BOSWAU + KNAUER
Critical Infrastructure in Italy: ACN, Perimetro Cibernetico, and Real Mandates

Agenzia per la Cybersicurezza Nazionale, Perimetro di Sicurezza Nazionale Cibernetica, sector-specific obligations.

Dr. Raphael Nagel

August 21, 2025

Italy did not build its critical infrastructure regime as a translation of foreign frameworks. It built a layered, deliberately national architecture in which the Agenzia per la Cybersicurezza Nazionale sits at the centre, the Perimetro di Sicurezza Nazionale Cibernetica defines the inner ring, and sector regulators add their own mandates on top. Operators that read the regime as a single law miss the point.

The result is a compliance landscape that rewards operators who understand the hierarchy and punishes those who treat it as a checklist. A construction firm that runs a major logistics corridor for ENI faces obligations that look nothing like those of a municipal water utility, even though both may sit inside the Perimetro. A data centre serving a designated essential service operator inherits requirements it never signed up for. The practical question is not whether Italy regulates critical infrastructure, but whether the operator has mapped its own exposure inside the regime before the regulator does it instead.

The architecture above the law

Italian cybersecurity governance for critical infrastructure rests on three load-bearing structures that were assembled in sequence, not designed as a single block. The first is the Perimetro di Sicurezza Nazionale Cibernetica, established by Decree-Law 105/2019 and progressively populated through implementing decrees. The Perimetro identifies public and private entities that operate functions and services essential to the State, and binds them to a regime of inventory obligations, incident notification, and procurement controls for ICT goods, systems and services. The second is the NIS framework, originally Directive 2016/1148 transposed into Italian law in 2018, now superseded by NIS2 and transposed via Legislative Decree 138/2024, which sets sectoral baselines for essential and important entities across energy, transport, banking, health, water, digital infrastructure and several other categories. The third is the Agenzia per la Cybersicurezza Nazionale itself, established in 2021 by Decree-Law 82/2021, which absorbed competences previously scattered across the Department of Information for Security, the Ministry of Economic Development and other bodies, and now functions as the single national authority for cybersecurity.

These three structures do not occupy disjoint territory. An operator can be designated under the Perimetro, qualify as an essential entity under NIS2, and simultaneously fall under sector-specific obligations from the Bank of Italy, IVASS, ARERA or AGCOM. Each layer brings its own notification timelines, its own inventory templates, its own supervisory regime. ACN coordinates, but it does not absorb. The operator remains responsible for satisfying each layer on its own terms, and the layers are not always consistent. A telecommunications operator inside the Perimetro must notify ACN through the channel and within the window set by the Perimetro decrees, while the same operator under NIS2 has parallel obligations that overlap but do not coincide. The practical consequence is that compliance functions which assume a single notification flow miss deadlines they did not know they had.

Reading the regime requires reading it in the order it was built. Operators that start with NIS2 because it is the most recent text often miss the Perimetro obligations that were drafted earlier and remain in force. Operators that start with the Perimetro miss the broader NIS2 scope. The order is Perimetro first, NIS2 second, sector overlays third, ACN orientations across all of them.

What ACN actually does

The Agenzia per la Cybersicurezza Nazionale is not a regulator of the kind that issues fines and walks away. It is closer in function to a hybrid of CISA in the United States, ANSSI in France and BSI in Germany, with operational capabilities that include the national CSIRT, the national vulnerability coordination function, the scrutiny of ICT procurement for Perimetro entities through the Centro di Valutazione e Certificazione Nazionale, and the certification of cybersecurity products and services. ACN also leads the implementation of the National Cybersecurity Strategy 2022 to 2026, which sets out objectives that range from protecting national assets to developing domestic industrial capability.

For operators, three ACN functions matter most in day-to-day terms. The first is incident notification. Perimetro entities must notify incidents affecting networks, information systems or IT services included in their declared scope, within timelines that for the most serious categories collapse to a few hours. NIS2 entities have their own notification cascade, with an early warning within twenty-four hours, an incident notification within seventy-two hours, and a final report within one month. ACN receives, triages, and where appropriate coordinates response. The second is procurement scrutiny. Acquisitions of certain categories of ICT goods, systems and services for use in the Perimetro must be notified to the CVCN, which may impose conditions, require testing, or in extreme cases prohibit the procurement. This is not a theoretical control. The CVCN has issued conditions on telecommunications procurements that materially changed deployment plans. The third is supervision. ACN conducts inspections, requests documentation, and may impose administrative sanctions for non-compliance. Under NIS2 the sanction ceilings are substantial, reaching ten million euro or two percent of global annual turnover for essential entities, whichever is higher.

The agency does not operate in isolation. It coordinates with the Department of Information for Security, with the Ministry of Defence on military cyber matters, with the financial sector authorities under DORA, and with the European Union Agency for Cybersecurity. For operators this matrix means that a single incident may trigger reporting to ACN, to a sector supervisor, to the data protection authority under GDPR if personal data is involved, and to law enforcement. Each channel has its own format, its own deadline, and its own consequences for delay. ACN provides templates and orientation, but the operator carries the obligation.

The Perimetro and what it actually demands

The Perimetro di Sicurezza Nazionale Cibernetica is the regime that operators most often misread. It is not a list. It is a process. The Decree of the President of the Council of Ministers 131/2020 set the criteria for identifying entities and the methodology for those entities to identify and report the networks, information systems and IT services that support essential functions and services of the State. The list of Perimetro entities is itself classified. An operator learns it is included when it receives formal notification. From that point, the obligations begin.

The first obligation is the inventory. The entity must compile and submit a detailed description of its in-scope networks, information systems and IT services, with technical and organisational characteristics, dependencies, and the essential functions they support. This is not a corporate IT map. It is a forensic inventory at the level required to support incident analysis and procurement scrutiny. Entities that submit superficial inventories are returned to do the work again. The second obligation is the security measures regime set by DPR 81/2021, which requires the implementation of specific technical and organisational measures aligned with international standards. The framework draws on ISO 27001, on the NIST Cybersecurity Framework, on IEC 62443 for industrial environments, and on relevant European standards. The measures cover governance, risk management, asset management, access control, incident handling, business continuity, supply chain security, and several other domains. The third obligation is incident notification under the timelines and through the channels set by DPCM 81/2021 and subsequent guidance. The fourth is the procurement notification regime under DPR 54/2021, which routes specified ICT acquisitions through the CVCN.

The Perimetro is demanding by design. It was built to protect functions the State considers non-substitutable. The operators inside it carry obligations that go beyond what the market would generate on its own. The book BOSWAU + KNAUER. From Building to Security Technology argues that security infrastructure for high-value environments must be built for runtime, not for demonstration, and the Perimetro embodies the same logic at the regulatory level. The measures are not optimised for elegance. They are optimised for the case in which something fails and the State needs to know what happened.

NIS2 in Italy and the widening of scope

The transposition of NIS2 through Legislative Decree 138/2024, which entered into force in October 2024, expanded the scope of regulated entities far beyond the original NIS perimeter. Essential entities now include sectors such as wastewater, public administration, space, and managed service providers. Important entities cover postal and courier services, waste management, food production, manufacturing of medical devices and other categories that were previously outside the cybersecurity regulatory perimeter. The Italian transposition retains the European baseline and adds national specifications on registration, supervision and sanctions. ACN serves as the competent authority for most sectors, with sector-specific competent authorities for finance, health and a small number of other domains.

Registration is the first practical test. Essential and important entities must register with ACN through the dedicated platform, providing identification data, sector classification, contact points for incident handling, and information on the services provided across the European Union. The registration deadline for the first wave of entities ran into early 2025, with rolling deadlines for newly identified entities. Operators that delayed registration faced administrative consequences and, more importantly, started the clock on substantive obligations without the procedural baseline in place.

The substantive obligations under NIS2 cover risk management measures across ten domains specified in Article 21 of the Directive and the corresponding national provisions. These include policies on risk analysis and information system security, incident handling, business continuity, supply chain security, security in network and information systems acquisition, policies and procedures to assess the effectiveness of cybersecurity risk-management measures, basic cyber hygiene practices and cybersecurity training, policies on cryptography and encryption, human resources security, access control and asset management, and the use of multi-factor authentication. The list reads as a baseline. In practice, the depth required for essential entities approaches the depth required under the Perimetro for in-scope systems. The difference is that NIS2 applies to the entity as a whole, not only to specifically declared systems.

Management bodies of essential and important entities carry personal accountability. They must approve the cybersecurity risk-management measures, supervise their implementation, and undergo training. Liability for non-compliance can reach the individuals. This is not a footnote. It changes the conversation in the boardroom from whether to invest in cybersecurity to how to document that the investment was approved and implemented.

Sector-specific overlays that change the calculation

The Italian regime does not stop at ACN and NIS2. Sector regulators impose their own obligations, often more detailed than the horizontal regime and sometimes with shorter timelines. The financial sector, now governed at European level by DORA which entered into application in January 2025, carries obligations on ICT risk management, incident reporting to financial authorities, digital operational resilience testing, and third-party risk management that go beyond NIS2. The Bank of Italy and CONSOB act as competent authorities, coordinating with ACN where Perimetro entities overlap with the financial perimeter. The energy sector operates under ARERA resolutions that impose specific cybersecurity requirements on transmission system operators and distribution system operators, with reporting obligations that feed into both the sector regulator and ACN. Telecommunications operators face additional obligations under the Electronic Communications Code and AGCOM oversight. Healthcare operators face requirements that intersect with GDPR, with the data protection authority retaining jurisdiction over personal data breaches even when the same incident is reported to ACN under NIS2 or the Perimetro.

The practical consequence is that a single security incident at a regulated operator can trigger reporting to four or five authorities, each with its own template, deadline and follow-up regime. The Garante per la protezione dei dati personali expects notification within seventy-two hours under GDPR. ACN expects early warning within twenty-four hours under NIS2 for incidents meeting the threshold. The Perimetro regime imposes its own timeline for entities inside the perimeter. The sector regulator may add a parallel channel. Operators that maintain a single incident handling playbook calibrated to one regime miss obligations under the others. The serious operators maintain a notification matrix that maps incident characteristics to the channels that activate, with templates pre-drafted and approvals pre-positioned.
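As an added illustration that is not part of the original post, the following Python sketch of such a notification matrix turns the timelines stated above (GDPR seventy-two hours, NIS2 twenty-four hours, seventy-two hours and one month) into a per-incident deadline schedule. The entity and incident attributes, the open-deadline rows for the Perimetro and sector channels, and counting the NIS2 final report from the incident notification deadline are assumptions made for the example.

```python
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed attribute model: which regimes the operator sits in.
@dataclass(frozen=True)
class Entity:
    nis2_role: Optional[str]       # "essential", "important" or None
    perimetro: bool                # formally notified of Perimetro inclusion
    sector_channel: Optional[str]  # e.g. "Bank of Italy / CONSOB (DORA)"

# Assumed attribute model: what the incident involves.
@dataclass(frozen=True)
class Incident:
    detected_at: datetime
    personal_data: bool     # personal data breach activates the Garante channel
    nis2_significant: bool  # meets the NIS2 significance threshold

def plus_one_month(dt: datetime) -> datetime:
    """Same calendar day next month, clamped to month length (31 Jan -> 28/29 Feb)."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    day = min(dt.day, monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)

Row = Tuple[Optional[datetime], str, str]  # (deadline, authority, obligation)

def notification_schedule(entity: Entity, incident: Incident) -> List[Row]:
    """Rows sorted by deadline; a None deadline marks a channel whose timeline
    is set by its own regime and is not fixed in this example."""
    t0 = incident.detected_at
    rows: List[Row] = []
    if incident.personal_data:
        rows.append((t0 + timedelta(hours=72), "Garante", "GDPR breach notification"))
    if entity.nis2_role and incident.nis2_significant:
        notif = t0 + timedelta(hours=72)
        rows += [(t0 + timedelta(hours=24), "ACN", "NIS2 early warning"),
                 (notif, "ACN", "NIS2 incident notification"),
                 # Assumption: the one-month final report is counted from the notification.
                 (plus_one_month(notif), "ACN", "NIS2 final report")]
    if entity.perimetro:
        rows.append((None, "ACN (Perimetro channel)",
                     "Perimetro incident notification, timeline per Perimetro decrees"))
    if entity.sector_channel:
        rows.append((None, entity.sector_channel, "Sector incident report, timeline per sector rules"))
    # Fixed deadlines first (earliest first); open-timeline channels follow in insertion order.
    return sorted(rows, key=lambda r: (r[0] is None, r[0] or t0))

if __name__ == "__main__":
    # Constructed sample: a Perimetro entity that is also NIS2-essential and a DORA firm.
    ent = Entity("essential", True, "Bank of Italy / CONSOB (DORA)")
    inc = Incident(datetime(2025, 1, 31, 10, 0), personal_data=True, nis2_significant=True)
    for deadline, authority, obligation in notification_schedule(ent, inc):
        print(deadline.isoformat() if deadline else "per regime      ", authority, "-", obligation)
```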

This complexity is the reason that audits in Italian critical infrastructure environments are rarely about technology alone. The technology is necessary but not sufficient. The compliance architecture, the documentation regime, the notification protocols and the supply chain controls determine whether the operator can demonstrate compliance when an authority asks. The reference frameworks behind the Italian regime, from ISO 27001 through NIST CSF 2.0 and 800-53 to IEC 62443 for operational technology environments, are well understood. The challenge is integrating them into a single management system that satisfies ACN, the sector regulator and the data protection authority simultaneously.

What holds

The Italian critical infrastructure regime rewards operators that read it as a hierarchy and treat it as a process. The Perimetro defines the inner ring with the most detailed obligations and the shortest timelines. NIS2 sets the horizontal baseline with substantial sanctions and personal liability for management. Sector overlays add specificity in finance, energy, telecommunications and healthcare. ACN coordinates across all of them and operates the national CSIRT, the procurement scrutiny function, and the supervisory regime. The architecture is national in design, European in baseline, and unforgiving in execution.

Operators that approach the regime as a compliance exercise produce documents that satisfy nothing when tested. Operators that approach it as an operational discipline build security infrastructure that holds when an incident arrives. The distinction is visible in how quickly the operator can produce its Perimetro inventory, its NIS2 risk register, its incident notification playbook, and its supply chain assessment when a regulator asks. The same distinction is visible in whether the operator's physical and digital security functions speak the same language, because critical infrastructure incidents rarely respect the boundary between cyber and physical.

For operators that want to test their position before the regulator does, three paths are available. A confidential conversation of sixty minutes with the manufacturer's leadership produces an external read on where the operator stands in the regime and where the gaps are most likely to surface. A three to five day audit on site produces a written report with a documented gap analysis against the Perimetro, NIS2 and applicable sector obligations, an economic scenario analysis, and an implementation plan that can be executed internally or externally. A ninety-day pilot at a single site produces operational data on detection, response and notification performance under realistic conditions. Each path stands on its own. The audit path is the most common starting point for operators that already know they are inside the regime and need to convert that knowledge into a defensible position.

Frequently asked questions

What is ACN?

ACN, the Agenzia per la Cybersicurezza Nazionale, is the Italian national cybersecurity authority established in 2021 under Decree-Law 82/2021. It operates as the single point of national coordination for cybersecurity, hosting the national CSIRT, the Centro di Valutazione e Certificazione Nazionale for procurement scrutiny, and the supervisory functions under the Perimetro regime and NIS2. ACN coordinates with sector regulators, the intelligence community and European bodies. For operators, ACN is the primary notification recipient for incidents, the supervisor for compliance inspections, and the body that can impose administrative sanctions under both the Perimetro and NIS2 regimes.

What is the Perimetro?

The Perimetro di Sicurezza Nazionale Cibernetica is the regime established by Decree-Law 105/2019 that identifies public and private entities operating functions and services essential to the State, and binds them to obligations on system inventory, security measures, incident notification and procurement scrutiny. The implementing decrees, principally DPCM 131/2020, DPR 54/2021 and DPR 81/2021, set the substantive framework. The list of Perimetro entities is classified. The obligations are more detailed than the horizontal NIS2 baseline and apply to specifically declared networks, information systems and IT services rather than to the entity as a whole.

Who must register?

Under NIS2 transposed through Legislative Decree 138/2024, essential entities and important entities across the sectors listed in Annex I and Annex II must register with ACN through the dedicated platform. Essential entities include operators in energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration and several other categories. Important entities cover postal services, waste management, manufacturing of certain products, digital providers and others. Registration requires identification data, sector classification, incident contact points and information on cross-border services. Operators that meet the size and sector criteria must register even without explicit notification.

How are audits run?

ACN conducts supervisory activities through documentary review, on-site inspections and targeted assessments. For essential entities under NIS2, the supervision is ex ante and includes regular audits. For important entities, the supervision is generally ex post, triggered by indications of non-compliance or incidents. Perimetro entities undergo additional scrutiny through procurement notifications to the CVCN and inventory verification. Independent audits commissioned by operators typically follow a three to five day on-site protocol covering governance, technical controls against ISO 27001 and IEC 62443 baselines, incident handling procedures, supply chain documentation and notification playbooks, producing a written report with a prioritised remediation plan.

About the author

Dr. Raphael Nagel (LL.M.) is founding partner of Tactical Management. He acquires and restructures industrial businesses in demanding market environments and writes on capital, geopolitics, and technological transformation. raphaelnagel.com

Since 1892.

The firm is reached at boswau-knauer.de or +49 711 806 53 427.