---
title: "NIS2 Basic Measures ACN: Full Guide"
description: All NIS2 basic security measures defined by ACN for essential and important entities. Operational checklist for Italian cybersecurity framework compliance.
canonical: https://www.aegister.com/en/cms/insights/nis2-basic-measures-acn/
url: /en/cms/insights/nis2-basic-measures-acn/
lang: en
---


# NIS 2: Basic Security Measures Defined by ACN for Essential and Important Entities

---

![NIS 2: Basic Security Measures Defined by ACN for Essential and Important Entities](/static/images/cms/nis2-basic-measures-acn.webp)


May 26, 2025


With Determination [n. 164179 dated April 14, 2025](https://www.acn.gov.it/portale/documents/d/guest/detacn_nis_specifiche_2025_164179_signed), the Italian National Cybersecurity Agency (ACN) introduced baseline obligations for **essential and important entities** within the scope of the first implementation phase of [NIS 2](/en/cms/insights/aegister-nis-2-guide). For detailed information about upcoming obligations and deadlines, please refer to our [comprehensive article on NIS2 obligations](/en/cms/insights/nis2-obligations-italian-organizations-2025).

The measures are defined in four annexes and include:

- Annex I: 37 measures for important entities
- Annex II: 43 measures for essential entities
- Annexes III–IV: notification criteria for significant incidents

## Deadlines

- Within 9 months: obligation to report significant incidents
- Within 18 months: complete adoption of baseline measures

A second phase is planned for April 2026 with sector-specific, long-term measures.

## Technical Areas of Application

- Risk management
- Supply chain and asset inventory
- Vulnerability management, backup, disaster recovery
- Access control including MFA
- Physical security and incident response

Essential entities must meet stricter requirements than important entities. Measures include specific codes, descriptions, and technical or administrative criteria.

## Risk-Based Flexibility

The NIS 2 framework encourages a flexible, risk-based approach. ACN defines four clauses for the proportional application of controls, including limiting applicability to relevant network systems only and allowing exemptions for documented reasons.

## Comparison with Regulation 2024/2690

[Regulation (EU) 2024/2690](https://eur-lex.europa.eu/legal-content/IT/TXT/?uri=CELEX%3A32024R2690) enforces stricter and more formalized requirements, but shares many goals with ACN's approach:

- Common focus on access management, MFA, system configuration
- Different formalization levels but complementary structures

Read more on our insights:

- [Aegister's Guide to NIS 2 Compliance](/en/cms/insights/aegister-nis-2-guide)
- [Impact of NIS 2 on Corporate Compliance](/en/cms/insights/nis-2-directive-impact)

## Continuity and Business Impact

Regulation 2024/2690 requires a structured business impact analysis (BIA). ACN does not impose one, but it does mandate the definition and periodic review of a **business continuity plan** based on risk assessments.

Organizations should act now. Aegister supports businesses with tailored [Virtual CISO](/en/solutions/virtual-ciso/) services and [NIS2 compliance](/en/solutions/compliance/nis2) consulting.

## FAQ

### What is the focus of this article?

The article provides an official overview of the topic and the operational context discussed in the body.

### Where can readers find official references?

Official references are listed in the dedicated source section at the end of this article.

### How can organizations request follow-up details?

Organizations can contact Aegister through official channels to continue the assessment or implementation path.

## Official sources

- [Official reference 1](https://www.enisa.europa.eu/)
- [Official reference 2](https://www.nist.gov/cyberframework)
- [Official reference 3](https://www.agid.gov.it/)
- [Official reference 4](https://www.acn.gov.it/portale/documents/d/guest/detacn_nis_specifiche_2025_164179_signed)
- [Official reference 5](https://eur-lex.europa.eu/legal-content/IT/TXT/?uri=CELEX%3A32024R2690)

