Introduction
The Network and Information Security Directive, EU Directive 2022/2555 (“NIS 2 Directive”), transposed in Italy by Legislative Decree No. 138 of September 4, 2024, introduced a number of new requirements, and updated others, with respect to the cybersecurity measures that in-scope entities are required to adopt. One of the most significant aspects concerns the obligation for any entity falling within the scope of the NIS 2 Directive (“NIS 2 Entity”) to report security incidents. This obligation will come into full force in January 2026, except for entities that are also included in the National Cybersecurity Perimeter pursuant to Legislative Decree 105/2019, or are “essential services providers” under Legislative Decree 65/2018 (which implemented the first NIS Directive), and for telecommunication networks and services providers that serve at least 1% of the national customer base, for which the obligation is already in force.
The rules governing incident handling and reporting mark another step towards a structured, proactive and collaborative approach to cybersecurity, which emphasizes prevention, speed of response and ongoing learning, in line with other recent EU legislation touching on the same topic (e.g. DORA).
Which entities are subject to the obligation
The obligation to report security incidents applies to both “essential” and “important” entities as defined in Legislative Decree 138/2024. Essential entities are those operating in the energy, transportation, financial services, healthcare, water management, digital infrastructure and business-to-business IT services industries (which exceed certain headcount and annual turnover thresholds), along with telecommunication infrastructure and services providers, domain-name services providers and public sector organizations (both central and local). Important entities include mail and courier service providers, waste management service providers, food and chemicals manufacturers and distributors, electric equipment, electronics, medical devices and automotive manufacturers, digital service providers and research organizations, in addition to those entities operating in the industries served by essential entities but which do not exceed the headcount and annual turnover thresholds mentioned above. The obligation also applies to entities included in the National Cybersecurity Perimeter with respect to the IT and network systems that fall outside the perimeter, and to those entities that were identified as “essential services providers” under Legislative Decree 65/2018.
What incidents need to be reported
Article 25 of Legislative Decree 138/2024 sets out that NIS 2 Entities must report “significant” security incidents. An incident is deemed to be significant when it causes, or is capable of causing, serious operational disruption or financial losses to the affected entity, or when it has repercussions on other entities or individuals, which may incur significant losses (whether tangible or not) as a consequence of it. The definition is quite broad and therefore open to different interpretations. A significant incident does not necessarily coincide with a reportable data breach pursuant to the GDPR.
Decision No. 164179 of the National Cybersecurity Agency (“ACN”) of April 14, 2025, as well as the guidelines issued by ACN in September 2025 to clarify some of the content of the above Decision (“Guidelines”), gave an indication as to what is meant by a significant security incident. The Guidelines list the following scenarios as falling within the definition:
● a NIS 2 Entity becomes aware of a loss of confidentiality of digital data under its control (wholly or partially);
● a NIS 2 Entity becomes aware of a loss of integrity to data under its control (wholly or partially) which impacts third parties;
● a NIS 2 Entity becomes aware of a “violation” of the service levels applicable to its activities or services, measured against the expected service levels for those activities or services; and
● a NIS 2 Entity becomes aware of an unauthorized access (including a misuse of any access privilege) to digital data under its control (wholly or partially). This category only applies to essential NIS 2 Entities.
With respect to unauthorized access, the Guidelines specify that misuse of access privileges occurs when a user abuses the access privileges granted to it on an IT system, for instance by violating the relevant organization’s policies or by accessing the IT system for purposes different from those for which the access rights were granted.
The Guidelines also specify that the trigger for a NIS 2 Entity’s obligation to report a security incident is the entity becoming aware of the incident, meaning that it obtains evidence (“it acquires objective elements”) that such incident has occurred. The purpose is to ensure that any reporting obligation, and the ensuing activities by the stakeholders involved in the process, are grounded on objective evidence that an incident has actually occurred.
The Guidelines also provide a number of examples of circumstances in which a NIS 2 Entity may gain actionable evidence that an incident has occurred:
● upon an internal analysis triggered by a communication from a third party (e.g. the Computer Security Incident Response Team (“CSIRT Italia”), the organization set up and operating within the ACN as the central hub for managing incident notifications and relevant interactions with the NIS 2 Entities, in addition to implementing actions and measures for incident prevention and mitigation);
● upon an internal analysis triggered by a communication from an internal stakeholder (e.g. a service user that reports an issue to the organization’s help desk); and
● upon an analysis of the security events recorded by the internal monitoring system.
The incident reporting and handling process
Art. 25 of Legislative Decree 138/2024 sets out the process for reporting security incidents and the interaction between a NIS 2 Entity and CSIRT Italia.
Every NIS 2 Entity must:
a) without undue delay, and in any case no later than 24 hours from the moment it became aware of the occurrence of an incident, inform CSIRT Italia of such incident. Where possible, such communication must include a preliminary assessment of whether the incident may be the consequence of a criminal act and whether it may have a potential cross-border impact;
b) without undue delay, and in any case no later than 72 hours from the moment when it became aware of the occurrence of the incident, formally notify CSIRT Italia about the incident, providing an update of the situation where possible, along with an initial assessment of the incident, including an assessment of its seriousness and expected impact and any relevant available metrics. The notice period is reduced to 24 hours for digital service providers (i.e. online platforms, search engines, cloud providers) when a security incident has an impact on the delivery of their services;
c) upon request from CSIRT Italia, provide a preliminary report with any relevant updates;
d) within a month from delivery of the initial notice, provide a final report to CSIRT Italia, which must contain:
i) a detailed description of the incident, including an analysis of its seriousness and impact;
ii) the type of threat or the root cause that likely originated the incident;
iii) any mitigation actions implemented so far; and
iv) where available, a description of any cross-border impact of the incident; and
e) if the incident is still ongoing when the NIS 2 Entity delivers its initial report to CSIRT Italia, the entity must provide a monthly report on progress and a final report within a month of completion of the incident management activities.
Without undue delay and, where possible, within 24 hours of receiving the notice from a NIS 2 Entity, CSIRT Italia will respond acknowledging the incident and, if so requested by the NIS 2 Entity, will provide guidance on the potential mitigation actions that may apply. Upon request by the NIS 2 Entity, CSIRT Italia may also provide technical support.
Where there is a suspicion that an incident may be the consequence of criminal conduct, CSIRT Italia will provide guidance to the NIS 2 Entity on how to report it to the competent department of the Ministry of the Interior.
Upon consultation with CSIRT Italia, a NIS 2 Entity must, where appropriate and possible and without undue delay, notify customers of those incidents that may have an adverse impact on the delivery of its services. In such cases, a NIS 2 Entity must inform any users of its services who may be impacted by a significant threat of the nature of such threat and of the mitigation measures that those users may put in place.
The ACN may inform the public with respect to a significant incident for the purposes of avoiding the occurrence of other similar incidents or handling the existing one, or where it deems that such information is in the general public’s interest. Before doing so, the ACN may consult, where appropriate, with any relevant public authorities and other countries’ CSIRT organizations.
Conclusions
The rules described above are intended to strengthen the Italian national cybersecurity framework. They are aimed at favoring a responsible and transparent approach to security incidents by all entities involved, in order to enable the competent authorities (the ACN and CSIRT Italia in the first place) to put in place a prompt, consistent and appropriate response. The system is not centered on a punitive approach, but rather on open and transparent cooperation, whereby companies do not report incidents merely to comply with the law and avoid fines, but are required to work with the authorities to make the national cybersecurity system more robust and resilient.
Accurate, timely and standardized communications around security incidents and potential threats allow the ACN to monitor systemic risks, support businesses in prevention and mitigation activities and protect the continuity of essential services for citizens and the whole economic system, and are therefore a fundamental component of the national security framework.
For NIS 2 Entities, and for those entities that have commercial relations or interact with them, this means not only ensuring that appropriate policies and processes are in place, but also investing in the training and awareness of their employees, and implementing robust and reliable systems for mapping and monitoring their assets, their data and their IT and network systems. For Italy, these measures represent a collective investment in resilience, aimed at ensuring that the digital environment that underpins the Italian social and economic system remains reliable, secure and trustworthy.
October 7, 2025
Federico Fiorani
SWOT Legal Collaborator