Article 23 of Legislative Decree 138/2024 sets governance-level obligations for NIS entities. In practice, organizations need a formal governance model where management and governing bodies approve cybersecurity direction, oversee implementation, and can demonstrate evidence of decisions, reviews, and accountability.
Sources: Legislative Decree 138/2024, ACN baseline reading guide, ACN baseline determination
Key takeaways
- Article 23 focuses on governance and directional accountability, not only technical execution.
- Governing bodies must ensure cybersecurity governance is formalized, reviewed, and documented.
- Approval workflows, role assignments, and periodic oversight should be traceable through auditable evidence.
- Governance obligations connect directly with the baseline measures defined by ACN for first-phase implementation.
Sources: Legislative Decree 138/2024, ACN baseline reading guide
Governance obligations under Article 23
At operational level, Article 23 should be implemented through a governance framework that links legal duties to decision rights, ownership, and evidence.
1. Formal governance ownership
The organization should identify which governing body and executives hold formal cybersecurity governance ownership and ensure responsibilities are explicitly assigned.
2. Policy and direction approval
Core cybersecurity policies, risk governance principles, and strategic security directions should be approved at the proper governance level and reviewed periodically.
3. Oversight of implementation status
Governing bodies should receive recurring reporting on implementation progress, material risks, and corrective actions, with decisions and follow-ups recorded.
4. Accountability and evidence readiness
Governance decisions should be supported by documentary evidence such as approval records, review outcomes, role matrices, and governance meeting outputs.
Sources: Legislative Decree 138/2024, ACN baseline determination, ACN baseline reading guide
Minimum operating model for compliance teams
| Governance element | Practical expectation | Typical evidence |
|---|---|---|
| Role and responsibility model | Defined and approved governance roles for cybersecurity | Role-responsibility matrix, formal appointment records |
| Policy governance | Approved policies and review cycle | Policy approval minutes, revision log |
| Management oversight | Periodic governance-level reporting and escalation | Governance dashboards, decision registers |
| Training governance | Governance involvement in awareness and training direction | Approved training plan, attendance and completion records |
Sources: ACN baseline reading guide, ACN baseline determination
Execution checklist for the next 90 days
- Confirm who, at governing-body and executive level, owns cybersecurity governance obligations.
- Approve or update the formal role-responsibility model for cyber governance.
- Validate that key policies include ownership, review cadence, and escalation criteria.
- Set recurring governance reporting with risk and remediation tracking.
- Prepare a compact evidence pack for potential supervisory checks.
FAQ
Does Article 23 apply only to technical security teams?
No. Article 23 is governance-centered and concerns governing bodies and executive accountability, with operational execution delegated but oversight retained at governance level. Source: Legislative Decree 138/2024
Are policy approvals and review records optional?
No. Practical implementation requires documentary evidence of approvals and periodic reviews. Details are defined in the official call documentation and ACN implementation material. Sources: ACN baseline determination, ACN baseline reading guide
Which documents should governance teams prioritize first?
Priorities usually include the governance role matrix, the cybersecurity policy set, periodic oversight records, and training governance evidence aligned to ACN baseline expectations. Sources: ACN baseline reading guide, ACN baseline determination
Need expert governance advisory? Aegister's Virtual CISO service provides dedicated support for NIS2 governance obligations.