What happened on 29 April 2026
The event «NIS2, from baseline measures to categorisation: a guide to the next steps of the adequacy path», organised by Clusit (Italian Association for Information Security) on 29 April 2026 with the participation of ACN (Italian National Cybersecurity Agency), provided long-awaited clarifications on several open points of the adequacy path to the NIS2 Directive: categorisation of activities and services, identification of relevant suppliers, qualification and start of incident notification windows, scope of measures and the role of management bodies.
The presentation by Dr Milena Antonella Rizzi on behalf of ACN confirmed a clear direction: Italian NIS2 is entering a more mature phase. After the registration of entities and the first communications of inclusion in the perimeter, the focus shifts to the ability to actually govern activities, services, information systems, suppliers and responsibilities.
Proportionality: beyond the essential/important distinction
In recent months many organisations have read proportionality mainly as the distinction between essential and important entities. ACN clarified that this reading is no longer sufficient. Proportionality must also be applied based on the actual NIS activities and services delivered, the information and network systems that support them and the relevance category assigned.
The question is no longer just «am I an essential or important entity?». It becomes: «which activities and services do I deliver, how relevant are they, which systems support them and which measures must be applied to those systems?». Adequacy and proportionality stop being a generic formula and become an operational criterion.
Categorisation: the foundation of future measures
Baseline specifications are the first level of the adequacy path, but they should not be considered an isolated block. They will cover a significant part of the future long-term measures framework, which will be progressively calibrated based on the relevance categories assigned to activities and services.
Categorisation is therefore not just about populating a section of the ACN portal. It will become one of the tools through which the authority calibrates future obligations in a targeted and proportionate way. Treating it as a simple data entry exercise would be a mistake: the risk is producing an outcome that is formally correct but of little use for actual risk management.
In practice the process develops in three steps:
1. Identify the activities and services delivered with respect to the NIS perimeter, distinguishing what is instrumental from what is actually delivered to users, customers or supply chains.
2. Map them to the macro-areas defined by ACN, assessing whether the proposed classification correctly reflects the reality of the organisation.
3. Assign the appropriate relevance category, motivating the choice with objective elements: business impacts, technological dependencies, operational continuity, effects on customers, users or production chains.
The entity can modify the classification proposed or previously assigned without having to send observations to ACN for every change, but must internally retain the elements that led to the choice. Decision traceability, not additional bureaucracy.
Scope: the information and network system, not the individual asset
The reference for NIS2 measures is not the individual asset that directly delivers a service, but the information and network system as a whole: applications, infrastructures, networks, digital identities, data, suppliers, processes, monitoring, recovery capability and operational dependencies.
This significantly changes the approach to inventories. Many corporate inventories are still built starting from assets (servers, applications, equipment, licences, databases). The logic required by NIS2 is the inverse: first identify activities and services, then the information and network systems that support them, finally arrive at assets and dependencies. An inventory that does not connect activities, services, systems and suppliers remains an ordered list of technological objects, but not a useful tool for risk management.
Relevant suppliers: fungibility is the key
The most relevant clarification for SME manufacturers and logistics operators concerns relevant suppliers: it is not enough to look at ICT suppliers in the strict sense. The assessment must also include those non-fungible suppliers that can affect the continuity of NIS activities or services, even when they do not provide technology.
The ACN template for entering suppliers in the portal defines three distinct criteria:
1. ICT supply — software, infrastructures, cloud services, maintenance and technological support in the classic sense.
2. Non-fungible supply — non-ICT suppliers that are hard to replace: raw materials, specific industrial components, critical logistics services, exclusive processing.
3. Non-fungible ICT supply — hard-to-replace technology suppliers: vertical management software, system integrators, proprietary OT vendors.
Not all ICT suppliers are automatically non-fungible. Not all non-ICT suppliers are irrelevant. Some suppliers can be both ICT and non-fungible at the same time. The operational risk is twofold: loading too many suppliers, turning the list into an administrative directory, or loading too few, forgetting fundamental dependencies just because they do not fall into the «IT» category.
A useful clarification concerns ICT resellers: if the relationship is purely about reselling, with no ongoing maintenance or support, the reseller may not be the truly relevant entity. The focus shifts to the underlying product or service. An official ACN FAQ is expected on this point.
Incidents: 24 hours start from evidence
Another operational clarification: the 24-hour deadline for pre-notification to CSIRT Italia does not start from the moment the incident physically occurred, but from the moment the entity has evidence of it. If an incident happens on Saturday evening but the organisation gathers objective evidence on Monday morning, the deadline starts from Monday morning.
This does not legitimise lack of monitoring: it means the notification must be based on actual evidence, not on speculation. Incident management plans will need to clearly distinguish five different moments: event occurrence, detection, evidence of the incident, materiality assessment and pre-notification activation.
IS-3: expected service levels ≠ SLA, RTO and RPO
ACN clarified that, for the IS-3 type (breach of expected service levels), the assessment does not automatically coincide with SLA, RTO or RPO. These elements may be useful and in some cases overlap, but they do not exhaust the required assessment.
The point is whether the incident has compromised, for a given period of time, the entity’s ability to deliver an activity or service in line with its business needs. It is a substantive assessment, not just a contractual or technical one. When an organisation has not defined which services are expected and when their unavailability becomes significant, during an incident it risks having to improvise. Improvising rarely produces good results.
Management bodies and third-party audits
On the involvement of management and administrative bodies, the ACN message is clear: supervision of implementation can be delegated, but responsibility remains collective. This prevents NIS2 from being reduced to a purely technical topic or a task to be entirely handed over to IT, the consultant or the internal contact. Management bodies do not need to turn into cyber security technicians, but must be put in a position to understand the model, approve choices, supervise the path and make decisions consistent with risk.
On third-party audits, finally, ACN clarified an important point: in Italy there are currently no private entities certified as NIS2 compliance auditors with an ACN mandate. Organisations can be supported by qualified consultants or auditors to verify their level of adequacy, but no third party can officially «certify» NIS2 compliance on behalf of the authority. Beware of quick and reassuring labels.
What changes for companies
The Clusit event with ACN confirmed a clear direction: NIS2 cannot be managed as a documentary checklist. Categorisation impacts inventories and risk analysis. The list of relevant suppliers requires reading actual dependencies, also beyond ICT. Incident management requires procedures consistent with the concept of evidence and with the assessment of expected service levels. Management bodies remain responsible for the overall governance of the path.
The real work is not filling in portal sections or updating a few documents. It is building a coherent model in which activities, services, information systems, suppliers, risks, measures and responsibilities are connected to each other. This is where NIS2 starts to draw the line between formal compliance and real risk governance.
A certified partner for adequacy
AtWorkStudio operates from Piacenza, Italy, since 2000. We are certified ISO/IEC 27001, 27017, 27018 and ISO 9001, with ACN QC1 qualification for cloud services (Email Security Gateway and Microsoft 365 Backup). We are members of Clusit (Italian Association for Information Security) and associated with Confindustria Piacenza in the RICT cluster.
We can support your organisation in NIS2 adequacy with a structured path: mapping of activities and services, categorisation and relevance assignment, listing of ICT and non-fungible suppliers, definition of incident management plans and expected service levels, involvement of management bodies.
Sources
- Clusit event — «NIS2, from baseline measures to categorisation: a guide to the next steps of the adequacy path», 29 April 2026
- ACN (Italian National Cybersecurity Agency) — presentation by Dr Milena Antonella Rizzi
- Italian Legislative Decree 138/2024 — Italian transposition of the NIS2 Directive
- Directive (EU) 2022/2555 — NIS2
- Cybersecurity360 — Operational guide on ACN clarifications about categorisation, suppliers and incidents