NIS2 baseline obligations in practice: master overview for governance, controls, and incident operations

January 24, 2026

Italy’s NIS framework requires in-scope entities to implement baseline cybersecurity measures and incident obligations under a legal and technical model centered on Legislative Decree 138/2024 and ACN’s baseline determinations. Operationally, organizations need one integrated program that covers governance duties (Article 23), risk-management measures (Article 24), and incident notification (Article 25), with evidence that can be audited over time.

Key takeaways

  • The NIS implementation model is built around Articles 23, 24, and 25 of Legislative Decree 138/2024.
  • ACN baseline specifications define practical measures and significant-incident categories.
  • ACN’s first-application timeline states 9 months (January 2026) for significant-incident notification obligations and 18 months (October 2026) for baseline security-measure adoption.
  • The first-application incident-notification obligation is already live, while the baseline-measure deadline remains October 2026.
  • Baseline controls are structured across governance and operational functions aligned with GOV/ID/PR/DE/RS/RC logic.
  • Execution requires one coordinated operating model across legal, cyber, IT, and management functions.

Compliance architecture at a glance

Layer | What it defines | Why it matters
Legislative Decree 138/2024 | Legal obligations and subject model | Determines mandatory duties and accountability
ACN baseline determination | Baseline technical/organizational specifications | Translates legal duties into control expectations
ACN operational guides | Implementation methods and evidence orientation | Supports practical rollout and audit readiness

What this series covers

This series is designed to move from legal framing to implementation details:

  1. legal architecture and role model,
  2. governance and risk controls,
  3. protection, detection, and response operations,
  4. significant incident classification and reporting,
  5. evidence, audit readiness, and continuous improvement.

The goal is to make each obligation actionable with policy/process-level guidance.

Baseline obligations map

Governance and accountability

Article 23 obligations and related baseline governance controls require explicit responsibilities, management oversight, and documented policy ownership.

Risk management and protective controls

Article 24 obligations require proportionate technical, operational, and organizational measures, including documented risk treatment and control coverage.

Incident handling and notification

Article 25 obligations require incident handling capability and notification execution for significant incidents under ACN baseline taxonomy and procedures.

Program setup checklist for teams

  1. Confirm governance ownership across legal, cyber, IT, and executive stakeholders.
  2. Build a single control map from legal obligations to baseline requirements and evidence.
  3. Formalize incident lifecycle procedures from detection to notification and post-incident learning.
  4. Define audit-ready evidence sets and document update cadence.
  5. Track milestone progress against the live incident-notification regime and the October 2026 baseline-measure deadline.

FAQ

Is this overview itself the full compliance standard?

No. It is a structured operational summary. Binding obligations are defined in legislative and ACN official acts.

Which subjects are targeted by this framework?

The NIS framework distinguishes subjects and obligations in the legal text and subsequent ACN implementation material. Detailed scope classification must follow official criteria.

What should be prioritized first in implementation?

A governance-led control mapping and evidence strategy that integrates Articles 23, 24, and 25 with the ACN baseline specifications.
