NIS 2 information sharing agreements are a central focus of Italy’s cybersecurity compliance landscape in July 2025.
As the deadline for the annual update under Article 17 of the Italian NIS2 Decree (Legislative Decree No. 138/2024) approaches on 31 July 2025, essential and important entities must urgently assess whether their existing contracts include obligations to disclose cybersecurity-related data exchanges.
The Italian National Cybersecurity Agency (ACN) has issued clarifications that broaden the scope of what qualifies as a NIS 2 information sharing agreement—and overlooking this obligation may result in regulatory scrutiny.
What Article 17 Says About NIS 2 Information Sharing Agreements
Article 17 of the NIS2 Decree enables voluntary sharing of cybersecurity information between essential and important entities and their service providers. The types of information that may be shared include:
- Cyber threats, near-incidents, and system vulnerabilities
- Adversarial tactics, techniques, and procedures (TTPs)
- Indicators of compromise (IOCs)
- Threat actor profiles and specific intelligence
- Alerts and technical recommendations for securing systems
The overarching purpose is to:
- Strengthen cyber incident preparedness and response, including containment and recovery.
- Promote a collaborative cybersecurity culture, supporting early threat detection, vulnerability disclosure, and public-private intelligence sharing.
Entities are required to inform the ACN of any NIS 2 information sharing agreements when completing the annual update on the ACN portal. This obligation applies to agreements in force and signed on or after 16 October 2024, the date the NIS2 Decree entered into effect.
ACN’s Clarifications: What Really Counts as Information Sharing?
The ACN’s FAQ ACI.4—published under the “Annual Update” section of its website—has introduced a broader interpretation of Article 17. According to the Agency:
Information sharing activities also include the exchange of information occurring within the context of procurements that concern, even partially, cybersecurity services.
This means that even procurement contracts with embedded cybersecurity features may fall within the scope of NIS 2 information sharing agreements if they include data-sharing obligations.
The ACN identifies several contract types that may be notifiable:
- SOC (Security Operation Centre)
- CSOC (Cyber Security Operation Centre)
- NOC (Network Operation Centre)
- MDR (Managed Detection and Response)
- CERT (Computer Emergency Response Teams)
- VA/PT (Vulnerability Assessment and Penetration Testing)
- Red Teaming
- Cyber Threat Intelligence services
If any such contract signed after 16 October 2024 includes provisions for sharing cybersecurity data, it must be reported by 31 July 2025.
What Does Not Qualify as a NIS 2 Information Sharing Agreement?
The ACN draws a distinction between formalized data exchanges and informal communications. Contracts not focused on cybersecurity, in which suppliers voluntarily inform the client about cyber events, do not fall under the scope of Article 17 and are not subject to the notification requirement.
This differentiation is essential to avoid over-reporting and misclassification.
How to Comply: Reporting Requirements and Practical Steps
For each agreement that qualifies as a NIS 2 information sharing agreement, entities must provide the ACN with an extract containing:
- Names of the parties involved
- Description of the services provided
- Specific clauses concerning the exchange of cybersecurity information and the mutual responsibilities of the parties
Importantly, full contracts do not need to be disclosed—only relevant extracts are necessary.
Why ACN’s Broad Interpretation Raises Concerns
The ACN’s approach is not without controversy. Key concerns include:
- Inconsistency with EU practice: Few other Member States have interpreted Article 17 so expansively.
- Deviation from the text: The literal wording refers to voluntary sharing, not services inherently designed to manage cyber risk.
- Contradiction with earlier guidance: ACN’s own FAQ ACI.2 had framed information sharing as a best practice, not a structural requirement.
Moreover, services like SOC, MDR, and VA/PT are professional security services—they aren’t usually perceived as voluntary intelligence exchanges. Their classification under NIS 2 information sharing agreements may therefore be problematic.
What Should You Do Before July 31?
With the deadline fast approaching, organizations should:
- Identify all cybersecurity-related contracts signed since 16 October 2024.
- Review contract clauses for references to data sharing, intelligence exchange, or cybersecurity alerting.
- Classify qualifying contracts as reportable NIS 2 information sharing agreements.
- Prepare the necessary extract for the ACN portal submission.
Failure to comply could lead to heightened regulatory oversight or missed compliance benchmarks under Italy’s NIS 2 implementation strategy.
Final Thoughts
The interpretation of NIS 2 information sharing agreements is evolving fast—and Italy is at the forefront of this regulatory shift. Whether this expansive reading of Article 17 becomes the EU standard remains uncertain. But one thing is clear: essential and important entities must act before the July 31 deadline to ensure they are fully aligned with ACN’s expectations.
Have you reviewed your contracts? Are you ready to report?
If in doubt, now is the time to assess and act. On the same topic, you can read the article “ENISA Guidelines on Compliance with NIS 2 Directive Published”.