CRA Compliance in Italy

ACN serves as Italy's national competent authority for the CRA, with market surveillance functions coordinated with MIMIT (Ministero delle Imprese e del Made in Italy) for consumer and industrial products. Italy's complex regulatory landscape — including the Perimetro di Sicurezza Nazionale Cibernetica and NIS2 transposition through the D.Lgs. 138/2024 — creates overlapping obligations that manufacturers must carefully map. ACN has moved quickly to build domestic capacity, publishing cybersecurity guidelines and establishing Italy's national cybersecurity certification scheme. ACN participates actively in ENISA working groups and coordinates with EU peer authorities on CRA technical requirements.

Italian manufacturers must submit Article 14 notifications to CSIRT Italia through the secure reporting portal at csirt.gov.it. CSIRT Italia operates 24/7 incident response capability and accepts reports in Italian and English. The Article 14 obligation requires an early warning within 24 hours of detecting active exploitation and a full notification within 72 hours. Italy's Perimetro framework already requires incident notification for critical infrastructure supply chains through ACN, and manufacturers subject to both frameworks should coordinate their notification procedures to satisfy both obligations efficiently. CSIRT Italia participates in the EU CSIRTs network and relays reports to ENISA.

Market surveillance for CRA products in Italy is coordinated between ACN and MIMIT, with USMAF (port health authorities) and the Guardia di Finanza involved in border-level surveillance of imported products. Italy will implement the full CRA penalty regime: up to €15 million or 2.5% of global annual turnover for violations of essential cybersecurity requirements. Italy's enforcement tradition in product safety has historically been variable, but ACN's creation signals a more centralised and capable enforcement approach for cybersecurity. Manufacturers should expect documentation-based surveillance first, with technical testing reserved for higher-risk product categories.

ACN publishes Italian-language cybersecurity guidelines and implementation guidance for manufacturers, including sector-specific frameworks for industrial and critical infrastructure supply chains. The agency operates a free Sportello Unico (single contact point) for cybersecurity regulatory enquiries from businesses. Confindustria and its sector federations (including Federmeccanica and Confindustria Digitale) provide CRA implementation guidance for Italian industrial manufacturers. ENEA and CNR research institutes provide technical expertise for conformity assessment activities. Italy's national cybersecurity certification body operates under ACN for products requiring third-party evaluation.