E-time | the software company
NIS2: The New ACN Portal for Business Security
On October 18, 2024, Legislative Decree No. 138 of 2024, also known as the NIS Decree, came into effect in Italy. This decree implements Directive (EU) 2022/2555, introducing updated regulations to strengthen cybersecurity and digital protection across the European Union.
One of the key obligations introduced by the Directive is the mandatory registration of businesses on a dedicated digital platform. All organizations that meet the requirements of the NIS2 Directive must register on a specific digital portal managed by the National Cybersecurity Agency (ACN).
The platform aims to enhance the national cybersecurity system by facilitating efficient collaboration between NIS entities and the National Cybersecurity Agency. It seeks to provide greater clarity in administrative processes by implementing accurate monitoring of transmitted information.
Which companies are required to register
The businesses required to register include those operating in critical and important sectors, as defined by the Directive, that provide essential services or critical infrastructures, as well as companies meeting specific size requirements: at least 50 employees and an annual turnover or total balance sheet exceeding €10 million.
In essence, the obligation applies to both essential and important entities, which are required to provide all information related to their activities within the established deadlines.
These entities are obligated to ensure compliance with cybersecurity regulations and register on the ACN Portal, enabling the monitoring and management of cybersecurity at a national level.
Registration Phases and Deadlines
Organizations subject to the NIS2 Directive must complete their registration on the ACN Portal by February 28, 2025.
The registration must be carried out by a designated Point of Contact, who can be the legal representative, or a delegated employee. This individual is responsible for implementing the provisions of the NIS Directive and reporting directly to administrative and management bodies.
The registration process is divided into several key phases:
- Authentication on the ACN Portal
The first step to accessing the platform is registering the Point of Contact with their personal credentials (SPID or an equivalent system), providing identification information. These details are reviewed to verify the Point of Contact’s eligibility to represent the entity. Errors or incomplete data may invalidate the registration, causing delays or penalties.
This preliminary phase formalizes the relationship between the user and the NIS Entity. - Linking the Point of Contact to the NIS Entity
Once authentication is complete, the system verifies the Point of Contact’s authority through validation of official documents and delegations, ensuring their legitimacy to represent the NIS Entity.
During this phase, the following information is also verified on the Portal:- Name of the NIS Entity
- Registered office address
- Digital domicile
- Approval by the NIS Entity
The process concludes with approval by the NIS Entity, communicated via notification to the digital domicile. Once confirmed, the ACN sends an official notification indicating the successful completion of the procedure.
This phase ensures a clear and verified association between the Point of Contact and the NIS Entity, guaranteeing compliance and system protection.
Official List of NIS Entities
The registration process culminates in the creation of the official list of NIS Entities by the National Competent Authority. This list serves as an essential tool for monitoring and managing the entities involved in national cybersecurity.
Each entity included in the list receives a unique identification code, which acts as an official reference for both the organization and the Point of Contact. This code ensures the structured and secure management of information.
Through the registration of NIS Entities, the competent authorities can systematically monitor critical infrastructures, contributing to the protection and resilience of the national cybersecurity system.
