Who is subject to NIS2 in Italy (and who is not as exempt as they think)
Essential and important sectors, size thresholds and the borderline cases (supply chain, IT providers) that often think they are out of scope.
TL;DR
NIS2 in Italy (Legislative Decree 138/2024, transposing Directive (EU) 2022/2555) applies to an estimated 20,000-40,000 directly subject entities across 18 sectors, classified as essential or important. Medium and large MSPs and MSSPs are directly in scope under Annex I ("ICT service management (B2B)"); the many smaller Italian MSPs are pulled in indirectly through their customers' supply-chain obligations.
The applicability test
Three conditions to verify:
- Sector: one of the 18 sectors of Annex I (high-criticality sectors) or Annex II (other critical sectors).
- Size: medium or large under the EU SME definition (Recommendation 2003/361): at least 50 employees, or annual turnover and balance sheet total both above €10 million. A few categories are in scope regardless of size (see the FAQ).
- Territory: an establishment in Italy, or services provided in Italy.
Three yeses = in scope.
The 18 sectors
Annex I (high-criticality sectors)
Energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, space.
Annex II (other critical sectors)
Postal and courier services, waste management, chemicals, food, specific manufacturing (medical devices, computer/electronic/optical products, electrical equipment, machinery, motor vehicles and other transport equipment), digital providers (online marketplaces, search engines, social networks), research.
Essential vs important is not decided by the annex alone: large entities in Annex I sectors are essential, medium-sized ones are generally important, and in-scope Annex II entities are important. A few categories (e.g. TLD registries, DNS providers, qualified trust service providers) are essential regardless of size.
Borderline cases
MSPs serving essential entities
MSPs and MSSPs are listed: Annex I, "ICT service management (B2B)". A medium or large MSP that manages DR, security or cloud for customers is directly in scope. A smaller one is outside direct scope but lands in its customers' supply-chain obligations (Art. 21(2)(d) of the Directive): the customer must assess supplier risk and will demand security attestations, incident-notification clauses and SLAs. Not a NIS2 subject on paper, but the obligations arrive by contract.
Manufacturers
Depends on the NACE code. Annex II covers manufacturing of medical devices, computer/electronic/optical products, electrical equipment, machinery, motor vehicles and other transport equipment, plus chemicals and food under their own sector headings. Manufacturing outside those divisions is out of direct scope, although a manufacturer supplying an in-scope entity inherits supply-chain requirements from that customer.
Cloud providers
Cloud computing service providers are listed under "digital infrastructure" in Annex I, alongside data centre, CDN and DNS providers: large ones are essential, medium-sized ones important.
Professional firms
Generally out: law, accounting and consulting firms are not a listed sector. Serving an essential entity does not make the firm a NIS2 subject, but the client's supply-chain duties flow down by contract, especially where the firm handles the client's critical data or systems.
How to verify
- Identify your NACE code.
- Compare with Annexes I and II.
- Check the size threshold.
- Check whether you are a critical supplier to essential entities.
If in doubt, register on the ACN portal as a precaution. It costs nothing, ACN confirms or rejects the classification, and it avoids the worse outcome of being in scope and unregistered.
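The applicability test above, encoded as a small Python function. This is an added example, not code from the original page or from Sefthy: the sector labels are this example's own shorthand for the page's summary of Annexes I and II (not official identifiers, and NACE mapping is left to the reader), the size bands are those of EU Recommendation 2003/361 which NIS2 references, and the size-independent categories follow Art. 3(1) of the Directive. It is stricter than the "50+ employees or revenue > €10M" shortcut: an entity with fewer than 50 employees is only medium-sized if both its turnover and its balance sheet exceed €10 million, so check the decree text before relying on the shortcut in either direction.

```python
from dataclasses import dataclass

# Sector labels: this example's shorthand for the page's Annex I / Annex II
# summary (assumption, not official identifiers).
ANNEX_I = {
    "energy", "transport", "banking", "financial market infrastructure", "health",
    "drinking water", "wastewater", "digital infrastructure",
    "ict service management (b2b)", "public administration", "space",
}
ANNEX_II = {
    "postal and courier", "waste management", "chemicals", "food",
    "manufacturing (annex ii products)", "digital providers", "research",
}
# Entity types classified essential regardless of size (NIS2 Art. 3(1)).
# Assumption: transcribed from the Directive; verify against D.Lgs. 138/2024.
ESSENTIAL_REGARDLESS_OF_SIZE = {
    "qualified trust service provider", "tld name registry", "dns service provider",
}


@dataclass
class Entity:
    sector: str                 # one of the ANNEX_I / ANNEX_II labels above
    employees: int
    turnover_meur: float        # annual turnover, millions of EUR
    balance_sheet_meur: float   # annual balance sheet total, millions of EUR
    in_italy: bool              # establishment in Italy, or services offered in Italy
    entity_type: str = ""       # optional, for the size-independent categories


def size_class(e: Entity) -> str:
    """EU Recommendation 2003/361 size bands, as referenced by NIS2 Art. 2."""
    # small: fewer than 50 staff AND (turnover <= 10M OR balance sheet <= 10M)
    if e.employees < 50 and (e.turnover_meur <= 10 or e.balance_sheet_meur <= 10):
        return "small"
    # medium: fewer than 250 staff AND (turnover <= 50M OR balance sheet <= 43M)
    if e.employees < 250 and (e.turnover_meur <= 50 or e.balance_sheet_meur <= 43):
        return "medium"
    return "large"


def classify(e: Entity) -> str:
    """Return 'essential', 'important', or an 'out of scope (...)' reason."""
    if not e.in_italy:
        return "out of scope (territory)"
    if e.entity_type.lower() in ESSENTIAL_REGARDLESS_OF_SIZE:
        return "essential"
    sector = e.sector.lower()
    if sector not in ANNEX_I and sector not in ANNEX_II:
        return "out of scope (sector)"
    size = size_class(e)
    if size == "small":
        return "out of scope (size)"
    # Large entities in Annex I sectors are essential; medium Annex I entities
    # and all in-scope Annex II entities are important.
    if sector in ANNEX_I and size == "large":
        return "essential"
    return "important"


if __name__ == "__main__":
    # Constructed sample entities, not real companies.
    msp = Entity("ICT service management (B2B)", 120, 15.0, 8.0, True)
    small_food = Entity("food", 30, 12.0, 8.0, True)
    print(classify(msp))         # important: medium-sized MSP, Annex I sector
    print(classify(small_food))  # out of scope (size): balance sheet keeps it small
```

The second sample is the instructive one: 30 employees and €12M turnover would be "in" under the shortcut, but a balance sheet total under €10M keeps it in the small band, so it is out of direct scope (and would still inherit contractual obligations if it supplies an in-scope customer).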
FAQ
Are SMBs under 50 employees out?
Generally yes, except in the categories that are in scope regardless of size: providers of public electronic communications networks or services, trust service providers, TLD name registries and DNS service providers, plus public administration and entities ACN designates as the sole provider of a critical service.
Extra-EU companies operating in Italy?
Yes if they offer services in Italian territory. Entities with no EU establishment in the categories of Art. 26 of the Directive (DNS, TLD registries, cloud, data centres, CDN, MSP/MSSP, online marketplaces, search engines, social networks) must designate a representative in the EU.
Italian subsidiaries of multinationals?
Yes if the subsidiary is a legal entity established in Italy and exceeds the thresholds. Headcount and turnover are computed under the EU SME Recommendation, which can aggregate partner and linked enterprises, so group membership matters: check the decree's rules before assuming a small Italian subsidiary of a large group is out.
For fines and deadlines, see NIS2 deadlines and fines. For the relationship with GDPR, see NIS2 vs GDPR.
Want to see Sefthy in action?
Same IP, same subnet, RTO in minutes. Try it free for 7 days or talk to one of our specialists.