
Decreto Legislativo 138/2024 — the Italian NIS2 transposition

Short definition

Decreto Legislativo 138 of 4 September 2024 is the Italian transposition of NIS2 (Directive (EU) 2022/2555). It identifies essential and important entities, defines technical and organisational measures, attaches personal liability to top management, and operationalises ACN as the competent national authority and CSIRT Italia as the national CSIRT.

Why this matters now

Decreto 138 became enforceable through 2024-2025, with phased registration of in-scope entities. Thousands of Italian organisations — utilities, healthcare ATS/ASL, regional and large municipal administrations, telco, banking, transport — are now under personal-liability obligations for cybersecurity adequacy. The standard of proof is documentary evidence of effective controls, not best-effort attestation.

Key points

  • Transposes Directive (EU) 2022/2555 (NIS2) into Italian law as of 16 October 2024.
  • Distinguishes essential entities (highest obligations) from important entities.
  • Personal liability of governing-body members — non-compliance is administratively sanctioned at corporate level AND can trigger personal responsibility.
  • Mandatory registration with ACN; mandatory designation of contact points.
  • Incident reporting: 24h early warning, 72h notification, 1-month final report (Title 13 timeline).
  • Annual self-assessment plus on-demand inspections by ACN.

Who is in scope?

Decreto 138 expanded the scope significantly compared to the previous NIS regime. In scope as essential entities: energy, transport, banking, financial market infrastructures, healthcare, drinking water, waste water, digital infrastructure, ICT service management (B2B), public administration (central and regional). Important entities: postal/courier, waste management, chemicals, food, manufacturing of medical devices/electronics/machinery/vehicles, digital providers, research.

In practice, most medium-to-large Italian organisations in regulated sectors are now in scope. The exact threshold is determined by the implementing acts and the ACN registry; if you are not sure, the safe operational assumption for 2026 is that you are in.

The personal-liability shift

Article 23 of the decreto introduces a meaningful shift: governing-body members (board, CdA, top management) are now personally responsible for ensuring that the cybersecurity measures are appropriate, proportionate and effective. Non-compliance can trigger administrative sanctions at the corporate level AND personal responsibility.

This changes the procurement conversation. A CISO bringing a security-tooling proposal to the board is no longer arguing technical merit alone — the board has a direct, personal interest in seeing documentary evidence that the chosen tooling demonstrably reduces the gap between declared and operating effectiveness of controls.

The incident-reporting timeline

Title 13 of the decreto operationalises the NIS2 incident reporting cadence:

  • 24 hours from the moment you "should have known" of a significant incident: early warning to ACN/CSIRT Italia with preliminary classification.
  • 72 hours from the same start: full notification with impact assessment, indicators of compromise, initial root-cause analysis.
  • 1 month: final report with full root-cause, remediation status, lessons learned.

The clock starts at "should have known", not at "did know": if a regulator concludes that effective detection would have surfaced the incident earlier than it actually was, the deadlines are counted from that earlier point. This is the operational reason continuous detection (rather than batch SIEM cadence) becomes a regulatory necessity, not just a technical preference.
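The two-clock problem described above, as an added example that is not code from the page or its authors: the program computes the three Title 13 deadlines from a chosen clock-start instant and checks a set of submissions against them under both the "did know" and the "should have known" clock. The stage names, timestamps and submission times are constructed sample values.

```go
package main

import (
	"fmt"
	"time"
)

// Stage is one of the three Title 13 reporting stages.
type Stage string

const (
	EarlyWarning Stage = "early_warning" // 24 hours from clock start
	Notification Stage = "notification"  // 72 hours from clock start
	FinalReport  Stage = "final_report"  // 1 month from clock start
)

// Deadlines computes the three Title 13 deadlines from the clock-start instant.
func Deadlines(clockStart time.Time) map[Stage]time.Time {
	return map[Stage]time.Time{
		EarlyWarning: clockStart.Add(24 * time.Hour),
		Notification: clockStart.Add(72 * time.Hour),
		FinalReport:  clockStart.AddDate(0, 1, 0), // calendar month, not a fixed 30 days
	}
}

// Late returns the stages that missed their deadline measured from clockStart.
// sent maps each stage to when it was actually submitted to ACN/CSIRT Italia;
// a stage not yet sent counts as late once now has passed its deadline.
func Late(clockStart, now time.Time, sent map[Stage]time.Time) []Stage {
	dl := Deadlines(clockStart)
	var late []Stage
	for _, st := range []Stage{EarlyWarning, Notification, FinalReport} {
		at, ok := sent[st]
		if (ok && at.After(dl[st])) || (!ok && now.After(dl[st])) {
			late = append(late, st)
		}
	}
	return late
}

func main() {
	// Constructed sample (UTC, March 2025): the SOC confirmed the incident on the
	// 10th at 10:00, but the first alert that should have surfaced it fired on
	// the 9th at 08:00. Two submissions were made; the final report is pending.
	ts := func(day, hour int) time.Time { return time.Date(2025, 3, day, hour, 0, 0, 0, time.UTC) }
	sent := map[Stage]time.Time{EarlyWarning: ts(10, 20), Notification: ts(12, 9)}
	fmt.Println("late vs did-know:         ", Late(ts(10, 10), ts(20, 0), sent)) // []
	fmt.Println("late vs should-have-known:", Late(ts(9, 8), ts(20, 0), sent))  // [early_warning notification]
}
```

The same submissions are compliant under the "did know" clock and late under the "should have known" clock; the gap between the two start instants is exactly what earlier detection would have closed.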

ACN, CSIRT Italia, and how inspections work

ACN (Agenzia per la Cybersicurezza Nazionale) is the competent authority. CSIRT Italia, sitting under ACN, is the national CSIRT — the recipient of incident notifications and the source of sectoral threat intelligence.

ACN can conduct on-site or remote inspections, request documentation, and audit the effectiveness of declared measures. The most common practical request is to see the chain of evidence for a specific control over a defined period — exactly the artefact that a Trust Center with signed evidence (ECDSA, time-stamped logs) produces by default and a manual GRC process struggles to assemble.
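The evidence chain described above, as an added example written for this page (not the Trust Center's own code): each evidence record is time-stamped, back-linked to the hash of the previous record and signed with ECDSA P-256, so an auditor holding only the public key can verify a whole period and locate the first altered or missing record. The record fields, control id and artefact digests are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// Record is one signed, time-stamped evidence entry; PrevHash chains it to the previous one.
type Record struct {
	Control, Evidence, Timestamp string // control id, artefact digest, RFC3339 time
	PrevHash, Sig                []byte // back-link; ECDSA P-256 signature over Hash()
}

// Hash binds every field except the signature itself.
func (r Record) Hash() []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%s|%x", r.Control, r.Evidence, r.Timestamp, r.PrevHash)))
	return sum[:]
}

// Append signs a new record chained onto the last one in chain.
func Append(chain []Record, key *ecdsa.PrivateKey, control, evidence, ts string) ([]Record, error) {
	r := Record{Control: control, Evidence: evidence, Timestamp: ts}
	if n := len(chain); n > 0 {
		r.PrevHash = chain[n-1].Hash()
	}
	sig, err := ecdsa.SignASN1(rand.Reader, key, r.Hash())
	if err != nil {
		return nil, err
	}
	r.Sig = sig
	return append(chain, r), nil
}

// Verify returns the index of the first record whose back-link or signature fails, or -1.
func Verify(chain []Record, pub *ecdsa.PublicKey) int {
	var prev []byte
	for i, r := range chain {
		if !bytes.Equal(r.PrevHash, prev) || !ecdsa.VerifyASN1(pub, r.Hash(), r.Sig) {
			return i
		}
		prev = r.Hash()
	}
	return -1
}
// NewKey generates the P-256 signing key an evidence collector would hold.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
```

Appending a few records with Append and then editing one field, dropping a middle record, or verifying with the wrong public key makes Verify return the offending index instead of -1, which is the property an inspector relies on when asking for the chain over a defined period.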

Cross-references and adjacent regimes

Decreto 138 does not exist in a vacuum. It interacts with:

  • AgID circulars on cloud qualification for PA (QC1-QC4 tiers, data locality requirements).
  • Perimetro di Sicurezza Nazionale Cibernetica (PSNC) — a separate, narrower regime for nationally critical operators; products deployed in production require CVCN evaluation.
  • DORA — for financial entities, runs in parallel to NIS2 with its own timelines and TLPT requirements.
  • GDPR — every incident involving personal data also triggers the Art. 33 72-hour notification regime; multi-regime notifications are common.

In-scope organisations should map their controls once and re-use the evidence chain across regimes, rather than rebuild it per audit.
