NIS2 categorization:
the ACN window from 1 May to 30 June

What happened on 24 April

On 24 April 2026, ACN (Italy’s National Cybersecurity Agency) published determination 155238 of 20 April 2026 together with the reading guide of the model for categorizing activities and services under the NIS2 Directive. It is a decisive operational step: after the entity-listing phase, in-scope organizations now have to describe in a structured way what they do and how heavy the impact of what they do really is.

Filing happens exclusively on the ACN platform, in the window opening on 1 May 2026 and closing on 30 June 2026. The technical procedure is governed by determination 127437/2026 (articles 20-21), which defines roles, profiles and access modalities for the portal.

The 10 macro-areas and the 4 relevance categories

The model introduced by ACN does not ask organizations to describe isolated assets but to aggregate their activities and services into 10 predefined macro-areas. For each macro-area used, the organization must then assign one of 4 relevance categories:

• 1Minimal impact — disruption or compromise of the activity would not produce significant effects on the organization or on external parties.
• 2Low impact — effects would be limited to a narrow perimeter and easily recoverable in the short term.
• 3Medium impact — the incident would have appreciable consequences on customers, suppliers or end users, with significant economic or operational impacts.
• 4High impact — the incident would compromise the continuity of essential services, with broad effects and significant recovery times.

The assigned category is not a formal label: it is the parameter that will determine, in the next phases of the NIS2 path, the intensity of the technical and organizational security measures the organization will need to adopt. Over-classification means more burdensome measures than necessary; under-classification exposes the organization to findings during inspections and — more importantly — leaves unprotected services that should be protected.

Why «just filling in the portal» is not enough

The ACN platform is a tool, not a destination. The hard part is the preparatory work that leads to a correct submission. For a manufacturing or services SME, the typical difficulties are:

• Realistic mapping of activities — understanding which activities really are «critical» is less obvious than it sounds. The actual perimeter is often broader than the officially documented one.
• Consistent reading of the 10 macro-areas — the definitions are broad and applicable to multiple contexts. Without guidance, different departments can easily map the same activity to different macro-areas, generating inconsistencies.
• Simplified impact analysis, but not trivial — choosing the relevance category requires estimating the effects of an incident on operational continuity, customers and third parties: a business impact analysis exercise that many SMEs face for the first time.
• Dependency on IT suppliers — many critical activities are delivered or supported by external suppliers: the categorization must take into account the ICT supply-chain dependencies, in line with NIS2 supply-chain security requirements.

How to prepare in practice by 30 June

To approach the filing window with a clear picture, we suggest a five-step path, optionally with the support of a specialist partner:

• 1Realign the contact point — verify that the contact previously registered on the ACN portal is still active, trained and able to operate. This is the person who will actually file and sign off the model.
• 2Map real activities and services — involve management, IT, production and critical functions to define the actual list of activities the company delivers, beyond the formalised processes. This is the real «register» the categorization starts from.
• 3Aggregate into the 10 macro-areas — use the ACN guide to map every activity and service to the macro-areas defined by the model, keeping consistency across departments and over time.
• 4Run a simplified impact analysis — for each macro-area in use, estimate the effects of an incident in terms of continuity, data security, services to third parties and economic impact, to assign one of the 4 relevance categories with documented reasoning. Cybersecurity services.
• 5File on the portal and archive evidence — complete the filing on the ACN platform by 30 June 2026 and archive internally the decisions made (criteria, sources, names) as evidence for audits, annual renewals and dialogue with ACN in the next phases of the NIS2 programme.

How AtWorkStudio supports the categorization

AtWorkStudio works alongside SMEs on the NIS2 path with a hands-on approach: we start with a security posture assessment based on NIST CSF 2.0, define together the map of activities and services, run the impact analysis and accompany the filing on the ACN platform. For organizations without a structured internal team, we also offer the CSIRT outsourcing service, required to manage incident notifications within the timelines set by NIS2.

We have been operating from Piacenza (Italy) since 2000. We are certified ISO/IEC 27001, 27017, 27018 and ISO 9001, ACN-qualified for SaaS cloud services, members of Clusit (Italian Association for Information Security) and associated with Confindustria Piacenza in the RICT cluster.