28 Nov
Determination of the Italian National Cybersecurity Agency concerning the digital platform for the registration of NIS entities
Authors: Lara Maugeri, Antonietta Riccardi
The Italian National Cybersecurity Agency, in the exercise of the prerogatives conferred by Legislative Decree No. 138 of September 4, 2024, implementing Directive (EU) 2022/2555, has issued a Determination that comprehensively governs the terms, methods, and procedures for the use of the digital platform dedicated to the registration and management of NIS entities. This regulation constitutes an essential element in strengthening the resilience and security of networks and information systems, at both the national and Union levels, and involves specific entities such as operators of essential services and digital service providers, who are required to comply with specific legal provisions.
The digital platform, accessible through the ACN Portal, plays a pivotal role in the regulatory framework, serving as an indispensable operational tool for the fulfillment of obligations by the entities concerned. It is established as the exclusive means for registration, census, and formal interaction with the National Competent Authority in accordance with statutory requirements.
The measure, structured into fifteen provisions, not only regulates procedural aspects related to registration but also addresses significant issues such as the designation of NIS representatives, the identification of contact points, and the methods for verifying and updating information provided by the obligated entities. This structured approach ensures a coherent and functional regulatory framework aimed at achieving the cybersecurity objectives established by Legislative Decree No. 138 of 2024.
The Determination
Specifically, Article 1 introduces a list of technical and legal definitions designed to ensure a uniform and consistent interpretation of the regulatory provisions, addressing the need to avoid interpretative ambiguities and ensure the proper application of the regulatory framework, in line with the principles of legal certainty and procedural transparency. Among the defined terms are those relating to the digital platform, NIS services, obligated entities, and the institutional actors involved.
The subsequent articles establish the terms and conditions for accessing the ACN Portal, also regulating the information that NIS entities must provide to the National Competent Authority. Responsibility for overseeing the registration, communication, and updating of the information required by the legislation is assigned to administrative and executive bodies, pursuant to Article 23, paragraph 1, letter b), of Legislative Decree No. 138 of 2024. Non-compliance with these obligations is punishable under Article 38 of the same decree, underscoring the importance of adhering to the procedural requirements, which are considered an indispensable condition for the legitimacy of the registration process.
Article 2 further stipulates that the Determination shall be subject to review and updating by March 31, 2025, to ensure continuous alignment with any new regulatory or operational needs.
The designation of the contact point represents another fundamental aspect of the Determination. This role is responsible for interfacing with the National Competent Authority, accessing the ACN Portal, and managing the registration of NIS entities. The contact point may coincide with the legal representative, one of the general attorneys, or an employee delegated by the legal representative. In the case of corporate groups or public administrations, this role may be assigned to an employee of another entity within the same group or administration, provided it falls within the scope of the NIS Decree.
The contact point is further required to report directly to the hierarchical leadership of the NIS entity, as well as to its administrative and executive bodies, in the context of the activities outlined in the legislative decree. The principle of strict liability of the administrative and executive bodies of the NIS entity, as provided for in Article 23 of Legislative Decree No. 138 of 2024, remains unaffected. Simultaneously, personal liability of individuals is established for violations identified under Article 38 of the same decree.
The Determination rigorously governs the registration and census procedures. From December 1, 2024, to February 28, 2025, contact points are required to authenticate themselves using SPID credentials and to provide detailed information, including personal data, contact details, and references to the entity they represent. The submission of the declaration on behalf of the designating entity must be completed within specified deadlines and entails listing any affiliated enterprises, where applicable, as well as specifying ATECO codes and relevant sectoral regulations. The informational obligations extend to the transmission of economic and organizational data to determine the entity’s classification as a medium or large enterprise, except in the case of public administrations.
Particular emphasis is placed on the principle of personal and administrative responsibility. False or incomplete declarations are punishable under Article 76 of Presidential Decree No. 445 of 2000, with explicit reference to the significance of the statements made during the registration process. Any discrepancies must be promptly rectified, with the Authority retaining the right to request additional information and suspend the evaluation deadlines until the required data is provided.
The Determination also introduces a safeguard mechanism for entities identifying discrepancies between automated calculations and regulatory criteria. Such entities may request the application of the safeguard clause, providing relevant elements to be assessed by the Competent Authority in collaboration with Sectoral Authorities. The process of verifying declarations and compiling the official list of NIS entities completes a structured and functional regulatory framework.
The measure concludes with provisions concerning financial aspects, the public dissemination of the Determination, and its entry into force, scheduled for December 1, 2024. The resources necessary for its implementation are covered by the funds identified in Legislative Decree No. 138 of 2024, while the official publication occurs through the website of the NIS Competent Authority and the Gazzetta Ufficiale della Repubblica Italiana.
Conclusion
Overall, the Determination constitutes a complex and strategic regulatory instrument that precisely defines the roles, responsibilities, and operational procedures of NIS entities. The digital platform emerges as a central element in ensuring transparency, traceability, and information protection, in compliance with the core principles of European law and the operational needs of the national cybersecurity ecosystem.