NIS2 in Italy: Legislative Decree 138/2024 and the Tiered Sanctions Regime

Italy's NIS2 transposition entered into force on 16 October 2024 via Decree 138/2024, with fines reaching 10 million EUR or 2% of global turnover for essential entities.

Michael
Security Engineer

Italy was one of the few Member States to transpose NIS2 within the Directive's 17 October 2024 deadline. Legislative Decree No. 138 of 4 September 2024 was published in the Italian Official Gazette (Gazzetta Ufficiale) on 1 October 2024 and entered into force on 16 October 2024. The decree assigns the Italian National Cybersecurity Agency (Agenzia per la Cybersicurezza Nazionale, ACN) primary supervisory responsibility and introduces a tiered penalty system that closely tracks the Directive's maximum thresholds. With Italy's first enforcement window now open through 2025, the contours of the regime are becoming clearer.

What does the decree change in scope?

Italy's pre-NIS2 cybersecurity framework — the perimetro di sicurezza nazionale cibernetica plus the original NIS1 transposition (D.Lgs. 65/2018) — was focused on a narrower set of operators and digital service providers. Decree 138/2024 expands scope dramatically across 11 sectors of high criticality and seven other critical sectors, mirroring NIS2 Annexes I and II. Newly in-scope sectors include public administration entities (notable because Italy explicitly extended NIS2 to many central and local authorities), waste management, food production and distribution, manufacturing of medical devices and motor vehicles, postal and courier services, and ICT service management including B2B providers. The decree applies the size-cap rule from Article 2 of NIS2 — entities with 50 or more employees or annual turnover above 10 million EUR — with sector-specific exceptions under which smaller entities still fall in scope (e.g. DNS service providers, TLD name registries, qualified trust service providers).

How are entities classified?

Entities classified as "essential" (soggetti essenziali) face the most stringent obligations and the highest penalties. Entities classified as "important" (soggetti importanti) face a slightly lighter risk-management and reporting regime, with proportionately lower penalties. ACN began publishing the official register of in-scope entities through its dedicated platform, with a registration deadline structured in waves: entities were required to register and submit core information by 28 February 2025, with sector-specific updates due through 2025. Entities that failed to register, or that provided inaccurate information, face dedicated lower-tier fines independent of the penalties for substantive cybersecurity breaches.

What is the penalty structure?

The tiered penalty regime in Article 38 of the decree distinguishes three categories. For essential private-sector entities, fines reach a maximum of 10 million EUR or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher — directly aligned with Article 34 of NIS2. For important entities, fines reach a maximum of 7 million EUR or 1.4% of total worldwide annual turnover, again tracking the Directive. For public administrations classified as essential or important, administrative pecuniary sanctions are set at a different range — between 25,000 EUR and 125,000 EUR — reflecting the constitutional constraint on imposing turnover-based fines on public bodies in Italy.

| Category | Maximum fine | Turnover percentage | Minimum (proportional) |
|----------|--------------|---------------------|------------------------|
| Essential private entity | 10,000,000 EUR | 2% global turnover | 1/20 of maximum |
| Important private entity | 7,000,000 EUR | 1.4% global turnover | 1/30 of maximum |
| Public administration | 125,000 EUR | n/a | 25,000 EUR |

The decree also introduces lower-tier fines for less serious procedural violations. For example, failing to register on ACN's platform or providing inaccurate information attracts a fine of up to 0.1% of annual worldwide turnover for essential entities and 0.07% for important entities, and repeated violations may increase the applicable fine by up to three times.

What management-body liability applies?

Article 23 of the decree implements Article 20 of NIS2 on management body responsibility. Members of the management body of essential and important entities can be held personally liable for breaches of the entity's cybersecurity risk-management obligations under Article 24 (corresponding to NIS2 Article 21). Where the breach is attributable to gross negligence by a member of the management body, ACN can apply a personal administrative sanction. The decree also empowers the supervisory authority to temporarily prohibit individuals from exercising management functions in the entity in cases of repeated non-compliance — a measure consistent with Article 32(5) of NIS2.

How does ACN approach enforcement?

ACN has stated publicly that its initial enforcement posture is progressive: corrective orders, mandatory remediation plans, and improvement notices precede the imposition of fines wherever possible. The Agency has prioritised three early-cycle focus areas. First, evidence that entities have a substantive risk-management framework covering the ten technical and organisational areas listed in Article 24 of the decree (incident handling, business continuity, supply chain security, secure development, vulnerability management, training, cryptography, access control, asset management, and HR security). Second, compliance with the incident reporting regime under Articles 25-27, which mirrors NIS2's 24-hour early warning, 72-hour notification, and one-month final report cadence. Third, supply chain controls: ACN has explicitly highlighted that essential entities must document direct supplier risk in proportion to the criticality of the services provided.

ACN-published technical and organisational measures (Article 24 D.Lgs. 138/2024; mirrors NIS2 Article 21(2)):

1. Policies on risk analysis and information system security
2. Incident handling
3. Business continuity (backup management, disaster recovery, crisis management)
4. Supply chain security
5. Security in network and information systems acquisition, development and maintenance
6. Policies to assess the effectiveness of risk-management measures
7. Basic cyber hygiene and cybersecurity training
8. Policies on cryptography and encryption use
9. Human resources security, access control and asset management
10. Multi-factor authentication and secured emergency communications

What about the supply chain dimension?

Article 24(2)(d) of the decree requires entities to assess the cybersecurity of direct suppliers and service providers, taking into account the specific vulnerabilities of each provider, the overall quality of their products and cybersecurity practices, and the results of coordinated EU-level supply chain risk assessments conducted under Article 22 of NIS2. ACN has indicated that essential entities should retain documented evidence of supplier security assessments at contract execution and on a recurring cycle aligned to risk. This obligation effectively imports CRA-style supply chain transparency into the procurement processes of financial, energy, transport, and other essential operators well before the CRA itself applies in December 2027.

How Safeguard Helps

Safeguard provides Italian essential and important entities with the evidence base ACN expects under Article 24: continuous software inventories, SBOM-backed component visibility, and reachability-validated vulnerability findings that distinguish exposed risk from inert dependencies. Supplier risk scoring under the TPRM module maps directly to the supply chain security obligation in Article 24(2)(d), keeping a documented register of supplier attestations and recurring assessments that survives an ACN inspection. The platform's incident workflow aligns to the 24/72-hour/one-month reporting cadence, generating structured submissions to the ACN portal in the format the Agency expects. Policy gates enforce the technical and organisational measures of Article 24 inside CI/CD pipelines, so secure-development obligations become evidenced controls rather than written-policy artefacts.
