Table of contents
- What the NIS2 directive provides
- ACN registration exemption for schools
- Obligations for universities and other institutions
- Risk management and digital infrastructures
The NIS2 directive is a crucial step in strengthening cyber security across the European Union, imposing new obligations on public and private entities to ensure the security of digital infrastructures and reduce the risks of cyberattacks.
However, a recent interpretation of Legislative Decree 138/2024 clarifies that primary and secondary schools are not required to register on the platform of the National Cyber Security Agency (ACN), distinguishing them from other public administrations.
This article explores the details of the regulation, the reasons behind the schools’ exemption, and the importance of risk management in more critical sectors.
What the NIS2 directive provides
The exclusion of primary and secondary schools from the obligation to register on the ACN platform is an important exception in the application of the NIS2 directive.
This decision is based on the consideration that schools do not operate in strategic sectors considered to be “highly critical,” such as energy, healthcare, or transport. However, this does not mean that schools are free from the risk of cyberattacks.
Schools handle sensitive data daily, such as personal information about students, families, and school staff, and they use digital platforms for teaching and administrative management.
Despite the exemption from ACN registration, protecting this data remains a priority. This highlights the importance of implementing basic risk management measures even in contexts outside the directive’s scope.
Why schools are exempt
The exemption was decided to avoid burdening primary and secondary schools with complex administrative and technical obligations, considering that their digital infrastructure and societal role do not classify them as operators of essential services.
The NIS2 directive aims to protect critical digital infrastructures that, if compromised, could cause large-scale disruptions or serious harm to national security.
While schools play an essential role in educating future generations, they do not directly operate in high-risk strategic sectors.
This pragmatic approach avoids diverting resources to less critical areas, allowing for more targeted interventions in genuinely vulnerable sectors.
The importance of cyber security best practices
Although primary and secondary schools are not subject to ACN registration obligations, it is essential that they adopt a minimum level of risk management measures to prevent and mitigate potential significant incidents.
Cyberattacks on schools, such as ransomware or data theft, are increasing and can have severe impacts on the continuity of educational and administrative activities.
Examples of best practices include:
- Using up-to-date antivirus software;
- Implementing backup systems to protect school data;
- Training school staff to recognize common cyber threats, such as phishing and malware;
- Using secure connections and regularly updating devices connected to the school network.
The exemption for primary and secondary schools reflects a targeted approach to the regulation, differentiating between sectors of varying criticality.
ACN registration exemption for schools
One of the most significant developments for the education sector is the exemption of primary and secondary schools from the obligation to register on the ACN national platform. This means that schools are not required to report their presence or formally adopt all measures mandated by the NIS2 directive.
The exemption is justified by the fact that schools are not classified among the “highly critical” sectors under the directive, although they are still expected to follow best practices for risk management and protection against significant incidents.
Conversely, the Ministry of Education and Merit is included among the obligated entities due to its strategic role in managing educational infrastructures.

Obligations for universities and other institutions
While schools benefit from an exemption, the same cannot be said for universities and cultural institutions, whose status depends on decisions by sectoral NIS authorities. The Ministry of Universities and Research and the Ministry of Culture must identify which institutions are required to register and comply with the security measures provided.
These obligations reflect growing attention toward sectors that, while not directly tied to national security, are vulnerable to cyberattacks and may represent a weak link in the digital supply chain.
Risk management and digital infrastructures
A cornerstone of the NIS2 directive is the obligation to adopt risk management measures to prevent and mitigate the effects of significant incidents. This approach not only protects IT systems but also contributes to the security of the digital supply chain, ensuring the operational continuity of essential services.
Although schools are not subject to registration, it is crucial that they adopt basic practices to protect their digital infrastructures against potential cyber threats.
In conclusion
The exemption of primary and secondary schools from ACN registration highlights a flexible application of the NIS2 directive, focusing cyber security efforts on higher-risk sectors.
However, it is essential that all institutions, even those exempt, promote awareness and adopt best practices to guard against the growing threats in the digital landscape.
Questions and answers
- What is the NIS2 directive?
It is a European regulation to improve the security of networks and information in essential sectors.
- Do schools need to register on the ACN platform?
No, primary and secondary schools are exempt from registration.
- Which entities must register on the ACN platform?
Public entities, universities, and essential service operators identified by the competent authorities.
- What is meant by the security of the supply chain?
It refers to measures to protect all stages of the digital supply process against cyber threats.
- Why are schools exempt from NIS2?
Because they are not considered high-criticality sectors under the regulation.
- What are the penalties for non-compliance with NIS2?
Penalties can reach up to €50,000 for failure to register.
- Do universities need to comply with NIS2?
Yes, but only those identified by the Ministry of Universities and Research.
- What is the role of the Ministry of Education in NIS2?
It is obligated to meet security standards like other public administrations.
- What are significant incidents?
Events that compromise the continuity or security of essential services.
- When will the NIS2 directive be fully implemented?
The compliance deadline in Italy is February 28, 2025.