NIS2: The July 31 deadline has passed. Now cyber security obligations and fines begin

18 August 2025

Table of cotents

A turning point for digital security
Why NIS2 was a critical step for Italy
Who was affected and what had to be done
What non-compliant companies now risk

A turning point for digital security

July 31, 2025 marked a crucial deadline for more than 25,000 organizations in Italy, which were required to comply with the cyber security obligations under the European NIS2 directive, transposed into Italian law through Legislative Decree No. 138/2024.

Companies classified by the National Cyber Security Agency (ACN) as “essential” or “important” had to complete or update their data on the official ACN platform by that date.

Those who failed to comply are now facing administrative fines: up to 0.1% of annual turnover for essential entities and 0.07% for important ones.

Why NIS2 was a critical step for Italy

According to Clusit, 10% of global cyberattacks target Italy. The Cisco Cyber Security Readiness Index 2025showed that 82% of Italian companies experienced at least one AI-related incident. Even more worrying, 56% of SMEs were unprepared or unaware of cyber risks.

NIS2 aimed to address this situation by increasing digital resilience across the EU. The directive raised cyber security standards for critical infrastructure in both public and private sectors, affecting 18 key industries including energy, healthcare, transport, cloud, space, digital services, and data centers.

Who was affected and what had to be done

Companies notified by ACN as “essential” or “important” were required to:

Submit or update data on public IP addresses, domain names, and responsible executives;
Declare the EU countries where they operate relevant services;
Start implementing a cyber security governance system;
Prepare to notify major incidents by January 2026.

The July 31, 2025 deadline marked the first formal step in the annual compliance process.