Article 24 of Legislative Decree 138/2024 requires NIS entities to adopt technical, operational, and organizational measures that are adequate and proportionate to cybersecurity risk. In practical terms, compliance programs need a documented risk cycle that connects governance decisions, control implementation, and evidence readiness.
Sources: Legislative Decree 138/2024, ACN baseline obligations specification, NIS baseline measures reference
Key takeaways
- Article 24 is risk-based: measures must be selected and maintained according to actual exposure.
- The ACN baseline specification operationalizes Article 24 through structured control families.
- Governance, identification, protection, detection, response, and recovery must be integrated as one control model.
- Compliance evidence must show not only control existence, but also review and continuous improvement.
Sources: Legislative Decree 138/2024, ACN baseline obligations specification
What Article 24 means for operating teams
A minimal implementation model should align governance decisions to measurable technical and operational controls.
1. Governance and policy foundation (GV)
Organizations should define risk strategy, governance roles, policy set, and supply-chain risk responsibilities with clear ownership and approval workflows.
2. Asset and risk identification (ID)
Inventories, risk assessments, vulnerability inputs, and risk-treatment choices should be documented and reviewed periodically, and again whenever organizational changes or lessons from incidents warrant it.
3. Protection controls (PR)
Access management, awareness and training, data protection, platform hardening, and infrastructure resilience controls should be implemented in line with risk outcomes.
4. Detection, response, and recovery (DE/RS/RC)
Continuous monitoring, incident response execution, stakeholder communication, and restoration plans should operate as one coordinated lifecycle rather than as separate activities.
Sources: NIS baseline measures extract, NIS baseline measures reference
Control families and evidence expectations
| Area | Practical objective | Typical evidence |
|---|---|---|
| Governance (GV) | Define and maintain cyber risk direction and accountability | Governance policy set, role matrix, review records |
| Identification (ID) | Maintain asset and risk visibility | Asset inventory, risk assessment reports, treatment plans |
| Protection (PR) | Reduce likelihood and impact of compromise | Access control records, training evidence, hardening standards |
| Detection (DE) | Detect anomalous events in relevant systems | Monitoring procedures, alert handling logs |
| Response (RS) | Contain and manage incidents consistently | Incident response procedures, investigation and escalation records |
| Recovery (RC) | Restore operations and improve resilience | Recovery procedures, restoration test outputs |
Sources: ACN baseline obligations specification, NIS baseline measures reference
90-day implementation priorities
- Validate policy coverage against Article 24 obligations and ACN baseline control areas.
- Confirm risk-assessment cadence and ensure outputs drive protection and detection controls.
- Formalize control owners with measurable review and escalation responsibilities.
- Build an evidence register for each control family (GV, ID, PR, DE, RS, RC).
- Run a management review to approve remediation priorities and deadlines.
FAQ
Does Article 24 require the same controls for every organization?
No. Measures are expected to be adequate and proportionate to the risk profile, with implementation calibrated to exposure and critical services. Source: Legislative Decree 138/2024
Is risk assessment enough to show compliance?
No. Organizations also need implemented controls, governance oversight, and documentary evidence that controls are maintained and reviewed. Sources: ACN baseline obligations specification, NIS baseline measures reference
Which control area should start first?
Governance and identification generally come first, because they define the ownership, scope, and risk priorities on which all other control families depend. Source: ACN baseline obligations specification
Evaluate your risk management posture with Aegister's free cybersecurity assessment, designed to identify gaps against NIS2 requirements.