Italy's ACN set a hard operational deadline: organizations in the NIS2 scope must have security measures in place by October 2026, per Determination 127437 of April 13, 2026. For security teams, that calendar matters less than the audit question behind it. If an inspector asked you to demonstrate verifiable control over every document that left your organization in the past six months, what would your answer be?
Most enterprise file sharing setups cannot answer that question cleanly.
Italy's NIS2 transposition, D.Lgs. 138/2024 (in force since October 16, 2024), extends cybersecurity obligations to essential and important entities across critical sectors: banking, healthcare, manufacturing, energy, transport, and digital services, among others. Organizations above 50 employees or €10M in revenue in these sectors are generally in scope, as are supply chain partners to critical-sector entities.
The regulation does not mandate specific technologies. It mandates proportionate risk management with three concrete implications for file operations: every access must be authorized and traceable, every sharing decision must be defensible, and protection must persist even after a document leaves your infrastructure.
ACN Determination 127437 (April 13, 2026) moved the compliance framework from declaratory to operational: scoped organizations must now demonstrate their security posture through the ACN platform with verifiable documentation. That shift has direct consequences for how file operations are governed and evidenced. For a deeper look at how NIS2 places data security accountability at the strategic level, see our article on NIS2 & GDPR strategic governance.
Access policies based on role, device, and context are the baseline. What separates a compliant setup from a checkbox exercise is whether those policies travel with the file after it leaves your systems.
FileGrant applies role-based access control (RBAC) across Admin, Contributor, and Reader roles, with permission granularity down to individual documents and folders. Classification tags override user actions: a document tagged as confidential cannot be downloaded, printed, or shared externally regardless of what the recipient attempts. The policy is not a perimeter rule. It is attached to the file.
NIS2 compliance is not only about what happened. It is about proving what happened, to an inspector reconstructing events after the fact. Your audit trail needs to capture successful access, failed attempts, modifications, prints, shares, and revocations, with timestamps and device identifiers, in a format that cannot be edited retroactively.
FileGrant logs every file and folder activity in real time. When an incident occurs or an ACN compliance review arrives, the forensic record is already complete. For a detailed breakdown of how persistent audit trails address file sharing risks, see Secure file sharing: how to keep control over your data at every stage.
Most enterprise file sharing encrypts in transit. That protects the connection, not the document. Once a file arrives at its destination and the TLS session closes, the protection ends with it. The file is readable by anyone with access to the receiving device, regardless of what your policies say.
FileGrant uses CRYSTALS-Kyber encryption (NIST FIPS 203, finalized August 2024), which stays active after download. A document sent to a vendor, a board member, or a regulator is still under your policy control on their device. If access is revoked, the file becomes unreadable at that moment, wherever it sits.
There is a forward-looking dimension here that security teams should factor into their evaluation. Adversaries are currently collecting encrypted data with the intent to decrypt it once quantum computing reaches operational capacity, a strategy known as harvest now, decrypt later. Files protected with current symmetric encryption standards will not withstand that window. CRYSTALS-Kyber is the NIST-standardized response to that specific threat. For a technical overview of the post-quantum timeline and what it means for enterprise data, see The quantum threat: how to prepare for the post-quantum security era.
This is the criterion that reveals the compliance exposure in most setups. Once a file is sent with a standard sharing tool, the sender loses control. Vendor relationships end. Personnel change. Documents reach unintended recipients. There is no practical remediation after the fact.
FileGrant reverses that logic. Access revocation is a single action and takes effect immediately, even on files already downloaded. The Lock&Go format renders the document inaccessible from that moment forward, regardless of its location.
The right starting point is not the tool selection: it is the document flow. Which files carry sensitive content? Who receives them, through which channels, under what authorization logic? That map identifies where the four criteria are currently unmet and how large the exposure is.
FileGrant's AI classification layer handles this automatically for new documents. Content is analyzed, tagged, and protected at creation without requiring manual decisions from the originating team. When the protection layer is invisible to users, adoption is not a separate problem to manage: it follows from the design. For a broader look at how AI classification and post-quantum encryption are reshaping the CISO agenda in 2026, see Cybersecurity 2026: three trends redefining CISO priorities.
The first is treating encryption as sufficient. Encryption is necessary. A file you cannot track or revoke after delivery does not satisfy NIS2 requirements regardless of the algorithm used in transit.
The second is underweighting revocation. Every file sharing tool used without a revocation mechanism has left documents fully accessible to every recipient, indefinitely. That is not a theoretical risk for past sharing: it is a current exposure.
The third is separating technology from adoption. A tool that slows workflows will be bypassed. When users shift to personal email, consumer cloud storage, or messaging apps as workarounds, they create document flows your audit trail will never see. The compliance gap is real whether or not it is visible in your logs.
The evaluation question to put to any candidate solution is not whether it encrypts files. It is whether you can demonstrate, at any point and for any document, who currently has access, on what terms, and how to revoke it within seconds if needed.
FileGrant is built to answer that question operationally, not just on a feature sheet. Persistent encryption, structured audit logging, and instant revocation are the architecture, not optional add-ons. The compliance documentation is generated automatically because the controls produce it in real time.
October 2026 is close enough that organizations starting an evaluation now are working against a compressed timeline. The four criteria above narrow that process: applied consistently, they distinguish solutions that meet the standard from solutions that approximate it.
D.Lgs. 138/2024 applies to essential and important entities in critical sectors: banking, financial infrastructure, healthcare, energy, transport, manufacturing, digital infrastructure, and others. Organizations above 50 employees or €10M in revenue in these sectors are generally in scope. Supply chain involvement with critical-sector entities may extend the obligation regardless of the supplier's own size.
Sanctions reach up to €10 million or 2% of global annual turnover for essential entities. ACN can impose immediate corrective measures and, in serious cases, temporary restrictions on management responsibility for the officers accountable. The accountability dimension changed in October 2024: NIS2 placed board-level responsibility on cybersecurity posture in a way prior Italian law did not.
Apply the four criteria: granular access control, immutable audit trails, persistent post-delivery encryption, and instant revocation. If any of the four is absent or only partially implemented, the gap represents a compliance exposure, not a configuration issue to address after the audit cycle. FileGrant's features page maps each function to the relevant NIS2 control.
Encryption in transit protects files during transfer, inside the TLS session. Once delivery is complete and the session ends, in-transit encryption provides no further protection. Persistent encryption, the model FileGrant applies with CRYSTALS-Kyber (NIST FIPS 203), keeps the document under policy control after download. The protection is a property of the file, not of the channel.
Tenant activation takes under 60 seconds. Full enterprise integration, including SSO configuration, on-premises deployment, and RBAC setup aligned to your org structure, typically takes days. A phased rollout by department or document type is possible without disrupting existing workflows. Request a demo to see it in your specific context.