In early July, the Italian National Cybersecurity Agency, ACN, updated several FAQs published on its website and introduced new ones. More specifically, FAQs ODA.8 and ODA.9 were revised, while ODA.10, ODA.11, ODA.12 and ODA.13 were added. The update has an interpretative purpose, since the obligations continue to derive from Article 23 of Legislative Decree No. 138/2024 and from the baseline specifications established by ACN Determination No. 379907/2025. However, the FAQs provide a clearer understanding of how the Authority interprets these provisions and offer relevant guidance for structuring the compliance process.
The update addresses one of the most debated aspects of NIS2 implementation: the relationship between the responsibilities assigned to administrative and management bodies and the work performed by the functions that manage cyber risk at an operational level.
The revised versions of ODA.8 and ODA.9 distinguish more clearly between the possibility of delegating certain activities, the formal responsibilities assigned to administrative and management bodies, and the activities required to implement the obligations.
In particular, ODA.8 specifies that delegation cannot cover the approval of the documents referred to in Article 23, paragraph 1, letter a), and paragraph 2 of the NIS Decree, which are listed in table format in Appendix C of the guide to the baseline specifications. This obligation remains exclusively with the administrative and management bodies of the NIS entity. It cannot be transferred to individual members, separate corporate bodies or other functions within the organisation, regardless of the corporate governance model adopted.
ODA.9, on the other hand, provides a list of the obligations and related responsibilities assigned to administrative and management bodies, which therefore cannot be delegated.
The FAQ also specifies that delegation is permitted for activities aimed at implementing the obligations set out in Article 23, paragraphs 1 and 2 of the NIS Decree. Where such delegation is granted, Articles 2381 and 2392 of the Italian Civil Code continue to apply for the purposes of determining liability.
The same FAQ further clarifies that delegation does not allow compliance with the obligations under Article 23, paragraphs 1 and 2 of the NIS Decree to be transferred to individual members of the administrative and management bodies or to other bodies and functions within the NIS entity.
The new FAQ ODA.10 lists the eleven documents that must be approved by the administrative and management bodies pursuant to Article 23, paragraph 1, letter a), of the NIS Decree.
The FAQ also specifies that these documents must address the security-measure requirements at least at the level of strategic direction and planning, so that the administrative and management bodies can exercise their responsibilities with sufficient awareness. Consequently, the technical and operational details may be governed through additional documentary and organisational controls, including technical procedures, operating instructions, manuals, internal documents and reports prepared by the competent functions of the NIS entity. The technical and operational detail may therefore be developed through procedures or other controls prepared by the relevant functions. The FAQ thus distinguishes between the documentation submitted to senior management and the documentation used by specialist teams to implement the measures in practice.
FAQ ODA.11 clarifies that the additional documentary and organisational controls referenced in the documents identified by ODA.10 do not have to be submitted for approval to the administrative and management bodies.
In practical terms, the clarification confirms that the Board of Directors is not required to approve every technical document associated with NIS2 compliance. The FAQ also confirms that the required content may be consolidated into a single document or distributed across several documents. In the case of the cybersecurity incident management plan, for example, the document does not need to include the full details of the applicable procedures. It is sufficient to list those procedures and provide references to the relevant documents.
In line with ODA.11, FAQ ODA.12 clarifies that, when the documentary and organisational controls referred to in ODA.11 are updated, the administrative and management bodies are not required to approve again the documents that reference those controls.
FAQ ODA.13 addresses a more limited administrative matter, clarifying that providing the personal certified email address, or PEC, of each member of the administrative and management bodies is advisable but not mandatory. The organisation may provide a functional certified email address, such as its official digital domicile, or, where this is unavailable, an ordinary corporate email address. The clarification simplifies the management of contact details, provided that an official, up-to-date and properly monitored communication channel is maintained.
Taken as a whole, the new FAQs make the application of NIS2 more consistent with the principles of proportionality, accountability and risk management already established in international information security standards. The clarifications allow organisations to distinguish more clearly between the responsibilities of the board and the activities managed at an operational level, reducing unnecessary documentary approval steps while keeping the focus on the quality of decision-making.
The result is a more sustainable approach to compliance, increasingly focused on the effective governance of cybersecurity.
ai.esra SpA – strada del Lionetto 6 Torino, Italy, 10146
Tel +39 011 234 4611
CAP. SOC. € 50.000,00 i.v. – REA TO1339590 CF e PI 13107650015
“This website is committed to ensuring digital accessibility in accordance with European regulations (EAA). To report accessibility issues, please write to: ai.esra@ai-esra.com”
ai.esra SpA – strada del Lionetto 6 Torino, Italy, 10146
Tel +39 011 234 4611
CAP. SOC. € 50.000,00 i.v. – REA TO1339590
CF e PI 13107650015
© 2024 Esra – All Rights Reserved