
NIS2 in Italy: What SMEs and Suppliers Must Do by October 31, 2026


The 2026 calendar is set. Three dates really matter: May 31, June 30, October 31. The first is only weeks away.

Article 4 of ACN Determination No. 379907/2025 sets October 31, 2026 as the ultimate deadline by which first-wave entities must have all baseline security measures operational, with documentary evidence. This is not a declarative deadline: ACN requires verifiable proof of compliance.

For Italian SMEs that were registered in 2025, or that will register during May-June 2026, the countdown starts now. That leaves a net five months to close the 37 (important) or 43 (essential) minimum controls.

What changed with Determination 379907/2025

Italian Legislative Decree No. 138 of September 4, 2024 transposed European NIS2 (Official Gazette No. 230 of October 1, 2024, in force since October 16, 2024). The decree delegated the technical regulation of concrete security measures to ACN. That regulation has arrived: Determination 379907/2025 from the ACN Director General, applicable from January 15, 2026.

The Determination defines two levels of obligations:

  • Important entities: 37 security measures, broken down into 87 operational requirements (Annex 1)
  • Essential entities: 43 measures, 116 requirements (Annex 2)

The difference is not cosmetic. The 6 additional measures for essential entities cover areas like advanced business continuity, vulnerability management with tight timelines, and active supply chain supervision. Knowing which category your organization falls into is the first step: criteria are set by D.Lgs. 138/2024 (sectors, size, role as essential or important service for the national system).

The 2026 operational calendar

Three closely-spaced deadlines, each with a distinct obligation:

May 1 – June 30, 2026 · Annual window for communicating activities and services to ACN

This is the period established by Article 30 paragraph 1 of D.Lgs. 138/2024 to update the list of activities and services on the ACN platform. It is not an audit: it is a self-declaration, but with substantial effects on categorization and therefore on applicable obligations.

May 31, 2026 · Communication of relevant NIS suppliers

By this date, subject organizations must transmit to ACN the list of suppliers relevant for NIS2 purposes. This is the first step in activating supply chain risk management obligations, the area in which, as a previous blog article put it, "those not ready exit the market".

October 31, 2026 · Full compliance with baseline security measures

The decisive deadline. For the first wave of entities (those already registered from 2025), all 37/87 or 43/116 measures must be operational with demonstrable documentary evidence. Policies that are written but not implemented are not enough: ACN can verify actual application.

What to do now

For those who haven't yet set up an operational plan, five months is not much, but it is enough if you start with the few points that generate the greatest impact.

  1. Map your regulatory position. Essential or important entity? Which services apply? Which suppliers are "relevant" for NIS2 purposes? This mapping must be completed before the ACN window opens on May 1, to avoid communicating categorizations that don't hold up under verification.
  2. Compare current posture with Annex 1 or 2 of the Determination. A serious gap assessment — not a questionnaire — is the fastest way to understand where interventions are needed before October 31. Measures not met must be mapped to concrete initiatives with internal deadlines well before September 30, to have a month of margin.
  3. Start due diligence on critical suppliers. The supply chain risk management obligation enters into force in the 2026 calendar with the May 31 communication. Starting contractual and technical assessments of the most strategic IT/cloud suppliers is the priority for June.
  4. Document demonstrably. ACN doesn't just ask whether something is "done"; it asks for evidence. Procedures, registers, execution logs, incident simulation reports: everything must be versioned and archived so that an external verifier can reconstruct compliance. For those who already have an ISO/IEC 27001 ISMS in place, much of the work is mapping NIS2 controls to already-implemented ISO controls.
  5. Plan for post-October 31. Compliance is not an event, it's a regime. The first realignment on the ACN platform will need to be redone in the May 1 – June 30, 2027 window. Building an annual operational cycle from the start avoids chasing every deadline.

The sanctions that remind us what's at stake

D.Lgs. 138/2024 sets sanctions for essential entities up to €10 million or 2% of annual worldwide turnover, and for important entities up to €7 million or 1.4% of turnover. Minor violations (communication delays, documentary omissions) stand at 0.1% (essential) and 0.07% (important). These figures aren't reached for a single missing control, but they exist because substantive compliance is mandatory.

For an SME with €5-20M turnover, even 0.07% translates into €3,500-14,000 per violation, a figure that adds to the reputational and contractual cost of public exposure. For essential entities, the corresponding 0.1% rate raises the figure to €5,000-20,000 per episode.
