NIS2 and Supply Chain: If You're Not Ready, You're Out
The 2026 operational deadlines no company can afford to ignore
With the entry into force of Legislative Decree 138/2024, the ability to manage and notify cyber incidents has become a concrete operational requirement for entities within the NIS2 perimeter. Article 25 of the decree sets out a precise sequence: pre-notification within 24 hours, full notification within 72 hours, and a final report within one month. The operational specifics of these obligations also depend on ACN's implementing rules and the applicable timelines for each category of entities, but the regulatory framework is defined and the compliance journey cannot be postponed.
Public estimates released in recent months on the number of Italian organizations affected by NIS2 vary significantly depending on the scope considered and the sources used. Available assessments — including those from Italy's National Cybersecurity Agency (ACN) and industry analysts — point to tens of thousands of potentially affected organizations. For many of them, the cyber maturity level required represents a significant leap from their current state.
The sanctions regime under the decree distinguishes between essential entities and important entities, with different caps. For essential entities, fines can reach €10 million or 2% of annual global turnover; for important entities, the caps are €7 million or 1.4% of turnover. Management and governing bodies are directly involved in overseeing compliance: security governance is an integral part of NIS2 compliance and cannot be entirely delegated to IT.
Key figures:
- 2,755 cyber incidents recorded by ACN in H1 2025
- +36% increase vs. the previous semester (source: ACN)
- 10% of global attacks target Italy (source: Clusit)
Why NIS2 Is Different
NIS2 marks a paradigm shift from every previous directive. The focus moves from protecting IT systems to the organization's overall operational resilience. Cyber risk becomes a full-fledged business risk: it can halt production, compromise service continuity, and irreparably damage reputation.
According to ACN data, the first half of 2025 set a historic record with 2,755 cyber incidents in Italy, a 36% increase over the previous semester. According to the Clusit Report, Italy is the target of approximately 10% of global attacks, with sectors such as Public Administration and Healthcare on the front lines.
There's an often-overlooked element: the convergence of physical and cyber security. Every camera, access control system, and intrusion alarm today relies on digital infrastructure and communication networks. There is no longer a clear separation between "physical" and "cyber": every connected device is both an essential operational tool and a potential attack vector.
The Most Common Mistake: Managing Security in Silos
Too often, organizations manage physical and cyber security through separate teams, with equally distinct budgets and approaches. NIS2 demands overcoming this fragmentation.
A compromised video surveillance system isn't just a privacy issue. It can become an entry point for an attack on the corporate network, with consequences for production, sensitive data, and operational continuity.
Similarly, a cyber attack that blocks access control systems can compromise the physical security of a critical site. This interdependence requires an integrated security approach: joint requirements design, end-to-end risk assessment, and shared responsibility across the entire supply chain.
It's no longer sufficient to delegate cybersecurity to IT: management and governing bodies are directly involved in overseeing compliance, and security governance is an integral part of NIS2 requirements.
The Milestones to Meet
The NIS2 compliance path, as transposed by Legislative Decree 138/2024, is structured around progressive deadlines. Below is the updated status.
| Deadline | Obligation | Status |
|---|---|---|
| Apr 15 – May 31, 2026 | Annual update of information on the ACN portal (Art. 7). | UPCOMING |
| May 1 – Jun 30, 2026 | Communication / update of activities and services for categorization purposes (Art. 30). | UPCOMING |
| By Oct 2026 | Adoption of baseline security measures as defined by ACN implementing rules. | UPCOMING |
Regulatory references in the table:
- Art. 7 of Legislative Decree 138/2024 — entity registration and information updates on the ACN portal.
- Art. 30 — communication of activities and services for categorization purposes.
- Art. 25 — incident notification (pre-notification within 24h, notification within 72h, final report within 1 month).
To meet the 2026 operational deadlines, companies must already have clear internal procedures, streamlined decision flows, and an operational CSIRT point of contact.
Non-compliance does not only carry the risk of administrative sanctions. It can translate into a concrete competitive disadvantage: greater difficulty entering or remaining in structured supply chains, and growing relevance of cyber maturity levels in relationships with clients, principals, and partners. NIS2 compliance is becoming a qualification criterion for tenders, contracts, and strategic partnerships.
Where to Start
For companies that still need to begin their compliance journey, three actions are a priority:
1. Self-assess your readiness level. Identify the most critical systems and services, map connected devices — including physical security ones — and verify that incident management procedures are in place.
2. Clearly define roles and responsibilities. Formalize the involvement of management and governing bodies and designate points of contact for incident management and ACN communication.
3. Oversee the supply chain. Introduce minimum security requirements in contracts with critical suppliers and verify their security posture.
Estimated average investment: according to market analyses, approximately €283,000 for a medium-large company (range: under €100,000 to over €5 million). Industry studies predict a positive return as early as the second year: fewer incidents, lower downtime costs, and greater perceived reliability in the market.
NIS2 as an Integrated System
NIS2 isn't just another regulation to comply with. It's the formal recognition that security today is an integrated system.
There can be no physical security without cybersecurity.
There can be no operational continuity without cyber risk governance.
There can be no competitiveness without resilience.
That's why the issue isn't "avoiding the fine." The issue is remaining credible within the market.
Need Support for NIS2 Compliance?
The Tomato Blue team supports companies through their compliance journey, from gap analysis to setting up operational procedures.