NIS2: new ACN determinations on deadlines, relevant suppliers, and categorization

On April 13, 2026, the National Cybersecurity Agency (“ACN”) adopted two new determinations – No. 127434/2026 and No. 127437/2026 – which address deadlines and operational procedures under the NIS2 framework. However, their impact goes beyond merely updating compliance requirements: they affect how NIS entities must interpret and manage operational risk, particularly along the supply chain.

New Deadlines for NIS Entities Included in the 2026 List

Determination No. 127434/2026 (“Determination 127434”), applicable from April 30, sets out the deadlines for entities included for the first time in the list of NIS entities in 2026 with regard to the obligations related to the so-called baseline requirements (“specifiche di base”; Articles 24 and 25 of the NIS2 Decree and Determination No. 379907/2025[1]).

For these entities, the obligation to notify incidents will apply starting from January 1st, 2027, with the consequent requirement to appoint a CSIRT Point of Contact by December 31, 2026[2]. Security measures, on the other hand, must be implemented by July 31st, 2027.

The deadlines originally established by Determination No. 379907/2025 remain unchanged for entities included in the list during 2025, which will be required to notify incidents starting from January 2026 and to implement security measures by October 2026.

Listing of Relevant NIS Suppliers

Determination No. 127437/2026 (“Determination 127437”) introduces the obligation to indicate relevant NIS suppliers as part of the annual update of information, to be carried out between April 15 and May 31.

In particular, these are suppliers that provide services or products to the NIS entity and that present a qualified relevance profile. Such relevance applies when at least one of the following criteria is met:

  1. ICT supply: this category includes supplies related to the activities or services referred to in Annex I, points 8 and 9, of the NIS2 Decree (Legislative Decree 138/2024). In practical terms, this covers digital infrastructures and ICT service management (B2B), such as—by way of example—Internet exchange points, DNS services, cloud computing, data centers, as well as managed or managed security services;
  2. Non-substitutable supply: these are supplies whose interruption or compromise is likely to significantly affect the NIS entity’s ability to deliver its services. Non-substitutability must be assessed on a case-by-case basis and may also depend on the unavailability of alternative suppliers. In its FAQs, the ACN refers to typical cases such as connectivity (fixed or mobile) when not adequately redundant, as well as electricity supply.

It follows that NIS entities are required to identify those suppliers whose potential unavailability would be capable of producing a concrete impact on operations, affecting the ability to deliver relevant services.

In particular, as part of the annual update, it will be necessary to report the supplier’s name, tax identification number, and registered office, as well as the CPV (Common Procurement Vocabulary[3]) codes relating to the supplies and the relevance criterion deemed to be satisfied.

Listing and Categorization of NIS

One of the main operational developments concerns the obligation for NIS entities to report the list of their activities and services, assigning to each the relevant category of significance. This requirement, set out in Article 30 of the NIS2 Decree and applicable from 2026, must be fulfilled annually between May 1st and June 30th through the ACN platform, following notification of inclusion in the list of NIS entities.

This activity is entrusted to the Point of Contact (“Punto di Contatto”), through the “NIS Service/Categorization,” which will be responsible for preparing the list and assigning categories in accordance with the model to be adopted by the ACN, together with supporting materials for the related impact analysis (BIA)[4].

After the June 30th deadline, the categorized list will be deemed definitively submitted and no longer subject to modification, except where the delay is due to documented technical or operational issues not attributable to the NIS entity.

A verification mechanism is also provided for: the ACN may carry out sample compliance checks, including through comparison with comparable entities, and must provide feedback within 90 days, subject to extension[5]. In the event of requests for additions, clarifications, or amendments, the NIS entity must respond within 30 days; failure to respond, or late response, may result in rejection of the list. In the absence of a negative outcome communicated within the prescribed timeframe, the categorization shall be deemed validated.

Finally, Determination 127437 clarifies that financial entities subject to DORA (Regulation (EU) 2022/2554), where they also fall within the scope of the NIS2 Decree, are exempt from this requirement, without prejudice to the possibility of complying on a voluntary basis.

Additional Updates under Determination No. 127437

Compared to the previous framework (Determination No. 37887/2025), Determination No. 127437 introduces several additional provisions of operational relevance.

First, it provides for the possibility for the Point of Contact to proceed, on an exceptional basis, with incident notification in the event of unavailability of the CSIRT Point of Contact and its designated alternates.

Determination No. 127437 also introduces specific exemptions for financial entities already subject to DORA and also falling within the scope of the NIS2 Decree. In such cases, certain organizational and reporting obligations no longer apply, including the appointment of the CSIRT Point of Contact and its alternates, as well as the submission of the list of members of the administrative and management bodies as part of the annual update.

A further aspect concerns the handling of late registration scenarios. Without prejudice to the possible application of pecuniary sanctions[6], a 30-day period from the notification of inclusion in the list of NIS entities is granted to complete the annual update of information.

Finally, for entities already included in the 2025 NIS list, the launch of the 2026 update will be based on pre-filled information, generated from the data previously submitted.

Conclusions

Starting from mid-April 2026, with the launch of the activity and service categorization phase, the NIS2 framework enters a more mature implementation stage, characterized by the deployment of long-term obligations.

Among the introduced changes, the most impactful aspect concerns the obligation to identify relevant suppliers. Entities classified as “essential” or “important” are required to systematically map their supply chains, identifying suppliers capable of materially affecting the continuity of NIS services and assessing, for each of them, the actual availability of operational alternatives or, conversely, the non-substitutable nature of the supply.

As also highlighted in the ACN FAQs, this activity is aligned with the underlying rationale of the NIS2 Decree. The Decree [Article 3(9)(f)] provides that the framework applies, regardless of size, also to entities that are critical as systemic elements of the supply chain (including the digital supply chain) of one or more “essential” or “important” entities. In this perspective, the collection and structuring of information on relevant suppliers goes beyond a mere compliance requirement. Such information enables, also in coordination with sectoral authorities, the identification within the supply chain of suppliers with systemic relevance, who may, precisely for this reason, themselves be designated as “essential” or “important” entities.

From an operational standpoint, for NIS entities this translates into a set of activities that can hardly be deferred:

  • mapping (or updating) their supplier base, overcoming partial or legacy-driven reconstructions;
  • assessing supplier criticality in relation to NIS services and verifying, in practice, the substitutability of supplies;
  • integrating supply chain management into NIS2 compliance processes, ensuring it does not remain separate from security measures and incident management.

[1] For further details, we refer to our previous article, “NIS2: from formal compliance to operational accountability. What changes after the latest ACN Determinations and Guidelines”, available in Italian.

[2] For further details on the role of the CSIRT Point of Contact, we refer to our previous article, “NIS2 and incident management: the ACN introduces the CSIRT Point of Contact”, available in Italian.

[3] For the purposes of defining the supply, reference is made to the taxonomy contained in the Common Procurement Vocabulary (CPV), adopted by Regulation (EC) No. 2195/2002, as amended. Within FAQ FRN.4, the ACN provides several examples of supplies along with the corresponding CPV codes.

[4] https://www.acn.gov.it/portale/w/nis-online-le-determine-sugli-adempimenti-per-i-nuovi-soggetti-e-sulle-modalita-di-accesso-alla-piattaforma-acn

[5] In particular, where further analysis is required, this deadline may be extended once only, for a maximum of an additional 60 days.

[6] In such cases, administrative pecuniary sanctions may be imposed of up to a maximum of 0.01% (for “essential” entities) and 0.07% (for “important” entities) of the total annual turnover, calculated at group level (Article 38(10)(b) and Article 11 of the NIS2 Decree).