NIS2 Legal Architecture and Role Model in Italy: Who Is Accountable for What


January 22, 2026

Italy's NIS implementation architecture is defined by Legislative Decree 138/2024 and ACN implementation acts. For governance teams, the critical point is not only which controls to apply, but which internal functions are legally and operationally accountable for decisions, evidence, incident escalation, and authority interactions.

Sources: Legislative Decree 138/2024, ACN baseline determination, ACN baseline reading guide

Key takeaways

  • Legislative Decree 138/2024 is the primary legal basis for NIS obligations in Italy.
  • ACN, as competent authority, defines implementation specifications in phase-one baseline acts.
  • The operational model distinguishes legal accountability (organs and management), execution accountability (security organization), and reporting accountability (incident and notification chain).
  • NIS subjects are categorized and obligations are calibrated by framework rules and implementing specifications.

Sources: Legislative Decree 138/2024, ACN baseline reading guide

Normative stack at a glance

Layer | Function | Governance impact
Legislative Decree 138/2024 | Defines obligations, scope, and authority model | Sets mandatory accountabilities and obligations
ACN determinations (baseline phase) | Defines modalities and baseline specifications | Converts legal duties into concrete controls and notification expectations
ACN operational guidance | Supports interpretation and implementation sequencing | Helps teams build auditable operating procedures

Sources: Legislative Decree 138/2024, ACN baseline determination, ACN baseline reading guide

Role model to implement internally

Based on legal text and ACN implementation material, organizations should structure at least three accountability layers.

1. Strategic and governance accountability

Organs of administration and top management are responsible for oversight and governance duties tied to NIS obligations.

2. Operational cybersecurity accountability

A defined cybersecurity organization must maintain roles, responsibilities, policies, and evidence, including recurring updates and review cycles.

3. Notification and external interface accountability

The incident-reporting and notification chain must be assigned, documented, and operationalized through designated roles and procedures interacting with CSIRT/authority channels.

Sources: Legislative Decree 138/2024, ACN baseline determination, ACN incident-management guidance

Scope and subject classification

The framework distinguishes NIS subjects and provides differentiated baseline specifications. Governance programs should maintain a documented rationale for subject classification and obligation mapping, including traceability to the applicable baseline annexes.

Details are defined in the official legal and ACN documents.

Sources: Legislative Decree 138/2024, ACN baseline determination, ACN - Allegato 1, ACN - Allegato 2

Governance checklist for immediate execution

  1. Confirm legal scope and subject classification with documented rationale.
  2. Define a formal role-responsibility matrix for governance, cyber operations, and notifications.
  3. Map each obligation to an accountable owner, process, control, and evidence item.
  4. Align policy approval and review cadence with baseline expectations.
  5. Establish an authority-facing reporting chain with tested escalation paths.

FAQ

Is the legal decree enough to execute compliance without ACN acts?

No. The decree sets the legal framework; ACN implementing acts and baseline specifications are required for operational execution. Sources: Legislative Decree 138/2024, ACN baseline determination

Which roles must be formally assigned first?

At minimum, organizations should formalize governance ownership, cybersecurity operational roles, and the incident-notification interface chain according to applicable legal and ACN requirements. Sources: ACN baseline reading guide, ACN incident-management guidance

Do important and essential subjects follow the same baseline annexes?

No. Baseline specifications are differentiated by subject category in dedicated annexes. Sources: ACN - Allegato 1, ACN - Allegato 2, ACN - Allegato 3, ACN - Allegato 4

Official sources