Italy: National Cybersecurity Agency adopted determination on methods and procedures under Network and Information Security Directive

On 19 September 2025, the Italian National Cybersecurity Agency adopted the determination on compliance with the national competent authority under the Network and Information Security (NIS) Directive entered into force, except for the provision setting out the procedure and deadlines for continuous updating and confirmation of NIS entity and user information. The determination specifies the deadlines, methods, and procedures for the use and access to the Agency's digital platform, as well as additional information that entities must provide to the national NIS competent authority, and the deadlines, methods, and procedures for the designation of NIS representatives on national territory. The determination sets procedures for registration, annual and continuous updates, and user authentication through the Public Digital Identity System (SPID) or Italian Electronic Identity Card (CIE). It defines roles including contact points, substitutes, Computer Security Incident Response Team (CSIRT) representatives, and operators. Users must associate accounts with their Network and Information Systems (NIS) entity, confirm data accuracy, and report changes within 14 days. It was also highlighted that non-compliance may lead to penalties.