NIS2: the first month of notifications in Italy

NIS2’s First Month: What Operational Reality Looks Like

January 1, 2026, marked the shift from formal compliance to operational reality for thousands of Italian companies subject to the NIS2 Directive. The obligation to notify significant incidents to CSIRT Italia is no longer a future deadline: it is live. The notification windows are tight, with 24 hours for pre-notification, 72 hours for the full notification, and 30 days for the final report, and they leave no room for improvisation.

In this first month, aggregated public data is not yet available, as ACN publishes quarterly reports to ENISA. However, we can draw a clear operational picture by examining technical guidelines, ACN FAQs, and the recurring patterns that CISOs have had to face. The question is no longer whether companies were ready, but what they discovered when they actually had to notify.

The Gap Between Formal Compliance and Operational Capability

Many companies completed their registration on the ACN Portal within the required deadlines, appointed the CSIRT Referent, and declared their essential or important services. On paper, everything was correct. The problem emerges when the first significant incident occurs.

ACN Determination 379907 of December 18, 2025, applicable from January 15, 2026, defines basic significant incidents through a precise taxonomy covering data confidentiality breach, service integrity, service availability, and data availability. But turning this taxonomy into an operational process that works at 3 AM requires more than a signature on a form.

The gap emerges on three fundamental levels. The first concerns the triage process, often nonexistent or improvised: who decides whether an alert becomes an incident and when it becomes significant? The second involves detection systems, inadequate for the required timelines: notifying within 24 hours means detecting the incident in time, and this requires centralized logging, a correlation engine, and automated alerting. The third concerns the lack of roles and responsibilities defined before the incident: who collects technical evidence, who assesses financial impact, who is authorized to press the submit button to CSIRT.

The 24-Hour Window and the Supply Chain Problem

The pre-notification within 24 hours of incident awareness is the first real operational test. It does not require a complete analysis, but it does need the information available at that moment. The real problem is establishing when awareness formally begins.

A concrete case illustrates the issue well: a SIEM alert at 2:30 PM on a Friday flags valid credentials used from a never-before-seen external IP. It takes hours to confirm the compromise, complete the impact analysis, and make the decision to notify. If everything is resolved by midnight, the margin is tight but sufficient. But what if the alert comes in at 10 PM? Does the process hold outside business hours, on weekends, during company holidays?

An even more critical issue concerns the supply chain. ACN FAQs have clarified that if an incident occurs on the systems of a supplier providing services on behalf of a NIS entity, the notification obligation falls on the final NIS entity, not the supplier. This has revealed a widespread contractual gap: how many SLAs with IT and cloud providers include clauses guaranteeing timely information flows in case of an incident? When an MSSP detects a ransomware attempt on Tuesday but only notifies the client on Thursday, the client has lost 48 hours on the notification window.

GDPR and NIS2 Overlap: Dual Notification, Same Incident

A breach involving unauthorized access to personal data may require notification under both GDPR (to the Privacy Authority, within 72 hours) and NIS2 (to CSIRT Italia, with a 24-hour pre-notification and a 72-hour full notification). The timelines are similar but not identical, the recipients are different, the required contents do not perfectly overlap, and the penalty consequences are separate.

Organizations that had prepared separate templates and procedures for GDPR and NIS2 found themselves needing to coordinate two parallel workflows, often with different teams (the DPO for GDPR and the CSIRT Referent for NIS2), who had to collaborate in an emergency without ever having tested the integrated process. The result is duplicated effort, risk of conflicting information between the two notifications, and confusion about which authority to inform first.

The final report due 30 days after incident closure raises the bar further: it requires documenting the root cause with proper forensics, mitigation measures adopted, and cross-border impact if applicable. It is not enough to say the threat was contained; process, decisions, evidence, and lessons learned must be documented in a way that can withstand an ACN inspection.

Key Takeaways for SMBs

  • Test before the incident: conduct tabletop exercises on realistic scenarios such as ransomware, data breach, and DDoS to verify that the notification process works end-to-end
  • Review supplier contracts: ensure that SLAs with IT, cloud, and MSSP providers include immediate communication obligations in case of an incident
  • Coordinate GDPR and NIS2: integrate the two notification workflows before a real incident puts them to the test simultaneously
  • Ensure 24/7 coverage: the process must work outside business hours, on weekends, and during holidays, not only during working hours
  • Prepare for forensics: have internal investigative capabilities or a contract with an external provider with guaranteed SLAs for the 30-day final report

Conclusion

NIS2’s first operational month in Italy has made the distance between formal compliance and real operational capability evident. ACN portal registration and CSIRT Referent appointment are necessary but not sufficient. What is needed are adequate detection capabilities, tested triage processes, trained teams, aligned vendor contracts, and a proven GDPR-NIS2 coordination framework. October 2026 will bring the deadline for full implementation of baseline security measures, but the notification obligation is already here, and it only works if the organization is truly ready, not just compliant on paper.


Need support on this topic? Contact us for a free consultation; let’s assess your company’s situation together.

Stay updated every week on cybersecurity, AI and technology for SMBs: subscribe to our newsletter.
