---
title: "PSNC: Italian Cyber Perimeter & NIS 2 Coordination"
description: "PSNC explained: who falls in the Italian national cyber security perimeter, obligations under Decree-Law 105/2019, and how it coordinates with NIS 2."
canonical: https://www.aegister.com/en/cms/insights/psnc-italian-cyber-security-perimeter/
url: /en/cms/insights/psnc-italian-cyber-security-perimeter/
lang: en
---

# Italian Cyber Security Perimeter (PSNC): Scope, Obligations, and NIS 2 Coordination

April 18, 2026

The Italian Cyber Security Perimeter, usually called PSNC or perimetro cibernetico, is a national security regime for public and private entities whose networks, information systems, or IT services support essential State functions or essential civil, social, or economic activities. It predates NIS 2 and can overlap with it.

Sources: [Decree-Law 105/2019](https://www.normattiva.it/eli/stato/DECRETO-LEGGE/2019/09/21/105/CONSOLIDATED/20220629), [DPCM 81/2021](https://www.normattiva.it/atto/caricaDettaglioAtto?atto.codiceRedazionale=21G00089&atto.dataPubblicazioneGazzetta=2021-06-11&bloccoAggiornamentoBreadCrumb=true&classica=true&generaTabId=true&tipoDettaglio=originario&title=lbl.dettaglioAtto), [ACN cyber perimeter page](https://www.acn.gov.it/portale/perimetro-cibernetico), [Legislative Decree 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG).

## Key takeaways

- PSNC was established by Decree-Law 105/2019 to protect systems relevant to national security.
- Inclusion is communicated individually; the list of entities is not public.
- PSNC obligations include asset listing, security measures, incident notification, and ICT supply controls.
- DPCM 81/2021 regulates incident notifications and security measures for PSNC systems.
- NIS 2 is broader, but Italian law coordinates the two regimes where an entity is subject to both.

## Scope of this article

This article explains what PSNC is, who can fall within it, what obligations matter in practice, and how it interacts with NIS 2. It does not identify whether a specific entity is included in the classified PSNC list.

## What is PSNC?

Decree-Law 105/2019 established the national cyber security perimeter to ensure a high level of security for networks, information systems, and IT services of administrations, entities, and operators located in Italy where disruption could prejudice national security.

Compared with NIS 2, PSNC is not a general cybersecurity compliance regime. It is a national-security perimeter. The key question is whether the system supports functions and services whose disruption would affect essential State interests.

## Who falls within PSNC?

Entities are identified according to criteria in the law and implementing acts. Inclusion is communicated to each entity and the administrative list is not published. This means an organization cannot infer inclusion only from sector membership.

For practical compliance work, the first step is to separate three questions:

1. Is the organization included in PSNC?
2. Is it also in scope under Italian NIS 2 implementation?
3. Which networks, systems, and IT services are covered by each regime?

## PSNC obligations

| Obligation area | Practical meaning | Typical evidence |
| --- | --- | --- |
| Asset listing | Prepare and update lists of relevant networks, systems, and IT services. | Architecture inventory, component list, update record. |
| Security measures | Adopt measures for organization, risk, incident management, protection, operations, monitoring, training, and ICT supply. | Policies, controls, test records, evidence matrix. |
| Incident notification | Notify incidents affecting covered systems through the relevant channels. | Incident procedure, CSIRT records, notification log. |
| ICT supply controls | Assess and communicate relevant ICT supply cases where required. | Supplier risk file, procurement clauses, technical assessment. |

## PSNC and NIS 2 coordination

Italian Legislative Decree 138/2024 coordinates NIS 2 with the cyber perimeter. For entities included in both regimes, an incident notification under the perimeter can satisfy NIS 2 incident-notification obligations where the legal conditions apply. The practical lesson is to design one incident process with clear routing, not two disconnected playbooks.

For NIS 2 categorization and role governance, see [ACN NIS activity and service categorization](/en/cms/insights/nis-activity-service-categorization-acn-2026-model/), [NIS2 legal architecture and role model](/en/cms/insights/nis2-legal-architecture-role-model-italy/), and [ACN platform roles and access association](/en/cms/insights/acn-nis-platform-roles-access-user-association/).

## Managing an entity in both perimeters

1. Create one legal-obligation register for PSNC, NIS 2, and sector rules.
2. Map systems once, then tag each system by regime and obligation.
3. Use one incident classification workflow with regulatory-routing logic.
4. Align board reporting with both national-security and NIS 2 accountability.
5. Keep supplier evidence and ICT procurement controls in the same GRC repository.

A managed governance function such as [Aegister vCISO](https://aegister.com/en/solutions/virtual-ciso/) can help maintain the control map and evidence model across overlapping regimes.

## Normative architecture in practice

PSNC implementation is based on a layered model. Decree-Law 105/2019 establishes the perimeter and core obligations. Implementing decrees and regulations define criteria, notification procedures, security measures, and ICT supply controls. ACN then acts as the central cyber authority in the current institutional architecture.

For compliance teams, this layered architecture matters because obligations can be distributed across several instruments. A PSNC register should therefore map each requirement to its source, covered systems, evidence owner, and review frequency.

## Operational governance model

| Function | Typical responsibility |
| --- | --- |
| Legal/compliance | Track obligations, notifications, and regulatory interpretation. |
| CISO/security lead | Own security measures, monitoring, incident process, and evidence. |
| IT operations | Maintain inventories, architectures, hardening, backup, and continuity. |
| Procurement | Integrate ICT supply controls and supplier-risk clauses. |
| Management | Approve risk decisions and ensure resources. |

## Practical control areas

- Covered-system inventory and architecture documentation.
- Risk assessment for relevant networks, systems, and services.
- Incident classification and notification workflow.
- Access control and privileged-account governance.
- Monitoring, testing, and operational control evidence.
- ICT supplier due diligence and contractual safeguards.

## Where PSNC and NIS 2 teams should align

The strongest operating model uses one asset taxonomy, one incident intake workflow, one supplier-risk register, and one executive reporting pack. The regulatory outputs can differ, but the facts should not. This reduces duplicated work and lowers the risk of contradictory regulatory positions.

## Annual operating cycle

PSNC work should be managed as a recurring operating cycle. The cycle starts with confirmation of covered systems and architecture changes, then updates risk assessment, security measures, supplier records, incident contacts, and evidence files. The output is not just a document refresh. It is confirmation that the perimeter still reflects the real environment.

## Incident coordination runbook

For an entity also subject to NIS 2, the incident runbook should include a decision tree. The first branch checks whether the affected system is in the PSNC asset perimeter. The second branch checks whether NIS 2 significant-incident criteria may apply. The third branch checks whether personal data or sector-specific notification duties exist. This avoids late legal analysis during an incident.

## Supplier and procurement implications

PSNC obligations can affect ICT procurement, especially where systems or services are intended for covered networks and information systems. Procurement should therefore involve security and compliance before contract signature. Evidence should include risk assessment, contractual requirements, supplier responsibilities, and any required communication or assessment workflow.

## Management questions

- Do we know which systems are covered and who owns them?
- Can we prove the latest architecture and component list?
- Are incident contacts current and tested?
- Are ICT suppliers mapped to covered systems?
- Are PSNC and NIS 2 reports consistent?

## FAQ

### What is PSNC?

It is Italy’s national cyber security perimeter for entities and systems whose disruption could prejudice national security.

### Do PSNC and NIS 2 apply together?

They can. PSNC is a national-security regime, while NIS 2 is a broader cybersecurity resilience framework. Italian law coordinates overlapping obligations.

### How does an organization enter PSNC?

Inclusion follows the statutory and administrative process. The entity is notified individually, and the list is not public.

## Official sources

- [Decree-Law 105/2019](https://www.normattiva.it/eli/stato/DECRETO-LEGGE/2019/09/21/105/CONSOLIDATED/20220629)
- [DPCM 81/2021](https://www.normattiva.it/atto/caricaDettaglioAtto?atto.codiceRedazionale=21G00089&atto.dataPubblicazioneGazzetta=2021-06-11&bloccoAggiornamentoBreadCrumb=true&classica=true&generaTabId=true&tipoDettaglio=originario&title=lbl.dettaglioAtto)
- [ACN page on the cyber perimeter](https://www.acn.gov.it/portale/perimetro-cibernetico)
- [MIMIT page on the cyber perimeter](https://www.mimit.gov.it/it/comunicazioni/internet-e-connettivita/sicurezza-informatica/perimetro-sicurezza)
- [Legislative Decree 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG)

