Sectors in scope: eleven high-criticality sectors (Annex I) and seven other critical sectors (Annex II) under D.Lgs. 138/2024, plus Annex III (public administrations) and Annex IV (additional categories of entities).
Compliance · NIS2
NIS2 assessment for essential and important entities.
Directive (EU) 2022/2555 and its Italian transposition, D.Lgs. 138/2024. A perimeter spanning governance, incident management, supply chain, business continuity, access control and cryptography. Approximately 250 controls organized in 20 areas, each anchored to a precise regulatory reference and calibrated to the organization's profile.
Context
The directive redefines the European cybersecurity baseline.
NIS2 widens the perimeter, the obligations and the governance responsibilities compared to NIS1. Classification as essential or important combines sectoral, size and special-category criteria under the Italian D.Lgs. 138/2024.
Administrative fines: for essential entities up to €10M or 2% of total worldwide annual turnover, whichever is higher; for important entities up to €7M or 1.4%. Distinct regime for public administration, per the criteria in art. 38.
Early warning (pre-notification) within 24 hours of becoming aware of a significant incident. Incident notification within 72 hours. Final report within one month of the notification, with intermediate reports when the CSIRT requests them.
ACN determination no. 379907/2025: baseline specifications applicable from 15 January 2026. Adoption deadlines are staggered at 9 or 18 months from the communication of inclusion in the NIS entity list.
Why a NIS2 assessment is complex
Four factors that distinguish it from previous audits.
Wide perimeter
The assessment spans dozens of process areas: from governance to incident management, from supply chain to business continuity, from access control to cryptography. Hundreds of controls that must be assessed consistently with one another.
Non-linear classification
Being essential or important does not depend on the sector alone. It combines size criteria, special categories and ACN designation procedures under D.Lgs. 138/2024. Correct classification is the first step, and it conditions everything that follows.
Fragmented evidence
Policies, logs, contracts and operational procedures are scattered across business units, systems and suppliers. Traditional collection via email and spreadsheets produces blind spots, inconsistent data, and no way to verify when a response was last updated.
Time pressure and oversight
ACN supervision, strict notification obligations and adoption deadlines that leave little slack. The margin for long, artisanal assessments has shrunk compared to what was possible under NIS1.
What the assessment covers
Twenty process areas, calibrated to the perimeter.
The areas correspond to the security requirements set by the directive and by the Italian transposition. Sections are activated based on the entity's profile: not everything applies to everyone, and the questionnaire recognizes when a section should be skipped and when it should be explored in more depth.
Governance and accountability
Governing bodies, documented roles and responsibilities, management training on cyber risk.
Risk management
Risk identification and analysis, adopted mitigations, periodic review.
Incident management
Detection, classification, containment, notification to the CSIRT within the prescribed windows.
Business continuity
BCM, disaster recovery, crisis management, periodic testing.
Supply chain
Supplier security, contractual clauses, third-party risk assessment.
Access control
Identity, authentication, authorization, MFA, privileged access management.
Cryptography
Encryption of data at rest and in transit, key management.
Secure development
Secure development lifecycle, vulnerability management, patching.
Other areas
Physical security, asset management, training, monitoring, log management, documentary compliance. The full list is defined during scoping based on the perimeter.
Applied experience
Method already applied in an institutional engagement.
The method described on this page was applied in a NIS2 assessment conducted for an Italian national regulatory authority during 2025–2026. Client-specific details are covered by confidentiality and are not published. The methodology, the tool and the questionnaire structure are transferable to entities with analogous perimeters.
Same method
Platform, deliverables, maturity model: described once.
The methodology shared by all our certification assessments (how the open-source platform works, which documents we deliver, how to read the 0–5 maturity scale, what the phases are) is described once, on the main Compliance page.
Have a NIS2 deadline to face?
We start with scoping: classification of the entity, perimeter, responsible people, availability of existing evidence. Everything else is sized from there.