ACN Issues New Determinations No. 379907/2025 “basic obligations” and no. 379887/2025 “ACN Portal and NIS Services.”
On December 24, 2025, the National Cybersecurity Agency (ACN) published the new Determinations No. 379907/2025 and No. 379887/ 2025 on 24 December 2025, respectively on basic obligations and on the ACN Portal and NIS Services, finalizing and consolidating the national regulatory framework in view of the entry into force of the obligations for NIS entities.
The provisions aim at: - define the technical and operational elements of security obligations in greater detail;
- intervene on the terms, methods, and procedures for registering and managing relations with the Authority through the ACN Portal;
- replace the previous determinations, overcoming their transitional nature.
Determination No. 379907/2025, applicable from January 15, 2026, updates and replaces the previous ACN Determination No. 136118 of April 2025, clarifying timelines, security measures, and responsibilities for NIS entities.
The new elements concern the basic obligations, which have been refined as summarized in the FAQ DSB.1 on the ACN institutional website. However, these are not radical changes.
Articles 5 and 6 regulate the transitional regime relating to the obligation to report incidents for essential services operators and telco operators, providing that the relevant provisions remain in force until January 14, 2026, and are subsequently replaced by the general rules on the notification obligation applicable from January 15, 2026.
The determination also updates and refines the four technical annexes to the previous determination containing the rules on binding basic obligations, regulating in a differentiated manner, among other things, the basic security measures for essential and important entities, the criteria for identifying significant incidents, and the inclusion of the CSIRT contact person and any substitutes in the cybersecurity organization referred to in measure GV. RR-02.
With regard to the adjustment period, the determination confirms those set out in the previous one: eighteen months for the adoption of security measures and nine months for the fulfillment of obligations to report significant incidents, both as of the moment of notification of inclusion in the list of NIS entities.
Determination No. 379887/2025, instead, updates and replaces the previous Determination No. 333017/2025, introducing new provisions regarding the ACN Portal and NIS Services.
The measure is applicable from December 31, 2025, and is published in view of the next window for NIS entity registration for the year 2026, scheduled from January 1 to February 28.
From a systematic point of view, the new determination does not change the overall architecture of the census, user association, registration, and information update processes, which remain substantially unchanged. The first change concerns terminological rationalization. The ‘registration’ service is now called the ‘NIS/Declaration Service’, a choice that more accurately reflects the legal nature of the act performed by the contact point, expressly qualified as a declaration made pursuant to Presidential Decree No. 445/2000 (Article 1, paragraph 1, letter j)).
The most significant change is the introduction, in Article 11, paragraph 8, of a mechanism for stabilization of the declaration. Ten calendar days after the declaration is submitted on the ACN Portal, it is considered definitively acquired and can no longer be modified by the user. This provision was absent in the previous regulations and marks a significant step towards the crystallization of the information declared, strengthening the Authority's reliance on the database and, at the same time, the accountability of the NIS entity, thus resolving several interpretative doubts that emerged during the first year of the NIS regime.
Closely linked to this mechanism, paragraph 9 of the same article introduces an express regulation of late declarations, qualifying as such those submitted or modified after the annual registration window, except in the case of proven technical and operational criticalities not attributable to the user, which have actually occurred in practice.
Another new feature is the pre-compilation of the declaration, provided for in Article 11(10), for entities already included in the NIS list. At the time of registration in 2026, these entities will see a draft declaration prepared on the basis of the information submitted in the previous year, which must be verified and confirmed. This is a procedural simplification that does not affect the declarant's obligation to check and take responsibility but facilitates continuity of information and reduces the risk of inconsistencies.
With regard to annual updates (Article 16), the new provision explicitly expands the scope of information to be verified and confirmed, expressly including the details of the CSIRT contact person and any substitutes.
On the other hand, the structure relating to operational roles on the ACN Portal—contact point, substitute, secretariat, operators—remains essentially unchanged, as do the rules on user registration, user association, and the verification and control powers of the competent NIS national authority. Similarly, there are no significant changes to the provisions on consistency checks, the compilation of the list of NIS entities, and formal communications.
In short, the Determinations address some critical issues identified in the first phase of implementation and provide for refinements that consolidate the regulatory framework in line with the full implementation of the NIS Directive. |
