NIS2 Deadlines 2026: The Compliance Calendar from January to October
8 min read · AstraLoop Studio
If your company falls under NIS2, 2026 isn't just another year. It's the year the obligations stop being "things to get to eventually" and become deadlines with hard dates and penalties attached. Italy's transposition decree (D.lgs. 138/2024) and the subsequent determinations from ACN (the National Cybersecurity Agency) have spread the requirements across a staggered timeline. If you registered on the ACN platform within the 2025 windows, you now have to meet the operational deadlines that come due this very year.
Here's the calendar in chronological order, explained without the jargon: what kicks in in January, what kicks in in October, who's affected, and what actually happens if you're late. No need to panic, but no room for delay either. Some of these deadlines require weeks of upstream work, so the date that really matters isn't when the obligation becomes enforceable — it's when you start preparing.

How NIS2's staggered rollout works
NIS2 didn't come into force all at once with a single switch. Lawmakers chose a phased approach to give companies time to adjust. The mechanism is linear: first you register and get counted, then the substantive obligations kick in progressively. The 2026 dates are the first ones that really bite, because they concern concrete behaviors — reporting an attack, having minimum measures in place — rather than just formal paperwork.
One point many business owners underestimate: NIS2 accountability sits with the governing bodies, not the IT department. The CEO and the board must approve the measures and can be held personally liable. It's no longer a technical delegation you can offload to your IT consultant. If you're still not sure whether you're in scope, read our guide on whether NIS2 applies to your company before you look at the calendar. The calendar only matters if you're actually an obligated entity.
The deadlines described here apply to essential and important entities already identified and registered with ACN. If your registration happened late or is still in progress, the terms may run slightly differently, since ACN counts from the date you were added to the register. Always check your specific position on the ACN platform — a serious remediation effort starts with a full cybersecurity audit that maps your actual state against the obligations.
January 1, 2026: incident notification becomes mandatory
This is the first deadline that matters in 2026, and it's also the trickiest, because it forces you to react on a very tight clock exactly when something goes wrong. Once the obligation kicks in, if you suffer a significant incident you must report it to ACN via CSIRT Italia, following a precise, multi-stage timeline.
The three notification windows
| Stage | Deadline | What you must report |
|---|---|---|
| Early warning | Within 24 hours of becoming aware of the incident | Initial alert: a significant incident is underway, with whatever information is available so far |
| Notification | Within 72 hours | A fuller assessment: severity, impact, any indicators of compromise |
| Final report | Within 1 month of the notification | Detailed description, root cause, measures taken, and cross-border impact if any |
The critical issue isn't the paperwork itself, it's that 24 hours goes by fast when you're in the middle of an attack. If you discover ransomware at 6pm on a Friday, the early warning is due by Saturday afternoon. You need an internal procedure already written down, with clear roles for who decides, who fills in the forms, and who contacts CSIRT. Many companies get caught out right here: they have the technical measures but not the chain of command to handle the first few hours. To understand the mechanics of these response windows, we've covered what to do in the 72 hours after a data breach, which overlaps with the notification obligations to the Italian Data Protection Authority when the incident also involves personal data.
One detail that causes a lot of confusion: the NIS2 notification to ACN and the data breach notification to the Data Protection Authority (art. 33 GDPR) are two separate obligations that can both apply to the same event. An attack that locks up your systems and exposes customer data triggers both notifications, with different recipients and different forms. It isn't formal duplication — these are two authorities with separate remits.

October 2026: baseline security measures become enforceable
The year's second major deadline concerns the actual security measures. Under the ACN determination that sets the baseline implementation deadline, by October 2026 NIS2 entities must have in place the minimum package of technical and organizational measures required by art. 21 of the directive and by the Italian decree. It's no longer "recommended" — it's mandatory and verifiable.
What the baseline package covers
- Risk analysis and information security policies: a documented risk assessment and policies approved by the governing bodies.
- Incident handling: the detection and response procedure that also feeds the notification obligation covered above.
- Business continuity: backup, disaster recovery, and crisis management. A backup you've never tested by actually restoring it doesn't count.
- Supply chain security: assessing the risks tied to direct suppliers and their services. This is a new and heavy obligation for many companies.
- Security in acquiring and maintaining networks and systems, including vulnerability patch management.
- Encryption policy and, where appropriate, use of cryptography.
- Human resources security, access control, and asset management.
- Multi-factor authentication, secure communications (voice, video, text), and emergency communication systems.
Two items deserve extra attention, because Italian companies are, on average, behind on both. The first is supply chain security: NIS2 requires you to assess your suppliers, and market data shows that roughly 30% of breaches originate from third parties, with supply-chain compromises up fourfold in five years. It's not enough to be secure yourself — you have to map who touches your systems and your data. The second is patch management: in 2025, exploitation of known vulnerabilities grew by more than 65% year over year, and most attacks exploit flaws for which a fix already existed.
To find out whether your package is compliant or full of holes, the way forward is to measure rather than hope. The difference between a vulnerability assessment and a penetration test matters here: the first maps where you're exposed, the second checks whether an attacker could actually get in. Many NIS2 measures can only be proven with evidence of this kind.
The full 2026 deadline picture
Let's put the timeline together in one view, keeping in mind that some dates stem from ACN determinations that may see practical adjustments. Always check your specific window on the official platform.
| Period | Obligation | Who's affected |
|---|---|---|
| January 1, 2026 | Significant incident notification obligation begins (24h / 72h / 1 month) | Registered essential and important entities |
| Early 2026 | Updating and confirming data on the ACN platform | All registered entities |
| October 2026 | Baseline security measures fully implemented and documented | Essential and important entities |
| Running in parallel (from August 2, 2026) | AI Act operational phase for high-risk systems, with ACN oversight from August 3 | Companies using or providing high-risk AI systems |
That last row isn't NIS2 strictly speaking, but it's worth mentioning because for many SMEs the two regulations land at the same time, and it makes sense to handle them as a single project. If you use or build AI systems, the operational phase of the AI Act (EU Regulation 2024/1689) brings cybersecurity obligations that overlap with NIS2's. We've mapped the details in our piece on AI Act 2026 obligations for SMEs. Treating NIS2, the AI Act, and GDPR as three separate projects is a waste of time and budget.
Not sure whether you're on track for the October measures, or whether your notification procedure would hold up under a real attack? Request an assessment of your NIS2 position: we'll tell you where you're exposed and what to prioritize.
What you're actually risking if you miss the deadlines
Now we get to the part that matters to whoever signs off. NIS2 doesn't go easy on penalties, and the Italian decree has transposed them with hefty amounts, differentiated between essential and important entities.
- Essential entities: fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher.
- Important entities: fines of up to €7 million or 1.4% of total worldwide annual turnover.
But the financial penalty is only one side of the coin. What should really give administrators pause is the personal liability of management bodies. In the most serious cases, and for essential entities, ACN can temporarily suspend executives from their managerial duties until they achieve compliance. This is no longer just a balance-sheet issue — it directly affects whoever runs the company. For the full picture on amounts and criteria, we've dedicated an article to NIS2 penalties for businesses.
There's also a less visible but equally concrete risk: insurability. Cyber insurance policies are becoming increasingly demanding, and a company that isn't NIS2-compliant risks being denied coverage — or discovering, at claim time, that non-compliance is a grounds for exclusion. A documented audit proving the measures are in place doesn't just serve ACN — it also helps you get insured on reasonable terms.
Context makes it all more urgent
These aren't abstract deadlines dreamed up for bureaucracy's sake. The 2026 Clusit Report places Italy at around 10% of global incidents, with a 23% rise in serious attacks in the first quarter and SMEs as the target in 72% of cases. Ransomware in Italy is evolving toward data corruption and double or triple extortion, with average costs for an SME ranging between €35,000 and €250,000 per event. In this landscape, NIS2 measures aren't compliance for its own sake — they're roughly the bare minimum needed to avoid ending up in that 72%. To frame the overall economic risk, our piece on ransomware in Italian SMEs and how to protect yourself lays out the numbers and countermeasures.
How to organize the work around these deadlines
The practical rule is simple: work backward from the dates. The slowest measure to implement credibly is the October package, because it requires risk analysis, board-approved policies, and technical verification. A realistic path looks like this.
- Snapshot of your current state (gap analysis): where you stand against each measure under art. 21. Without this, any plan is just a guess.
- Incident notification procedure: have it ready right away, since the obligation has already been active since January. It's the first thing you'll need in the event of an attack.
- Remediation plan for technical gaps: MFA, patch management, tested backups, access control. Prioritize exploitable vulnerabilities.
- Supplier assessment: map who touches your data and systems and request security evidence from them. This part takes time, since it depends on third parties.
- Documentation and board approval: NIS2 requires governing bodies to formally sign off. Put the meeting on the calendar.
The step that often gets skipped is the first one. Many companies buy technical solutions before knowing where the real gaps are, and end up spending on problems they don't have while leaving others exposed. An audit carried out by people, not just an automated scan, is what gives you an accurate map. If you're weighing the cost, our deep dive on the cost of a cybersecurity audit gives you realistic ranges before you request quotes.
One last methodological note that applies to any SME: don't treat NIS2 as a one-off project. The measures need to be maintained over time, suppliers change, new vulnerabilities appear every week (WordPress alone logged 11,334 new flaws in 2025). Compliance is a state you maintain, not a finish line you cross once and forget. For the bigger picture on threats and priorities for the year, start with our 2026 cybersecurity guide for SMEs.
To sum up the two dates you need to write down: the notification obligation active from January 1, 2026 (procedure needed today) and baseline measures by October 2026 (work to start now). Of the two, the first is the one that can catch you unprepared tomorrow morning; the second is the one that needs the most months of preparation. Either way, the right time to start was yesterday. The second-best time is now.
Frequently asked questions
When does the NIS2 incident notification obligation begin?
The notification obligation takes effect on January 1, 2026, for essential and important entities registered with ACN. If a significant incident occurs, you must send an early warning within 24 hours, a notification within 72 hours, and a final report within one month, via CSIRT Italia.
By when do I need to have NIS2 security measures in place?
The baseline security measures under art. 21 (risk analysis, incident handling, business continuity, supply chain security, MFA, patch management, and more) must be fully implemented and documented by October 2026, per the ACN determination. Always check the specific window for your position.
What do I risk if I miss the NIS2 deadlines?
Fines reach up to €10 million or 2% of worldwide turnover for essential entities, and up to €7 million or 1.4% for important entities. In serious cases, ACN can temporarily suspend executives from their duties. There's also the risk of losing cyber insurance coverage.
Does the NIS2 notification replace the one to the Data Protection Authority?
No, they're two separate obligations. The NIS2 notification goes to ACN via CSIRT Italia, while a data breach involving personal data must be reported to the Data Protection Authority within 72 hours under art. 33 GDPR. An attack that locks up systems and exposes customer data triggers both notifications.
Who is responsible for NIS2 compliance within a company?
Responsibility sits with the governing bodies — the CEO and the board — who must formally approve the measures. It isn't a duty that can be offloaded to the IT department: in serious cases, administrators are personally liable and can be suspended from their managerial duties.
Where should you start to meet the deadlines?
With a gap analysis — a snapshot of your current state against each required measure. Right after that, put together the incident notification procedure (already mandatory since January) and the technical remediation plan. Supplier assessment takes longer since it depends on third parties, so start it early.
The 2026 NIS2 deadlines call for months of preparation, not days. Talk to us and let's build a realistic compliance plan together, with the audit and documentation ready for ACN.