Where things stand
Directive (EU) 2022/2555, known as NIS2, was transposed in Italy through Legislative Decree 138/2024, in force since autumn 2024. The competent authority is the ACN, the National Cybersecurity Agency, which also acts as single point of contact and national CSIRT. A point that is often misread: obligations do not start when the law is published, but when each organisation receives from ACN its individual notification of inclusion in the register of NIS entities.
Over the final months of 2025 the operating framework was consolidated through two ACN determinations: one on the workings of the NIS Platform, the other on baseline security measures and the handling of significant incidents. The 2026 calendar rests on that basis, and it is the calendar that turns NIS2 from theory into an operational matter for many SMEs and for the MSPs that serve them.
The 2026 ACN calendar, in order
The 2026 obligations fall into a precise sequence:
- Registration and update on the ACN portal: the annual window falls in the first two months of the year. Entities already listed confirm or update their data.
- Significant incident notification: the obligation is operational. The schedule has three steps — pre-notification within 24 hours, notification within 72 hours, final report within one month of the event.
- Categorisation of activities and services: the relevant window closes at the end of June. Once that deadline passes, the categorised list is considered settled.
- Baseline security measures: for entities already listed since 2025, documentary evidence is expected by the end of October 2026.
Entities registered for the first time during 2026 work to deferred terms: incident notification becomes operational around early 2027 (roughly nine months from the communication), and the measures are to be completed by summer 2027.
What the categorisation model changes
The categorisation model introduced by the April 2026 ACN determination structures self-assessment around 10 macro-areas and 4 levels of relevance: minimal, low, medium and high impact. Categorisation is not a formality: it sets the risk profile recognised for the entity and, in turn, the intensity of the measures expected. It is also why the window closing at the end of June deserves priority — afterwards the list is fixed, and corrections become more costly.
The penalties explain the urgency. For essential entities they reach up to EUR 10 million or, if higher, 2% of annual worldwide turnover; for important entities, up to EUR 7 million or 1.4%. The rules cover 18 sectors and capture many, though not all, SMEs on the basis of size, sector and role in the supply chain: even a small-to-mid technology supplier can fall in scope through an essential customer downstream.
The minimum checklist to close now
For an entity already on the register, the order of work in these weeks is clear:
1. Verify registration on the ACN portal and confirm that contact data is current.
2. Complete categorisation before the end-of-June window closes: map activities and services onto the macro-areas and assign the relevance level.
3. Stand up the incident notification process (roles, channels, runbook), because the 24/72-hour steps and the one-month report require procedure, not improvisation.
4. Build the documentary evidence for the baseline measures, with an end-of-October 2026 horizon.
Steps 1 and 2 remain the entity’s responsibility on the ACN platform: no tool performs them for you. Steps 3 and 4, by contrast, are the technical ground where gap analysis matters.
Where CyberScan helps (and where it does not)
CyberScan is a vulnerability assessment and gap analysis tool supporting the baseline security measures: continuous scanning, mapping of vulnerabilities to requirements, reports and checklists aligned to the frameworks, ready to produce documentary evidence. It is useful precisely on step 4 of the checklist, and supplies the technical material for step 3. More on the approach is in the CyberScan launch.
One distinction remains firm, and we restate it: CyberScan does not replace registration or categorisation, which stay the entity’s obligations on the ACN platform. No product delivers “automatic NIS2 compliance”. The tool reduces the technical workload and makes evidence repeatable; the formal responsibility stays yours.
What this means in practice
For an Italian SME or MSP the operational signal is the calendar, not the theory. The categorisation window closes at the end of June and the list is settled afterwards: that is the deadline not to miss right now. Incident notification is already live, and evidence of the baseline measures has an end-of-October 2026 horizon. Start from the mapping — knowing whether you are in scope and at which level — then build the technical evidence. On that last stretch, CyberScan is the support; the portal obligations are not.