The National Agency for Information Security (ACN) has published Resolution 164179, containing the technical specifications for implementing the NIS2 decree (Legislative Decree 138/2024). The NIS2 decree, which implements European Directive 2022/2555, substantially extends the scope of application compared to the previous legislation, covering sectors that were previously not included and introducing a distinction between ‘essential’ and ‘important’ entities. The Resolution, approved by Director General Bruno Frattasi, is a pivotal step in implementing the legislation to enhance cybersecurity standards within the European Union.

With effect from 30 April 2025, Resolution 164179 establishes varied timeframes based on the importance of the entity concerned, with specific transitional regimes for certain sectors. The technical specifications set out in Resolution 164179 establish the security measures and the requirements for reporting cyber incidents. This is achieved by balancing the need to raise the level of security rapidly against the need to give organisations the time to implement the required measures properly.

A salient element in this regard is the emphasis on the involvement of the administrative and management bodies of the organisations bound by the new regulation. This underlines a paradigm shift in which cyber security is no longer regarded as a purely technical issue but rather as an integral component of corporate governance at the highest levels.
NIS2: ACN publishes Italian Critical Infrastructure security measures
Type of event:
Cyber-security
April 16, 2025