D.Lgs. 138/2024 is the Italian legislative decree that transposes the EU NIS2 directive into national law. It defines which organizations fall under Italy’s cyber rules and sets expectations for governance, risk management, incident reporting, and supply-chain security.
In cyber security, this matters because attackers often exploit the weakest connected supplier, not the main target itself. The decree pushes organizations to map dependencies, assign responsibility, and verify the security posture of vendors, cloud providers, and managed service partners. In practice, defenders use it to strengthen inventories, contracts, escalation paths, and control over third-party access. For attackers, it raises the value of foreign suppliers and other external dependencies as entry points into critical services. The key idea is that accountability follows operational control, not just corporate borders.