NIS2 Compliance

NIS2 Enforcement Begins: First Italian Sanctions and What They Mean

Simone Nogara

March 2026 · 8 min read

Italy's cybersecurity authority, the Agenzia per la Cybersicurezza Nazionale (ACN), has issued its first enforcement actions under the NIS2[1] transposition framework. These initial sanctions signal the regulatory posture that entities across Italy — and by extension the broader EU — should expect as enforcement matures. The era of preparatory grace periods has ended.

The transition from NIS to NIS2 expanded the scope of entities subject to cybersecurity obligations, introduced more prescriptive technical requirements, and significantly increased the penalty ceiling. Italy's transposition through Decreto Legislativo 138/2024[2] gave ACN[3] broad supervisory and enforcement powers. The first sanctions provide concrete evidence of how those powers are being exercised — and the compliance areas receiving priority attention.

The First Enforcement Actions: What Was Sanctioned

The initial ACN enforcement actions have targeted entities that failed to meet fundamental obligations under the transposed directive. The sanctions focus on three principal areas: failure to complete the mandatory registration with ACN within prescribed deadlines, absence of documented risk management measures as required under Article 21 of the directive, and non-compliance with incident reporting obligations following security events that met notification thresholds.

Notably, the earliest sanctions have not targeted sophisticated technical failings. ACN has focused on basic compliance omissions — entities that have not engaged with the framework at all, rather than those making good-faith efforts to implement complex technical measures. This approach is consistent with enforcement strategies observed across European regulatory authorities: establish the baseline expectation of engagement before pursuing nuanced technical non-compliance.

The penalty amounts in these initial actions, while below the theoretical maximums, are sufficient to demonstrate regulatory seriousness. For essential entities, the NIS2 framework permits administrative fines of up to ten million euros or two percent of total worldwide annual turnover. For important entities, the ceiling is seven million euros or 1.4 percent of turnover. The initial sanctions suggest ACN is calibrating penalties to be proportionate but meaningful — a foundation for escalation in cases of persistent non-compliance.

ACN's Supervisory Approach

The Agenzia per la Cybersicurezza Nazionale has adopted a supervisory model that combines proactive inspections with reactive enforcement following reported incidents. ACN's inspection programme prioritises essential entities in critical sectors — energy, transport, banking, health, and digital infrastructure — with important entities subject to risk-based supervisory attention.

A distinctive element of ACN's approach is the integration of supervisory activities with its broader national cybersecurity mission. Unlike purely punitive regulators, ACN positions its enforcement within a framework of national resilience, offering technical guidance and sector-specific implementation support alongside its supervisory activities. This dual mandate — regulator and national competence centre — creates a compliance environment where constructive engagement is both expected and rewarded.

For entities subject to supervision, the practical implication is clear: documented evidence of active implementation efforts, even if incomplete, is treated materially differently from inaction. Boards and management bodies should ensure that their compliance trajectory is documented and demonstrable, with clear timelines, allocated resources, and measurable milestones.

Lessons for Entities Still Implementing

Many entities — particularly those newly in scope under NIS2's expanded coverage — remain in the process of implementing the required measures. The first enforcement actions provide actionable guidance on prioritisation. Registration and classification represent the non-negotiable first step: entities must have completed their self-assessment and registration with ACN. Failure to register is the most visible form of non-compliance and the easiest enforcement target.

Risk management documentation is the second priority. ACN expects entities to have conducted a formal risk assessment covering the areas specified in Article 21: incident handling, business continuity, supply chain security, network and information system acquisition and development, policies and procedures for assessing the effectiveness of measures, basic cyber hygiene practices, and cryptography policies. The assessment need not be perfect, but it must exist, be documented, and be approved at the appropriate management level.

Incident reporting capabilities must be operational. The directive's reporting timelines — early warning within 24 hours, incident notification within 72 hours, and a final report within one month — require established procedures, trained personnel, and tested communication channels with ACN. Entities that experience a qualifying incident without functional reporting capability face compounded enforcement risk: the underlying incident plus the reporting failure.

Penalty Analysis and Escalation Expectations

The NIS2 penalty framework provides ACN with considerable discretion. Beyond administrative fines, the directive enables supervisory measures including binding instructions, implementation orders with defined deadlines, orders to inform affected parties of significant threats, and — for essential entities — temporary suspension of certifications or authorisations. The personal liability dimension is particularly significant: management bodies can be held individually responsible for non-compliance with risk management and reporting obligations.

Enforcement trajectories in other European regulatory domains — GDPR[4] being the most relevant precedent — suggest that initial restraint gives way to increasing severity as regulatory capacity matures and case law develops. The current window of calibrated, proportionate sanctions is unlikely to persist indefinitely. Entities that interpret early moderation as a signal that enforcement lacks teeth are making a strategic miscalculation.

For PE-backed portfolio companies, the enforcement implications extend beyond individual entity risk. NIS2 non-compliance in a portfolio company creates reputational risk for the fund, potential valuation impact at exit, and — depending on the group structure — possible supervisory attention to the broader corporate group. Investment committees should ensure NIS2 compliance status is a standing item in portfolio monitoring.

Cross-Border Enforcement Coordination

NIS2 establishes mechanisms for cross-border supervisory cooperation through the Cooperation Group and the CSIRTs Network. While enforcement remains a national competence, the framework enables information sharing between authorities and coordinated supervisory actions for entities operating across member states. ACN's early enforcement actions will be observed by peer authorities across Europe as they calibrate their own approaches.

For multinational entities, this creates both risk and opportunity. The risk: enforcement in one jurisdiction may trigger supervisory attention in others. The opportunity: a robust compliance programme implemented to satisfy the most demanding national transposition provides a strong foundation across all EU jurisdictions. Italy's early enforcement activity positions ACN as a reference point — entities that align their programmes with ACN's demonstrated expectations are well-positioned for compliance across the single market.

References

  1. Directive (EU) 2022/2555 (NIS2 Directive). EUR-Lex
  2. Decreto Legislativo 4 settembre 2024, n. 138 — Recepimento della direttiva (UE) 2022/2555 (NIS2). Gazzetta Ufficiale
  3. Agenzia per la Cybersicurezza Nazionale (ACN). ACN
  4. Regulation (EU) 2016/679 (General Data Protection Regulation). EUR-Lex
