Italy NIS2: ACN's June 2026 Categorization Deadline Is Now Open — What IT Consultants Must Do

On April 13, 2026, Italy's Agenzia per la Cybersicurezza Nazionale (ACN) adopted determination 155238/2026 — the operational framework that tells every NIS2-registered Italian organization exactly how to categorize its activities and services. As of May 1, the submission portal is open. The deadline is June 30, 2026.

If you advise Italian businesses or manage IT infrastructure for organizations operating in Italy, this is not a distant regulatory exercise. The category ACN assigns based on this filing directly drives which security measures apply — and when. Get it wrong, and your clients face stricter obligations than necessary. Miss the deadline, and they face supervisory action.

Here's what you need to know.

Italy Was Late to Transpose — But It's Moving Fast Now

Italy completed its NIS2 transposition on December 23, 2025, via Legislative Decree 138/2024. The law entered into force on January 1, 2026, with the October 1, 2026 deadline set for compliance with security measures obligations under Articles 23, 24, and 29.

That compressed timeline means Italian organizations have less runway than most EU counterparts. Germany's BSI had months of preparation before enforcement teeth appeared. Italy's ACN is moving from registration directly into categorization — and then straight into enforcement — within a single calendar year.

For IT consultants and MSPs with Italian clients, this is not a drill. The compliance clock is running.

What ACN's Categorization Framework Actually Does

ACN determination 155238/2026 introduces two structural elements: 10 macro-areas and 4 relevance categories.

The 10 macro-areas are predefined groupings of activities and services. Every NIS2-registered entity must identify which macro-areas describe what it actually does. These cover the full scope of NIS2 sectors: energy, transport, banking and financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space.

The 4 relevance categories express impact level in the event of an incident: minimal, low, medium, or high. ACN assigns relevance based on what the entity files — size, sector, criticality, and the interdependencies the organization describes in its submission.

Why does this matter for your advisory work? Because the relevance category determines the depth and specificity of security obligations the organization must meet before October 1. A "minimal" category entity faces lighter technical requirements than a "high" category entity. The difference in compliance investment can be significant.

The Portal Window: May 1 to June 30, 2026

Filing is done exclusively through the ACN platform (portale ACN). The submission window opened May 1, 2026 and closes June 30, 2026. ACN must provide feedback within 90 days of submission — extendable by up to 60 additional days for complex cases.

Here is what the filing requires: each entity must identify its macro-area(s), describe its activities and services, and self-assess its impact relevance. ACN then reviews this on a sample basis and cross-checks against comparable entities in the same sector. Discrepancies will trigger follow-up.

Three practical points for consultants:

1. Accuracy matters more than conservatism. Entities that understate their scope to land in a lower relevance category are exposed. ACN explicitly reviews submissions against sector comparables. If an energy distributor files as "minimal" while every other comparable entity files as "medium," that flags for inspection.

2. The submission is the foundation for everything that follows. Security measures, ongoing obligations, and the eventual supervisory audit all trace back to what is filed in this window. Document the rationale carefully.

3. Missing the June 30 deadline has consequences. ACN's enforcement framework allows for administrative measures and supervisory action for entities that fail to file. This is not a soft deadline.

What Comes Next: October 1, 2026

Once categorization is complete and ACN has reviewed filings, the October 1, 2026 deadline kicks in. By that date, Italian NIS2 entities must comply with:

• Article 23 — cybersecurity governance, including board-level accountability and approved cybersecurity policies
• Article 24 — information security risk management measures (the Italian equivalent of NIS2 Article 21 obligations)
• Article 29 — domain name registration database security obligations (relevant for DNS operators and registrars)

ACN will also progressively introduce additional "long-term" cybersecurity obligations in the months after October, calibrated by relevance category. High-category entities should expect a more demanding second wave of requirements in Q1 2027.

For reference, Italy's penalty regime mirrors the NIS2 directive: up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% of turnover for important entities. ACN is empowered to conduct inspections, monitoring, and on-site checks.

What the Categorization Means for MSPs Providing Services to Italian Clients

If you are an MSP managing IT infrastructure for an Italian organization that falls within NIS2 scope, there are two angles to watch.

First, your client may need your help with the filing itself. The macro-area description requires accurate documentation of what IT services the organization relies on, including outsourced functions. If critical systems are managed by your MSP, that operational dependency is relevant to the relevance category assessment. Be ready to provide structured service documentation.

Second, your own organization may be in scope. ICT service management for essential or important entities is explicitly listed in Annex II of the NIS2 directive. If you manage IT for Italian organizations in regulated sectors, check whether you are registered as a NIS2 entity in Italy. If you are not registered and should be, the window to self-register via the ACN portal remains open.

For a broader look at how NIS2 affects MSPs directly, see our post on NIS2 for MSPs.

How to Approach the Categorization Filing: A Practical Checklist

Use this as a starting point for client conversations:

Step 1 — Confirm NIS2 registration status. The entity must be registered with ACN before it can file categorization. If registration is incomplete, that is the first problem to fix.

Step 2 — Map activities to macro-areas. Work through the 10 macro-areas and identify which apply. Most organizations will map to one or two. Document which macro-areas were considered and excluded, and why.

Step 3 — Self-assess relevance. Relevance is driven by factors including size, criticality to the sector, cross-border impact, and dependency of other entities on the organization's services. Be honest and document the reasoning.

Step 4 — Gather supporting documentation. ACN's sample-basis review means submissions may be audited. Have organizational charts, service catalogues, and incident impact assessments available.

Step 5 — Submit before June 15. Build in two weeks of buffer before the June 30 deadline. Last-minute technical issues with government portals are not uncommon.

Step 6 — Begin Article 23/24 gap analysis immediately. Don't wait for ACN's feedback. The October 1 deadline does not move. Start the gap analysis against the security measures obligations now, using the relevance category you expect to receive as the baseline.

If your clients haven't started this process yet, a structured NIS2 gap analysis is the fastest way to identify where they stand. Run a quick scan at nis2certify.org/quick-scan to get a baseline picture of their current posture before the June 30 filing.

The Broader Picture: Italy Is Not Alone

Belgium's NIS2 conformity assessment deadline passed on April 18, 2026 — the first hard enforcement deadline in the EU. Germany's BSI has been in active supervisory mode since late 2025. Portugal and Poland transposed NIS2 in 2025 and are building out their enforcement frameworks.

Italy is moving fast, but the pattern is consistent across the EU: registration, categorization, security measures, audit. The sequence is the same everywhere. What differs is the national authority's specific process and timeline.

If you manage compliance for organizations operating across multiple EU member states, the country-by-country variation in timelines and authority requirements is the core operational challenge. A single compliance posture that satisfies all jurisdictions requires mapping each country's specific requirements against a common controls framework — typically ISO 27001 or an equivalent.

For a comparison of how NIS2 aligns with ISO 27001, see our post on NIS2 vs ISO 27001.

Italy's June 30, 2026 deadline is the most immediately actionable item for consultants with Italian clients. After that, attention will shift to October. The organizations that categorize accurately, document thoroughly, and begin their gap analysis now will arrive at October 1 in a defensible position. The ones that treat the categorization filing as a checkbox exercise will be caught underprepared when ACN's supervisory activity scales up in Q4.