NIS 2: Deadline Extension for Companies Until July 31

May 27, 2025

The Italian National Cybersecurity Agency (ACN) has officially extended the deadline for companies subject to the NIS 2 Directive compliance. Organizations now have until July 31, 2025—a two-month extension from the original May 31 deadline—to finalize the annual update of their registration data on the ACN digital platform.

According to ACN, this extension supports the many companies that have requested assistance in completing their obligations, including the delivery of information and internal awareness sessions.

How NIS 2 Applies to Companies

Following Legislative Decree 138/2024, all companies operating in critical sectors are required to register with ACN. This registration triggers monitoring and compliance responsibilities as outlined by Aegister’s guide to NIS 2 obligations.

Key deadlines include:

• February 28, 2025: Initial registration deadline
• July 31, 2025: New deadline for annual monitoring update
• January 2026: Start of mandatory incident notification
• October 2026: Deadline for adoption of security measures

Critical Sectors and Compliance Roles

The NIS 2 directive identifies 18 sectors, 11 of which are labeled highly critical. Companies are classified as either:

• Essential entities: Subject to stricter checks
• Important entities: Same obligations, lighter supervision

Small businesses are involved only if they operate in digital infrastructure and services. Medium enterprises fall under the 'important' category, while large companies are typically 'essential entities'.

Ongoing Support and Strategic Guidance

To support affected organizations, Aegister offers Virtual CISO services and dedicated compliance solutions that align with the NIS 2 regulatory framework. These services help businesses meet both short- and long-term cybersecurity goals.

Read the official announcement from ACN: NIS: Deadline extended to July 31