NIS2 and 2026 deadlines: why Offensive Security has become a strategic requirement
2026 represents a turning point for the NIS2 Directive, transposed in Italy by Legislative Decree 138/2024. Following the identification phase of the entities involved, 2026 marks the full entry into force of operational obligations, Authority inspections, and the first structured audits of organizations’ actual security levels.
In this scenario, Offensive Security is no longer just a best practice, but a key tool for demonstrating compliance and resilience.
What will happen in 2026 for NIS2
Starting from January 1, 2026, organizations subject to NIS2 are required to promptly notify CSIRT Italy of significant security incidents, demonstrate the adoption of adequate technical and organizational measures, and keep information regarding their security posture constantly updated. This marks a true paradigm shift: it is no longer enough to declare compliance with the regulations; it has become necessary to concretely prove that the implemented measures actually work.
NIS2 requires a risk-based approach, including:
- protection of critical infrastructure;
- ability to prevent, detect, and respond to incidents;
- business continuity;
- supply chain security.
All these areas cannot be validated through policies or checklists alone. They must be tested in the field.
Offensive Security in the NIS2 Scenario
Services such as Penetration Testing and Vulnerability Assessments… become fundamental to verify the actual effectiveness of the security measures adopted, identify exploitable vulnerabilities before they can be used by an attacker, concretely test the Incident Response processes required by NIS2, and demonstrate—in the event of audits or inspections—a truly proactive approach to security. In the NIS2 context, Offensive Security is necessary to measure the organization’s overall resilience.
2026 Deadlines and Controls: Why Act Now
2026 marks the beginning of full operational oversight by the ACN. Since January 1st, 2026, obligations for incident notification and demonstration of adopted measures have become effective. Between January and February, the first structured requests for updates and confirmation of information on the ACN platform are expected, while by October, organizations must provide concrete evidence on the implementation of the required security measures. This makes it essential to move early, avoiding reactive approaches and emergency interventions under pressure.
Offensive Security as an Investment, Not a Cost
In a regulated context such as the one introduced by NIS2, Offensive Security establishes itself as an effective operational risk reduction tool and a distinguishing factor for customers, partners, and stakeholders. Testing today means avoiding incidents tomorrow and transforming a regulatory obligation into a competitive advantage.
To sum up
| Date | What happens | |
| 1 January 2026 | Obligation to report incidents | Pre-notification within 24 hours, details within 72 hours, final report within 1 month |
| 28 February 2026 | Annual ANAC update | Confirmation of data, roles and assets on the ACN portal |
| April–May 2026 | Asset categorisation and update | Guidelines, IT/OT selection, domain and IP reconfirmation |
| October 2026 | Implementation of technical measures | Application of ACN specifications: 37 measures for important subjects, 43 for essential subjects |
How we can help your organisation
The Betrusted team is ready to assist you and your organisation in implementing the required security measures. Find out more about NIS2 and our plan to comply with the directive on the dedicated page.
Discover how we can help you
Together, we’ll find the best solutions to tackle the challenges your business faces every day.