Newsletter 13 Oct 2025 · Italy

ACN Issues New Determination No. 333017/2025: Strengthening Cybersecurity Governance and Expanding NIS Obligations

The National Cybersecurity Agency (ACN) has published Determination No. 333017/2025, which came into effect on 30 September 2025. This new measure supplements, updates and replaces ACN Determination No. 283727 of 22 July 2025. It introduces additional obligations for entities within the scope of Legislative Decree No. 138 of 4 September 2024 (“the NIS Decree”).
The determination introduces several significant changes, including:

  • updates to the provisions governing the designation of the Substitute Point of Contact;
  • new requirements concerning the appointment of the CSIRT Representative and their Substitutes;
  • updates to the process for registering authorised users on the ACN Portal;
  • a new exception concerning the annual update of information.

As set out in the NIS2 Directive and the NIS Decree, entities subject to the regulations must notify the ACN of the name of their designated Point of Contact via the dedicated portal. This individual is responsible for the registration process under Article 7 of the NIS Decree and acts as the official intermediary between the Agency and the NIS entity.
To ensure operational continuity, the Point of Contact is supported by a Substitute Point of Contact who guarantees that communications between the NIS entity and the ACN continue to function properly. The new determination confirms that the deadline is 31 May in the year that the NIS entity receives notification of its inclusion on the official list, in line with the previous regulatory framework.

A key innovation is the introduction of an exception from the obligation to appoint a Substitute Point of Contact in cases where the Point of Contact coincides with the only individual operating within the NIS entity and the entity is objectively unable to appoint an alternative. This exception is set out in the final paragraph of Article 5.
This provision, which was absent from the previous determination, represents a significant adjustment to the regulatory framework. It enables small or minimally structured entities to overcome practical limitations that previously forced them to appoint a Substitute, even when there were no available personnel.

Another significant change introduced by the new determination is the addition of Article 7, which formally establishes the role of the CSIRT Representative. The Point of Contact must designate this individual through the dedicated online procedure available on the ACN Portal between 20 November and 31 December 2025.

The CSIRT Representative plays a central role in the national cybersecurity framework, acting as the operational interface with CSIRT Italia. They are responsible for fulfilling the mandatory and voluntary incident notifications set out in Articles 25 and 26 of the NIS Decree. Specifically, they are responsible for reporting incidents that significantly impact the provision of essential services, as well as for voluntarily submitting any relevant information concerning the security of networks and information systems.
The determination also permits the appointment of one or more Substitute CSIRT Representatives through the same procedure. These Substitutes will support the Representative and ensure operational continuity. For the purposes of appointment, the Representative and any Substitutes must possess proven expertise in cybersecurity and incident management, along with a thorough understanding of the information systems and networks operated by the entity they represent.

This role has been introduced to strengthen the technical and communication links between NIS entities and the national cybersecurity infrastructure, ensuring that security incidents and communications are managed more quickly, systematically and effectively. However, companies must pay close attention to the formal requirements for delegation, as errors in the process may invalidate the appointment.

Regarding user registration, the determination extends the authentication methods used to access the ACN Portal, allowing both SPID and Electronic Identity Card (CIE) credentials to be used. Where these authentication tools are unavailable, the existing procedure for requesting personal credentials remains applicable. The provisions concerning the association of user accounts for the Point of Contact and Substitute remain unchanged.
The determination also rectifies a clerical error in Article 12, thereby confirming that it is possible to request the application of the safeguard clause set out in Article 3, paragraph 12 of the NIS Decree. This applies in cases where the calculation of turnover and balance sheet figures does not align with the criteria established by the Prime Ministerial Decree referenced in Article 40, paragraph 1(a) of the NIS Decree.

Finally, with regard to the annual information update process, a new provision exempts entities falling within the scope of both the NIS Decree and the DORA Regulation from the obligation to list management and administrative bodies under Articles 16(3)(b) and 17 of the NIS Decree. However, this exclusion raises interpretative challenges as it removes an obligation specifically designed for the legislation's primary subjects, which could create systemic inconsistencies.

In conclusion, the new determination issued by the National Cybersecurity Agency is another step towards consolidating the operational framework established under the NIS Decree. It introduces mechanisms aimed at improving the efficiency and coherence of interactions between NIS entities and the ACN. While the changes simplify certain compliance obligations for smaller organisations, they also expand the criteria for designation and competence to ensure a more professional and timely response to cybersecurity incidents.
