ISMS Copilot

ISMS Copilot for the Italian public sector

AgID Misure Minime for PA suppliers, ACN registration, and D.Lgs. 138/2024 NIS 2 obligations in one workspace.

AgID Misure Minime for Italian PA suppliers

  • Implement the AgID Misure Minime di Sicurezza ICT — the minimum ICT security measures binding on Italian public administration
  • Apply the AgID measure levels (Minimo, Standard, Alto) to your systems
  • Identify whether you fall under Allegato I or Allegato II of D.Lgs. 138/2024
  • Meet the Art. 23 governance and training obligations placed on management bodies
  • Map controls to the ten risk areas listed in Art. 24, comma 2
  • Operate the 24-hour, 72-hour and one-month notification chain to ACN under Art. 25

Built for the PA body and the supplier bidding into Italian government

AgID Misure Minime di Sicurezza ICT implementation guidance for public administration and its ICT suppliers

ACN (Agenzia per la Cybersicurezza Nazionale) registration and reporting support

D.Lgs. 138/2024 entity classification (soggetti essenziali vs soggetti importanti) under Art. 6

Art. 38 penalty-threshold awareness for essential and important entities

Cross-mapping ISO/IEC 27001 to AgID controls so one ISMS serves both purposes

Italian-language support with native terminology (SGSI, ACN, Garante, Misure Minime)

AgID Misure Minime for Italian PA suppliers

Italian public-sector compliance has two binding layers, and a supplier almost always inherits both. The AgID Misure Minime di Sicurezza ICT define the minimum ICT security measures every Italian public administration must apply, organised into ascending levels (Minimo, Standard, Alto); these requirements cascade contractually onto ICT suppliers serving the PA. Separately, D.Lgs. 138/2024 transposes the EU NIS 2 Directive into Italian law (in force since 16 October 2024), with ACN (Agenzia per la Cybersicurezza Nazionale) as the sole competent authority. It distinguishes soggetti essenziali from soggetti importanti under Art. 6 and imposes the Art. 23 management-body governance and training duties, the Art. 24, comma 2 measures across ten risk areas, the Art. 25 notification chain (24 hours, 72 hours and one month), and Art. 38 penalties of up to 10,000,000 EUR or 2% of global turnover for essential entities. ISMS Copilot maps ISO/IEC 27001 to the AgID controls and walks through the D.Lgs. 138/2024 articles so one ISMS serves both. ISMS Copilot does not issue any certification or attestation.

Frequently Asked Questions

What are the AgID Misure Minime and who do they bind?

The AgID Misure Minime di Sicurezza ICT are the minimum ICT security measures that every Italian public administration must apply, structured into ascending levels (Minimo, Standard, Alto). They cascade contractually onto ICT suppliers serving the PA, so if you bid into Italian government you typically have to demonstrate conformity at the level the contract requires. ISMS Copilot maps your ISO/IEC 27001 controls to the AgID measure set.

How does D.Lgs. 138/2024 differ from talking generically about NIS 2?

D.Lgs. 138/2024 is the specific Italian legislative decree that transposes Directive (EU) 2022/2555, in force since 16 October 2024, with ACN as the sole competent authority. It is the law you actually comply with: Art. 6 entity classification, Art. 23 governance duties, the Art. 24 ten-risk-area measures, the Art. 25 notification chain and Art. 38 penalties. The Copilot works through the decree article by article rather than through the abstract directive.

What are the penalties under D.Lgs. 138/2024?

Art. 38 sets maxima up to 10,000,000 EUR or 2% of global annual turnover for essential entities (soggetti essenziali) and up to 7,000,000 EUR or 1.4% for important entities (soggetti importanti). Classification under Art. 6 therefore directly drives your enforcement exposure, which is why the Copilot resolves it early.

Ready to streamline your compliance work?

Built for speed, accuracy, and audit-ready output.