NIS2: Italian deadlines and effective penalties

The dates that matter (registration, notification, controls) and the actual amounts of the fines ACN can issue. What has already happened in 2025-2026.


TL;DR

Three NIS2 dates to memorise: 18 October 2024 (entry into force of D.Lgs. 138/2024), 1 January 2025 (ACN registration opens), and 2026 (audits fully effective). Fines: up to €10M for essential entities and €7M for important entities, plus service suspension and personal management liability.

The dates that count

18 October 2024 — Entry into force

D.Lgs. 138/2024 transposing NIS2 is in force. Subject entities must start adapting.

1 January 2025 — ACN registration

The Italian National Cybersecurity Agency portal opens. Essential and important entities must identify:

  • cyber lead (with operational authority);
  • list of critical systems;
  • incident notification procedures.

April-July 2026 — Full audits

First ACN audits on a sample of subject entities. Fines start being issued.

The fines

Essential entities

Up to €10 million or 2% of annual global revenue, whichever is higher.

Important entities

Up to €7 million or 1.4% of annual global revenue, whichever is higher.

Additional sanctions

Beyond the fine:

  • temporary service suspension;
  • temporary authorisation revocation;
  • personal management liability (CEO, CISO).

The last is the most painful: no manager wants to be personally sanctioned.

What happened in 2025-2026

In the first 12 months:

  • late registration: first wave of light administrative fines (€10-50k);
  • unnotified incidents: heavier fines (€100k-1M);
  • missing baseline measures: contested at audit, generally with remediation plans.

How to reduce risk

Three things:

  1. Register first, even if applicability is uncertain ("in dubio pro registratio").
  2. Document measures even when partial — documentation of a remediation plan is worth more than undocumented compliance.
  3. Notify incidents within 24h, even with incomplete data.

FAQ

Can I appeal an ACN fine?

Yes, in administrative court. But fines are usually well-built and appeals fail in 60-70% of cases.

Is the fine cumulative with data-protection authority fines?

Yes, if the incident involves personal data. Dual track.

Can SMBs count on discounts?

Yes, ACN can mitigate fines based on cooperation. Cooperate.


For applicability, see "Who is subject to NIS2". For audits, see "NIS2 audit checklist".
