NIS2: ACN Determinations 379887 and 379907 - What Changes From January 2026?

What the new ACN determinations mean for NIS2 compliance

The Italian National Cybersecurity Agency (ACN) has published two key determinations — 379887 and 379907 — that mark a turning point for businesses operating in Italy and across the European Union. These documents translate the NIS2 directive from policy language into concrete, enforceable obligations. Starting January 2026, companies that fall within scope will need to demonstrate real compliance, not just good intentions.

For small and medium businesses that have been watching NIS2 from the sidelines, the clock is now ticking. Understanding what these determinations require is no longer optional — it is a business priority.

A quick recap: what is NIS2 and why it matters

The NIS2 directive (EU 2022/2555) is the European Union’s updated framework for network and information security. It replaced the original NIS directive to address the growing sophistication of cyber threats targeting critical infrastructure, supply chains, and essential services across member states.

What makes NIS2 different from its predecessor is its significantly expanded scope. While the original directive mostly affected large operators in sectors like energy and transport, NIS2 casts a much wider net. Medium-sized companies with 50 or more employees, or those with annual turnover exceeding €10 million, can now fall under its requirements. Sectors covered include healthcare, digital infrastructure, public administration, waste management, food production, postal services, and manufacturing of critical products.

According to ENISA’s 2024 threat landscape report, ransomware and supply chain attacks remain the top threats facing European organisations, with SMBs increasingly targeted as entry points into larger networks. NIS2 was designed precisely to close these gaps.

ACN determinations 379887 and 379907: what they actually say

Italy transposed the NIS2 directive into national law through Legislative Decree 138/2024. The ACN determinations 379887 and 379907 are the implementing measures that give this law its teeth. They specify the technical and organisational requirements that in-scope entities must meet, along with reporting obligations and supervisory mechanisms.

Determination 379887: security measures and risk management

This determination focuses on the baseline cybersecurity measures that organisations must adopt. It covers areas such as:

  • Risk assessment and management — companies must implement a structured process for identifying, analysing, and mitigating cyber risks relevant to their operations.
  • Incident handling — clear procedures must be in place for detecting, responding to, and recovering from security incidents.
  • Supply chain security — organisations are expected to evaluate and manage cybersecurity risks originating from their suppliers and service providers.
  • Business continuity — plans for maintaining essential operations during and after a cyber incident are mandatory, including backup management and disaster recovery.
  • Access control and encryption — appropriate technical controls must protect sensitive systems and data.

For SMBs, this means cybersecurity can no longer be an afterthought delegated to “the IT person.” It requires a documented, systematic approach that is proportionate to the size and risk profile of the organisation.

Determination 379907: incident notification and reporting

This determination establishes the timeline and procedures for notifying the ACN and other relevant authorities when a significant cyber incident occurs. The reporting framework follows a tiered structure:

  • Early warning within 24 hours of becoming aware of a significant incident.
  • Incident notification within 72 hours, providing an initial assessment of severity, impact, and known indicators of compromise.
  • Final report within one month, detailing root cause analysis, remediation actions taken, and cross-border impact where applicable.

These are tight deadlines, especially for businesses that have never formalised their incident response processes. Without preparation, meeting the 24-hour early warning requirement alone can be extremely challenging.

Who needs to comply and by when

The January 2026 operational deadline applies to all entities that have been identified as essential or important under the Italian NIS2 transposition. If your organisation operates in one of the covered sectors and meets the size thresholds, you are likely in scope.

ACN has been conducting a registration and identification process, and entities that have received formal notification from the agency should already be aware of their status. However, even without direct notification, companies that meet the criteria are expected to self-assess and take action.

The European Commission estimates that over 100,000 organisations across the EU fall under NIS2’s expanded scope. In Italy alone, thousands of medium-sized businesses in sectors like food production, manufacturing, and digital services are affected for the first time.

Sanctions: what happens if you do not comply

NIS2 introduces a significant sanctions regime. For essential entities, fines can reach up to €10 million or 2% of global annual turnover, whichever is higher. For important entities — which is the category where most SMBs will fall — the maximum is €7 million or 1.4% of global turnover.

Beyond financial penalties, ACN has the authority to issue binding instructions, conduct audits and, in severe cases, temporarily suspend certain business activities or ban individuals from management roles. These are not theoretical risks: the regulatory framework is designed to ensure that non-compliance carries real consequences.

Practical steps for SMBs to prepare

With the January 2026 deadline approaching, businesses that have not yet started their compliance journey need to act quickly. Here are the most important steps to take:

Conduct a gap analysis. Compare your current cybersecurity posture against the requirements laid out in determination 379887. Identify where your organisation falls short in risk management, incident handling, access controls, and supply chain oversight.

Build or formalise your incident response plan. The reporting timelines in determination 379907 demand a structured, rehearsed response capability. Assign roles, define escalation paths, and test the process through tabletop exercises.

Document everything. Compliance under NIS2 is not just about having security tools in place — it is about demonstrating that you have a managed, auditable approach. Keep records of risk assessments, policy decisions, training activities, and incident responses.

Assess your supply chain. If you rely on third-party providers for IT services, cloud hosting, or software, evaluate their security posture. Your compliance obligations extend to managing risks introduced by your suppliers.

Invest in training. Human error remains the leading cause of security breaches. Regular awareness training for all employees — not just technical staff — is both a regulatory expectation and a practical necessity.

The bigger picture for European businesses

The ACN determinations are Italy’s implementation of a broader European push toward resilient digital infrastructure. Similar enforcement mechanisms are being rolled out across EU member states, meaning that businesses operating in multiple countries will need to navigate overlapping but aligned requirements.

For SMBs, NIS2 represents both a challenge and an opportunity. The compliance burden is real, but so is the competitive advantage of being able to demonstrate robust cybersecurity to clients, partners, and regulators. In a market where data breaches regularly make headlines and supply chain trust is increasingly scrutinised, taking security seriously is not just about avoiding fines — it is about building a sustainable business.


Need support on this topic? Contact us for a free consultation — let’s assess your company’s situation together.

Stay updated every week on cybersecurity, AI and technology for SMBs: subscribe to our newsletter.