
NIS2 Transposition Tracker: Italy's Legislative Decree 138/2024

Simone Nogara

October 2024 · 12 min read

Italy transposed the NIS2 Directive[1] through Legislative Decree 138/2024[2] (D.Lgs. 138/2024), published in the Gazzetta Ufficiale on 1 October 2024. This article provides a detailed analysis of the Italian transposition, its divergences from the directive-level text, the role of the Agenzia per la Cybersicurezza Nazionale (ACN), and the practical implications for entities operating in Italy—particularly those within Private Equity portfolios.

Overview of D.Lgs. 138/2024

The Italian transposition follows the structure of the NIS2 Directive closely but exercises the discretion afforded to member states in several consequential areas. The decree designates the ACN[3] as the sole national competent authority and single point of contact, consolidating supervisory functions that in some member states are distributed across sector-specific regulators. This centralisation simplifies the compliance landscape for multi-sector entities but concentrates enforcement authority in an agency that has signalled an active supervisory posture.

The decree establishes the Registro Nazionale NIS, a mandatory registration system administered by the ACN. All entities falling within scope—whether classified as essential or important—must register through a digital platform that collects information on the entity's activities, IT infrastructure, cybersecurity measures, and organisational structure. This registration requirement has no direct parallel in the directive text and represents an Italian-specific obligation that entities must address within the prescribed timeline.

The decree applies to entities established in Italy, entities providing services in Italy irrespective of establishment, and—critically for PE portfolios—entities that form part of a group where the parent or a subsidiary falls within scope. The group-level application extends NIS2 obligations to entities that might not independently meet the size or sector thresholds, creating compliance cascades across portfolio company structures.

ACN Registration Requirements

The ACN registration process is structured in phases. Initial registration requires entities to submit a self-assessment of their NIS2 status—essential or important—together with identification data, sector classification, and a preliminary description of their IT and network systems. The ACN then confirms or reclassifies the entity's status and issues formal notification of obligations.

The registration platform collects substantially more information than a simple notification. Entities must disclose their cybersecurity governance structure, identify the management body members responsible for cybersecurity oversight, and provide details of their supply chain dependencies and critical service providers. For Private Equity portfolio companies, this disclosure requirement means that the relationship between the portfolio company and the fund's operational infrastructure—shared services, centralised IT, common platforms—becomes visible to the supervisory authority.

Failure to register within the prescribed period constitutes a standalone infringement subject to administrative sanctions. The ACN has authority to impose penalties on entities that fail to register, that provide inaccurate information, or that fail to update their registration following material changes to their operations or governance structure.

Implementation Timeline

The Italian implementation follows a phased timeline that imposes incremental obligations. The decree entered into force on 16 October 2024. Initial entity self-identification and registration with the ACN was required by 28 February 2025. The ACN then undertakes classification confirmation and issues formal notifications to registered entities, triggering the substantive compliance obligations.

Following classification confirmation, entities have defined periods to achieve compliance with the specific requirements. Article 21 cybersecurity risk-management measures must be implemented within the timeframe established by the ACN's implementing regulations, which are being issued progressively. Article 23 incident notification obligations apply from the date of formal classification. Management body training obligations under Article 20 must be satisfied within the timeline specified in the ACN's supplementary guidance.

For Private Equity firms with Italian portfolio companies, the phased timeline creates both urgency and opportunity. Entities that have not yet completed self-assessment and registration face immediate compliance gaps. Those that have registered must now prepare for the substantive obligations that follow classification confirmation. The window for voluntary remediation—before supervisory enforcement commences in earnest—is narrow and should be used to establish governance frameworks, conduct gap assessments, and begin implementing technical and organisational measures.

Italian-Specific Obligations Beyond the Directive

D.Lgs. 138/2024 exercises member state discretion in several areas that create obligations specific to the Italian jurisdiction. The decree extends the scope of NIS2 to additional sectors and entity types beyond those specified in the directive's annexes, reflecting the ACN's assessment of Italy's specific critical infrastructure landscape. Entities in the public administration sector, including certain publicly controlled entities and in-house service providers, are brought within scope under Italian-specific provisions.

The decree also establishes enhanced cooperation mechanisms between the ACN and sector-specific regulators—including the Banca d'Italia, CONSOB, and the Garante per la protezione dei dati personali—for entities subject to overlapping regulatory frameworks. For financial services entities that must comply with both NIS2 and the DORA Regulation[4], the decree provides for coordination mechanisms intended to avoid duplicative requirements, though the practical implementation of this coordination remains to be tested.

The sanctions regime reflects Italy's exercise of discretion within the directive's parameters. Administrative fines for essential entities can reach ten million euros or two percent of total annual worldwide turnover, whichever is higher. For important entities, the ceiling is seven million euros or 1.4 percent of turnover. The decree also provides for sanctions on natural persons—specifically management body members—including temporary prohibition from exercising management functions in essential entities, a provision with direct implications for PE-appointed directors.

Supervision and Enforcement Model

The ACN's supervisory model distinguishes between essential and important entities. Essential entities are subject to ex ante supervision: proactive audits, inspections, and compliance verification initiated by the ACN. Important entities are subject to ex post supervision: the ACN acts on evidence of non-compliance, such as incident reports, third-party notifications, or intelligence from other authorities. This distinction has practical implications for compliance investment prioritisation within PE portfolios.

The ACN has established a dedicated NIS2 supervisory unit and is developing technical standards and implementing regulations that will specify the detailed requirements for Article 21 measures. These implementing provisions will determine the precise technical and organisational measures that entities must adopt, moving from the directive's principles-based requirements to specific standards against which compliance will be assessed. Entities should monitor the ACN's regulatory output and participate in consultation processes where available.

Implications for Private Equity Portfolios in Italy

For PE firms with Italian portfolio companies, D.Lgs. 138/2024 creates a structured compliance framework that demands systematic response. The first priority is a comprehensive portfolio-level assessment of NIS2 applicability: which entities fall within scope, whether as essential or important, and whether group-level provisions extend obligations to entities that would not independently qualify. This assessment should consider not only current operations but planned acquisitions and dispositions.

Compliance planning should address the full scope of obligations: ACN registration and ongoing reporting, management body governance and training, Article 21 risk-management measures, Article 23 incident notification capabilities, and supply chain security requirements. The cost of compliance varies significantly based on the entity's current cybersecurity maturity, sector-specific requirements, and classification as essential or important.

We recommend that PE firms approach NIS2 compliance not solely as a regulatory obligation but as an opportunity to strengthen the cybersecurity governance of portfolio companies in a structured, measurable manner. The framework imposed by D.Lgs. 138/2024 provides a clear standard against which to assess and improve cybersecurity posture—an increasingly material factor in portfolio company valuation and exit preparedness. Firms that invest in compliance early will benefit from reduced regulatory risk, enhanced operational resilience, and a demonstrable governance framework that supports value creation throughout the hold period.

References

  1. Directive (EU) 2022/2555 (NIS2 Directive). EUR-Lex
  2. Decreto Legislativo 4 settembre 2024, n. 138 — Recepimento della direttiva (UE) 2022/2555 (NIS2). Gazzetta Ufficiale
  3. Agenzia per la Cybersicurezza Nazionale (ACN). ACN
  4. Regulation (EU) 2022/2554 (Digital Operational Resilience Act — DORA). EUR-Lex