CyberGrant Team, Apr 16, 2026 4:16:07 PM, 6 min read

ACN (Italy Cyber Agency) NIS2 Determination - April 2026

ACN Accelerates NIS2: Now Cyber Resilience Is Measurable

The time for formal compliance is over.

With Determination 127437 issued on April 13, 2026, Italy’s National Cybersecurity Agency (ACN) has made the regulatory framework of the NIS Decree fully operational, turning it into a concrete mechanism for cyber risk governance.

Organizations subject to NIS2 can no longer limit themselves to protecting their perimeter. They must understand what they depend on, where they are exposed, and which relationships truly sustain their ability to operate.

 

Before and After Determination 127437

April 13, 2026 is a date that NIS entities - both essential and important - will not easily forget. It marks the moment ACN published Determination 127437, effectively ending passive compliance and transforming national cybersecurity from a theoretical construct into a verifiable operational capability.

For the first time, Italy moves away from isolated perimeter-based thinking and begins mapping the connective tissue that keeps the country running.

Critical dependencies, strategic suppliers, and essential services are now at the center. The key question is no longer just whether an organization is protected. The real question is what it depends on, which nodes support it, and what impact their disruption could generate.

 

Why Now: Supply Chain Vulnerability

Article 24, paragraph 2, letter d) of Legislative Decree 138/2024 (the NIS Decree) sets the objective of controlling supply chain security.

ACN’s Determination transforms that general objective into a concrete, measurable, and verifiable obligation.

This shift is necessary because recent attacks have exploited weaknesses linked to poorly monitored suppliers, misconfigured cloud services, and unmanaged technological dependencies.

Risk increasingly lies outside the organization’s direct perimeter, within the external relationships that sustain daily operations.

 

The New Regulatory Framework

The NIS2 Directive introduced a principle that fundamentally reshapes how organizations approach the protection of their information systems and networks. Security is no longer a purely technical matter confined to IT departments. It is an organizational responsibility tied to business continuity, essential services, and economic stability.

This principle is operationalized through Legislative Decree 138/2024, which translates the European framework into specific obligations.

Articles 24 and 30 require, respectively, cyber risk management and full visibility over activities and services.

Security now enters decision-making and operational processes. Determination 127437 sits exactly at this intersection and makes it actionable.

All NIS entities must submit precise data on suppliers, services, and activities through the ACN platform.

This data comes from concrete work: mapping the supply chain, classifying suppliers, identifying critical services, and categorizing activities.

Organizations must know who their suppliers are, understand which services are essential, and reconstruct the relationships between services, systems, and external parties.

Without this work, the required data simply cannot be produced, and compliance becomes impossible.

The outcome is clear: organizations with real processes will submit coherent data. Those without them will be forced to stop because they lack the necessary information.

At this point, security reveals its true value. Organizations govern risk when they can consistently connect what they decide, what they do, and what they can demonstrate.

When decision, action, and evidence align, security becomes a real capability that supports operations and ensures business continuity.

 

Supply Chain at the Core

Article 18 of Determination 127437 requires NIS entities to identify relevant suppliers based on two criteria: their importance to ICT services and their replaceability within an acceptable timeframe.

Organizations must understand how critical each supplier is and whether it can be replaced without disrupting services.

This fundamentally changes how the supply chain is viewed.

The supplier list becomes a concrete representation of risk, where each supplier has a different weight depending on its impact.

If a supplier supports an essential service and cannot be quickly replaced, it becomes a strategic node. Any issue at that point can directly affect operations.

The ACN platform makes this immediately visible and verifiable.

Organizations must provide detailed data on each supplier: who they are, what they provide, and why they matter.

This creates a clear map of dependencies, highlighting where risk is concentrated and where action is needed.

ACN uses this data to build a system-wide view, identifying critical nodes and making visible a network that was previously fragmented and difficult to manage.

 

From Compliance to Operational Capability

The most significant shift is not data collection itself, but how that data is produced.

To fully understand this, we must refer to the “Guidelines for Interpreting Baseline Specifications” published by ACN in September 2025.

This document explains that supply chain security must be built using specific subcategories of the National Cybersecurity and Data Protection Framework (FNCDP), particularly those related to supply chain management: GV.SC-01, GV.SC-02, GV.SC-04, GV.SC-05, and GV.SC-07.

These measures form the operational foundation for building processes, controls, and real risk governance capabilities.

This means that to report accurate supplier data, organizations must first build a functioning system. Specifically, they must:

  • define a risk management strategy
  • assign clear roles
  • classify suppliers
  • include security requirements in contracts
  • implement continuous monitoring

The data submitted to ACN is the output of a structured process. Without that process, the data is unreliable and compliance is not real.

 

Categorizing Activities and Services

The second pillar of Determination 127437 is Chapter V, which includes Articles 20 and 21.

Article 20 implements Article 30 of the NIS Decree, requiring all NIS entities to submit - and then update annually - a categorized list of their activities and services between May and June.

This must be based on a solid Business Impact Analysis (BIA).

ACN will soon release the final categorization model and supporting materials for a simplified BIA. However, the operational requirement is already clear, as defined in subcategory GV.OC-04 of the National Framework.

This measure requires identifying critical services and maintaining an updated inventory of systems, enabling the data needed for categorization.

Article 21 introduces a concrete verification mechanism. ACN will review submitted lists on a sample basis and compare them both with the reference model and with comparable NIS entities.

This peer comparison ensures consistency across sectors.

The process includes a 90-day review period with a silent approval mechanism. If ACN does not raise objections within that timeframe, the submission is considered validated.

 

The Real Impact on Organizations

Determination 127437 assigns direct responsibility to executive management.

Leadership is accountable for the accuracy and completeness of submitted data.

To manage this level of responsibility, they must understand what is being declared and ensure that real processes exist behind every data point.

IT and security teams must also evolve. Their role can no longer be limited to technical tasks. They must integrate with procurement, legal, and risk management functions.

Supply chain security becomes a shared, cross-functional responsibility.

 

The Strategic Shift

Looking at the bigger picture, the change is clear.

Organizations move from formal compliance to a system based on measurable capabilities.

In the past, it was enough to describe suppliers. Now they must be classified, monitored, linked to services, and mapped in terms of dependencies.

Determination 127437 creates an operational grammar of security where every obligation is tied to a process, every process produces data, and every data point is traceable and verifiable.

Security becomes observable - and therefore measurable.

 

Toward Real Resilience

In May and June, organizations will be required to analyze activities and services and complete their categorization. This will be a real test.

Those with established processes will produce solid data. Those without will struggle to even define what to declare.

Mapping interdependencies becomes the true indicator of maturity. It is not just a compliance requirement, but a reflection of an organization’s ability to govern its system.

 

Conclusions

Determination 127437 does not add complexity. It removes ambiguity by forcing organizations to make explicit what was often implicit.

Those who still view NIS2 as a set of formal requirements are making a strategic mistake. ACN is building a system that measures real resilience.

Organizations that fail to adapt risk falling behind by exposing operational weaknesses.

Those that embrace this shift can build true resilience, based on real processes, reliable data, and full awareness of their dependencies.
