Newsletter 14 Jan 2026 · Italy

New NIS Guidelines: Definition of the Cybersecurity Incident Management Process


On 31 December 2025, the Italian Cybersecurity Agency (Agenzia per la Cybersicurezza Nazionale - ACN) published new guidelines providing operational guidance on the cybersecurity incident management process. The ability of an organisation to manage incidents effectively is a key factor in ensuring resilience and continuity of operations and services.
The ACN guidelines set out a structured incident management model comprising four main phases: preparation, detection, response and recovery.
These phases are underpinned by a cross-cutting approach aimed at consistently improving the incident management process.
The details of each phase must be formalised and documented in an incident management plan, which should at least include:
 

  1. a description of the incident management and notification phases and procedures, including the identification of the relevant roles and responsibilities;
  2. procedures for preparing and submitting incident reports (interim, monthly and final) as referred to in Articles 25(5)(c), (d) and (e) of the NIS Decree;
  3. contact information for incident reporting;
  4. internal communication arrangements, including communications to management and governing bodies, as well as external communications; and
  5. reporting templates for documenting incidents.

 
Preparation Phase
 
The preparation phase consists of a set of preliminary activities that ensure a structured, consistent, and effective management of cybersecurity incidents.
The preparation phase is divided into three sub-phases:

  • Governance: defines the strategic and organisational framework for incident management, develops the incident management plan and assigns roles and responsibilities for the activities within the incident management process;
  • Identification: builds an in-depth understanding of the operational context, which is needed to plan an effective response. This includes, in particular, an inventory of information systems and networks and the identification of the key threats and vulnerabilities;
  • Protection: defines and adopts security measures intended to reduce the likelihood of incidents and to limit their impact. These measures fall into two categories: technological measures and organisational measures.

 
Technological measures include, by way of example, the collection and analysis of logs to monitor security events, scheduled backups of data and configurations, access control tools, and alternative communication channels for use when the primary channels are unavailable.
Organisational measures include operational procedures supporting the incident management process, as well as training and awareness activities for personnel on cybersecurity matters, complemented by periodic exercises.
 
Detection Phase
 
The detection phase is about identifying and analysing events relevant to cybersecurity. The aim is to detect incidents promptly and limit their impact on the organisation's operations.
 
For example, events relevant to cybersecurity include:

  • repeated authentication attempts across multiple domain user accounts originating from the same hostnames or IP addresses;
  • unauthorised changes to domain administrator groups;
  • authentication attempts originating from hostnames or IP addresses identified as indicators of compromise (IOCs);
  • requests to web applications that originate from user agents that are classified as IOCs;
  • execution of scripts containing suspicious commands;
  • domain administrator access or VPN connections occurring outside normal working hours or from unusual locations;
  • anomalous network communications to URLs or IP addresses identified as IOCs;
  • traffic spikes originating from multiple IP addresses;
  • instances of abnormal saturation of inbound bandwidth.

 
In order to identify such events, appropriate monitoring activities must be put in place. These activities may be implemented through two complementary approaches:

  • proactive, through the systematic search for indicators of malicious activity within information systems, as well as through the analysis of security information shared by CSIRT Italy concerning new risk scenarios, anomalous behaviours, or ongoing attack campaigns;
  • reactive, through the analysis of alerts generated by security tools and reports received from internal stakeholders (e.g. users experiencing malfunctions or service disruptions) and from external entities, such as CSIRT Italy.

 
Activities involving the search for potential indicators of compromise and the configuration of security tool alert rules are based on specific detection logics, which can be defined using the following methodologies:

  • IOC-based, which relies on identifying known indicators of compromise (IOCs) in system logs, such as file hashes, file names or libraries. This approach is effective against known threats but struggles to detect new threats or threats whose indicators change rapidly;
  • Anomaly-based, which identifies deviations from the normal behaviour of information systems through statistical analysis, machine learning and the analysis of large volumes of data. Although this approach can detect unknown threats, it requires an accurate model of expected behaviour, can produce a high number of false positives and demands significant investment in data collection and processing;
  • TTP-based, which relies on knowledge of the tactics, techniques and procedures (TTPs) that malicious actors use to achieve their objectives. This methodology is particularly effective because TTPs change less frequently than technical indicators and are shared across multiple actors, since they are tied to the targeted technologies and operational environments.
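The three detection logics above, applied to the kinds of events listed in the detection phase (password spraying from a single source, off-hours domain administrator logons, IOC-matched sources and user agents, inbound bandwidth saturation), as an added example that is not part of the ACN guidelines or of this newsletter. The log records, IOC values, working hours and thresholds are constructed for illustration only.

```python
"""Added example: IOC-based, TTP-based and anomaly-based detection logic
run over constructed sample records. Nothing here is from the ACN text;
IOC values, working hours and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed authentication events (not real logs): timestamp, source IP,
# account, whether the attempt succeeded, whether the account is a domain
# admin, and the client user agent.
AUTH_EVENTS = [
    {"ts": "2026-01-12T09:00:05", "ip": "10.0.0.5",      "user": "alice",       "ok": True,  "admin": False, "ua": "Mozilla/5.0"},
    {"ts": "2026-01-12T09:00:10", "ip": "198.51.100.9",  "user": "alice",       "ok": False, "admin": False, "ua": "curl/8.0"},
    {"ts": "2026-01-12T09:00:12", "ip": "198.51.100.9",  "user": "bob",         "ok": False, "admin": False, "ua": "curl/8.0"},
    {"ts": "2026-01-12T09:00:14", "ip": "198.51.100.9",  "user": "carol",       "ok": False, "admin": False, "ua": "curl/8.0"},
    {"ts": "2026-01-12T09:00:16", "ip": "198.51.100.9",  "user": "dave",        "ok": False, "admin": False, "ua": "curl/8.0"},
    {"ts": "2026-01-12T09:00:18", "ip": "198.51.100.9",  "user": "erin",        "ok": False, "admin": False, "ua": "curl/8.0"},
    {"ts": "2026-01-12T03:20:00", "ip": "10.0.0.77",     "user": "admin.frank", "ok": True,  "admin": True,  "ua": "Mozilla/5.0"},
    {"ts": "2026-01-12T10:30:00", "ip": "203.0.113.44",  "user": "grace",       "ok": True,  "admin": False, "ua": "Mozilla/5.0"},
    {"ts": "2026-01-12T11:00:00", "ip": "10.0.0.8",      "user": "heidi",       "ok": True,  "admin": False, "ua": "EvilScanner/1.0"},
]

# Assumed IOC feed (e.g. as shared by a CSIRT); values are made up.
IOC_IPS = {"203.0.113.44"}
IOC_USER_AGENTS = {"EvilScanner/1.0"}

# Constructed inbound bandwidth samples in Mbit/s, one per minute.
INBOUND_MBPS = [120, 135, 110, 128, 140, 125, 130, 118, 122, 133, 610, 590]


def parse_ts(s):
    return datetime.fromisoformat(s)


def ioc_based(events, ioc_ips=IOC_IPS, ioc_uas=IOC_USER_AGENTS):
    """IOC-based logic: exact match against known-bad IPs and user agents.
    Cheap and precise, but blind to anything not already on the list."""
    return [e["user"] for e in events if e["ip"] in ioc_ips or e["ua"] in ioc_uas]


def ttp_password_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """TTP-based logic: one source trying many distinct accounts in a short
    window. Works regardless of the attacker's IP or tooling because it
    keys on the behaviour, not on an indicator."""
    attempts = defaultdict(list)
    for e in events:
        attempts[e["ip"]].append((parse_ts(e["ts"]), e["user"]))
    flagged = set()
    for ip, items in attempts.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                flagged.add(ip)
                break
    return flagged


def ttp_off_hours_admin(events, start_hour=8, end_hour=19):
    """TTP-based logic: successful domain-admin logon outside the assumed
    working hours [start_hour, end_hour)."""
    hits = []
    for e in events:
        if e["ok"] and e["admin"]:
            h = parse_ts(e["ts"]).hour
            if not (start_hour <= h < end_hour):
                hits.append((e["user"], e["ts"]))
    return hits


def anomaly_based(samples, baseline_len=10, k=3.0):
    """Anomaly-based logic: flag samples above baseline mean + k * stddev.
    The baseline is the first baseline_len samples; a poor baseline or a
    low k is exactly where the false positives the text warns about come from."""
    baseline = samples[:baseline_len]
    threshold = mean(baseline) + k * pstdev(baseline)
    return [i for i, v in enumerate(samples[baseline_len:], start=baseline_len) if v > threshold]


if __name__ == "__main__":
    print("IOC hits:", ioc_based(AUTH_EVENTS))
    print("Password spray sources:", ttp_password_spray(AUTH_EVENTS))
    print("Off-hours admin logons:", ttp_off_hours_admin(AUTH_EVENTS))
    print("Bandwidth anomalies at sample indices:", anomaly_based(INBOUND_MBPS))
```

Each function returns the matches rather than printing them, so the same logic can feed an alerting pipeline; note that the spray rule counts all attempts, not only failures, so that the successful logon an attacker eventually lands still falls inside the flagged window.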

 
Response Phase
 
Once a cybersecurity incident has been detected, the response phase must be triggered. The aim of this phase is to manage the event promptly and effectively, reduce its impact and prevent further consequences. It is divided into four sub-phases:
 

  • Reporting, which involves notifying the relevant authorities and communicating with internal and external stakeholders in accordance with the procedures and timelines set out in the regulatory framework.
  • Investigation, aimed at thoroughly analysing the incident in order to reconstruct the entire sequence of events (the so-called “cyber kill chain”), identify the root cause of the incident and assess the scope and depth of the compromise.
  • Containment, intended to limit the perimeter of the attack to reduce its impact and prevent its spread to other information systems and networks. If additional evidence of compromise emerges at the end of this sub-phase, the investigation phase must be restarted.
  • Eradication, which consists of the complete removal of the attacker’s control, movement, and persistence capabilities within the compromised infrastructure.

 
Eradication activities include, for example:

  • resetting or revoking the credentials used by the attacker;
  • removing malicious artefacts from affected systems and networks;
  • cleaning compromised systems;
  • resolving or mitigating vulnerabilities exploited by the attacker;
  • installing updates, particularly security updates;
  • monitoring for any reactions from the attacker in response to eradication activities;
  • updating the attack timeline with evidence collected during this phase;
  • conducting additional scans to verify the presence of malware.

Recovery Phase
 
The recovery phase aims to restore affected information systems and services to normal operational conditions. This involves ensuring the full restoration of functionality and verifying that the entire environment is stable, secure and operational.
 
The guidelines are further supplemented by two supporting appendices. Appendix A provides an introduction to the basic specifications and illustrates their key elements, facilitating a comprehensive understanding of the document. Appendix B is dedicated to security measures for incident management and lists those required under the NIS framework for each relevant phase and sub-phase of the incident management process.
 
Based on the guidelines, organisations are now required to prepare, implement and maintain cyber threat response plans. These plans may be assessed for effectiveness by the Authority and organisations will be held accountable in the event of successful attacks.