D.Lgs. 138/2024

NIS2 Compliance for your SME.

Gap analysis, compliance plan, security measures implementation and ACN registration. We bring you into compliance without disrupting your business.

Security measures: October 2026 (implementation deadline)
Maximum fines: €10M or 2% of global turnover
Registered entities: 30,000+ on the ACN platform

Who must comply with NIS2

D.Lgs. 138/2024 transposes Directive (EU) 2022/2555 and broadens the scope to 18 sectors and over 80 types of entities. If you operate in a critical sector with more than 50 employees or over 10 million in revenue, you are almost certainly included.

But even SMEs below the threshold can be affected as supply chain providers to essential entities. Your larger clients are starting to require NIS2 compliance: the risk comes from the supply chain.

Check if you are required to comply →
Essential Entities
Fines up to €10M or 2% of turnover
  • ⚡ Energy
  • 🚛 Transport
  • 🏥 Healthcare
  • 💧 Drinking water & wastewater
  • 💻 Digital infrastructure
  • 🔧 ICT service management (B2B)
  • 🏦 Banking & financial sector
  • 🏣 Public administration
  • 🚀 Space
Important Entities
Fines up to €7M or 1.4% of turnover
  • 🏭 Manufacturing
  • 📦 Postal & courier services
  • ♻️ Waste management
  • 🍞 Food production & distribution
  • 🔬 Manufacturing (chemicals, electronics, medical devices)
  • 🌐 Digital service providers
  • 🎓 Research
🔗 Suppliers in the supply chain of essential entities may also be involved

NIS2 deadlines: 2025–2026

The compliance journey has precise milestones. Some have already passed.

Feb 2025

ACN Registration

Mandatory registration on the Agenzia per la Cybersicurezza Nazionale platform. Over 30,000 entities registered.

Apr 2025

Point of Contact

Designation of the Point of Contact responsible for communications with ACN.

Dec 2025

CSIRT Liaison

Designation of the CSIRT Italia liaison and any alternates through the ACN portal.

Jan 2026

Incident notification goes live

Mandatory notification to CSIRT Italia for significant incidents: pre-notification 24h, notification 72h, final report 30 days.

Apr 2026

Governance & documentation

Formal approval of security policies, risk register, RACI, business continuity plans. Management must sign off.

Oct 2026

Security measures implemented

37 measures for important entities, 43 for essential entities. From October 2026, ACN begins inspections.

What NIS2 compliance requires

Concrete technical and organisational measures - documented, verifiable. A formal checkbox exercise is not enough.

⚠️ Risk management

Formal processes to identify, assess and treat cyber risks. Documented risk assessments, regularly updated and approved by management. This is the starting point of every ACN inspection.

🚨 Incident notification to CSIRT

Procedures for detection, response and notification to CSIRT Italia. Pre-notification within 24h, formal notification 72h, final report 30 days. Operational since 1 January 2026.

🔒 Network & systems security

Patch management, MFA, encryption, network segmentation. Specific and measurable technical controls.

🔗 Supply chain security

Verification and monitoring of critical suppliers. Contractual security clauses, periodic audits.

♻️ Business continuity

Backup plans, disaster recovery, operational continuity. Periodically tested, not just documented.

👔 Management accountability

Executives are personally liable. They must approve policies, monitor implementation and attend training.

🎓 Mandatory training

Security awareness for employees and management. The board must attend specific training and approve security policies.

📋 ACN registration & CSIRT liaison

Registration on the ACN platform, designation of the Point of Contact and the CSIRT Italia liaison.

CSIRT Italia: incident notification

Since 1 January 2026, notification of significant incidents to CSIRT Italia is fully operational.

24 hours

Pre-notification

Initial report to CSIRT Italia within 24 hours of becoming aware of a significant incident. Even with partial information.

72 hours

Formal notification

Update with technical details: nature of the incident, impact, mitigation measures taken.

30 days

Final report

Complete report: root cause, actual impact, corrective measures implemented, lessons learned.

Who is the CSIRT liaison?

A natural person designated by the Point of Contact with basic skills in cybersecurity and incident management. They can be internal or external (e.g. a SOC/CERT manager). One or more alternates can be designated to ensure 24h pre-notification coverage.

What must be notified?

Significant incidents: those that cause or may cause serious operational disruption, significant financial losses, or repercussions on third parties. Threats and near misses are reported on a voluntary basis.

CSIRT Italia contacts

ACN Portal: csirt.gov.it
Email: csirt@pec.acn.gov.it
Notification is submitted through the ACN Services Portal in the dedicated section.

Our NIS2 compliance plan

A four-phase journey. We start from what you already have.

01

Gap Analysis

We assess the distance between your current situation and the D.Lgs. 138/2024 requirements. We review documentation, processes and actual system configuration. This is hands-on, not theoretical.

2–3 weeks · Gap report + priorities

02

Compliance plan

Not a generic checklist. A plan with priorities, timelines and concrete costs. What to do now, what to schedule, what to delegate to us. Clear budget from the start.

1 week · Plan with budget

03

Implementation

We handle the technical implementation: patch management, MFA, backup, firewall, SIEM, process documentation. With NOC10 active, many NIS2 measures are already covered.

4–12 weeks · 37–43 operational measures

04

Documentation & CSIRT

Production of all documentation: security policies, risk register, RACI, continuity plans. Designation of the CSIRT liaison and configuration of the notification procedure.

1–2 weeks · Complete NIS2 dossier

NOC10

With NOC10, you're already halfway there

If you have NOC10 active, most NIS2 technical measures are already implemented. 24/7 monitoring, CVSS patch management, backup monitoring, incident response, SIEM, managed firewalls. Periodic VAPT completes the picture.

For NOC10 clients, NIS2 compliance is a matter of documentation and formalisation - not a ground-up IT overhaul. And the CSIRT liaison? We can serve as your external SOC manager.

  • CVSS patch management
  • 24/7 monitoring + SIEM
  • Backup monitoring
  • Incident response
  • Managed firewalls
  • Periodic VAPT
Discover NOC10 →

Frequently asked questions about NIS2

We're an SME with 30 employees. Are we required to comply?

It depends on your sector and position in the supply chain. The direct thresholds are 50 employees or 10 million in revenue, but many SMEs below the threshold are involved as suppliers to essential entities. NIS2 requires obligated entities to verify the security of their suppliers: if you serve a NIS2 company, your security profile becomes part of their compliance.

We already have GDPR in order. Is that enough for NIS2?

No. GDPR and NIS2 have different scopes. GDPR protects personal data, NIS2 protects networks and information systems. Some measures overlap (risk assessment, incident management), but NIS2 requires specific technical measures - patch management, MFA, network segmentation, SIEM - and mandatory notification to CSIRT Italia within 24 hours.

What are the penalties for non-compliance?

For essential entities: up to 10 million euros or 2% of annual global turnover. For important entities: up to 7 million or 1.4% of turnover. Failure to register with ACN can cost from 50,000 euros upwards. But the concrete short-term risk is reputational: large clients require NIS2 compliance from suppliers, and may exclude you from the supply chain.

What is the CSIRT liaison and who designates them?

The CSIRT liaison is the natural person responsible for incident notification to CSIRT Italia. They are designated by the Point of Contact through the ACN portal. They must have basic skills in cybersecurity and incident management. They can be internal or external - for example, the SOC manager. Alternates can also be designated to ensure 24/7 coverage.

How long does full compliance take?

For a company starting from scratch, 3–6 months. If you already have NOC10 active, timelines are halved because technical measures are already in place. The initial gap analysis is completed in 2–3 weeks. The critical deadline is October 2026 for security measures; from that point ACN can begin inspections.

Can we outsource the CSIRT liaison?

Yes. The regulation does not prohibit outsourcing. The CSIRT liaison can be external personnel, such as a SOC/CERT manager. For NOC10 clients, we can take on the CSIRT liaison role, handling incident notification and the communication channel with ACN.

Start with the gap analysis.

In 2–3 weeks we tell you exactly where you stand with NIS2 and what you need to do. Fixed prices, no surprises.

Request the gap analysis →

NIS2 Compliance

Gap analysis, compliance plan and CSIRT support. Fill in the form, we'll get back to you within 24h.