
NIS 2: Basic Security Measures Defined by ACN for Essential and Important Entities
May 26, 2025
With Determination n. 164179 dated April 14, 2025, the Italian National Cybersecurity Agency (ACN) introduced baseline obligations for essential and important entities within the scope of the first implementation phase of NIS 2. For detailed information about upcoming obligations and deadlines, please refer to our comprehensive article on NIS2 obligations.
The measures are defined in four annexes and include:
- Annex I: 37 measures for important entities
- Annex II: 43 measures for essential entities
- Annex III–IV: notification criteria for significant incidents
Deadlines
- Within 9 months: obligation to report significant incidents
- Within 18 months: complete adoption of baseline measures
A second phase is planned for April 2026 with sector-specific, long-term measures.
Technical Areas of Application
- Risk management
- Supply chain and asset inventory
- Vulnerability management, backup, disaster recovery
- Access control including MFA
- Physical security and incident response
Essential entities must meet stricter requirements than important entities. Measures include specific codes, descriptions, and technical or administrative criteria.
Risk-Based Flexibility
The NIS 2 framework encourages a flexible, risk-based approach. ACN defines four clauses for the proportional application of controls, including applicability to only relevant network systems and exemptions for documented reasons.
Comparison with Regulation 2024/2690
Regulation (EU) 2024/2690 enforces stricter and more formalized requirements, but shares many goals with ACN's approach:
- Common focus on access management, MFA, system configuration
- Different formalization levels but complementary structures
Continuity and Business Impact
Regulation 2690 requires a structured BIA. ACN does not impose a BIA, but it mandates the definition and periodic review of a business continuity plan based on risk assessments.
Organizations should act now. Aegister supports businesses with tailored Virtual CISO services and NIS2 compliance consulting.