NIS 2: Deadline Extension for Companies Until July 31

Article Thumbnail
cybersecurity | NIS 2 | compliance | ACN | NIS2 deadline | italy | monitoring | critical infrastructure

NIS 2: Deadline Extension for Companies Until July 31

May 27, 2025

The Italian National Cybersecurity Agency (ACN) has extended the deadline to July 31, 2025, for NIS entities that have requested support in finalizing their annual data update. This extension also allows organizations to plan information sessions for their administrative and executive bodies.

Additionally, the electronic acknowledgment required by Article 16 of Determination No. 136117 (April 10) can be completed even after the July 31 deadline.

Annual Information Update Requirements

The annual information update, as required by Article 7 (paragraphs 4 and 5) of the NIS decree and regulated by Article 15 of ACN Determination 136117/2025, involves the following steps:

  • Invite the alternate point of contact
  • Verify and update the NIS entity's registration data, including:
    • Tax code
    • Company name
    • Registered office
    • Legal representative
    • List of general proxies
    • Phone contacts
    • Digital domicile
    • Functional email address
  • List the members of administrative and executive bodies (individuals responsible under Article 38, paragraph 5 of the NIS decree)
  • Invite the secretariat, if appropriate
  • List services falling within Directive 2022/2555, specifying in which EU member states they are offered
  • Indicate static (public) IP addresses and domain names in use or available to the NIS entity
  • List information sharing agreements

The point of contact and alternate must verify the accuracy and currency of their personal and contact information. If required, the delegation granted by the entity's legal representative must be verified to ensure it is correct, up-to-date, and compliant with Article 4 of the cited determination.

Additional Requirements for Specific Organizations

Organizations specified in Article 7 (paragraph 5) and Article 5 (paragraph 1, letter b) must share additional information regarding their locations within the European Union and their NIS representative in Italy.

How NIS 2 Applies to Companies

Following Legislative Decree 138/2024, all companies operating in critical sectors are required to register with ACN. This registration triggers monitoring and compliance responsibilities as outlined by Aegister's guide to NIS 2 obligations.

Key deadlines include:

  • February 28, 2025: Initial registration deadline
  • July 31, 2025: New deadline for annual monitoring update
  • January 2026: Start of mandatory incident notification
  • October 2026: Deadline for adoption of security measures

Critical Sectors and Compliance Roles

The NIS 2 directive identifies 18 sectors, 11 of which are labeled highly critical. Companies are classified as either:

  • Essential entities: Subject to stricter checks
  • Important entities: Same obligations, lighter supervision

Small businesses are involved only if they operate in digital infrastructure and services. Medium enterprises fall under the 'important' category, while large companies are typically 'essential entities'.

Ongoing Support and Strategic Guidance

To support affected organizations, Aegister offers Virtual CISO services and dedicated compliance solutions that align with the NIS 2 regulatory framework. These services help businesses meet both short- and long-term cybersecurity goals.

Read the official announcement from ACN: NIS: Deadline extended to July 31

Share this post