2026 entities.
- How the ACN platform workflow is structured at a high level.
- Which role and data-management decisions matter most for governance.
This article does not cover:
- Private portal screenshots or account-specific walkthroughs.
- Client-specific filing strategies.
- Legal interpretation beyond the official ACN and legislative texts.
What Changed on 13 April 2026
The ACN news item published on 13 April 2026 presents two determinations examined in the eighth NIS table meeting:
| Official act | Core effect | Operational meaning |
|---|---|---|
| Determina 127434/2026 | Sets the terms for entities inserted for the first time into the NIS list in 2026. | New 2026 entities follow a dedicated timeline for incident notification and baseline security measures. |
| Determinazione 127437/2026 | Updates the terms, modalities, and procedures for use of and access to the ACN platform. | Organizations must manage portal users, declarations, annual updates, supplier data, and categorizzazione through a more structured operating model. |
| Determination 379907/2025 on baseline obligations | Remains the baseline obligation framework referenced by the new 2026 determination. | The new determination changes timing for newly listed 2026 entities, but not the underlying baseline control set. |
New 2026 Subjects vs Already Listed Subjects
The new timing determination draws a clear distinction between entities first inserted in 2026 and entities already inserted in 2025 that remain in the NIS list in 2026.
| Subject status | Significant-incident notification | Baseline security measures | Practical reading | |---|---|---| | First inserted into the NIS list in 2026 | From 1 January 2027 | By 31 July 2027 | These entities get a differentiated transition window after the end of the first-application phase. | | Inserted in 2025 and still in the 2026 list | Unchanged | Unchanged | ACN states that the terms already fixed by the 2025 baseline determination remain in force. |
The ACN news page also adds a practical governance point: because incident-notification duties for newly listed 2026 entities start on 1 January 2027, organizations need to designate the CSIRT contact before the end of 2026 (ACN news page).
ACN Platform Operating Cycle
The platform determination breaks the workflow into recurring services and fixed windows.
| Process | Official timing | Service / procedure | Why it matters |
|---|---|---|---|
| Registration | 1 January - 28 February every year | Servizio NIS/Dichiarazione |
Used to register the subject and submit the initial declaration. |
| Annual update | 15 April - 31 May every year | Servizio NIS/Aggiornamento annuale informazioni |
Used to verify and confirm the organization, role, supplier, and contact data maintained on the platform. |
| Continuous update | After annual update, until 14 April of the following year | Servizio NIS/Aggiornamento continuo informazioni |
Used when filed information changes; the decree framework still requires prompt updates and, in any case, within fourteen days of the change. |
| Activity and service categorization | 1 May - 30 June every year | Servizio NIS/Categorizzazione |
Used to transmit the categorized list of activities and services under Article 30 logic. |
The same determination states that portal use and related procedures apply from 30 April 2026 (ACN platform determination).
Roles and Access Logic on the ACN Platform
The platform determination is explicit that access is role-based and traceable. Users authenticate through personal CIE or SPID; where national identity tools are not available under applicable rules, a personal-credential procedure can be used according to the section published on the ACN site.
At a high level, the operating roles are:
| Role | Core function | Key governance implication |
|---|---|---|
| Point of contact | Main accountable user for transmission and confirmation | This role drives declarations, confirms updates, and remains central for ACN interactions. |
| Substitute point of contact | Backup for the point of contact | The substitute must be formally associated and kept aligned with the same governance logic. |
| Segreteria | Support role for effective interaction | Useful where organizational coordination needs support without shifting accountability. |
| Operator | Operational support user | Can operate in the platform but cannot perform transmissions reserved to the point of contact flow. |
| CSIRT contact and substitutes | Incident-notification interlocutors | Must be aligned before incident-notification duties become active. |
The point of contact association is validated through the subject's digital domicile, and delegated users must upload the delegation that authorizes access to the portal and NIS services (ACN platform determination).
What Data Must Be Maintained
The annual-update process is broader than many organizations expect. The determination requires verification of at least:
- subject identification and contact data,
- legal representative and general attorney data where relevant,
- members of governing and management bodies,
- EU services and member states where applicable,
- public IP space and domain names used or available to the subject,
- information-sharing agreements,
- CSIRT contact and substitutes,
- relevant suppliers,
- EU establishment data where the legal framework requires it.
For governing and management bodies, the determination also defines a specific process to list the natural persons involved, including their tax code and certified email address, with acceptance through the portal itself (ACN platform determination).
Two New High-Impact Data Sets: Relevant Suppliers and Categorizzazione
The ACN news page highlights two platform additions that materially change the operating workload.
1. Relevant suppliers
Article 18 of the platform determination requires listing relevant NIS suppliers. The filed data includes:
- supplier name,
- tax code,
- country of registered office,
- relevant CPV codes for the supplied goods or services,
- the relevance criterion used.
The determination defines two relevance logic paths:
- ICT supply relevance,
- non-fungible supply relevance, where interruption or compromise would significantly affect the subject's ability to deliver the activity or service that places it within NIS scope.
2. Categorized list of activities and services
Articles 20 and 21 regulate the yearly process through which NIS subjects communicate and update the categorized list of activities and services. This matters because ACN links that data set to the Article 30 categorization framework and makes the submission definitive after the annual window closes, except for documented technical-operational issues not attributable to the subject (ACN news page, ACN platform determination).
Practical Governance Checklist
For most organizations, the first useful control step is to separate platform compliance into workstreams rather than treating it as a single filing exercise.
- Confirm whether the entity is first inserted in the NIS list during 2026 or already carried over from 2025.
- Lock accountable owners for the point of contact, substitute, CSIRT contact, and portal support roles.
- Reconcile legal entity data, digital domicile, PEC references, domains, IPs, and organizational structure before opening the filing windows.
- Build a supplier-extraction process that can support the relevant-supplier fields required by ACN.
- Prepare the internal model for activity and service categorization before the 1 May - 30 June window.
- Keep update evidence and filing receipts under governance control instead of leaving them only inside the portal workflow.
This is where organizations usually need operational support: the regulatory text is not especially long, but it creates a recurring data-governance model that must remain coherent across compliance, legal, IT, and executive ownership. That is the gap Aegister typically helps close when building NIS operating workflows.
FAQ
Did ACN change the baseline controls themselves for newly listed 2026 entities?
No. The 2026 determination changes the timing for newly listed entities, but it explicitly refers back to the baseline measures already defined in Determination 379907/2025.
When does significant-incident notification start for entities first listed in 2026?
For entities first inserted into the NIS list during 2026, the obligation starts on 1 January 2027 according to the ACN determination on 2026 deadlines.
By when must newly listed 2026 entities adopt baseline security measures?
The deadline is 31 July 2027 for entities first inserted into the NIS list in 2026 under the same determination.
What is the annual update window on the ACN platform?
The annual-update process runs from 15 April to 31 May each year through Servizio NIS/Aggiornamento annuale informazioni (ACN platform determination).
What new information did ACN emphasize in the platform update?
The ACN news page highlights two areas: the listing of relevant suppliers and the procedural regulation of activity and service categorization.
Conclusion
The April 2026 ACN package should be read as a governance reset, not just a deadline notice. Newly listed 2026 subjects now have a differentiated implementation timeline, but they also enter a more structured platform model that requires disciplined ownership of contacts, suppliers, services, and legal data. The organizations that will handle this well are the ones that treat the ACN platform as an operating control surface, not as a once-a-year upload task.
Official Sources
- ACN - NIS: online le determine sugli adempimenti per i nuovi soggetti e sulle modalita di accesso alla piattaforma ACN
- ACN - Determinazione 127434/2026 sui termini per i nuovi soggetti NIS
- ACN - Determinazione 127437/2026 sulle modalita di utilizzo e accesso alla piattaforma ACN
- ACN - Determinazione 379907/2025 sulle specifiche di base
- Gazzetta Ufficiale - Decreto Legislativo 138/2024