Table of contents
- A turning point for digital security
- Why NIS2 was a critical step for Italy
- Who was affected and what had to be done
- What non-compliant companies now risk
A turning point for digital security
July 31, 2025 marked a crucial deadline for more than 25,000 organizations in Italy, which were required to comply with the cyber security obligations under the European NIS2 directive, transposed into Italian law through Legislative Decree No. 138/2024.
Companies classified by the National Cyber Security Agency (ACN) as “essential” or “important” had to complete or update their data on the official ACN platform by that date.
Those who failed to comply are now facing administrative fines: up to 0.1% of annual turnover for essential entities and 0.07% for important ones.
Why NIS2 was a critical step for Italy
According to Clusit, 10% of global cyberattacks target Italy. The Cisco Cyber Security Readiness Index 2025 showed that 82% of Italian companies experienced at least one AI-related incident. Even more worrying, 56% of SMEs were unprepared or unaware of cyber risks.
NIS2 aimed to address this situation by increasing digital resilience across the EU. The directive raised cyber security standards for critical infrastructure in both public and private sectors, affecting 18 key industries including energy, healthcare, transport, cloud, space, digital services, and data centers.
Who was affected and what had to be done
Companies notified by ACN as “essential” or “important” were required to:
- Submit or update data on public IP addresses, domain names, and responsible executives;
- Declare the EU countries where they operate relevant services;
- Start implementing a cyber security governance system;
- Prepare to notify major incidents by January 2026.
The July 31, 2025 deadline marked the first formal step in the annual compliance process.
What non-compliant companies now risk
Companies that failed to register correctly or missed the deadline are now subject to:
- Fines up to 0.1% of annual turnover for essential entities;
- Fines up to 0.07% for important entities.
And that’s not all. By October 2026, affected organizations must also:
- Adopt risk management policies;
- Implement technical and organizational security measures;
- Complete a baseline cyber security assessment.