NIS2, CSIRT contact person established

The National Cybersecurity Agency (ACN) has institutionalized the role of CSIRT contact person, simultaneously updating the list of NIS entities in the new Determination no. 333017/2025 .

CSIRT Representative, a new operational headquarters

According to the regulations, the CSIRT contact person is a natural person designated by the Contact Point, whose task is to interface directly with CSIRT Italy.

The contact person, who possesses technical expertise as well as his deputies, will be responsible for timely reporting of incidents.
Pursuant to Article 7 of the Determination (CSIRT Representative and substitutes):

• The CSIRT contact person is a natural person designated by the Contact Point, starting from November 20 and by December 31, 2025 , through the dedicated electronic procedure made available on the ACN Portal.
• The CSIRT representative is responsible for liaising with CSIRT Italia , pursuant to Article 2, paragraph 1, letter i) of the NIS decree, and for issuing the notifications referred to in Articles 25 and 26 of the same decree on behalf of the NIS entity.

In order to ensure the timely performance of the CSIRT contact person's duties, with particular reference to the notification of significant incidents pursuant to Article 25 of the NIS Decree and related follow-up, one or more substitute CSIRT contact persons may be designated in accordance with the same procedures set out in paragraph 1.

The CSIRT representative deputies, where designated, support the CSIRT representative in carrying out the functions referred to in paragraph 2 and may perform them on his behalf.

The CSIRT contact and his deputies, where designated, possess at least basic skills in IT security and IT incident management, as well as in-depth knowledge of the information and network systems of the entity on whose behalf they operate.

It should be noted that there are no specifications regarding the fact that the CSIRT Representative and his possible substitutes must necessarily be employees of the NIS entity.

NIS subjects list updated

During the round table, the second update of the list of NIS entities was adopted.
In this sense, the results of numerous revisions have been integrated, to which will be added the hundreds of late registrations made by the end of June.

Further late registrations received in the following months are currently being evaluated, with the related results being integrated into the next update of the NIS list of subjects.

This update will be implemented later this year.

This activity ensures a constantly updated overview of NIS entities, to the extent that it effectively monitors the country's productive fabric.

Cybersecurity and NIS, greater European coordination

Finally, there was the announcement of the launch of a pilot peer review project between the NIS Competent Authorities of several European Union Member States , in which ACN also joined.

This initiative represents an important opportunity to foster ongoing dialogue and systemic collaboration.
The aim is to harmonize security requirements and strengthen European coordination in this area, for the benefit of the common protection of digital infrastructures.

The Determination makes the flow of communication between NIS and CSIRT Italia subjects clearer and more coherent .
Indeed, it was very difficult to imagine that the Contact Point alone could be responsible for this compliance. (Source: Lorenzo Proietti, https://www.cybersecitalia.it /)