On 13 April 2026, following the eighth meeting of the NIS Working Table, the National Cybersecurity Agency (“ACN”) published two new determinations of the Director General updating the implementation framework of the NIS regime set out in Legislative Decree No. 138 of 4 September 2024 (“NIS Decree”). Following the completion of the initial implementation phase set out in Article 42 of the NIS Decree, the new measures address two issues: firstly, Determination 127434/2026 sets out compliance deadlines for new NIS entities added to the list in 2026. Secondly, Determination 127437/2026 amends the rules for using and accessing the ACN digital platform, introducing significant changes relating to relevant suppliers and the classification of activities and services.
Determination No. 127434/2026
Determination No. 127434/2026 updates and supplements Determination No. 379907 of 19 December 2025, which establishes the baseline specifications for compliance with the obligations under Articles 23, 24, 25, 29, and 32 of the NIS Decree. In particular, the measure sets the following deadlines:
- Entities included in the NIS list in 2026 (new entities): the deadline for these entities to adopt baseline security measures is 31 July 2027. The obligation to report significant baseline incidents will instead apply from 1 January 2027, requiring the CSIRT Contact Person to be designated by the end of 2026.
- Entities included in the NIS list in 2025 and remaining in the 2026 list: the deadlines provided for in the previous determination remain unchanged for these entities: 18 months from the notification of inclusion in the list to adopt baseline security measures and 9 months to comply with the obligation to notify significant baseline incidents.
- Top-level domain name registry operators and registration service providers: entities included in the NIS list in 2026 must comply with the obligations set out in Article 29(1) and (2) of the NIS Decree — namely collecting and maintaining accurate and complete registration data, and adopting and publishing verification policies and procedures under paragraph 3 of the same article — by 31 July 2027. For entities already included in the 2025 list and remaining in 2026, deadlines remain set at eighteen months from receipt of the inclusion notification.
Determination No. 127437/2026
Determination No. 127437/2026 updates and replaces Determination No. 379887/2025, introducing a number of significant operational changes for NIS entities, particularly with regard to supplier management and activity categorization.
First, the measure amends Article 1 by introducing four new definitions. The concept of “Relevant NIS Suppliers” is introduced, identifying entities that supply services or products to an NIS entity and that meet at least one of the following criteria:
- the supply relates to activities or services referred to in Annex I, points 8 and 9, of the NIS Decree, namely digital infrastructures or ICT service providers;
- interruption or compromise of the supply would significantly impact the NIS entity’s ability to deliver its activities or services, including due to the unavailability of alternative suppliers, thereby qualifying the supply as non-substitutable.
The determination also introduces the definitions of “Categorized List of Activities and Services”, meaning the list of activities and services performed by the NIS entity together with their relevance category; “Listing and Categorization of Activities and Services”, meaning the process for preparing such list; and “NIS Service/Categorization”, i.e., the service made available by ACN to NIS entities for preparing and submitting the categorized list.
The updated determination also addresses the notification regime, codifying in Article 4(9) an option already anticipated in ACN FAQs. Exceptionally, in the event of unavailability of the CSIRT Contact Person and their deputies, the Point of Contact may submit mandatory and voluntary notifications under Articles 25 and 26 of the NIS Decree on behalf of the NIS entity, thereby formalizing an operational solution previously adopted in practice.
Article 7 also amends deadlines for designating the CSIRT Contact Person, establishing that the designation must be made by the Point of Contact via the ACN Portal telematic procedure by 31 December of the year in which the entity is included in the NIS list. The determination also introduces an exemption clause for financial entities falling within the scope of Regulation (EU) 2022/2554 (DORA Regulation), without prejudice to the possibility of voluntary adherence.
Further amendments concern late registration. Article 16(11) now states that, regardless of the sanctions outlined in Article 38(10)(b) of the NIS Decree, if registration is submitted late, the deadline for completing the annual update is thirty days from the date on which the notification of inclusion among NIS entities is received.
Of particular note is the introduction of Article 18, which establishes ex novo the obligation to list Relevant Suppliers (defined as entities that provide services or products to an NIS entity and whose provision qualifies as ICT under the NIS Decree, or whose interruption or compromise would significantly affect the NIS entity’s ability to carry out its activities or provide its services, including due to the lack of alternatives) as part of the annual update of information. The exercise aims to identify, among the suppliers of NIS entities, those likely to be recognized as important or essential entities, in order to promote an adequate level of cybersecurity throughout the supply chain. Through the “NIS Service/Annual Information Update,” NIS entities must indicate, for each relevant supplier, the company name, tax identification number, country of registered office, CPV codes under Regulation (EC) No. 2195/2002 relating to the supplies received, and the relevance criterion adopted, distinguishing between ICT supply and non-substitutable supply. The listing must be carried out between 15 April and 31 May 2026.
Articles 20 and 21, also newly introduced, regulate the process of listing and categorizing NIS entities’ activities and services pursuant to Article 30 of the NIS Decree. Under Article 20, from 1 May to 30 June each year, NIS entities must communicate and update, through the “NIS Service/Categorization,” the categorized list of activities and services. The Point of Contact confirms the information pursuant to Presidential Decree No. 445 of 28 December 2000 and transmits it electronically to ACN, which also sends a copy to the entity’s digital domicile. After the deadline, the list is deemed final and no longer amendable; late submissions are permitted but cannot be modified, except where the delay is caused by documented technical-operational issues not attributable to the entity.
Article 21 introduces a compliance verification mechanism whereby ACN conducts sample-based analyses of categorized lists submitted by NIS entities. These analyses compare the lists with both the applicable determination and lists from comparable NIS entities. The outcome of the checks will be communicated within ninety days of submission, with the possibility of an extension at the discretion of ACN.
With regard to the categorization process, the determination also provides an exemption clause for financial entities subject to the DORA Regulation, which are exempt from implementing Article 20 requirements, without prejudice to voluntary participation.
Overall, Determination No. 127437/2026 significantly strengthens the informational and organizational obligations of NIS entities, introducing a more structured approach to supply chain management and the classification of activities and services, in line with the objectives of strengthening cyber resilience under the national and European regulatory framework.