NIS2 Incident Management in Italy: ACN, CSIRT and Determination No. 379907/2025
20 January 2026
Denise Harb
- Cybersecurity, Technology, Work and Society
Incident management under NIS2 in Italy is governed by Legislative Decree No. 138/2024 and by ACN determinations, in particular Determination No. 379907/2025, which define notification obligations, organizational roles, and interaction with CSIRT Italia.
With the national implementation of Directive (EU) 2022/2555 (NIS2), the European framework on the security of network and information systems definitively moves beyond the phase of formal transposition and enters a fully operational dimension. In Italy, this transition is made particularly evident by the implementing measures adopted by the National Cybersecurity Agency (ACN), including ACN Determination No. 379907/2025 and the related guidelines on incident management and notification.
The shift in paradigm is clear: NIS2 compliance is no longer assessed solely through policies and statements of principle, but through an organization’s ability to manage a cybersecurity incident in a structured, timely, and well-documented manner, demonstrating ex post the soundness of the decisions taken and of the communications made to the competent authorities.
From the regulatory framework to operational accountability
Italy implemented NIS2 through Legislative Decree No. 138 of 4 September 2024, which entered into force on 16 October 2024. The decree assigns ACN a central role not only in supervision, but also in defining the technical and procedural specifications necessary to make the obligations set out in the directive effectively applicable.
At the European level, Directive (EU) 2022/2555 introduces an advanced concept of incident management, based on two core principles: the timeliness of reporting and the traceability of the entire decision-making cycle. The notification obligation is not conceived as a purely formal requirement, but as an integral part of the incident response, within a dynamic balance between operational needs and regulatory obligations.
In this context, ACN determinations and guidelines act as a “bridge” between the abstract legal norm and its concrete application within organizations subject to NIS2.
Significant incidents and assessment of the relevance threshold
One of the most delicate aspects of the operational phase concerns the identification of significant incidents, namely events which, due to their actual or potential impact, trigger the obligation to notify the competent national authority and CSIRT Italia.
NIS2 does not require indiscriminate notification of every security event; instead, it requires organizations to develop an internal capability to assess significance based on objective and predefined criteria. This entails the need for rapid decision-making processes capable of operating even under conditions of incomplete information, which are typical of the first hours following the discovery of an incident.
The European logic of progressive reporting—early warning, notification within 72 hours, and a final report—explicitly acknowledges that the technical understanding of an incident evolves over time. What is required is not the perfection of the initial information, but the consistency of the information pathway and the ability to update the authority promptly with increasingly accurate data.
The five-phase management process as a control architecture
The ACN guidelines on incident management outline a structured five-phase process, which represents the methodological backbone of a NIS2-compliant response. This model should not be interpreted as a rigid sequence, but rather as an organizational framework that makes incident response repeatable, verifiable, and auditable.
From initial intake and triage, through analysis and qualification of the event, to containment, recovery, and closure activities, each phase contributes to building a logical thread that links the technical event to organizational responsibility. From this perspective, incident management is no longer exclusively a function of the SOC or the incident response team, but a cross-functional process involving governance, legal functions, compliance, and top management.
The added value of a phased approach lies above all in the ability to associate decisions, actions, and communications with clearly defined points in time, reducing the ambiguity that often emerges in ex post reconstructions.
Key roles: NIS point of contact and CSIRT liaison
The operational phase makes the correct definition of roles essential. ACN guidance clearly distinguishes between the NIS point of contact, a role responsible for coordination and institutional representation, and the CSIRT liaison, who is responsible for operational interaction with CSIRT Italia during incident handling.
This distinction responds to the need for functional separation between governance and operations. On the one hand, the NIS point of contact ensures coherence, continuity, and oversight of regulatory obligations; on the other, the CSIRT liaison ensures timeliness and technical quality in communications, preventing information flows from being slowed by unnecessary decision-making layers.
In terms of organizational resilience, the presence of distinct and formally defined roles reduces the risk of information bottlenecks and strengthens the organization’s ability to operate effectively even under pressure.
Documentation and traceability as accountability tools
One of the most innovative—and often underestimated—elements of NIS2 concerns the centrality of documentation. Incident management must be fully traceable: from the initial technical evidence to escalation decisions, from notifications sent to authorities to remediation activities and improvements to controls.
Documentation is not required solely for inspection purposes, but constitutes the primary means through which an organization demonstrates that it has acted diligently, proportionately, and consistently with the regulatory framework. In this sense, the “incident file” becomes the operational equivalent of the accountability principle already well known in other regulatory domains, such as data protection.
Notifications to CSIRT Italia and the European timeline
NIS2 imposes a strict timeline for notifications, which represents a minimum and non-negotiable requirement. The early warning within 24 hours of becoming aware of a significant incident, the notification within 72 hours, and the final report within one month establish a rhythm that obliges organizations to adopt predefined and tested playbooks.
It is important to note that European legislation clarifies that notification activities must not compromise containment and mitigation actions. However, this does not exempt organizations from the duty to communicate: the ability to produce a defensible initial assessment within 24 hours effectively becomes an indicator of organizational maturity.
Conclusion
With ACN Determination No. 379907/2025 and the new guidelines, NIS2 incident management definitively enters its operational phase. For essential and important entities, the challenge is no longer to interpret the regulation, but to demonstrate over time the ability to apply it through structured processes, clearly defined roles, traceable decisions, and timely communications with CSIRT Italia.
From this perspective, NIS2 compliance cannot be reduced to a purely documentary exercise; rather, it becomes a concrete measure of organizational resilience and of the ability to govern technical uncertainty within a regulated environment.
Sources
Directive (EU) 2022/2555 (NIS2) – European Parliament and Council, 14 December 2022.
Legislative Decree No. 138 of 4 September 2024 – Implementation of Directive (EU) 2022/2555, Official Gazette of the Italian Republic.
National Cybersecurity Agency (ACN) – NIS2 section and reference legislation, including determinations and operational guidelines (including ACN Determination No. 379907/2025).
CSIRT Italia – Institutional documentation on cyber incident reporting and notification, portal and operational guides.