
NIS2 for Italian software houses: what changes in 2026

What the NIS2 directive and Legislative Decree 138/2024 concretely mean for software developers in Italy: covered entities, technical obligations, ACN registration, real penalties.

Marco Tartaglia · 14 min read

The NIS2 directive, transposed in Italy through Legislative Decree 138/2024, came into force in October 2024. Since then, anyone developing software for critical sectors (healthcare, energy, finance, public administration, transport, and others) is required to demonstrate a concrete, documented and auditable level of cybersecurity. For many Italian software houses the question is not “are we NIS2-compliant” but “have we understood that this concerns us?”. Let’s try to clarify, without paranoia but without minimising.

TL;DR

  • NIS2 applies to essential entities and important entities operating in 18 critical sectors. It does not apply only to “large infrastructures”: it involves IT suppliers, software houses, MSPs serving clients in those sectors.
  • Legislative Decree 138/2024 requires mandatory registration on the ACN portal for entities in scope, typically within 90 days of qualification.
  • The main technical obligations are: risk management, incident reporting within 24-72 hours, business continuity, supply chain security, documented governance.
  • Penalties for essential entities reach 10 million euros or 2% of global turnover; for important entities, 7 million or 1.4%. These are not theoretical figures: Italy has already started the first inspections in 2025.
  • For an average Italian software house the realistic cost of compliance is 30,000-150,000 euros in initial setup, plus recurring annual costs of 5-15% of that initial setup.

Why NIS2 matters in 2026

NIS1 from 2016 was niche: a few thousand entities involved across Europe, with a focus on operators of essential services (large banks, telcos, energy). NIS2 expands the scope by an order of magnitude: industry estimates speak of over one hundred thousand entities involved in Europe, of which several thousand in Italy. The reasons for the expansion are known: three years of ransomware attacks on the supply chain (Kaseya, SolarWinds, Log4Shell) made it clear that the security of the IT supplier determines the security of the regulated client.

The European legislator drew the operational conclusion: if a regulated company depends on your software, you too are responsible for certain security levels. You can no longer opt out with contractual clauses such as “the supplier is not liable for…”.

In 2025 ENISA published detailed technical guidelines for NIS2. In 2026 we enter the operational phase: first ACN inspections for essential entities, first penalties for those who have not registered. Waiting another year to “see how it goes” is the strategy that, statistically, leads to penalties rather than clarity.

What NIS2 is in 3 minutes

NIS2 (Network and Information Security Directive 2, EU Directive 2022/2555) is a European directive that requires entities in scope in 18 critical sectors to adopt cybersecurity measures and report significant incidents. It was transposed in Italy by Legislative Decree 138/2024 of 4 September 2024.

The 18 sectors are divided into two tiers:

High criticality sectors (Annex I): energy, transport, banking, financial markets, healthcare, drinking water, wastewater, digital infrastructure, B2B ICT service management, public administrations, space.

Other critical sectors (Annex II): postal and courier services, waste management, chemical products, food, manufacturing (medical, electronics, machinery, vehicles), digital providers, scientific research.

Within these sectors, entities are further classified as essential or important based on size (number of employees, turnover) and type of service. The distinction matters because it determines the supervision regime and the penalty ceiling:

  • Essential entities: preventive supervision (random checks, scheduled inspections), penalties up to 10 million euros or 2% of turnover.
  • Important entities: ex-post supervision (checks only in the event of an incident or report), penalties up to 7 million euros or 1.4% of turnover.

The competent authority in Italy is ACN (National Cybersecurity Agency). AgID remains responsible for ICT security of the public administration, but the operational NIS2 reference is ACN.

Is your software house a NIS2 entity?

Three cascading questions to figure it out.

1. Do you operate directly in one of the 18 critical sectors? If your company offers direct services in healthcare, energy, banking, telco, etc., inclusion is automatic. Verify the sector classification against your ATECO code.

2. Are you a “managed service provider” (MSP/MSSP) that manages ICT for third parties? NIS2 explicitly considers managed service providers as essential entities (Annex I, “B2B ICT service management” sector). A software house that does hosting, managed Kubernetes, managed security, or application management for third parties is included even if small.

3. Are you a critical supplier of NIS2 entities? Here lies the subtle point. NIS2 requires regulated entities to manage the security of their own supply chain. Concretely: your regulated clients will contractually ask you for security levels, audits, certifications. Even if your software house is not directly a NIS2 entity, you will in practice be bound to satisfy your clients’ obligations, which they will pass on as contractual clauses, security questionnaires, periodic audits.

Size thresholds: Legislative Decree 138/2024 provides exemptions for micro and small enterprises (under 50 employees and 10 million in turnover), BUT with important exceptions: if you are a digital trust service provider, DNS registrar, telecommunications operator, or critical MSP, you are included regardless of size.

Bottom line for Italian software houses: if you serve one or more regulated clients (PA, healthcare, banks, energy), NIS2 affects you directly or indirectly in over 90% of cases. The question is not if, but how.

What are the concrete technical obligations?

Article 24 of Legislative Decree 138/2024 lists the minimum mandatory technical measures. Translated into operational practice:

1. Risk management (formalised risk assessment)

IT risk assessment document mapping your assets (systems, data, processes), threats, vulnerabilities, impacts, countermeasures. It must be updated at least annually or with every significant change. It is not an Excel file: it is a formal document with methodology (ISO 27005, NIST, OCTAVE) and signatures of responsibility.

2. Incident reporting within 24-72 hours

In the event of a significant incident (compromise of services, data exfiltration, ransomware, even if only attempted):

  • Initial alert: within 24 hours of detection, preliminary report to ACN via dedicated portal.
  • Intermediate notification: within 72 hours, impact assessment and technical description.
  • Final report: within 1 month, complete root cause analysis and corrective measures adopted.

Having a documented incident response plan with these timings prepared before it is needed is the difference between meeting the deadline and receiving a penalty.

3. Business continuity and disaster recovery

Documented business continuity plan: what happens if the main datacenter goes down, if the backup gets encrypted, if a key person disappears. RTO (Recovery Time Objective) and RPO (Recovery Point Objective) defined for each critical service, tested at least annually with real exercises (not just “documentary verification”).

4. Supply chain security

Your third-party suppliers (cloud, SaaS, critical open-source libraries) must be evaluated for security. Concretely: security questionnaires to critical suppliers, CVE monitoring of dependencies, supplier selection process that includes security criteria, contracts that include minimum security clauses.

5. Access control and strong authentication

Mandatory MFA for administrative access. Documented password policy compliant with ENISA guidelines (minimum length, rotation, blacklist). Privileged Access Management for those with root/admin access. Logs of all accesses retained for a minimum of 12 months.

6. Encryption and data protection

Encryption in transit (TLS 1.3) and at rest for all sensitive data. Documented key management (HSM or cloud KMS with audit). For personal data under GDPR, Article 32 GDPR also applies, which NIS2 does not replace but complements.

7. Governance and training

Formal designation of a security officer (CISO or equivalent role, even external if small). Mandatory annual cybersecurity training for personnel. Documented, signed and revised security policies.

How do you register with ACN?

Procedure currently provided by Legislative Decree 138/2024 (check for updates on the ACN portal):

  1. Self-assessment of inclusion in NIS2 scope (sector, size, type of services).
  2. Access to the ACN portal with SPID or CIE of the legal representative.
  3. Filling in the registration form with: company registry data, business sector, qualification as essential or important, services offered, designation of the security contact person, designation of the point of contact for incidents.
  4. Confirmation and receipt: the portal issues a registration code. From that moment you are formally a NIS2 entity.

The deadline for registration is 90 days from the entry into force of the decree (October 2024) for those already in scope, and 90 days from qualification for those who fall in scope later due to growth or change of services.

Those who do not register within the deadlines risk a specific administrative penalty, even before any incident: failure to register is an autonomous violation.

What are the real penalties?

The penalties of Legislative Decree 138/2024 are structured across multiple dimensions.

Administrative pecuniary penalties:

  • Essential entities: up to 10 million euros or 2% of the group’s annual global turnover (whichever is higher).
  • Important entities: up to 7 million euros or 1.4% of annual global turnover (whichever is higher).

Ancillary penalties:

  • Temporary suspension of authorisation to operate in certain sectors
  • Temporary disqualification of company executives from management roles

Personal liability of executives: NIS2 introduced a new principle, under which the members of the administrative body (board of directors, sole director) are personally responsible for compliance with security obligations. They cannot delegate that responsibility to the CISO or to IT: they must approve the security measures, supervise their implementation and receive adequate training.

In 2025 ENISA published a first report on the initial penalties applied in Europe: most under 500k euros for SMEs, with increasing figures for larger groups. For 2026 ACN announced that it will start systematic random checks, and that failure to register will be the first source of automatic penalties.

What to do now: realistic 6-month roadmap

For an average Italian software house (20-80 people, a few regulated clients), the roadmap we see working:

Month 1: assessment

Documented NIS2 self-assessment: are we in scope? Which category? Which regulated clients do we have? Output: 5-10 page document with the company’s formal position.

Month 2: registration and governance

Registration on the ACN portal. Formal designation of the security officer (internal or external consultant). Board approval of basic security policies.

Month 3: formal risk assessment

IT asset inventory, threat mapping, vulnerability assessment, definition of countermeasures. Output: ISO 27005-compliant risk assessment document.

Month 4: priority technical measures

MFA on all administrative access. Log centralization with 12-month retention. Update of patch management process. Backup policy verified with real restore tests.

Month 5: incident response and business continuity

Drafting of the incident response plan with NIS2 reporting times. Drafting of the business continuity plan with RTO/RPO for critical services. Practical exercise (tabletop exercise) of a simulated incident.

Month 6: supply chain and training

Security questionnaires to critical suppliers. Update of contract templates with NIS2 supply chain clauses. Cybersecurity training for all personnel.

Beyond this baseline the obligations continue (annual review, continuous training, CVE monitoring), but the initial posture is covered.

Common mistakes of Italian software houses

1. “We are small, it doesn’t concern us”. Size exempts in some cases but not in others. If you serve even just one regulated client, NIS2 will reach you through the supply chain. Better to understand it in time than to be surprised by a client’s security questionnaire.

2. Buying a certification and stopping there. ISO 27001 is a good starting point but does not automatically equate to NIS2 compliance. NIS2 has specific obligations (incident reporting, supply chain, executive governance) that ISO 27001 covers partially. Both must be done.

3. Treating NIS2 as an IT project. It is a corporate governance project. Without board commitment and recognised budget, NIS2 becomes an Excel file of good intentions. The personal liability of executives is the point: they have every interest in taking it seriously.

4. Relying only on generic consultants. There are consultancies that sell a pre-packaged “NIS2 package” for 5-15k euros. Most produce generic documents that are not very useful in case of inspection. You need consultancy that understands your specific technical context.

5. Procrastinating on registration. Registration on the ACN portal is the quickest task and the riskiest one to postpone. Completion time: 2-4 hours. Penalty for failure to register: significant and relatively automatic. It is best to close the registration immediately, then work calmly on substantive compliance.

FAQ

Is a 15-person software house making SaaS for medical practices a NIS2 entity?

Yes, almost certainly as an important or essential entity depending on the scale of clients. Operating in the healthcare sector (Annex I) even as a technology supplier brings you in scope. Size thresholds offer partial exemptions but rarely total ones for those operating in healthcare.

How much does it cost to comply with NIS2 for an average software house?

Realistic range: 30,000-150,000 euros in initial setup (consultancy, training, tools, possible ISO 27001 certification), plus recurring annual costs of 5-15% of the setup. Costs grow if the software house had no pre-existing security baseline. For those starting from an already decent posture (well-configured AWS/Azure use, some written policy, MFA at least for admins), you stay on the low end.

What should I do if I notice a security incident on Friday evening?

NIS2 does not stop on Friday. The 24-hour timer starts from the moment of actual detection, not from the moment it is “convenient” to handle. Three things: (1) activate the documented incident response plan (if there isn’t one, do it this Monday), (2) send the preliminary report to ACN within 24h even if incomplete (better to report early and supplement later), (3) document the timeline and actions taken minute by minute: they will be needed for the final report.
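The reporting timeline from section 2 and the Friday-evening case above, as an added example that is not part of the original article: a small Python deadline tracker that measures the 24h, 72h and one-month ACN deadlines from the actual detection time (no pause for weekends) and flags each stage as submitted, late, overdue or pending. The detection and submission times are constructed sample values; the one-month rule clamps to the last day of the month (31 January becomes 28 February), which is an assumption about how to read “1 month”, not a rule stated by the decree.

```python
import calendar
from datetime import datetime, timedelta
from zoneinfo import ZoneInfo

ROME = ZoneInfo("Europe/Rome")

# Constructed sample: an incident detected on a Friday evening, as in the FAQ above.
DETECTED = datetime(2026, 2, 20, 19, 30, tzinfo=ROME)
SUBMITTED = {  # constructed: when each report was actually sent to ACN
    "initial_alert": datetime(2026, 2, 21, 10, 0, tzinfo=ROME),             # on time
    "intermediate_notification": datetime(2026, 2, 24, 9, 0, tzinfo=ROME),  # after Monday 19:30
}
NOW = datetime(2026, 2, 25, 12, 0, tzinfo=ROME)  # constructed "current time" for the status check


def add_one_month(dt: datetime) -> datetime:
    """Same day-of-month one month later, clamped to that month's last day (assumed reading of '1 month')."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    return dt.replace(year=year, month=month, day=min(dt.day, calendar.monthrange(year, month)[1]))


def nis2_deadlines(detected_at: datetime) -> dict:
    """The three reporting deadlines, all counted from actual detection; weekends do not pause them."""
    if detected_at.tzinfo is None:
        raise ValueError("detection time must be timezone-aware: record the zone you operate in")
    return {
        "initial_alert": detected_at + timedelta(hours=24),
        "intermediate_notification": detected_at + timedelta(hours=72),
        "final_report": add_one_month(detected_at),
    }


def reporting_status(detected_at: datetime, submitted: dict, now: datetime) -> dict:
    """Per stage: 'submitted' (on time), 'late' (sent after the deadline), 'overdue' (deadline passed,
    nothing sent yet) or 'pending' (deadline still ahead)."""
    status = {}
    for stage, deadline in nis2_deadlines(detected_at).items():
        sent = submitted.get(stage)
        if sent is not None:
            status[stage] = "submitted" if sent <= deadline else "late"
        else:
            status[stage] = "overdue" if now > deadline else "pending"
    return status


if __name__ == "__main__":
    for stage, deadline in nis2_deadlines(DETECTED).items():
        print(f"{stage:<26} due {deadline:%a %d %b %Y %H:%M %Z}")
    print(reporting_status(DETECTED, SUBMITTED, NOW))
```

Keeping the timeline entries (detection, each report, each action) in the same timezone-aware form is what lets the final report prove the deadlines were met.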

How do you demonstrate to the ACN auditor that you are compliant?

You need documentation: signed and dated risk assessment, security policies approved by the board with minutes, employee training logs, technical evidence of measures (MFA configurations, log retention, backup tests), tested incident response plan. Documentation that “exists on paper” is not enough: the auditor verifies that it is actually applied. The difference between the two becomes apparent immediately.

Can NIS2 be combined with other regulations (GDPR, ISO 27001, AI Act)?

Yes, and it is advisable. GDPR + NIS2 + ISO 27001 + (prospectively) AI Act have overlapping requirements. An integrated management system (ISMS) makes it possible to satisfy all obligations with a single coherent documentation, avoiding duplication. For those already ISO 27001-certified, NIS2 adds 30-40% of work, not 100%.

Conclusion

NIS2 is not a Y2K. It does not disappear if you ignore it, and the practical effects materialise slowly but steadily: regulated clients begin to insert clauses, ACN begins random checks, cyber insurance begins to require compliance as a prerequisite for coverage. Software houses that move in 2026 find themselves in 2027 with a concrete competitive advantage with regulated clients. Those who wait for 2028 will find themselves excluded from tenders due to delay or forced into a race against time.

If you are evaluating your NIS2 positioning and want a concrete assessment of your case (are we in scope? which category? what’s missing for compliance?), let’s talk. The first conversation is free.

To explore other regulatory aspects: the pillar page security-aware custom software, and the related article on the AI Act in force from August 2026.
