NIS2 sanctions under art. 38 (d.lgs. 138/2024) — the response playbook
Short definition
An operational reference for Italian essential and important entities facing an ACN NIS2 enforcement procedure: the fines and non-monetary measures at stake, ACN's procedural sequence, and exactly what to file at each gate to close the procedure without an interdictory measure.
Why this matters now
From October 2026 ACN moves from its accompaniment phase to formal inspections, and art. 38 of d.lgs. 138/2024 exposes essential entities to fines up to €10M or 2% of worldwide turnover — plus temporary suspension of the service and suspension of directors. The procedure is not a fait accompli: there is an observations window and a diffida before any sanction lands. This playbook turns those windows into an executable timeline.
Key points
- Essential entities: up to €10M or 2% of annual worldwide turnover; important entities: up to €7M or 1.4% (art. 38).
- Non-monetary measures bite harder: temporary suspension of activity/services and suspension of directors from their functions.
- The management body is personally accountable under art. 23: failing to supervise implementation is enough, even without having ordered the deficient measure.
- ACN must notify its preliminary conclusions and grant a response window of no less than 15 days before any diffida.
- The diffida is an order to remediate by a deadline. Meeting it closes the procedure; missing it triggers interdictory measures.
- The typical trigger is a missed compliance gate (30 June 2026 categorisation, 31 October 2026 security measures): fix the gate, not just the reply.
Scope and triggering condition
This playbook fires the moment an ACN enforcement signal arrives for an entity in the NIS2 perimeter under d.lgs. 138/2024, which transposes Directive (EU) 2022/2555. Concretely, it fires on any of:
- An inspection or information request from ACN (proactive *ex ante* supervision for essential entities; reactive *ex post* for important entities, usually after an incident or a complaint).
- A notification of preliminary conclusions — ACN's written statement that it believes you are non-compliant.
- A self-assessment that surfaces a gap as a hard deadline approaches.
What is not in scope here: the incident-reporting cadence itself (24h pre-notification, 72h notification, 1-month final report) — that is covered by the NIS2 Title 13 incident-timeline playbook. This playbook is about the *supervisory and sanctioning* track, which runs on its own clock and its own evidence.
The 2026 calendar that feeds this track: registration and renewal on the ACN platform (Jan–Feb), annual data update (Apr–May), service and activity categorisation by 30 June 2026, and the 31 October 2026 deadline for the basic security measures (37 measures / 87 requirements for important entities; 43 measures / 116 requirements for essential entities, per the ACN security-measures determination). From October 2026 ACN moves into the formal-inspection phase (see ACN's 2026 NIS2 supervision and audit calendar). Miss one of these and you become a candidate for the enforcement track described below.
The sanction ladder — and who is personally liable
Art. 38 of d.lgs. 138/2024 sets the monetary ceilings:
- Essential entities: up to €10,000,000 or 2% of total annual worldwide turnover, whichever is higher.
- Important entities: up to €7,000,000 or 1.4% of total annual worldwide turnover, whichever is higher.
The monetary fine is rarely the worst outcome. For non-compliant essential entities that fail to remedy after a diffida, ACN can order the temporary suspension — partial or total — of activities or services: an operational shutdown of the service delivered through the affected information systems.
The accountability is personal. Under art. 23, the management body has three non-delegable duties: approve the security measures, oversee their implementation, and complete dedicated training. The liability test is not whether a director personally ordered a deficient control — it is whether they adequately supervised implementation. As an accessory measure, ACN may suspend executives from their functions until corrective measures are adopted. This is why a board minute approving the measures, with a documented oversight cadence, is itself load-bearing evidence — its absence is a finding on its own.
The enforcement clock — ACN’s procedural sequence
ACN cannot fine you by surprise. The sequence has defined gates, each of which is an opportunity to act:
- Preliminary notification. ACN communicates its preliminary conclusions — the alleged deficiencies and the legal basis.
- Observations window. You get a reasonable period — *no less than 15 days* — to submit written observations and supporting evidence.
- Diffida (formal warning). If ACN maintains the finding, it issues an order to bring the entity into compliance within a specified deadline.
- Enforcement. Only on failure to comply with the diffida does ACN proceed to interdictory measures (suspension of activity, suspension of directors) and the monetary sanction.
There is one exception: ACN can take immediate action, bypassing this sequence, where necessary to prevent or contain an incident with serious impact. Outside that exception, every gate above is a window you control. The single most expensive mistake is treating the preliminary notification as a verdict rather than as the start of a defence you are entitled to mount.
Phase A — the observations window (≥15 days)
This is the most important document you will write in the whole procedure. The reply to ACN's preliminary conclusions is where a procedure is most cheaply stopped — before a diffida, before any public-facing measure.
Goal: rebut the findings that are wrong, and for the findings that are right, demonstrate that remediation is already underway with dates.
Checklist for the observations file:
- Point-by-point response to each alleged deficiency, citing the specific control and the evidence that it exists (or the dated plan to implement it).
- The board-approval record under art. 23 — the minute approving the security measures and the oversight cadence. If it exists, lead with it.
- The asset perimeter declaration as registered on the ACN platform, reconciled against the actual estate, to show the categorisation was done correctly.
- The risk-analysis document, formal and with a review date, mapped to the ACN security measures.
- A remediation plan with dates for any genuine gap — a credible, dated plan is far stronger than a denial.
- A single point of contact for the procedure, with email and phone.
Do not pad the reply with marketing claims about your security posture. ACN assesses evidence, not assurances. An observation that says "control X is implemented, see signed artefact Y dated Z" beats a paragraph of narrative.
Phase B — responding to the diffida
If the observations did not close the procedure, ACN issues a diffida: a formal order to remediate by a stated deadline. Meeting that deadline is what stops the escalation to interdictory measures. Treat the diffida deadline as the hardest date in the procedure.
Checklist on receipt of the diffida:
- Parse the exact deadline and the exact required state. The diffida specifies *what* compliant looks like — remediate to that specification, not to your own interpretation.
- Stand up a remediation tracker with one row per required measure, an owner, a target date inside the diffida window, and an evidence link per row.
- Escalate to the management body immediately. Art. 23 makes this their problem; the board must be on record approving the remediation and the resourcing.
- Implement and capture evidence at write time — every configuration change, every patch, every policy approval, signed and timestamped as it happens, not reconstructed afterwards.
- File a remediation report to ACN before the deadline, with the evidence dossier attached, demonstrating the required state has been reached.
The failure mode here is treating the diffida as the moment to *start* compliance work. By the time a diffida lands, the deadline is short; entities that begin remediation only then routinely miss it and walk into the interdictory measures.
Evidence checklist — the audit-grade compliance dossier
Across the whole procedure, ACN consumes one underlying body of evidence at three gates (inspection, observations, diffida remediation). Have it ready, signed and timestamped, with chain-of-custody:
- Board-approval minutes under art. 23 (approval of measures + oversight cadence + training records) — consumed first, by the inspection and the observations.
- Asset and service inventory reconciled with the ACN-platform categorisation — consumed by the observations.
- Formal risk-analysis document with review history, mapped to the ACN security measures — consumed by the observations.
- Security-measures implementation records — per-control evidence (configurations, policies, test results) — consumed by both the observations and the diffida remediation.
- Incident-handling records (pre-notification within 24h, notification within 72h) where an incident triggered the procedure — consumed by the diffida.
- Corrective-action tracking with dates and approvers — consumed by the diffida remediation report.
If this dossier is assembled by hand under a 15-day or diffida-length clock, the bandwidth conflict is immediate and the quality shows. The operational discipline that holds up is to sign evidence continuously, at write time, rather than reconstruct it on demand. This is the gap Zero Hunt's Automatic Compliance pillar is built to close: 32 mapped frameworks including NIS2 (with Title 13), severity-weighted scoring, cross-framework control mapping, and ECDSA-signed reports with chain-of-custody by construction, surfaced through a Trust Center with one-click export. When ACN asks for the state of a control on a given date, the answer is an export of a signed record, not a person-week of cross-tool reconciliation.
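What "signed at write time, with chain-of-custody" means in practice, as an added example that is not part of the original page or of any product it names: an append-only evidence ledger in Python in which each record (control, state, artefact hash, date, signer) is hash-chained to the previous record and authenticated, so that the state of a control on a given date (the question from the inspection, the observations and the diffida report alike) is a lookup over verifiable records, and any later edit, deletion or backdating breaks verification. It uses a standard-library HMAC so it runs offline; a deployment would use an asymmetric signature (ECDSA or Ed25519) under a key the compliance team cannot use to re-sign history, plus an external timestamp. The control identifiers (M-01, M-07), dates, signer names, key and artefact contents are constructed placeholders, not ACN measure numbers.

```python
"""Hash-chained, HMAC-authenticated evidence ledger (added example, not the
page's or any vendor's code). Control ids, dates, signers, key and artefact
bytes below are constructed placeholders, not ACN measure identifiers."""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64
PAYLOAD_KEYS = ("seq", "control", "state", "artefact_sha256", "recorded_on", "signer")


class EvidenceLedger:
    def __init__(self, key: bytes):
        self._key = key  # production: HSM/KMS-held signing key, not a shared secret
        self.entries: List[Dict] = []

    @staticmethod
    def _chain_hash(payload: Dict, prev_hash: str) -> str:
        # Canonical JSON so the hash does not depend on dict ordering.
        canon = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + canon).encode()).hexdigest()

    def _tag(self, chain_hash: str) -> str:
        return hmac.new(self._key, chain_hash.encode(), hashlib.sha256).hexdigest()

    def append(self, control: str, state: str, artefact: bytes,
               recorded_on: str, signer: str) -> Dict:
        """Record the state of a control with the hash of its supporting artefact.
        recorded_on is an ISO date (YYYY-MM-DD), so plain string comparison orders it."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        payload = {
            "seq": len(self.entries),
            "control": control,
            "state": state,
            "artefact_sha256": hashlib.sha256(artefact).hexdigest(),
            "recorded_on": recorded_on,
            "signer": signer,
        }
        h = self._chain_hash(payload, prev)
        entry = {**payload, "prev_hash": prev, "hash": h, "sig": self._tag(h)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every link and tag; any edit, deletion or reorder fails."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            payload = {k: e[k] for k in PAYLOAD_KEYS}
            if e["seq"] != i or e["prev_hash"] != prev:
                return False
            if self._chain_hash(payload, prev) != e["hash"]:
                return False
            if not hmac.compare_digest(self._tag(e["hash"]), e["sig"]):
                return False
            prev = e["hash"]
        return True

    def state_on(self, control: str, as_of: str) -> Optional[Dict]:
        """Latest record for a control dated on or before as_of: the answer to
        'what was the state of control X on date Y?'."""
        latest = None
        for e in self.entries:
            if e["control"] == control and e["recorded_on"] <= as_of:
                latest = e
        return latest


def open_gaps(ledger: EvidenceLedger, required: List[str], as_of: str) -> List[str]:
    """Controls with no 'implemented' record as of the date: the rows a diffida
    remediation report still has to close."""
    gaps = []
    for c in required:
        e = ledger.state_on(c, as_of)
        if e is None or e["state"] != "implemented":
            gaps.append(c)
    return sorted(gaps)


def build_demo_ledger() -> EvidenceLedger:
    # Constructed sample: the artefact bytes stand in for real file contents.
    led = EvidenceLedger(key=b"demo-key-not-for-production")
    led.append("M-01", "planned", b"mfa-rollout-plan-v1", "2026-06-15", "ciso")
    led.append("M-07", "planned", b"backup-policy-draft", "2026-07-01", "ciso")
    led.append("M-01", "implemented", b"idp-config-export", "2026-09-30", "iam-lead")
    return led


def tampered_copy(ledger: EvidenceLedger) -> EvidenceLedger:
    """Simulate backdating M-01 to 'implemented' after the fact, without re-signing."""
    t = copy.deepcopy(ledger)
    t.entries[0]["state"] = "implemented"
    return t


if __name__ == "__main__":
    led = build_demo_ledger()
    print("chain valid:", led.verify())
    print("M-01 on 2026-06-30:", led.state_on("M-01", "2026-06-30")["state"])
    print("gaps on 2026-10-31:", open_gaps(led, ["M-01", "M-07"], "2026-10-31"))
    print("tampered chain valid:", tampered_copy(led).verify())
```

The design point is that the ledger answers the three gates from one record set: `state_on` serves the observations reply ("control X was in state Y on date Z, see artefact hash"), `open_gaps` is the remediation tracker the diffida report is built from, and `verify` is what lets an inspector trust either without a reconstruction exercise.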
Common failure modes
Five anti-patterns recur across entities that turn a recoverable finding into a sanction:
1. Treating the preliminary notification as a verdict. It is the opening of a defence with a guaranteed window of at least 15 days. Entities that do not file substantive observations forfeit their cheapest off-ramp.
2. Starting compliance work only when the diffida lands. The diffida deadline is short by design. Compliance is a multi-month programme; it cannot be improvised inside a diffida window.
3. No board-approval record under art. 23. When the management-body approval and oversight cadence are undocumented, the absence is itself a finding — and it exposes directors personally to suspension, independent of the technical gaps.
4. Evidence assembled by hand during the procedure. Manual reconstruction under a regulatory clock produces inconsistent, unsigned artefacts that read as weak. Evidence signed at write time reads as strong.
5. A perimeter declaration that does not match reality. A categorisation on the ACN platform that diverges from the actual estate is a finding ACN can spot directly, and it undermines the credibility of everything else you file.
Cross-regime notes
A NIS2 enforcement procedure rarely travels alone. The same governance failure that draws an art. 38 procedure often exposes the entity under adjacent regimes:
- GDPR (Garante). If the underlying incident or deficiency involves personal data, a parallel art. 33 notification and a separate Garante procedure run alongside the ACN track — with their own fines (up to €20M or 4% turnover) and their own evidence requests.
- DORA (Banca d'Italia). Financial entities in the NIS2 perimeter are also DORA entities, and DORA applies as lex specialis for ICT risk management, incident reporting, testing and supervision, so the NIS2 obligations in those areas are displaced for them. The management-body accountability under DORA mirrors art. 23, and a finding on one side is visible to the other. The DORA 4h/72h/1-month playbook covers that incident track.
- Management-body accountability is the common thread. NIS2 art. 23, DORA governance, and GDPR accountability all converge on the same board. Documenting board approval and oversight once, with signed evidence, satisfies all three — the alternative is three separate reconstructions under three separate clocks.
Build the compliance evidence base once and export it per regime. The methodology angle on proactively exercising these scenarios — so the dossier is proven before a supervisor asks — is covered in TLPT (Threat-Led Penetration Testing).
Want this against your environment?
Book a 30-minute scoping call — we will map this directly to your current compliance scope and threat profile.