Key Takeaways
- ACN published the categorization determination, Annex 1, Annex 2, FAQ, and reading guide for the Article 30 NIS process.
- Annex 1 applies to a defined set of NIS subject types in energy, transport, health, water, wastewater, space, selected Annex II sectors, and local public transport. Annex 2 applies by exclusion to the other NIS subjects.
- NIS subjects must communicate and update the categorized list of their activities and services through the ACN platform from 1 May to 30 June each year.
- The obligation applies from calendar year 2026, and the determination applies from 1 May 2026.
- The model uses 10 macro-areas and 4 relevance categories:
impatto minimo,impatto basso,impatto medio, andimpatto alto. - The default category is preassigned by macro-area, but a subject may choose a different category if it documents its own impact assessment.
- Activities and services already covered by the Italian national cyber perimeter are treated as
impatto altoand are not included in the Article 3 listing process (ACN categorization determination, ACN FAQ on categorization, Legislative Decree 138/2024).
Scope of this article
This article explains what ACN has now published for the NIS activity and service categorization process, how the model is structured, and what organizations should prepare before submitting through the ACN platform.
It does not replace legal analysis of an entity's NIS perimeter. The official ACN determination, annexes, FAQ, and guide remain the controlling sources for the model.
What ACN published on 24 April 2026
ACN announced the publication of the determination on the process, modalities, and criteria for listing and categorizing activities and services under Article 30 of Legislative Decree 138/2024. The ACN page links the main determination, Annex 1, Annex 2, the FAQ, and the reading guide (ACN news page).
The news page states that the purpose of the exercise is to aggregate activities and services by relevance category. This will support the later identification of portions of network and information systems where more targeted risk mitigation may be needed after the baseline security-measure phase (ACN categorization page).
What the obligation requires
Article 30 of the NIS decree requires essential and important subjects to communicate and update, through the digital platform, a list of their activities and services with the relevant category of relevance. The determination states that this obligation applies from calendar year 2026.
Article 3 of the categorization determination requires NIS subjects to list and categorize all activities performed and services delivered, internally and externally, divided into the model's macro-areas (ACN categorization determination).
For each activity or service, the subject indicates:
- the corresponding macro-area;
- the denomination and description of the activity or service;
- the category of relevance.
Subjects are not required to indicate activities or services for macro-areas where they do not perform or deliver anything (ACN FAQ on categorization).
The 10 macro-areas and relevance categories
The model uses 10 macro-areas. Annex 1 and Annex 2 use the same macro-area structure, with one practical difference: Logistica is preassigned as impatto basso in Annex 1 and impatto minimo in Annex 2.
| Macro-area | Annex 1 category | Annex 2 category |
|---|---|---|
| Monitoraggio e controllo | Impatto alto | Impatto alto |
| Produzione di beni e servizi | Impatto medio | Impatto medio |
| Ricerca, sviluppo e progettazione | Impatto medio | Impatto medio |
| Gestione finanziaria | Impatto basso | Impatto basso |
| Gestione dei clienti | Impatto basso | Impatto basso |
| Gestione delle risorse umane | Impatto basso | Impatto basso |
| Logistica | Impatto basso | Impatto minimo |
| Comunicazione e marketing | Impatto minimo | Impatto minimo |
| Gestione amministrativa | Impatto minimo | Impatto minimo |
| Altri servizi e attività | Impatto minimo | Impatto minimo |
Which annex applies?
Article 2 of ACN Determination 155238/2026 defines the split. In practical terms, the first question is not whether the organization is essential or important; it is whether the organization falls into one of the subject-type groups listed for Annex 1.
| Model | Applies to | Human-readable reading |
|---|---|---|
| Annex 1 | Annex I numbers 1, 2, 5, 6, 7 and 10; Annex II numbers 1, 2, 3, 4 and 5; Annex IV number 1 of the NIS decree | Energy, transport, health, drinking water, wastewater, space, postal/courier, waste management, chemicals, food, selected manufacturing, and local public transport |
| Annex 2 | All NIS subjects not included in the Annex 1 group | Other NIS subject types, including those that fall under the NIS decree but are outside the Article 2(2) list |
The operative consequence is narrow but important: the macro-area table is mostly the same, but Logistica has a higher preassigned category under Annex 1 (impatto basso) than under Annex 2 (impatto minimo). Organizations should confirm their exact statutory subject type against the NIS decree before choosing the model (Annex 1, Annex 2, ACN reading guide).
How to run the analysis
ACN's FAQ and reading guide describe a practical three-step approach:
- identify all activities and services supported, performed, or delivered by network and information systems;
- map each activity or service to the macro-area that best represents its purpose and characteristics;
- assign the category of relevance.
The guide indicates that organizations may use a top-down approach from functions and business processes, a bottom-up approach from the inventory of systems and applications, or a combined approach. ACN does not prescribe one single methodology for identifying activities and services.
The guide also warns against unnecessary fragmentation. Activities and services should be sufficiently unitary to support category assignment, but additional detail is not needed where it would only increase complexity without changing the category (ACN categorization guide).
When the category can differ from the model
The preassigned macro-area category is the default. However, Article 3, paragraph 3, of the categorization determination allows a NIS subject to indicate a different category for a specific activity or service.
That choice must be based on the subject's own assessment of the impact that a possible compromise of the activity or service would have on its ability to correctly perform the NIS activities and services. The subject must preserve the documentation supporting that assessment.
This means that the model is not a blind checkbox exercise. If the organization deviates from the preassigned category, the governance file should show the reasoning, evidence, and approval trail behind the decision (ACN categorization determination).
Coordination with PA cloud classification and the cyber perimeter
The determination includes two coordination rules that should be checked before building the submission.
First, NIS subjects that have performed the data and service classification under Article 3 of ACN Directorial Decree 21007/24 on cloud for public administrations apply that model instead of the categorization model in the new determination.
Second, activities and services subject to obligations under Decree-Law 105/2019 on the national cyber perimeter are assigned the category impatto alto and are not subject to the Article 3 listing and categorization process (ACN FAQ on categorization).
Practical governance checklist
For compliance, cyber, and risk teams, the ACN publication creates a concrete work package for the May–June platform window.
- Confirm which model applies to the entity: Annex 1, Annex 2, PA cloud classification model, or cyber-perimeter treatment.
- Build an activity and service inventory connected to actual network and information systems.
- Map each item to one macro-area; split items that would otherwise fit multiple macro-areas.
- Use the preassigned category as the baseline.
- Document any category change with impact rationale and evidence.
- Align business owners, system owners, compliance, and the NIS point of contact before platform submission.
- Preserve the final categorized list and supporting assessment as audit evidence.
FAQ
When does the 2026 categorization window run?
For the 2026 cycle, the platform communication window runs from 1 May to 30 June 2026. The recurring Article 30 window is 1 May to 30 June each year, starting from the first communication under Article 7, paragraph 3, letter a) (ACN categorization determination, ACN platform determination).
Is the ACN model now available?
Yes. ACN published Determination 155238 of 20 April 2026, Annex 1, Annex 2, FAQ, and the reading guide on the official ACN site (ACN news page).
Can one macro-area contain activities with different categories?
Yes. ACN's FAQ explains that a same macro-area may contain activities and services with different relevance categories when the subject's impact assessment justifies that result (ACN FAQ on categorization).
How should an organization decide between Annex 1 and Annex 2?
Start from the subject type under the NIS decree. Use Annex 1 only if the entity falls into the categories listed in Article 2, paragraph 2, of ACN Determination 155238/2026. Use Annex 2 for other NIS subjects, unless a specific coordination rule applies, such as PA cloud classification or national cyber-perimeter treatment.
Are cyber-perimeter services included in the categorized list?
No. ACN states that activities and services subject to the national cyber perimeter obligations are already labelled impatto alto and are not included in the categorized list.
Official Sources
- ACN news page: NIS categorization modalities published
- ACN NIS categorization page
- ACN Determination on activity and service categorization
- ACN Annex 1 categorization model
- ACN Annex 2 categorization model
- ACN categorization model reading guide
- ACN FAQ on NIS categorization
- ACN platform determination
- Gazzetta Ufficiale: Legislative Decree 138/2024