From NIS 2024 to the NIS Decree 2025: the operational turning point for cybersecurity in Italy

25/11/2025

Monday morning, 9 a.m.: a technician turns on their PC and sees an unusual warning. It’s the beginning of a ransomware attack that, within minutes, locks files, services, and communications. A scenario that has become all too common — and one that the new NIS Decree 2025 aims to prevent in a concrete and structured way.

After years in which cybersecurity was treated as something to “deal with later”, the European Union and Italy have finally introduced a clear, prescriptive, and operationally effective regulatory framework. While 2024 marked the legislative transition, 2025 is the year of true implementation, thanks to the ACN Determination that defines what every essential entity and important entity must actively do.

The uncomfortable truth: 65% of Italian organizations have already suffered a cyber attack. The real question is no longer if it will happen — but how ready you’ll be when it does.

What the “old NIS” looked like in 2024

Until 2024, Italy was still operating under Legislative Decree 65/2018, the transposition of the first NIS Directive from 2016. It worked… partially. But it had clear limitations:

  • a very narrow perimeter (only Operators of Essential Services, OSEs, and some Digital Service Providers, DSPs);
  • security measures that were vague and non-prescriptive;
  • management responsibilities barely mentioned;
  • incident notification criteria without real clarity;
  • weak sanctions and limited oversight.

In other words: a framework with too much ambiguity and not nearly enough alignment with modern threats like ransomware, supply-chain attacks, zero-days, and credential compromise.


From 2024 to 2025: what the new NIS 2 Decree really introduces

With Legislative Decree 138/2024, Italy officially adopted the NIS 2 Directive. But it wasn’t until 2025 — when the ACN Determination of April 14 was published — that the rules became concrete, verifiable, and mandatory.

1. A dramatically expanded scope

Thousands of organizations that were completely outside the regulatory perimeter in 2024 now fall under NIS 2 as important entities. New sectors include:

  • extended healthcare and research;
  • critical manufacturing and industrial sectors;
  • advanced digital services and ICT providers;
  • waste management, food production, water services;
  • logistics, transport, and postal services;
  • medium and large public administrations.

📌 The result: Italy’s cybersecurity perimeter has expanded like never before.

2. OSE/DSP are gone: welcome essential and important entities

The old categories are replaced by:

  • Essential entities → high criticality sectors;
  • Important entities → a large portion of the economic and industrial fabric.

What’s the difference? Obligations are similar, but essential entities require even deeper and more robust controls.

3. Real governance at last: management is accountable

One of the most revolutionary changes is this: security is no longer an “IT thing”. It becomes a direct responsibility of the Board and top management.

  • they must approve security policies and processes;
  • they must oversee risk management;
  • they must undergo cybersecurity training;
  • they can be held accountable in cases of negligence.

Leadership now means leading cybersecurity too.

4. Security measures become prescriptive (ACN 2025)

The ACN technical annexes introduce mandatory, detailed controls — leaving no room for creative interpretation. Among them:

  • MFA and secure access management;
  • centralized logging and continuous monitoring;
  • structured vulnerability and patch management;
  • isolated, periodically verified backups;
  • network segmentation and system hardening;
  • updated business continuity plans;
  • tested incident response procedures;
  • security evaluations for critical suppliers.

✈️ The new ACN measures are like an aircraft pre-flight checklist: skipping steps increases risk, following them keeps you in the air.

How important entities should prepare in 2025

Here is the most effective sequence of steps:

  1. Verification: confirm classification as an important entity.
  2. Gap analysis: compare current maturity with ACN measures.
  3. Governance: define roles, responsibilities, and processes.
  4. Priorities: MFA, logging, segmentation, backups.
  5. Documentation: incident response & continuity plans.
  6. Training: reduce human risk across the organization.
  7. Suppliers: enforce contractual security requirements.
  8. Audit readiness: prepare evidence for ACN inspections.

It’s not difficult — if approached with a clear roadmap.


Conclusion: cybersecurity is no longer optional

The shift from NIS 2024 to NIS 2025 is not cosmetic — it’s a true transformation. It marks the moment when cybersecurity evolves from a “technical concern” to a strategic organizational pillar. The rules are clear, obligations are prescriptive, and responsibilities undeniable.

Cybersecurity in Italy is still often treated as a taboo topic. Yet the numbers are clear: those who don’t invest today become tomorrow’s victims.

With the support of a reliable partner like Esobit, any organization can transform NIS 2 compliance into a competitive advantage — improving resilience, operational continuity, and service quality.
