NIS2 · Governance & ACN
NIS2: Cybersecurity Is a Top-Management Responsibility — The New ACN FAQs

NIS2 is not (just) an IT project. The new FAQs published by ACN on the obligations of administrative and management bodies put it in writing: approval of the strategic cybersecurity documents rests with top management — and cannot be delegated. This is where security stops being a matter for the technical office and becomes a board-level responsibility.
What the new ACN FAQs clarified
Italy's National Cybersecurity Agency (ACN) updated the FAQs on the obligations of the administrative and management bodies of NIS entities. The update integrates FAQs ODA.8 and ODA.9 and introduces the new ODA.10, ODA.11 and ODA.12, with operational guidance on who approves what and how to organise the documentation. Beneath the interpretive gloss lies a reaffirmation of principle: NIS2 puts the accountability on the top.
The approval that cannot be delegated
The sharpest point concerns Article 23 of Legislative Decree 138/2024 (Italy's NIS2 transposition). Approval of the documents it requires remains an exclusive competence of the collegial or, where applicable, single-member body, and cannot be delegated. What can be delegated is the operational activity needed to actually implement the obligations.
Approval of the Article 23 documents is not delegable; only operational implementation is.
ACN FAQs — obligations of administrative and management bodies
The distinction is subtle but decisive: the board does not have to write the technical procedures or configure the systems. But it must knowingly approve the strategic framework — and own the responsibility for it.
What the approved document must contain
FAQ ODA.10 specifies the level of detail required: documents submitted for approval to the administrative and management bodies must set out the security measures at least at the level of direction and strategic planning. In practice, top management approves the general framework by which the NIS entity intends to govern cyber risk: policies, objectives, responsibilities, directions and criteria. Not the implementation details, but the direction.
A flexible documentation model
FAQs ODA.11 and ODA.12 ease the formal burden. The NIS entity can organise its documentation as it prefers: a single strategic document or a set of coordinated documents, depending on complexity and organisational model. And, crucially: updating procedures, operating instructions or technical manuals referenced in the strategic documents does not require a new approval of the latter.
The boundary to draw well
This flexibility is an advantage, but it shifts the work onto a design question: where does the 'strategic' (board-approved) end and the 'operational' (delegable and updatable) begin?
- Strategic → the board. Direction, objectives, responsibilities, risk-governance criteria: these go in the document the board approves.
- Operational → delegable. Procedures, configurations, technical manuals: implementation and updates without going back to the board.
- The risk at both extremes. If the strategic document "absorbs" operational detail, every technical patch would need a fresh resolution; if it stays too vague, it fails Article 23. The boundary must be drawn carefully.
Why it matters: the responsibility is personal
These clarifications reinforce the core of NIS2 — and, upstream, of Article 20 of Directive (EU) 2022/2555: management bodies approve the risk-management measures, oversee their implementation and are required to receive training on cybersecurity. Security becomes a governance matter with the board's direct responsibility for setting priorities, direction, resources and digital-resilience capacity. It is not a technical delegation: it is a strategic choice the board answers for.
Operational: what to do now
- 01Prepare the Art. 23 strategic document. At the ODA.10 level: direction, objectives, responsibilities and risk-governance criteria, in a form the management body can approve.
- 02Map the operational delegation. Who implements what, with which responsibilities and limits — without moving the strategic approval.
- 03Draw the strategic/operational boundary. So that technical updates don't require a new board resolution, but stay within the delegated perimeter.
- 04Train and empower the board. Approval must be informed: training the management bodies is an obligation, not an optional.
- 05Keep the evidence. Approval minutes, document versions, delegation acts: the proof that, in an ACN inspection, shows knowing approval and a coherent model.
In conclusion
The new ACN FAQs simplify the form but raise the stakes on substance: cybersecurity is a boardroom matter. Documentation flexibility helps those who already set up governance well, and exposes those who treated NIS2 as a technical box-ticking exercise. The difference, once again, is not having the documents — it is having the right documents, approved by the right bodies, and being able to prove it.
Is your board ready to approve NIS2?
Tomato Blue supports management bodies in preparing the Art. 23 strategic document, drawing the strategic/operational boundary, and building the evidence ready for an ACN inspection.
Talk to us →Sources
Legislative Decree 138/2024 (transposition of the NIS2 Directive), Art. 23; Directive (EU) 2022/2555 (NIS2), Art. 20; National Cybersecurity Agency (ACN), "Updated ACN FAQs on the obligations of administrative and management bodies of NIS entities" and NIS FAQ — Roles and procedures (FAQs ODA.8-12), acn.gov.it.
This article is for informational purposes only and does not constitute legal advice nor replace professional counsel tailored to the specific case. The positions expressed reflect the analysis of Tomato Blue RegTech.