Enterprises, Digital Service Providers, Main Establishment

Legislative Decree No. 138/2024

ACN Updated FAQs on the Definition of Main Establishment for Digital Service Providers and the Identification of the Notifying Party in Relationships between NIS Entities

The National Cybersecurity Agency (ACN) recently updated some FAQs regarding Legislative Decree No. 138/2024 (the “NIS Decree”), which transposed EU Directive 2022/2555 (the “NIS 2”) into Italian law. Specifically, the update concerns two aspects.

The first aspect concerns the definition of main establishment for specific digital service providers, which determines the jurisdiction of the Member State to which these entities must be subject.

Please note that Article 3 of the NIS Decree stipulates that entities must be subject to national jurisdiction to fall within its scope of application.

The general rule set forth in Article 5 is that entities established in the national territory, including entities from other Member States and non-EU countries[1], are considered to be subject to national jurisdiction.

However, for a number of specific digital service providers[2], given the specific nature of the activities and services they provide, the NIS Decree provides that they are subject to the jurisdiction of the Member State in which they have their principal establishment in the Union.

If these entities have their principal establishment in Italy, national jurisdiction will apply.

The ACN updated FAQs 2.8, 2.10, 3.1 and 3.15, specifying that, since the NIS 2 Directive and the NIS Decree apply to a single legal person, the main establishment of that legal person is to be identified among its own headquarters, without taking into account for this purpose the associated companies referred to in Article 1, paragraph 1, letter cc), of ACN Determination 333017/2025, or their related headquarters.

The second aspect concerns the identification of the entity subject to the notification obligation to CSIRT Italia, pursuant to Article 25 of the NIS Decree, in the event of a significant incident affecting information and network systems, when the incident involves a customer-supplier relationship between NIS entities.

The updated FAQs address three specific cases.

FAQ ISB.F.1 provides that in the event of a significant incident affecting the information and network systems of a “client” NIS entity for which a “supplier” NIS entity provides services, the notification obligation to CSIRT Italia falls to the client NIS entity, which may then involve the supplier in the incident management phase[3].

FAQ ISB.F.2 clarifies that in the event of a significant incident affecting the information and network systems of a “supplier” NIS entity that provides services to a “client” NIS entity, the notification obligation falls on the supplier. Furthermore, the obligation also falls on the “client” NIS entity if the incident also qualifies as a significant incident in relation to the client’s own services and activities[4].

Finally, FAQ ISB.F.3 provides that in the event of a significant incident affecting the information and network systems of a “customer” NIS entity for which a “supplier” NIS entity provides cloud services, the obligation to notify CSIRT Italia falls on both the “customer” NIS entity and the “supplier” NIS entity, except in the case where the cloud service provided is an IAAS (infrastructure as a service) type or hosting of the customer’s infrastructure.

In these specific cases, therefore, the obligation falls only on the “customer” NIS entity.

[1] See ACN FAQ 2.9.

[2] Domain Name System (DNS) service providers, top-level domain name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content distribution network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines or social networking service platforms.

[3] The FAQ provides, for example, that if the supplier provides managed security services (such as, for example, a Security Operation Center (SOC) service) or managed services (such as, for example, the maintenance and management of a heating, ventilation, and air conditioning (HVAC) system), an incident that occurs on the information and network systems of the NIS-compliant customer must be reported by the latter.

[4] The FAQ provides, for example, that if the supplier provides managed services (such as, for example, the administration of a facility management system (BMS) for the benefit of the NIS-compliant customer), a significant incident that occurs on the information and network systems of the NIS-compliant supplier but which has an impact on the customer’s services and activities such that it constitutes a significant incident for the customer must be reported by both the supplier and the customer.

23/12/2025

Source Assonime

News by Mazzalex