Article 25 of Legislative Decree 138/2024 requires NIS entities to notify significant incidents to CSIRT Italia. The operating model should combine incident qualification, notification timing, and assigned accountability, with a documented process that can be executed under pressure.
Sources: Legislative Decree 138/2024, ACN incident management guidance, NIS baseline reading guide
Key takeaways
- Article 25 applies to significant incidents as defined in the NIS baseline framework.
- Notification timing is structured: pre-notification within 24 hours and notification within 72 hours from awareness of the significant incident.
- Follow-up reporting includes intermediate updates (on request), a final report, and monthly progress updates when final closure is not yet possible.
- The CSIRT contact role should be formally designated with named substitutes and clear procedures.
Sources: ACN incident management guidance, Legislative Decree 138/2024
Notification sequence to operationalize
1. Qualification and evidence of significant incident
The organization should identify whether the incident meets the baseline significant-incident criteria and record the point of awareness used to start timing obligations.
2. Pre-notification within 24 hours
Without undue delay and in any case within 24 hours from awareness, the entity transmits the pre-notification through the official channel.
3. Notification within 72 hours
Without undue delay and in any case within 72 hours from awareness, the entity transmits the incident notification with initial assessment details and updates to the pre-notification information.
4. Intermediate and final reporting
On CSIRT request, the entity provides intermediate reporting. A final report is due within one month from the notification; if incident handling is still open, monthly progress reporting applies and final reporting is due within one month from closure.
Sources: ACN incident management guidance, Legislative Decree 138/2024
Roles and evidence requirements
| Element | Practical requirement | Typical evidence |
|---|---|---|
| CSIRT interface accountability | Designated CSIRT contact and substitutes | Formal appointment records, role matrix |
| Notification procedure | Documented flow for 24h/72h and follow-up obligations | Incident notification SOP, escalation procedure |
| Traceable timing | Recorded timestamps from awareness to submissions | Incident logs, ticket timeline, transmission records |
| Governance oversight | Management visibility on notifiable incidents and reporting status | Management briefings, decision records |
Sources: ACN incident management guidance, NIS baseline reading guide
90-day execution checklist
- Formalize CSIRT contact governance, including backup roles and an availability model.
- Validate incident classification criteria for significant incidents against baseline definitions.
- Run a 24h/72h notification drill with legal, cyber, and operations stakeholders.
- Ensure tooling captures the awareness timestamp and notification evidence end-to-end.
- Align the incident-response procedure with mandatory follow-up reporting obligations.
FAQ
Does notification require full root-cause analysis before 24h/72h submissions?
No. The sequence is time-based from awareness of a significant incident. Initial submissions can be updated as investigation progresses. Source: ACN incident management guidance
Who is expected to submit notifications to CSIRT Italia?
The designated CSIRT contact role is responsible for interfacing with CSIRT Italia and handling mandatory notifications, with substitutes where defined. Source: ACN incident management guidance
If the incident is not closed within one month, what changes?
The entity submits monthly progress reporting and then sends the final report within one month from incident management closure. Source: ACN incident management guidance