The Italian banking sector is primarily governed by Legislative Decree No 385/1993 (the “Consolidated Law on Banking”), which, among other things, regulates:

• the authorisation regime for banking activity;
• banks’ branches and cross-border services;
• banks’ and banking groups’ supervision;
• transparency and conduct requirements in connection with the provision of banking services and payment services;
• deposit guarantee schemes;
• recovery and administration proceedings; and
• sanctions.

The Consolidated Law on Banking, together with the Bank of Italy’s Circular No 285/2013, transposes the EU bank regulatory framework, including the EU Capital Requirements Directive (the “CRD IV” and the “CRD V”) into Italian law and incorporates the options and discretions provided in the EU Capital Requirements Regulation (the “CRR”, “CRR II” and “CRR III”) into Italian law.

Other key Italian laws and regulations in the banking sector are:

• Legislative Decree No 11/2010, which has implemented the EU Payment Services Directive (the “PSD” and the “PSD II”);
• Legislative Decree No 231/2007, which has implemented the EU Anti-Money Laundering Directive (the “AMLD IV” and the “AMLD V”);
• Legislative Decree No 180/2015, which has implemented the EU Bank Recovery and Resolution Directive (the “BRRD” and the “BRRD II”);
• Legislative Decree No 129/2024, which has aligned the national framework to the Markets in Crypto-Assets Regulation (Regulation (EU) 2023/1114) (the “MICAR”); and
• Legislative Decree No 58/1998 (the “Consolidated Law on Finance”) and the Commissione Nazionale per le Società e la Borsa (CONSOB) Intermediaries Regulation, which have implemented the EU Markets in Financial Instruments Directive (the “MiFID II”).

Banking supervision is jointly conducted by two main Italian regulators and the European Central Bank (ECB) as follows.

• The Bank of Italy carries out the prudential supervision of banks in co-ordination with the ECB. In particular:
1. the ECB directly supervises “significant” Italian banks and banking groups, identified according to the criteria set out in Article 6(4) of EU Regulation 1024/2013 (the “SSM Regulation”); and
2. the Bank of Italy directly supervises other “less significant” Italian banks and banking groups.
• CONSOB is responsible for the transparency and fairness of banks’ conduct towards investors in the provision of investment services and activities.

Banking supervision in Italy also involves the Unità di Informazione Finanziaria (UIF), which is Italy’s financial intelligence unit. It focuses on preventing and detecting money laundering and terrorist financing. It operates independently of the Bank of Italy.

Secondary national legislation consists of:

• resolutions of the Interministerial Committee for Credit and Savings (CICR), which, upon proposals from the Bank of Italy, provides supervisory guidelines through ministerial regulations;
• circulars, regulations and supervisory rules issued by the Bank of Italy; and
• CONSOB’s regulations.

Authorisation Requirements

“Banking activity” is defined under Italian law as collecting  savings from the publicand granting loans. The exercise of “banking activity” is exclusively reserved for banks. Financial intermediaries are only authorised to carry out lending activities.

The ECB – together with the Bank of Italy – is the competent authority for granting banking authorisations to Italian banks.

Applicants for banking licences in Italy must meet the following requirements.

• Be a joint stock company (società per azioni) or mutual limited liability company (società cooperativa a responsabilità limitata).
• Have an established registered office and headquarters in Italy.
• Have a minimum initial share capital of:
1. EUR10 million for joint stock companies, banche popolari, and mutual loan guarantee banks (banche di garanzia collettiva); or
2. EUR5 million, for mutual credit banks (banche di credito cooperativo).
• Have an initial business plan that focuses on capital and organisational structure, along with the memorandum of incorporation and articles of association.
• Comply with the qualifying shareholders’ requirements.
• Have completed a fitness and propriety assessment for members of the bank’s board of directors, board of statutory auditors and, if appointed, general manager.
• Have no close links with a bank or any entity within or outside the group which could undermine effective supervision.

Authorisation Process

The licensing application must be submitted via the European Information Management System (IMAS) Portal.

The Bank of Italy, in co-operation with the ECB, will then carry out a preliminary assessment of the application.

Based on the preliminary assessment, the Bank of Italy:

• in the case of a positive outcome, will forward a draft authorisation decision to the ECB for its approval; or
• in the case of a negative outcome, will reject the application.

If the preliminary assessment is positive, the ECB will make the final decision within 180 days of receiving the completed application, subject to any suspension or interruption and, in any case, within 12 months.

Before applying, applicants may request a meeting with the Bank of Italy.

During its assessment, the Bank of Italy may request additional information and certifications, conduct investigations and seek the opinion of other national or foreign competent authorities.

Applicants are not required to pay any fee or to use a specific submission form. However, licensed banks are required to pay supervisory fees to the ECB to cover the costs related to banking supervision, the amount of which depends on the bank’s size and risk profile.

Activities Covered by the Banking Authorisation

The banking authorisation covers a wide range of activities and services that must be carried out in compliance with the relevant rules under Italian law. They are:

• taking deposits or other repayable funds from the public and granting of loans;
• payment services;
• electronic money issuance;
• all other financial activities; and
• related or ancillary activities.

Services Requiring Additional Authorisations

In order to provide certain financial services, Italian banks will need additional authorisations. They are as follows.

• For investment services and activities under the MiFID II framework, an authorisation from the Bank of Italy, following consultation with CONSOB, is required.
• For issuing, offering to the public (and/or seeking admission to trading of) asset-referenced tokens under MiCAR, a notification to the Bank of Italy is required at least 90 business days in advance.
• For issuing, offering to the public (and/or seeking admission to trading of) electronic money tokens under MiCAR, a notification to the Bank of Italy is required at least 40 business days in advance.
• For carrying out crypto-asset services under MiCAR, a notification to the Bank of Italy is required at least 40 business days in advance.
• For acting as a depositary bank of collective investment undertakings, an additional Bank of Italy authorisation is required, and the authorisation must be granted or refused within 120 days from the date of receipt of a complete application.

EU Passporting

The exercise of banking activities in other EU member states by Italian banks requires:

in the case of establishment, an advance notice to the Bank of Italy, which will inform the ECB (in case of “significant” banks). If no contrary decision is made by the Bank of Italy or the ECB within two months of the receipt of such notification, the branch may be established and start its activities; and

in the case of cross-border service provision, Italian banks must notify the Bank of Italy, which will give advance notice to the ECB and the host country’s authority.

Prior Approval Requirements

A prior ECB approval, upon a proposal by the Bank of Italy, is required when a prospective acquirer, or more prospective acquirers acting in concert, intends to:

• acquire a direct or indirect holding in a bank which represents 10% or more of the capital or the voting rights or which makes it possible to exercise significant influence or control over the bank’s management (“qualifying holding”);
• increase an existing “qualifying holding”, when the voting rights or share capital reaches or exceeds 20%, 30% or 50%, or when the increase results in control over the bank; and
• acquire, in any form, without purchasing shares (including through an agreement with the bank or a provision in its articles of association) control or significant influence over the bank, or a percentage of voting rights or capital of at least 10%, 20%, 30% or 50%, taking shares already owned into account.

Required Regulatory Filings

For the acquisition of a “qualifying holding” in an Italian bank, the proposed acquirer must submit an advance application to the Bank of Italy and the ECB via the IMAS Portal.

The information and documentation to be provided include:

• a description of the transaction and any other authorisations required in connection thereto;
• information on the proposed acquirer, including its business, the individuals who effectively direct its business, qualifying shareholders, reputation and group;
• information on the persons who will direct the business of the target bank;
• information on the financial soundness and compliance with regulatory requirements, including information on the financing of the transaction and its impact on the supervision of the target bank;
• information on compliance with AML/CFT legislation; and
• additional information depending on the amount of the shareholding to be acquired, including a business plan in case the shareholding reaches or exceeds 20%.

Foreign applicants may also be required to:

• file a separate notification to the Italian government under the foreign direct investments regime; and
• provide additional documentation concerning their group, shareholders, and financial soundness, especially when incorporated in non-EU jurisdictions that are not considered equivalent to Italy in terms of AML and tax treatment.

Approval Process

The Bank of Italy assesses the proposed acquirer and then submits a draft decision to the ECB, either approving or refusing the acquisition.

The approval process lasts 60 working days from the date of the Bank of Italy’s acknowledgement of receipt of a complete application. The term may be suspended only once for up to 30 working days if the acquirer is a non-EU person or a non-regulated EU entity, or for 20 working days in all other cases.

Post-Acquisition Filings

The acquirer(s) must inform the Bank of Italy of the completion of the proposed acquisition within ten days. They must file an advance notice with the Bank of Italy in case they intend to reduce their “qualifying holding” below a relevant threshold.

Alternative Corporate Governance Systems

Italian corporate law contemplates three different governance and supervision systems that stock corporations, including banks, may choose to adopt. These are as follows.

• The traditional and most common Italian model comprises:
1. a board of directors, which is responsible for the bank’s management;
2. a board of statutory auditors, composed of independent members monitoring the board of directors’ operations; and
3. a shareholders’ meeting, which is primarily responsible for the appointment of corporate bodies and for the approval of the financial statements.
• A one-tier model, only consisting of a board of directors, which includes a management audit committee (comitato per il controllo sulla gestione) composed of a majority of independent directors.
• A two-tier model comprising:
1. a supervisory board (consiglio di sorveglianza); and
2. a management board (consiglio di gestione).

Banks must select the most suitable corporate governance model to enhance operational efficiency and ensure effective controls, while considering the associated costs of each model.

Italian banks adopting the two-tier model are required to set up an “internal controls committee” if the supervisory board is responsible for strategic supervision or has a broad composition.

Italian banks adopting the one-tier model are required to set up a “management control committee”, which is primarily responsible for ensuring compliance with laws, regulations, and the bank’s articles of association, as well as for proper governance and for ensuring the bank has an adequate organisational and accounting framework.

Board Committees

Banks that are large or operationally complex are required to set up:

• a nomination committee (comitato nomine);
• a risks committee (comitato rischi); and
• a remuneration committee (comitato remunerazioni).

Composition of Corporate Bodies

Italian banks must comply with limits on the number of board members, with specific thresholds for traditional models (up to a maximum of 15), one-tier models (up to a maximum of 19), and two-tier models (up to a maximum of 22), which can only be exceeded in exceptional cases.

The management body must include an adequate number of non-executive members. The body with strategic supervisory functions must also include independent members.

Banks must identify and assess over time an optimal qualitative-quantitative composition for their governing bodies and define ideal profiles for candidates in terms of professionalism and independence.

The composition of corporate bodies must reflect an appropriate degree of diversity in terms of skills, experience, age, gender and international background. Members of the underrepresented gender in bodies with strategic supervision and control functions must represent at least 33% of the total number.

Internal Control Functions

Banks must establish three lines of defence as follows.

• Business line controls (first line of defence), intended to ensure the proper execution of operations and conduct by the same operational structures.
• Compliance and risk management controls (second line of defence), intended to ensure:
1. the proper implementation of the risk management process; and
2. the compliance of business operations with laws and regulations, including self-regulation standards to avoid penalties, losses and reputational damage.
• Internal audit controls (third line of defence), intended to detect violations of procedures and regulations and periodically assess the completeness, adequacy, functionality and reliability of the internal control and the ICT system.

Key Suitability Requirements

In order to ensure the sound and prudent management of an Italian bank, all members of its corporate bodies and the general manager (if appointed) must satisfy the following suitability requirements:

• professional experience;
• integrity;
• independence;
• competence;
• fairness; and
• time commitment.

The same requirements and criteria also apply to members of the senior management of listed banks and larger banks.

The remit of each requirement is defined and specified in Italian Ministerial Decree No 169/2020.

• “Professional experience” means:
1. for executive members, relevant experience of at least three years;
2. for the chairman, the chief executive officer and the general manager, relevant experience of at least five years; and
3. for non-executive directors, experience of at least three years in university or professional activities across the financial sector.
• “Integrity” refers to the absence of convictions for specific offences or disqualification measures.
• “Independence” (required for independent directors) means the absence of personal or professional relationships with the relevant banking group. Other members must satisfy the independence of judgment requirements.
• “Competence” means having adequate knowledge and practical experience in bank-related matters.
• “Fairness” refers to the absence of situations that could compromise the bank’s sound and prudent management (eg, convictions for certain offences, administrative sanctions or debarment from professional registers management).
• “Time commitment” refers to the requirement that all members of a bank’s corporate body dedicate sufficient time to their offices. For positions at large or operationally complex banks, the following alternative limits apply:
1. one executive and two non-executive positions; or
2. four non-executive positions.

Interlocking Directorates Prohibition

Members of the corporate bodies and general managers of Italian banks are subject to the prohibition on interlocking directorates under Italian law. This prohibition prevents individuals from holding board or senior management positions in competing companies within the Italian banking, financial and insurance sectors to avoid conflicts of interest and ensure fair competition.

Suitability Assessment Process

The suitability of new members of corporate bodies and general managers of “less significant” banks must be assessed by the competent corporate body (either in advance, if appointed by the board, or within 30 days from the appointment, if appointed by the general meeting).

Under Law No 91/2025 (Legge di delegazione europea 2024) and the draft legislative decree implementing CRD VI, the Italian legislator opted for the exercise of the discretion set out under CRD VI, according to which in case of replacement of the majority of the members of a corporate body the suitability assessment must be carried out ex post, to avoid a situation of potential conflict of interests, where the outgoing members would carry out an ex ante assessment of the incoming members.

The relevant assessment must be formalised in detail in the minutes of the meeting of the relevant corporate body and then submitted to the Bank of Italy within 30 days. Within the next 120 days, the Bank of Italy may require the corporate body to take appropriate measures, such as training, to improve the skills necessary to perform the role effectively. It also has the power to initiate an administrative proceeding to remove members found to be unsuitable or in breach of the interlocking prohibition.

The suitability assessment must be carried out by the ECB where the bank is “significant”, which may exercise its powers in line with the SSM Regulation.

The remuneration rules in the CRD V and the EBA Guidelines on Sound Remuneration Policies are transposed into Italian law by Articles 53 and 67 of the Consolidated Banking Act, and by the Bank of Italy’s rules on remuneration and incentive policies and practices in banks and banking groups, as set out in Circular No 285/2013.

Scope of Remuneration Requirements

Sound remuneration policies that avoid excessive risk-taking and are gender-neutral must be applied to all staff members of Italian banks and banking groups.

They must be approved by the bank’s shareholders’ meeting upon a proposal from the strategic supervision body.

Remuneration requirements vary depending on whether:

• staff members are members of corporate bodies;
• staff members carry out professional activities that have a substantial impact on the bank’s risk profile (ie, so-called “material risk takers”);
• staff members are assigned to control functions;
• staff members are not qualified as so-called “material risk takers”; and
• staff members are other collaborators (eg, financial advisors and agents).

Fixed and Variable Remuneration

For all bank staff, the ratio between the fixed and variable component cannot exceed 100%, although an increase up to 200% is allowed if expressly provided in the articles of association and approved by shareholders’ resolution with a supermajority.

For “material risk takers”, however:

• at least 50% of the variable component must be paid in shares or an equivalent ownership interest;
• a minimum retention period of one year applies to remuneration paid in instruments; and
• the variable remuneration must be deferred for at least 40% or, in the case of particularly high amounts of variable remuneration, for at least 60% over five years.

Bank of Italy’s Supervisory Approach

The Bank of Italy has ample investigation and enforcement powers to ensure compliance with bank remuneration requirements. In practice, it is particularly focused on circumvention of remuneration requirements.

Legislative Decree No 231/2007 (the “AML Decree”) (as subsequently amended) sets out Italian rules implementing the AMLD IV and the AMLD V. With respect to credit and financial institutions, the requirements set out in the AML Decree are further specified and clarified in the Bank of Italy’s implementing regulations (the “BoI Regulation”) (collectively known as the “AML Rules”).

Under the AML Rules, certain obliged entities (including credit and financial institutions) are required to comply, among other things, with:

• customer due diligence (or know your customer (KYC)) requirements
• when, among other things, they establish a business relationship; carry out an occasional transaction that amounts to EUR15,000 or more (whether in a single transaction or in several transactions which appear to be linked); and/or make a transfer of funds, as defined in Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets), exceeding EUR1,000;
• record-keeping requirements; and
• suspicious transaction reporting requirements.

Customer Due Diligence Requirements

Under the AML Rules, obliged entities are required to:

• identify the customer and verify the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source;
• identify the beneficial owner (ie, the natural person(s), other than the client, on whose behalf the business relationship is being opened, the activity is being conducted, or the transaction is being carried out, if any) and taking reasonable measures to verify that person’s identity so that the obliged entity is satisfied that it knows who the beneficial owner is;
• obtain and assess information on the purpose and intended nature of the business relationship, as well as, if appropriate, based on the relevant risk, additional information, including on the customer’s source of wealth and source of funds; and
• conduct ongoing monitoring of the business relationship, including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions are consistent with the obliged entity’s knowledge of the customer, the business and risk profile (including, where necessary, the source of funds) and ensuring that the documents, data or information held are kept up-to-date.

While obliged entities are required to comply with customer due diligence requirements with respect to all their customers, they may determine the extent of these measures (standard, simplified or enhanced due diligence) on a risk-sensitive basis.

Record-Keeping Requirements

Obliged entities must retain copies of the documents and information necessary to comply with customer due diligence duties, as well as the original documents (or copies admissible in judicial proceedings) relating to transactions. This obligation applies for ten years after the end of a business relationship with the customer or after the date of an occasional transaction.

Suspicious Transaction Reporting

Where they know, suspect, or have reasonable grounds to suspect that funds, regardless of the amount involved, are the proceeds of criminal activity or are related to terrorist financing, obliged entities must file a suspicious transaction report with the UIF at the Bank of Italy. Obliged entities must refrain from carrying out the specific transaction before filing the report with the UIF and must keep the filing of a report with the UIF strictly confidential.

Finally, the AML Decree provides that all Italian companies and entities (including credit and financial institutions) must obtain information on their beneficial owners and disclose it in public registers (for example, the Companies House (Registro delle Imprese)). On 11 March 2022, the Italian Ministry of Economic Affairs, in consultation with the Ministry of Enterprises and Made in Italy (formerly the Ministry of Economic Development), adopted a decree implementing this requirement, introducing an ultimate beneficial owner register, and providing for the adoption of further implementing decrees. The overall framework was:

• declared to have been fully implemented by Decree dated 29 September 2023; and
• supposed to become effective as of 11 December 2023.

However, the requirement for Italian companies and entities to disclose information on their beneficial ownership in the register was suspended by the Administrative Court of Rome in an order issued on 7 December 2023 and, subsequently, the Council of State in an order issued on 17 May 2024. The suspension by the Council of State is still in effect, pending a decision of the European Court of Justice (in cases C-684/24 and C-685/24) on a preliminary ruling request by the Council of State on the compatibility of the provisions that allow access to information on the beneficial ownership to anyone showing a “legitimate interest”, with EU fundamental rights.

In the meantime, the European Commission has opened an infringement procedure against Italy (and the other 10 Member States) for the lack of transposition of the AMLD VI provisions requiring Member States to guarantee access to national beneficial ownership registries, which had to be transposed by 10 July 2025.

Deposit guarantee schemes (DGSs) aim to avoid, or at least reduce, the systemic impacts of banking crises by either preventing the failure of credit institutions or providing a post-crisis reimbursement function.

In Italy, DGSs are mainly governed by Article 96 et seq of the Consolidated Banking Act (as amended to transpose Directive 2014/49/EU on deposit guarantee schemes (the “DGSD”) into Italian Law), as well as by the supervisory provisions on DGSs issued by the Bank of Italy on 12 November 2024.

Participation Requirements

In line with EU law, Italian law requires credit institutions to be part of a recognised DGS. Specifically, except for mutual credit institutions, which are members of the Depositors’ Guarantee Fund of mutual banks (Fondo di garanzia dei depositanti del credito cooperativo (FGDCC)), all Italian banks, as well as branches of non-EU banks authorised in Italy which are not part of an equivalent deposit protection scheme (DGS), are required to participate in the Interbank Deposit Protection Fund (Fondo Interbancario di tutela dei depositanti (FITD)), which is a private law consortium. Italian branches of EU banks can also join the FITD in order to supplement the guarantee provided by their home DGSs. The Bank of Italy supervises both the FITD and the FGDCC.

Banks are also free to participate in other DGSs set up on a voluntary basis and the rules on mandatory DGSs do not apply to them. The Voluntary Intervention Scheme (Schema Volontario di Intervento (SVI)) was established to overcome the uncertainty under the state aid framework regarding the asserted public nature of the FITD’s resources. The uncertainty was finally resolved in the Tercas case, which clarified that the FITD’s resources are private in nature.

Depositor Guarantee

Italian mandatory DGSs guarantee deposits of up to EUR100,000 per depositor. The limit is valid for each depositor, per individual bank. The protection applies to repayable funds deposited at banks, not only in the form of deposits, but also in other forms (eg, deposit certificates), and regardless of currency. Financial instruments are not included in the guarantee.

Interventions

DGSs intervene to protect deposits in the following ways.

• Where the member bank is in liquidation:
1. by reimbursing depositors within seven working days from the date on which the unavailability of deposits or compulsory administrative liquidation of the bank takes effect; or
2. giving support for the transfer of assets and liabilities, including deposits, to another bank, provided that the cost for the intervention does not exceed the costs of reimbursing depositors (so-called “alternative measures”, such as those in favour of Banca Popolare delle Province Calabre in 2016).
• Preventing bank crises, for example by providing loans or purchasing shares so that a bank can carry on its activities, provided that the cost for the intervention does not exceed the costs of other possible interventions in line with the applicable framework (the so called “preventive measures”, such as those in favour of Banca Carige in 2022 and Banca Popolare di Bari in 2020).
• Where the bank is placed into resolution, the resolution will be financed in accordance with applicable rules.

Contributions to DGSs

Member banks are required to make ex ante contributions at least annually, which may include payment commitments, with the total share not exceeding 30% of total resources. Contributions have to be proportionate to the amount of member banks’ covered deposits and to their risk profile, in order, among other things, to encourage banks to reduce risks linked to their business models. The amount to be contributed by each member bank is determined by the scheme using appropriate models, which can also take into account the EBA Guidelines on Methods for Calculating Contributions to DGS, and must be approved by the Bank of Italy.

If ex ante contributions are insufficient for the DGS to fulfil its reimbursement obligations, it may require members to make extraordinary ex post contributions not exceeding 0.5% of covered deposits per calendar year. Italian DGSs, like all mandatory DGSs, must maintain available financial resources in a segregated financial endowment that is at least 0.8% of their members’ covered deposits. Provided that certain conditions are met, the Italian Ministry of Economy and Finance is allowed, upon approval of the European Commission, to authorise a lower minimum target level (which may not fall below 0.5% of covered deposits).

Legal Framework

As Italy is part of the EU, Italian banks are subject to the capital and liquidity requirements established in the CRR (as amended), which is directly applicable, and in Directive 2013/36/UE (as amended) (the “CRD IV”), which is transposed into Italian law by the Consolidated Banking Act and Bank of Italy Circular No 285/2013 (as amended). The CRR has been amended by the CRR III to implement the Basel 3.1 standards, which apply from January 2025, with certain phase-in periods.

Minimum “Own Funds Requirements”

The minimum “own funds requirements” (expressed as a percentage of an institution’s risk weighted assets (RWAs) after deductions) are equal to:

• 4.5% Common Equity Tier 1 (CET1);
• 6% including Additional Tier 1; and
• 8% total capital, including Tier 2 capital instruments.

Pillar Two Capital Requirements and Guidance

Pillar Two capital requirements refer to additional capital that banks must hold to address risks not fully covered by Pillar One capital requirements, as determined by the Bank of Italy or the ECB through the Supervisory Review and Evaluation Process (SREP). Pillar Two guidance is non-binding advice on the capital a bank should hold to maintain resilience during stressful scenarios.

Capital Buffers

In addition to the minimum capital requirements, the following prudential capital buffers must be met with CET1 capital:

• a capital conservation buffer: equal to 2.5% of a bank’s total exposures;
• a countercyclical buffer: up to 2.5% of RWAs to be determined by the Bank of Italy based on macroeconomic indicators (the buffer is currently set at 0%); and
• global systemic institution buffer: additional CET1 capital requirement ranging from 1% to 2.5% depending on a bank’s systemic importance.

Liquidity Requirements

Banks must comply with two liquidity ratios:

• the liquidity coverage ratio (LCR) is intended to measure whether banks hold an adequate level of unencumbered, high-quality liquid assets to meet net cash outflows under a stress scenario lasting for 30 days (its purpose is to improve short-term resilience); and
• the net stable funding ratio (NSFR) measures the amount of stable funding available to a bank to support its assets and activities over a one-year period (its purpose is to improve resilience in the medium term).

TLAC

Under the CRR, the total loss-absorbing capacity (TLAC) applies to EU banks identified as globally systemically important institutions (G-SIIs). These banks are required to maintain sufficient liabilities and own funds to absorb losses and facilitate recapitalisation during resolution, ensuring financial stability and minimising risks to public funds. The CRR (as amended) integrates TLAC into the existing minimum requirement for own funds and eligible liabilities (MREL), ensuring alignment while accommodating EU-specific resolution frameworks.

Output Floor

The output floor under CRR III, in alignment with the Basel 3.1 framework, establishes a minimum level for risk-weighted assets (RWAs) calculated using internal models at 72.5% of the RWAs determined by the standardised approach. This measure aims to limit excessive variability in capital requirements across banks. The output floor is being phased in gradually, starting at 50% in 2025 and increasing annually by five percentage points until it reaches 72.5% in 2030. Following public consultation, on 27 August 2025, the Bank of Italy updated the Bank of Italy Circular No 285/2013 in order to exercise the option to apply a preferential treatment to low-risk residential mortgages for the purposes of the output floor.

Origin and Purpose of the Bank Recovery and Resolution Framework

The Italian legal framework on banking crises underwent a significant reform process in 2015 in order to implement the EU harmonised rules set out in response to the financial crisis of 2008-2009 and also in light of the principles envisaged by the Financial Stability Board (FSB) in its 12 Key Attributes of Effective Resolution Regimes of 2011 (as revised in 2014). The EU package included:

• the BRRD;
• the DGSD;
• the SSM Regulation;
• Regulation (EU) 806/2014 (the Single Resolution Mechanism Regulation or SRM); and
• the rules on state aid.

The BRRD has also been amended by the BRRD II, which includes updates on the hierarchy of claims and introduced a general depositor preference.

Ordinary bankruptcy procedures have never been applied to Italian credit institutions, considering the “public service” provided by banks. Indeed, banking crises in Italy were originally managed through a pre-insolvency and an insolvency procedure set out in the Consolidated Banking Act, namely:

• special administration (amministrazione straordinaria), which was aimed at avoiding the crisis by means of the replacement of the main bodies of the credit institution; and
• compulsory administrative liquidation (liquidazione coatta amministrativa), which was aimed at winding up the credit institution, possibly through the sale of the business, while the bank was still active. The sale of a business or branch of a failing bank was usually financed by the State, which would step in to pay the difference between the assets and the liabilities taken on by the purchaser. Depositor protection was therefore ensured.

The European recovery and resolution framework intends to:

• prevent the crisis; and
• where this is not feasible, ensure that the crisis is managed in an orderly way, without interrupting the essential activities of the bank (such as granting loans or taking deposits), restoring the viability of the healthy part of the bank, and liquidating the remaining parts.

This framework aims to avoid public interventions in order to protect taxpayers. In particular, to reduce moral hazard, only shareholders (first) and creditors (after shareholders, in accordance with the insolvency creditor hierarchy) bear losses. To achieve these goals, the BRRD has established “bank resolution” as a standardised administrative procedure. This procedure applies to banks that are either failing or likely to fail, but where there is a public interest in resolving the bank rather than liquidating it.

Italian Transposition of the BRRD

The BRRD and the BRRD II have been transposed into Italian law through:

• Legislative Decree No 180 of 2015 of 16 November 2015 that designates the Bank of Italy as the national resolution authority with powers to adopt regulatory measures and includes provisions concerning, among other things, the preparation of resolution plans, resolution powers and tools and the crisis management of cross-border groups. It also establishes a national resolution fund (Fondo di Risoluzione Nazionale), which is funded by the Italian banking sector and managed by the Bank of Italy; and
• Legislative Decree No 181 of 2015 of 16 December 2015 that sets out rules on recovery plans, intra-group financial support, early intervention measures and hierarchy of creditors.

A new Resolution and Crisis Management Unit (Unità di risoluzione e gestione delle crisi) within the Bank of Italy has been entrusted with the resolution powers and functions performed by the Bank of Italy as the national resolution authority. It may apply the following resolution tools (either on a standalone basis or in combination):

• sell the business to a private buyer;
• temporarily transfer the assets and liabilities to a “bridge” institution that continues to carry out critical functions, with the objective of selling them on the market;
• separate the assets or transfer non-performing loans (NPLs) to a vehicle that manages their liquidation; and
• write down equity and other liabilities and convert them into shares to absorb losses and recapitalise the bank, provided that the “no-creditor-worse-off” principle is complied with. This principle states that creditors should not incur greater losses than would have been incurred if the resolution entity had been wound up under normal insolvency proceedings (so-called “bail-in”).

Depositor Preference

The BRRD II introduced a general depositor preference across the EU. This means that all deposits, whether covered (up to EUR100,000) or non-covered by DGS, rank above ordinary unsecured claims in insolvency or resolution proceedings.

Deposits are divided into two categories for ranking purposes, where Tier 1 deposits rank higher than Tier 2 deposits.

Tier 1 includes DGS-covered deposits (up to EUR100,000) and deposits by individuals, microenterprises and SMEs above the amount covered by the DGS.

Tier 2 includes other eligible deposits (eg, those held by large corporate clients).

Even prior to the BRRD II, Italian law provided for an extended depositor preference regime, which prioritises “other deposits” (including those held by corporate clients) over ordinary unsecured claims.

Italian banks are subject to a growing body of ESG requirements driven by EU regulations. These obligations aim to align the banking sector with sustainable finance goals and address climate-related risks. However, compliance with ESG requirements is expected to become less burdensome thanks to the EU Omnibus Package, a set of legislative proposals adopted by the European Commission on 26 February 2025, aimed at streamlining the EU’s ESG framework through significant simplification of existing legislation (the “Omnibus Package”).

Key ESG-Related Requirements

Sustainable Finance Disclosure Regulation (SFDR)

While primarily targeting asset managers, the SFDR, which is directly applicable in Italy, affects EU banks offering investment products, requiring disclosures on sustainability risks and adverse impacts.

Corporate Sustainability Reporting Directive (CSRD)

Large corporations and small and medium-sized listed corporations (including banks) must adhere to detailed ESG reporting requirements under the CSRD, which is transposed into Italian law by Legislative Decree No 125/2024. Such requirements already apply to banks and other public interest entities that have (or are parent companies of groups that, on a consolidated basis, have) an average of 500 employees per year and a balance sheet total of EUR200 million or a net turnover of EUR40 million (so-called “wave one companies”). Following the transposition of the so-called “Stop the Clock” directive issued by the EU legislator in the context of the Omnibus Package, the application of ESG reporting requirements has been postponed:

• From 2026 (FY 2025) to 2028 (FY 2027) for companies that (or parent companies of groups that, on a consolidated basis) meet two of the following thresholds:
1. 250 employees over the financial year;
2. net annual revenue of EUR40 million; or
3. a balance sheet total of EUR20 million.
• From 2027 (FY 2026) to 2029 (FY 2028) for SMEs that are listed on an EU-regulated market and small and non-complex institutions (under the CRR), as well as captive insurance undertakings meeting certain criteria.

Sustainability reports will have to comply with detailed European Sustainability Reporting Standards (ESRS), which include general requirements as well as sector-specific requirements.

CSRD disclosures must consider a “double materiality” perspective, meaning that a company must report how sustainability risks and opportunities affect its financial performance, position and development (so-called “outside-in”) as well as how the company’s performance, position and development affect people and the environment (so-called “inside-out”).

Exemptions apply to individual sustainability reporting requirements if information on a company and its subsidiaries is included in the consolidated sustainability reporting requirements of its parent undertaking.

The Omnibus Package includes, among others, a proposal for a Directive amending the CSRD aimed at reducing the scope of entities subject to CSRD requirements by increasing the existing thresholds. Negotiations between the European Parliament and the Council are still ongoing.

Taxonomy Regulation

Companies under the CSRD must disclose the extent to which their activities align with the taxonomy using specific KPIs in their sustainability reports. Simplified requirements are expected to be adopted under the Omnibus Package.

ECB Guidelines on climate risks

Under the SSM Regulation, Italian banks are subject to the ECB’s expectations regarding climate-related and environmental risks. They must integrate these risks into governance, strategy and risk management frameworks.

Bank of Italy guidance

The Bank of Italy has issued recommendations for banks to:

• integrate ESG factors into risk management and credit policies;
• enhance transparency through robust non-financial disclosures; and
• support green and social projects through sustainable lending practices.

ESG governance and risk management requirements under the CRD VI

The CRD VI requires banks to integrate robust strategies, policies, processes and systems into their governance and risk management frameworks to identify, measure, manage and monitor ESG risks across short, medium and long-term horizons, conduct resilience testing using credible scenarios and align ESG practices with regulatory objectives. The competent authorities must assess these efforts. The EBA issued ad hoc Guidelines in January 2025, which apply from 11 January 2026 to credit institutions other than small and non-complex institutions (to which they will apply at the latest from 11 January 2027).

ESG risks disclosure under the CRR III

The CRR III mandates banks to disclose information on ESG risks, clearly differentiating between environmental, social, and governance risks, as well as distinguishing between physical risks and transition risks related to environmental factors.

Key DORA Requirements

DORA entered into force on 16 January 2023 and applies from 17 January 2025. It requires financial entities, including banks, to increase the digital operational resilience in relation to “ICT services” by:

• establishing an effective ICT risk management framework within their overall risk management system (ICT risk management pillar). This framework must address risk identification, mitigation and monitoring as well as reporting processes to ensure resilience against both internal and external threats;
• implementing comprehensive systems for the detection and reporting of ICT-related incidents (incident reporting pillar). Specifically, any significant ICT-related incidents must be reported to the competent authority within specified timeframes to enable prompt response and co-ordination;
• regularly testing their own ICT systems to evaluate the related operational resilience (testing pillar). This implies conducting vulnerability assessments, penetration testing and scenario-based exercises. These tests enable systems to be robust enough to handle cyber-attacks and other ICT-related disruptions;
• ensuring that relevant ICT third-party service providers meet high operational resilience standards, carrying out audits on a regular basis and maintaining adequate oversight on them (ICT third-party risk management pillar);
• developing detailed crisis management plans which ensure the delivery of critical services during ICT-related disruptions (business continuity and crisis management pillar). These plans must address, among other things, data recovery, communication strategies and established escalation procedures; and
• establishing processes for sharing information about ICT-related threats, vulnerabilities and incidents, both within the organisation and with relevant external stakeholders (ICT information sharing pillar).

In order to prepare for complying with DORA, Italian banks should:

• conduct a gap analysis against current ICT incident reporting and risk management requirements under Italian law, to assess their current level of preparedness for DORA;
• establish a cross-functional team (IT, risk management, compliance, legal and operations) to develop an integrated approach in relation to digital operational resilience; and
• invest in cybersecurity technology and related training to ensure that all bank staff are aware of their respective roles and responsibilities under DORA.

ICT Third-Party Risk

In relation to any ICT third-party services, banks must:

• conduct a pre-contractual analysis to assess the suitability of the prospective provider, including an assessment of its substitutability; and
• ensure that the relevant contract, in the form of a written document, includes all the key provisions expressly mentioned by DORA.

In relation to ICT third-party services supporting a bank’s “critical or important” function, meaning any function the disruption of which would materially impair its financial performance, banks must also:

• adopt an internal policy focusing on ex ante risk assessment, due diligence, management of conflict of interest, exit strategies and monitoring of contractual arrangements;
• inform the competent authority about any planned contractual arrangements on the use of these ICT services;
• ensure that the relevant contract, in the form of a written document, includes all the additional key provisions expressly mentioned by DORA; and
• include all the contracts on the use of these ICT third-party services in a dedicated section of a register specifically designed for ICT third-party services arrangements.

Sanctions for Non-Compliance With DORA

In cases of non-compliance with DORA, the related administrative sanctions can consist of:

• monetary fines (up to 10% of a bank’s annual turnover or EUR10 million, whichever is higher); and
• operational restrictions imposed by the competent supervisory authority.

EU and national regulatory developments impacting Italian banks are expected in the following areas.

Updated Capital and Prudential Requirements

The CRD VI is scheduled to take effect in January 2026, save for the provisions on third-country branches, which will apply from January 2027. The transposition process is currently ongoing.

AML Package

The transposition of the AML legislative package is currently ongoing. Transposition must be completed by July 2027, while the new European AML authority (AMLA) is preparing to assume direct supervision over a selected number of entities starting in 2027.

Retail Investment Strategy

The European Commission Proposal on the Retail Investment Strategy, which aims to make amendments to the MiFID Directive, the PRIIPs Regulation, the AIFMD, the UCITS Directive, the Insurance Distribution Directive and the Solvency II Directive on important investor-protection topics (such as inducements and product governance), is still being negotiated between the European Parliament and the Council and is expected to be finalised and adopted in 2025.

Review of the Consolidated Law on Finance

The Italian government is delegated to undertake a comprehensive and systematic review of the Consolidated Law on Finance, which has governed Italy’s financial markets and investment services for over 25 years. The review is aimed at reforming the legislation to modernise and streamline the legislative framework and address the demands of market changes. This ambitious reform,  of which the Italian Government preliminarily approved a first draft in October 2025, should be completed in the first part of 2026.

Alignment of Existing Italian Cybersecurity and ICT Services Requirements to DORA

Efforts are being made to align Italy’s national cybersecurity and ICT service requirements with DORA, aiming to prevent inconsistencies and overlaps with existing frameworks.

MiCAR

The Italian transitional period for existing virtual asset service providers (VASPs) expires on 30 June 2026, after having been extended in June 2025. Italian VASPs have to apply for authorisation as crypto-asset service providers (CASPs) by 30 December 2025.

PSD3/PSR Negotiations

Following the European Commission’s initial proposal in June 2023, negotiations on the new PSD3/PSR package are still ongoing. The agreement on the Council’s negotiating mandate reached on 18 June 2025 allowed the presidency to start the so-called “trilogue negotiations” on the final text.

FIDA

The Financial Data Access Regulation (“FIDA”), proposed by the European Commission in June 2023, seeks to promote open finance by allowing consumers and businesses to securely share financial data with other financial institutions, fostering innovation and competition while ensuring GDPR compliance. However, the proposal has proven politically sensitive, raising concerns over privacy, liability, and interoperability. After the Commission considered withdrawing the proposal in early 2025, FIDA entered the trilogue phase, which is currently being negotiated.