CRA for Italian Manufacturers: ACN, ACCREDIA, Legge 36/2026
Country brief for Italian manufacturers under the CRA: ACN authority, ACCREDIA accreditation, OCSI/EUCC, Italian-language duties, and Transizione 5.0 funding.
In this article
- Summary
- When this guide applies to you
- ACN and CSIRT Italia: the Italian CSIRT route
- Notified bodies: ACN notifies, ACCREDIA accredits
- ACN: the CRA market-surveillance authority
- OCSI and the European EUCC scheme
- Italian-language requirements in practice
- Selling cross-border from Italy
- National funding programmes
- Frequently Asked Questions
Italian manufacturers face the same CRA obligations as every other EU manufacturer. This page is a country brief for Italy: how vulnerability and incident reports route through CSIRT Italia, how ACN sits as both the notifying authority and the market-surveillance authority under Legge 36/2026, where ACCREDIA fits as the accreditation step, how OCSI feeds into the European EUCC scheme, the Italian-language obligations, and which of the Transizione 5.0, PNRR, and SECURE funding lines are realistic for compliance investment. For the full manufacturer obligation set, see the manufacturer cluster guide.
Summary
- The CRA is an EU Regulation with direct effect. There are no Italian-specific exemptions for product manufacturers.
- Legge 17 marzo 2026, n. 36 (Legge di delegazione europea 2025, GU n. 70 del 25 marzo 2026) gives the Italian Government six months to publish the implementing decree.
- CSIRT Italia, operated by ACN, is the receiving Italian CSIRT for CRA vulnerability and incident reports when your main establishment is in Italy.
- ACN (Agenzia per la Cybersicurezza Nazionale) is designated as both the Italian notifying authority for CRA conformity-assessment bodies and the market-surveillance authority for products with digital elements. This consolidates two roles that Spain and France split between separate institutions.
- ACCREDIA (Ente Italiano di Accreditamento) accredits Italian conformity-assessment bodies under ISO/IEC 17065:2012. Accreditation is the preferred technical step before ACN notifies a body, although it is not strictly mandatory.
- Italian is required for user-facing product information on the Italian market. Co-official minority languages (German in South Tyrol, French in Aosta Valley, Slovenian in Friuli Venezia Giulia) are not CRA-mandated.
- Transizione 5.0 is a closing Ministero delle Imprese e del Made in Italy (MIMIT) tax-credit route tied to eligible digital and energy transformation of production processes, not a generic cybersecurity grant. PNRR is in its closing NextGenerationEU window (31 August 2026 deadline). The new EU SECURE project (€16.5 million in direct SME support, ACN as Italian partner) opened its first call 28 January to 29 March 2026.
When this guide applies to you
You are the target reader if your "main establishment in the Union" as a manufacturer is in Italy. That means the place where decisions related to the cybersecurity of your products with digital elements are predominantly taken. An Italian-registered sales subsidiary with engineering offshore is not the main establishment. If your engineering team, your SDLC governance, and the people approving security-update releases sit in Italy, this guide is for you.
If your main establishment is elsewhere in the EU and you only ship into Italy, your CRA reports route through the CSIRT of your main-establishment Member State, not CSIRT Italia. The Italian-language obligation for user-facing information still applies for any product placed on the Italian market.
ACN and CSIRT Italia: the Italian CSIRT route
CRA notifications route through the CSIRT designated as coordinator of the Member State where the manufacturer has its main establishment in the Union. For a manufacturer whose main establishment is in Italy, that CSIRT is CSIRT Italia, the national CSIRT operated within ACN.
ACN, established under Decree-Law 82/2021 (converted by Law 109/2021), is Italy's national cybersecurity authority. It reports to the Prime Minister's office and acts as the single national reference point for cybersecurity policy, certification, and regulation. CSIRT Italia publishes Italian-language vulnerability advisories and operates the consumer-product incident response stream.
The technical channel for the 24h / 72h / 14d reporting cadence is the ENISA single reporting platform, which goes operational on 11 September 2026. An Italian manufacturer files via that platform with CSIRT Italia as the receiving coordinator. The CSIRT designation is the routing. The platform is the transport.
Notified bodies: ACN notifies, ACCREDIA accredits
Important Class I products need a notified body (Module B+C or Module H) only where harmonised standards, common specifications, or a certification scheme do not fully cover them. Important Class II products use a notified body (Module B+C or Module H) or an available and applicable certification scheme. Critical products (Annex IV) follow Article 32(4): the Article 8(1) certification route where the Commission has triggered it, otherwise the same Article 32(3) routes.
The Italian institutional split is:
- ACN is the notifying authority that formally designates Italian notified bodies to the European Commission, anchored in Legge 36/2026 and operationalised by the implementing decree.
- ACCREDIA (Ente Italiano di Accreditamento) is the Italian national accreditation body and assesses the technical competence of a candidate under ISO/IEC 17065:2012. Accreditation is described by ACCREDIA as the preferred tool to attest competence and independence, although it is not a strictly mandatory prerequisite for notification under the CRA.
The CRA framework for notified bodies applies from 11 June 2026, after which designated bodies can begin issuing CRA conformity-assessment certificates. Italian candidates with relevant product-certification expertise include IMQ, RINA Services, Bureau Veritas Italia, and TÜV Italia. Final CRA designations are published in the European Commission NANDO database. An Italian manufacturer can use any EU-notified body, not only Italian-designated ones.
ACN: the CRA market-surveillance authority
Unlike Spain (where the ministry carries market-surveillance) and France (where ANFR does), Italy consolidates both notification and market surveillance inside ACN. Legge 36/2026 identifies ACN as the autorità di vigilanza del mercato under CRA Article 52, alongside its notification role under Article 36.
Every formal CRA interaction by an Italian manufacturer routes through ACN as the single counterpart: reasoned requests for technical documentation, document-language requests, on-site inspections, and the cessation-of-operations notice. The Codice del Consumo (Decreto Legislativo 206/2005) governs general consumer-product safety in Italy through the Ministero delle Imprese e del Made in Italy (MIMIT) and AGCM, but the formal CRA market-surveillance authority for products with digital elements is ACN.
Sanctions sit within the CRA's EU-level ceilings (up to 15 million euros or 2.5% of global annual turnover for the most serious infringements). The Italian implementing decree is expected to set the Italian fines scale within those ceilings.
OCSI and the European EUCC scheme
The Organismo di Certificazione della Sicurezza Informatica (OCSI) is Italy's Common Criteria certification body, housed within ACN since 1 July 2022 (transferred from the former Ministry of Economic Development). OCSI is accredited by ACCREDIA under UNI CEI EN ISO/IEC 17065:2012 to operate within the EUCC scheme adopted under EU Regulation 2019/881.
OCSI's national legacy schema ceased activity on 26 February 2026 and OCSI now operates solely under the EUCC. Under CRA Article 27, EU cybersecurity certification schemes can support presumption of conformity for covered requirements when the scheme is specified by a Commission delegated act. Until the EUCC route is specified for CRA purposes, treat an OCSI-issued EUCC certificate as strong evidence for the covered scope, not as a standalone live shortcut.
Italian-language requirements in practice
The CRA requires user-facing product information to be in a language easily understood by users and the local market-surveillance authority. For products placed on the Italian market, that is Italian. The Codice del Consumo independently requires Italian in consumer product information, so the CRA obligation aligns with a long-standing national rule.
Must be in Italian:
- The user instructions and product information shipping with the product.
- The manufacturer contact details, wherever they appear.
- The end-of-support date disclosure shown at the point of purchase.
Can be multilingual:
- The product label and CE marking.
- Packaging text.
- Online documentation, provided an Italian version is reachable.
English is normally accepted for:
- Internal technical documentation. ACN can request an Italian translation under reasoned request, so plan for that contingency.
The EU Declaration of Conformity may be drawn up in any EU official language, but expect an Italian translation request during any ACN inspection. German in South Tyrol, French in Aosta Valley, and Slovenian in the Friuli Venezia Giulia border zone are co-official under their regional statutes but not CRA-mandated. Regional procurement contracts or sector regulators may add their own language clauses, separately from the CRA.
Selling cross-border from Italy
Italian manufacturers selling into Germany, France, Spain, or any other EU Member State carry the same single-routing rule: your reports still go to CSIRT Italia, because routing follows main establishment, not per-shipment destination. You do not file with the German, French, or Spanish CSIRT.
The language obligation does fan out per market. A product shipped into the French market needs French user-facing content. A product shipped into the German market needs German content. The single Italian-language pack does not cover those markets.
Each receiving Member State's market-surveillance authority can also request your technical documentation in a language easily understood by that authority. If your supply runs broadly across the EU, expect requests in at least one widely-used working language, and treat early translation of the most-requested technical-documentation sections as a practical hedge.
National funding programmes
The funding picture for Italian manufacturers planning CRA investment in 2026 has SECURE, sector-specific regional lines, and the closing Transizione 5.0 and PNRR windows. Be precise about what is still open and technically admissible before you plan a line item against any of these.
- Piano Transizione 5.0 is a MIMIT-administered tax-credit programme with a 6.3 billion euro envelope, tied to eligible digital and energy transformation of production processes. For 2026 planning, verify residual status and technical admissibility before relying on it; do not treat it as a new open-ended cybersecurity or compliance fund. CRA-driven SBOM tooling, vulnerability-handling platforms, and security-by-design infrastructure may fit only where the cybersecurity work is part of eligible production-process transformation.
- SECURE (Strengthening EU SMEs Cyber Resilience) is a new EU-funded project explicitly built to support SME CRA implementation. Total budget around 22 million euros, of which 16.5 million euros is direct financial support to SMEs. ACN is the Italian partner in a 7-country consortium. The first call ran from 28 January to 29 March 2026 with a maximum of 30,000 euros per project. Manufacturers, importers, distributors, and software developers are all eligible. Watch the ACN announcements stream for the next call.
- PNRR (Piano Nazionale di Ripresa e Resilienza) is in its closing window. All NextGenerationEU-funded projects must be executed by 31 August 2026, with Italy's final payment requests due by 30 September 2026. PNRR is therefore not a viable planning vehicle for the 11 December 2027 CRA compliance deadline.
- Regional digitalisation vouchers run through the chambers of commerce remain operational in 2026, typically capped between 20,000 and 30,000 euros per beneficiary. Useful for an initial diagnosis, not for the full CRA programme.
For compliance investment dated against the 11 December 2027 obligation deadline, the realistic public funding picture in Italy is SECURE (and follow-up EU SME programmes), residual or successor Transizione 5.0-style production-transformation incentives where technically admissible, and sector-specific regional lines.
Frequently Asked Questions
Which Italian CSIRT receives my CRA vulnerability notifications?
CSIRT Italia, operated within ACN, when the manufacturer's main establishment is in Italy. The CRA defines main establishment as the place where decisions related to the cybersecurity of products with digital elements are predominantly taken. Reports are submitted through the ENISA single reporting platform from 11 September 2026, with CSIRT Italia as the receiving coordinator.
Who designates Italian notified bodies, ACCREDIA or ACN?
ACN is the notifying authority that formally designates Italian CRA notified bodies to the European Commission under the framework set by Legge 36/2026. ACCREDIA accredits the candidate bodies under ISO/IEC 17065:2012 as the preferred technical step before that notification. Accreditation is described by ACCREDIA itself as the preferred but not strictly mandatory tool for attesting competence. An Italian manufacturer can still use any EU-notified body for CRA conformity assessment. The Italian chain matters for procurement, not as a CRA requirement.
Does my OCSI or EUCC certification cover CRA conformity assessment?
OCSI has operated solely under the EUCC since 26 February 2026, so an OCSI-issued EUCC certificate is directly relevant evidence for the covered security claims. The CRA presumption route depends on Article 27 and a Commission delegated act specifying the European cybersecurity certification scheme for CRA purposes. Until that EUCC route is specified, do not treat the certificate as a standalone live shortcut. Treat it as a strong input to your CRA file, with the conformity-assessment route filling in the residual scope.
Which Italian authority is the CRA market-surveillance authority?
ACN. Unlike Spain (where the ministry is positioned as market-surveillance authority) and France (where ANFR carries that role), Italy consolidates notification and market surveillance inside ACN per Legge 36/2026 (Articles 36 and 52 of the CRA respectively). MIMIT and AGCM retain their long-standing general consumer-product safety roles under the Codice del Consumo, but the formal CRA market-surveillance authority for products with digital elements is ACN. Plan filings, document requests, and inspections against ACN as the single national counterpart.
When will Italy publish its national CRA implementing decree in the Gazzetta Ufficiale?
The CRA is an EU Regulation with direct effect, so Italy does not need to transpose it for the substantive obligations to apply on 11 December 2027. What Italy does need to publish is the decreto legislativo foreseen by Legge 17 marzo 2026, n. 36 (Gazzetta Ufficiale n. 70 del 25 marzo 2026), which gives the Government six months from the law's entry into force to adopt the implementing decree. That decree is expected to confirm ACN's institutional designations, set the Italian fines scale within the CRA's EU-level ceilings, and clarify coordination with NIS2-related Italian legislation. Until that decree publishes, ACN's role rests on the legge delega framework.
Do I need to translate everything into Italian for B2B sales?
For products placed on the Italian market with end users in Italy, yes. The CRA requires user information in Italian. The Codice del Consumo independently requires Italian in consumer information for B2C, and the Italian market-surveillance authority can request Italian-language technical documentation under reasoned request for any product. B2B sales between professionals have some flexibility on contract language but no exemption from the CRA's user-information obligation once the product is placed on the Italian market. Plan to deliver Italian user information, Italian support-period disclosure, and Italian manufacturer contact details across both consumer and professional channels.
Can Transizione 5.0 or PNRR funds pay for my CRA compliance tooling?
Transizione 5.0 may help only where cybersecurity work is part of eligible production-process digital and energy transformation. Verify residual status and technical admissibility before relying on it, and do not treat it as a generic cybersecurity or compliance fund. Pure compliance work (audits, conformity-assessment fees) is harder to fit. PNRR is in its closing NextGenerationEU window with project execution due 31 August 2026 and final payment requests due 30 September 2026, so it is not a viable planning vehicle for the 11 December 2027 deadline. The new EU SECURE project (16.5 million euros in direct SME support, ACN as Italian partner) is purpose-built for CRA implementation and the most directly relevant 2026 funding stream to watch.
I ship from Italy into other EU Member States. Where do I report incidents?
Through CSIRT Italia, regardless of which Member States you ship into. The CRA ties notification routing to main establishment, not to per-shipment destination. The language obligation does fan out per market: French-language product information for products shipped to France, German-language for products shipped to Germany, and so on. Pre-stage at least the most-requested technical-documentation sections in a widely-used working language to absorb cross-border reasoned requests from other Member States' market-surveillance authorities.
This article is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for specific CRA compliance guidance.