25/11/2025 – Esobit | Cybersecurity Team

From NIS 2024 to the NIS Decree 2025: Italy’s operational cybersecurity turning point

Monday morning, 9 a.m. A technician turns on their PC and sees an unusual warning. It’s the start of a ransomware attack that, within minutes, blocks files, services, and communications. A scenario that has become increasingly common—and one that the NIS Decree 2025 aims to prevent in a concrete, structured way.

After years in which cybersecurity was treated as a “postponable” issue, the European Union and Italy have finally introduced a clear, prescriptive framework focused on real resilience. 2024 marked the legislative transition; 2025 is the year of true operational enforcement.

What the “old NIS” required in 2024

Until 2024, Italian cybersecurity relied on Legislative Decree 65/2018, derived from the first NIS Directive (2016). While partially effective, it showed significant limitations:

• a scope limited to a small number of operators;
• vague and non-prescriptive security measures;
• almost no executive accountability;
• unclear incident notification criteria;
• weak sanctions and limited oversight.

In short, a framework no longer aligned with modern threats such as ransomware, supply chain attacks, zero-days, and credential compromise.

From 2024 to 2025: what the new NIS 2 Decree really introduces

With Legislative Decree 138/2024 and the ACN Determination of April 14, 2025, NIS 2 enters its execution phase: concrete obligations, controls, and verifications.

A much broader scope

Thousands of organizations that were previously outside the regulation now fall under the category of important entities: healthcare, manufacturing, ICT, logistics, essential services, and public administrations.

Real governance at last: management is accountable

Security is no longer just an IT issue. It becomes a direct responsibility of boards and executive management.

• approval of cybersecurity policies;
• oversight of cyber risk management;
• mandatory executive training;
• liability in cases of negligence.

Those who lead the organization now also lead its security.

Security measures become prescriptive (ACN 2025)

The ACN annexes introduce mandatory, detailed controls—no more creative interpretation:

• MFA and secure access management;
• monitoring, logging, and log retention;
• structured vulnerability management and patching;
• isolated, regularly tested backups;
• network segmentation and hardening;
• updated business continuity plans;
• tested incident response procedures;
• security assessment of critical suppliers.

How an important entity should prepare in 2025

1. verify regulatory classification;
2. perform a gap analysis against ACN measures;
3. define governance, roles, and responsibilities;
4. prioritize MFA, backups, logging, and segmentation;
5. document incident response and business continuity;
6. train staff to reduce human risk;
7. introduce security requirements for suppliers;
8. prepare for ACN audits and inspections.

It’s not complicated—if approached with a clear, structured roadmap.

Conclusion: cybersecurity is no longer optional

The shift from NIS 2024 to NIS 2025 is not cosmetic—it’s a revolution. Security moves from a “technical topic” to a core business pillar, with clear rules, prescriptive controls, and explicit accountability.

Organizations that don’t invest in cybersecurity today risk becoming tomorrow’s victims.

With the support of trusted partners like Esobit, NIS 2 compliance can become a competitive advantage—improving resilience, operational continuity, and trust.

↑ Back to the top of the article