The NIS 2 Directive has been implemented in Italy through Legislative Decree No. 138/2024, which has expanded the scope of the regulation at the national level. One of the first obligations imposed by the decree is registration on the National Cybersecurity Agency (ACN) portal by the end of February 2025.
Who needs to register and by when?
The registration requirement applies to all companies falling within the scope of the NIS 2 regulation. While some categories are clearly defined, such as the energy, healthcare, transport, and large-scale distribution sectors, other areas are more debated, leading to the inclusion of companies that were initially excluded from the applicability of the Legislative Decree. For instance, the NIS 2 Legislative Decree appears to apply to cloud service providers, potentially including all SaaS providers, even within corporate groups.
Based on the definitions outlined in Annexes I to IV of the Italian NIS 2 Legislative Decree, companies that believe they fall within its scope are required to register on the ACN platform. However, the decree has introduced two different deadlines:
- By January 17, 2025, domain name system service providers, top-level domain name registry operators, domain name registration service providers, cloud computing service providers, data center providers, content distribution network providers, managed service providers, managed security service providers, as well as online marketplace providers, online search engine providers, and social networking service platform providers were required to complete their registration first; while
- By February 28, 2025, registration will become mandatory for all other entities falling within the scope of the decree.
How to register on the portal?
The registration process on the portal consists of three phases:
- Identification of the point of contact;
- Association of the point of contact with the NIS entity;
- Completion of the NIS declaration.
The point of contact must access the ACN Portal using the Public Digital Identity System (SPID) and complete their personal profile with the required information (if not already provided through SPID). Once identified, the point of contact must link their account to the designated NIS entity by entering its tax identification code. After this step, the portal will automatically retrieve the company's details (e.g., name, address, digital domicile, and legal headquarters contact information), which must be reviewed and confirmed by the point of contact.
The association of the point of contact's account with the NIS entity requires validation through a request sent to the digital domicile of the NIS entity. Upon completion of the identification and association process, the entity will receive a confirmation notification at its digital domicile.
Only after completing these steps can the NIS declaration be submitted.
This declaration must include, among others:
- The sectoral law provisions mentioned in Annexes I and II of the NIS Decree that apply to the entity.
- The turnover, balance sheet, and number of employees to classify the registering entity as a medium or large enterprise according to Recommendation 2003/361/EC. Turnover must be calculated considering any links with other companies, specifically:
  - For affiliated enterprises (i.e., where one company holds the majority of voting rights or has a dominant influence over another), the personnel and turnover data of the controlling company must be fully consolidated.
  - For associated enterprises (i.e., where one company holds between 25% and 50% of another), the data of the holding company must be proportionally consolidated based on the participation share.
- The types of entities listed in Annexes I, II, III, and IV of the NIS Decree to which the registering entity belongs.
Additionally, there is an obligation to declare any affiliated companies that satisfy at least one of the criteria outlined in Article 3, paragraph 10, concerning the registering entity. For example, the registering company must indicate affiliated companies providing ICT or security services.
The goal of this procedure is to enable ACN to identify, in addition to the registering company, any affiliated enterprises that perform critical activities related to cybersecurity risk management for the registering company, or vice versa.
The registration process is therefore complex and requires a thorough preliminary analysis of the entity's structure, as well as its relationships with other companies within the group concerning cybersecurity and, more broadly, IT system management.
Sanctions
It is important to note that failure to register, communicate, or update information on the ACN portal is subject to an administrative fine:
- For essential entities, up to a maximum of 0.1% of the total worldwide annual turnover for the previous financial year.
- For important entities, up to a maximum of 0.07% of the total worldwide annual turnover for the previous financial year.
Companies falling within the scope of the regulation have little time left to complete their assessments and proceed with registration on the ACN portal.
On the same topic, you can read the article "NIS 2 - Personal Liability of Directors For Lack of Compliance is a Warning Message".