Italy’s Cyber Incident Reporting Revolution: How Three Codes Changed the Game

For months, Italian public sector CISOs and IT teams have lived in a state of limbo. Law 90, passed in June 2024, demanded swift cyber incident notifications - but offered precious little guidance on what, exactly, needed to be reported. Was a phishing attempt enough? What about a brief service outage? As the clock ticked, organizations were left to interpret “notifiable incident” with guesswork or, worse, late-night panic. That changed on February 17, 2026, when the National Cybersecurity Agency (ACN) published the long-awaited taxonomy that closes the loop - and raises the bar.

Fast Facts

• ACN’s taxonomy enforces Law 90’s notification obligations for cyber incidents in Italy as of February 2026.
• Three clear incident categories (IS-1, IS-2, IS-3) now define what must be reported.
• The taxonomy aligns with the EU’s NIS2 directive, allowing unified notifications and reducing duplication.
• Failure to report within 24/72 hours can trigger economic and compliance consequences.
• “Evidence” is now the key threshold - no evidence, no notification, but also no excuses for poor detection.

The Anatomy of a New Regime

Before the ACN taxonomy, Law 90’s reporting requirements were a compliance minefield. Each organization risked defining “incident” on the fly, with interpretations ranging from hyper-vigilant to dangerously lax. The new taxonomy slams the door on such ambiguity. Annex A introduces just three codes:

• IS-1: Loss of Confidentiality – Report when there’s evidence of digital data leaking outside organizational control.
• IS-2: Loss of Integrity – Triggered by evidence of digital data being tampered with, with external impact.
• IS-3: Service Level Violation – Applies when expected service levels are breached, as measured by the organization’s own standards.

This isn’t minimalism for its own sake. Fewer categories mean faster decisions, less debate, and a playbook that can actually be followed at 3 a.m. But there’s a sting in the tail: “evidence” is required. Without proper logging, detection, and triage, organizations won’t just miss incidents - they’ll miss compliance, too.

The ACN also streamlined compliance with the EU’s NIS2 directive. If you report an incident via the NIS channel (article 25), you’ve satisfied Law 90 - provided your process is unified and robust. This “one incident, one report” approach is designed for a future where incidents multiply, but resources don’t.

The message is clear: define your service levels, map your technical events to IS-1/2/3, and clarify who can declare “evidence.” If your answer is “it depends,” you’re already behind. Italian organizations must now treat cybersecurity as an organizational discipline, not just a technical hurdle.

Conclusion: From Guesswork to Governance

Italy’s cyber incident reporting just grew up. The ACN taxonomy gives the public sector a common language and a set of rules that are hard to dodge. It’s less about creating more paperwork and more about forcing real, measureable security maturity. As the first real incidents hit, organizations will discover: fewer codes don’t mean less work - they mean less room to hide.

WIKICROOK

• Taxonomy: A taxonomy is a structured system for classifying cybersecurity threats, vulnerabilities, and controls, supporting better communication and risk management in the field.
• NIS2 Directive: The NIS2 Directive is an EU law requiring critical sectors and their suppliers to strengthen cybersecurity and report serious cyber incidents.
• Confidentiality: Confidentiality is the practice of keeping sensitive information private and ensuring only authorized individuals can access it.
• Integrity: Integrity means ensuring data is accurate, consistent, and unaltered by unauthorized parties, maintaining trust and reliability in cybersecurity systems.
• SOC (Security Operations Center): A SOC (Security Operations Center) is a team or facility that monitors and defends an organization’s digital systems against cyber threats, often 24/7.