Financial Services Regulation 2025 Comparisons

The Italian financial services framework comprises national statutes (which are largely based on EU directives), directly applicable EU regulations, and second-level statutory instruments issued by the national competent authorities.

The main pieces of national legislation on financial services are as follows.

• Banking Code (Legislative Decree No 385 of 1 September 1993): The Italian Banking Code sets the licensing parameters and obligations of banks and specialised lenders. It defines the concept of banking groups and allocates prudential and supervisory powers to the Bank of Italy. Payment institutions, e-money institutions, financial agents and loan brokers are also subject to the regime set out in the Banking Code.
• Financial Code (Legislative Decree No 58 of 24 February 1998): The Financial Code defines the rules applicable to financial institutions providing investment and collective investment management services, in particular investment firms, undertakings for collective investment in transferable securities (UCITS) management companies and alternative investment fund managers (AIFMs). Banks are also subject to the rules set forth in the Financial Code, as far as the provision of investment services is concerned. The Financial Code also sets forth the provisions applicable to regulated markets and other trading venues, central security depositories and trading/post-trading infrastructures in general, and the rules on prospectus requirements.
• Insurance Code (Legislative Decree No 209 of 7 September 2005): The Insurance Code defines the regulatory framework applicable to the provision of insurance and reinsurance services, as well as to insurance and reinsurance distribution activities.
• AML Decree (Legislative Decree No 231 of 21 November 2007): The AML Decree implements the EU framework for the fight against money laundering and CTF. It identifies the national competent authorities that are responsible in this regard, as well as the obligations that must be complied with by regulated financial institutions and other obliged entities.
• Consumer Code (Legislative Decree No 206 of 6 September 2005): The Consumer Code sets out the rules on distance marketing of financial services, and other obligations applicable to the offer of financial services or products, such as the requirements regarding unfair market practices and unfair terms.

Other standalone national statutes relevant to the provision of financial services include Legislative Decree No 180 of 16 November 2015, implementing the Bank Recovery and Resolution Directive (BRRD), Legislative Decree No 129 of 5 September 2024, implementing the Markets in Crypto-Assets Regulation (MiCAR), Decree-Law No 25 of 17 March 2023 (the so-called Fintech Decree), which provides for a comprehensive framework for the issue of financial instruments through distributed ledger technology (DLT), and Legislative Decree No 252 of 5 December 2005 on pension funds.

The national regulatory framework is supplemented by directly applicable EU regulations which are part of the EU Single Rulebook, such as the Capital Requirements Regulation (CRR), the Market in Financial Instruments Regulation (MiFIR), the Market Abuse Regulation (MAR), the Prospectus Regulation, the Benchmark Regulation, the Crowdfunding Regulation, the Packaged Retail and Insurance-Based Investment Products (PRIIPs) Regulation, the Sustainable Finance Disclosure Regulation (SFDR)/Taxonomy Regulation, the Digital Operational Resilience Act (DORA), the European Long-Term Investment Fund Regulation (ELTIF), the European Venture Capital Fund Regulation (EuVECA), the European Social Entrepreneurship Fund Regulation (EuSEF) Regulations, MiCAR, etc.

The main products and services that are regulated in Italy are as follows.

• Deposit-taking: Deposit-taking activity can only be carried out by authorised Italian banks, or by EU/non-EU banks that are passported or authorised to carry on banking business in Italy. Deposit-taking is defined as the taking of deposits or other repayable funds from the public. Banks are the only institutions that can engage in deposit-taking activities, in addition to granting credit for their own accounts, in line with the EU framework – ie, the Capital Requirements Directive (CRD)/Capital Requirements Regulation (CRR).
• Financing: The granting of financing in any form is subject to regulatory authorisation requirements under Italian law. The definition of financing covers different forms of arrangements, including consumer credit, mortgage or unsecured loans, receivable purchase transactions, etc. The authorisation requirements apply regardless of whether the financing is extended to business entities or consumers.
• Payment services and e-money: In line with the EU rules – ie, Payment Services Directive 2 (PSD2)/Electronic Money Directive 2 (EMD2) – payment services and e-money are regulated services under the Banking Code. They can generally be performed only by banks, e-money institutions and payment institutions.
• Distribution and brokerage of financing products: The promotion, conclusion or brokerage of financing products are also regulated activities in Italy, with a licence being required to operate as a financial agent or loan broker. The licence to register as a financial agent also applies to agents acting on behalf of Italian e-money or payment institutions for the provision of payment services, although payment agents are subject to a simplified regime.
• Investment services: Investment services can only be performed by banks, investment firms, UCITS management companies, AIFMs and regulated financial intermediaries. The concept of investment services is aligned with the definition set out in MiFID2 at the EU level, and is applicable in cases where the services are provided in relation to MiFID2 financial instruments (transferable securities, units or shares of collective investment undertakings, derivatives, etc).
• Collective investment management: The setting-up and management of open-ended funds established in accordance with the UCITS Directive or alternative investment funds (AIFs) is subject to regulatory authorisation requirements under Italian law.
• Insurance and reinsurance: Insurance and reinsurance business can only be carried out by licensed insurance or reinsurance undertakings. Insurance distribution activities also constitute a regulated business requiring registration in the Italian register of insurance distributors (Registro Unico degli Intermediari assicurativi e riassicurativi; RUI). Specific rules apply to insurance-based investment products (IBIPs) – ie, insurance policies having a financial nature – which are considered to be equivalent to financial instruments in several respects, and are largely subject to the same rules set out for the provision of investment services under MiFID2.
• Pension funds: The Italian retirement system is based on three pillars: the public pension system, the supplementary pension system and individual pension products. The supplementary pension system and individual pension products are managed by private institutions, including private associations, asset management companies and insurance companies. The creation and marketing of supplementary or individual pension products is subject to an extensive set of rules and supervisory requirements.
• Crowdfunding: The EU Crowdfunding Regulation imposes regulatory authorisation requirements on crowdfunding services. Crowdfunding services can be carried out in the form of lending- or investment-based crowdfunding. Crowdfunding service providers must be authorised by the Companies and Securities Commission (CONSOB) and are subject to supervision by CONSOB and the Bank of Italy.
• Crypto-asset services: Following the entry into force of MiCAR, crypto-asset services are subject to licensing obligations. The MiCAR regime applies to all persons carrying out crypto-asset services, subject to certain exemptions contemplated in MiCAR.
• Trading and post-trading and other regulated services: Trading and post-trading facilities are subject to regulatory authorisation requirements under EU and Italian law. Other regulated services and products in Italy include credit rating services, fiduciary services, micro-credit and collective guarantees for SMEs, etc.

There is no common set of exemptions applicable under Italian law to the provision of financial services in general. The most common exemptions used throughout the various areas of the Italian financial services framework are as follows.

Provision of Regulated Services Towards the Public and By Way of Business

Under Italian law, regulatory authorisation is generally required where a regulated activity is carried out “towards the public” and “by way of business”. In practice, this captures activities that are performed on an organised basis (ie, through human, technological and/or tangible resources) and are potentially directed towards a plurality of legal entities or individuals. One-off transactions are not exempt if these requirements are met, as Italian case law has traditionally adopted a very strict approach to this matter.

Intra-Group Exemptions

Intra-group transactions are generally subject to exemptions under the Italian financial services legislation. In particular, these exemptions are expressly contemplated in relation to the provision of investment services, payment services and financing.

Reverse Enquiry Principle

Financial services are deemed to be subject to the Italian financial services regulatory framework only if they are offered in the Italian territory. If an Italian entity or individual voluntarily contacts a foreign financial institution in order to benefit from the services or products it offers, this activity is generally considered to fall outside the scope of the Italian legislation (so-called reverse enquiry).

The reverse enquiry applies only if the Italian customer contacted the foreign financial institution in the absence of any marketing, solicitation, promotional or similar activities carried out by the foreign financial institutions towards Italian customers, either directly or indirectly (through third-party agents, promoters, sponsors, advertisers, etc). The satisfaction of these conditions must be assessed on a case-by-case basis, in light of the indications given by the European Securities and Markets Authority (ESMA) on reverse solicitation.

Scope, Legal Classifications and Relationship With Securities Law

Crypto-assets in Italy are primarily governed by the EU framework introduced by MiCAR, and by the MiCAR implementing rules set forth in Legislative Decree No 129 of 5 September 2024 (the “MiCAR Decree”).

MiCAR created a single EU regime for crypto-assets that are not already regulated as financial instruments. The applicable regime depends on the legal qualification of the token and on the activity performed. Where a token qualifies as a financial instrument under MiFID II (security token), all EU and Italian securities law rules apply (eg, MiFID II/PRIIPs/Prospectus where relevant, plus the Italian Financial Act and secondary rules).

For non-securities crypto-assets, MiCAR distinguishes three different categories of tokens: asset-referenced tokens (ARTs), e-money tokens (EMTs) and other crypto-assets (which include utility tokens). The issuance, offer to the public, admission to trading and provision of crypto-asset services in respect of such tokens are all subject to the MiCAR regime, although the legal obligations differ depending on the nature of the tokens.

Core MiCAR Obligations By Token Type

Issuers of ARTs are subject to regulatory authorisation requirements (unless they are credit institutions), and must comply with stringent governance, reserve, custody, conflict management and disclosure obligations. A white paper must be published in respect of the ARTs offered to the public and submitted to the competent regulatory authorities, and continuing obligations apply to reserves, stabilisation mechanisms, redemption policies and disclosure. Significant ARTs are subject to enhanced regulatory scrutiny, with EU level co-ordination.

The issuance of EMTs is restricted to banks and licensed e-money institutions. EMT issuers must comply with e-money rules and MiCAR’s additional requirements, including white paper approval, 1:1 reserve and redeemability safeguards and ongoing disclosure. Significant EMTs are subject to reinforced prudential and operational requirements and heightened supervisory engagement.

In the case of crypto-assets that do not qualify as ARTs or EMTs, offers to the public and admissions to trading generally require the publication of a MiCAR white paper by the issuer, with prescriptive content but no prior approval. Exemptions exist for small, limited-value offers and certain narrowly defined cases. Marketing must be fair, clear and not misleading, and consistent with the white paper.

A specific EU market abuse regime applies to crypto-assets admitted to trading on, or for which admission has been requested to, a trading platform for crypto-assets. This regime mirrors the prohibitions on insider dealing, unlawful disclosure and market manipulation that are set out in the MAR, and imposes surveillance, record-keeping and reporting expectations on platforms and other relevant actors.

CASP Authorisation and Conduct Framework

Crypto-asset service providers (CASPs) require an EU authorisation to perform services such as custody and administration of crypto-assets on behalf of clients, the operation of a trading platform, the exchange of crypto-assets for funds or for other crypto-assets, the execution of orders, the placing of crypto-assets, the reception and transmission of orders, the provision of transfer services, and the provision of advice and portfolio management services in respect of crypto-assets. Authorised CASPs benefit from an EU passport and can operate in all EU member states on the basis of the authorisation granted by the competent authority of their home member state.

CASPs are subject to certain organisational and prudential requirements calibrated to the services provided, including initial capital, governance and “fit and proper” standards for directors and key function holders. Specific rules apply to the safeguarding and segregation of clients’ crypto-assets and funds, as well as to complaints handling, best execution and order handling, conflicts of interest controls, outsourcing and information and communication technologies (ICT) risk management.

Third-country providers cannot service EU clients on a cross-border basis without authorisation and passporting. Only genuinely unsolicited reverse solicitation is tolerated.

Italian Implementation and Supervisory Allocation

The MiCAR Decree implemented MiCAR domestically and allocated supervisory responsibilities between national competent authorities.

In general terms, CONSOB is designated for the authorisation and on-going supervision of CASPs, as well as for market conduct, disclosure and authorisation obligations. It must also review white papers submitted in respect of crypto-assets other than ARTs and EMTs, monitor marketing communications and enforce the crypto-asset market abuse regime.

The Bank of Italy is responsible for prudential and organisational aspects of the CASP authorisation process, and for authorising and supervising issuers of ARTs and EMTs, including with regard to their white papers, reserve management, redemption and liquidity arrangements.

The MiCAR Decree also sets out the Italian framework on administrative sanctions, investigative powers, co-operation mechanisms between the two authorities and with EU bodies, and the operational details for supervisory fees and on-site inspections. It defines the transitional regime applicable to virtual asset service providers (VASPs) that were registered in the Italian VASP Register before the MiCAR regime entered into force.

Under the Italian transitional regime, VASPs can continue to operate under the pre-existing rules until end of June 2026, provided that they submit an application to be authorised as CASPs in Italy by the end of December 2025.

The key national competent authorities in Italy are the Bank of Italy (Banca d’Italia), CONSOB and the Insurance Supervisory Authority (Istituto per la Vigilanza sulle Assicurazioni; IVASS).

Their main supervisory responsibilities can be summarised as follows.

• Bank of Italy: The Bank of Italy is primarily responsible for the supervision of banks and financial intermediaries, and of payment and e-money institutions. It also has supervisory responsibility for the authorisation and oversight of UCITS management companies and AIFMs, while also carrying out certain supervisory tasks in relation to MiFID2 investment firms. The Bank of Italy has macro-prudential oversight responsibilities on the Italian financial system in general, and is the key regulator in Italy for AML/CFT compliance. The Italian Financial Intelligence Unit (Unità di Informazione Finanziaria per l’Italia; UIF) is established within the Bank of Italy. It receives and analyses suspicious transaction reports and co-ordinates AML/CFT investigation activities.
• CONSOB: CONSOB is the regulatory authority responsible for capital markets and financial services supervision. CONSOB authorises MiFID investment firms and crowdfunding service providers. It carries out supervisory activities on the compliance by banks, UCITS management companies, AIFMs and MiFID2 investment firms with the rules of conduct applicable to the provision of investment services and collective investment management activities. CONSOB oversees public offers and admissions to trading, market disclosure and transparency, market abuse, short selling and the functioning of Italian trading venues in general. It enforces the EU and Italian securities framework (including the rules on tender offers and prospectus obligations). CONSOB is also the main regulator for the supervision of CASPs, in accordance with the Italian rules implementing MiCAR.
• IVASS: IVASS is the national authority responsible for the supervision of insurance and reinsurance undertakings, as well as insurance and reinsurance distributors.
• Ministry of Economy: The Ministry of Economy and Finance (MEF) has overarching policy and regulatory powers in several areas, as well as some enforcement responsibilities in the field of AML/CTF. However, it does not have day-to-day supervisory responsibilities for regulated financial institutions.

Other national regulators include the following.

• COVIP: The Italian Pension Fund Supervisory Commission (Commissione di Vigilanza sui Fondi Pensione; COVIP) is responsible for the supervision of Italian pension funds. It oversees compliance with the applicable governance and organisational requirements, investment policies and limits, risk management and disclosure obligations, etc.
• OAM: The Italian Agents and Brokers Supervisory Body (Organismo degli Agenti e dei Mediatori; OAM) is the competent authority for the supervision of financial agents and loan brokers, as well as of additional regulated entities or persons, such as those providing money exchange services.
• OCF: The Italian Financial Advisers Supervisory Body (Organismo di Composizione e Funzionamento; OCF) is responsible for the registration and supervision of individuals acting as financial advisors on behalf of banks, investment firms and asset managers, as well as of financial advisory companies (società di consulenza finanziaria; SCF). Financial advisors are tied agents that engage in the “door-to-door” sale of financial products or investment services to retail clients.

EU authorities are also involved in the supervision of Italian financial institutions. The European Central Bank (ECB) plays a crucial role in the supervision of credit institutions in the context of the Single Supervisory Mechanism (SSM). The ECB is entrusted with day-by-day supervisory responsibilities in relation to “significant” credit institutions or groups, while co-ordinating the supervisory activities carried out by national regulators (such as the Bank of Italy, as far as Italian banks and banking groups are concerned) in respect of “less significant” credit institutions and groups.

ESMA is directly responsible for the authorisation and supervision of credit rating agencies. ESMA is one of the three European Supervisory Authorities (ESAs), along with the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA). The ESAs have a significant role in shaping the regulatory framework applicable to Italian financial institutions. A material role will also be played by the new European authority responsible for AML matters (the Anti-Money Laundering Authority; AMLA).

The main rules and guidance of the Italian regulators are generally published on their websites, while the EU financial services legislation is available on the Single Rulebook pages made available by EBA and ESMA.

Over the years, Italian national competent authorities have issued a number of second-level regulations that further define the rules applicable to regulated financial institutions operating in Italy. The main pieces of legislation relevant in this respect are as follows:

• Bank of Italy Circular No 285 of 17 December 2013 (the “Supervisory Handbook for Banks”);
• Bank of Italy Regulation of 17 May 2016 (the “Supervisory Handbook for Payment Institutions and E-Money Institutions”);
• the Bank of Italy Regulation of 19 January 2015 on collective investment management activities;
• the Bank of Italy Regulation of 23 December 2022 on the supervision of investment firms;
• the Bank of Italy Regulation of 30 July 2019 on AML/CFT customer due diligence obligations;
• the Bank of Italy Regulation of 26 March 2019 on the internal organisation of financial institutions for AML/CFT compliance purposes;
• CONSOB Regulation No 11971/1999 (the “Issuers’ Regulation”);
• CONSOB Regulation No 20307/2018 (the “Intermediaries’ Regulation”);
• CONSOB Regulation No 20249/2017 (the “Markets’ Regulation”);
• CONSOB Regulation No 22720/2023 (the “Crowdfunding Regulation”);
• IVASS Regulation No 41/2018 on the disclosure requirements and documentation concerning insurance products;
• IVASS Regulation No 40/2018 on insurance distribution activities;
• IVASS Regulation No 44/2019 on AML obligations applicable to insurance products; and
• IVASS Regulation No 38/2018 on the internal governance of insurance and reinsurance undertakings.

Additional “soft law” guidance and interpretations are provided on the websites of the Italian national competent authorities. However, the volume of such guidance and interpretations is progressively reducing due to the increasing importance of the indications given by EU supervisory authorities on financial services regulatory matters (EBA, ESMA and EIOPA, as well as the ECB). It is expected that this trend will persist in the future with the establishment of AMLA.

Italy has implemented the Basel III framework as part of the wider implementation of the EU banking package, starting from 1 January 2014.

The Basel III framework was introduced at the EU level through the CRR and the CRD IV. The framework has been further strengthened with the introduction of additional provisions and requirements under the so-called Basel IV review, which entered into force in Europe and Italy on 1 January 2025.

The rules set forth in the CRD are largely implemented in the Italian Banking Code and Bank of Italy Circular No 285 of 17 December 2013.

The capital requirements framework set out under the rules referred to in the foregoing is further complemented in Italy by the rules on the recovery and resolution of credit institutions, which are set out at the EU level in the BRRD Directive and the Single Resolution Mechanism (SRM) Regulation. In addition to regulating the resolution of credit institutions, these rules provide for additional capital requirements in the form of minimum requirement for own funds and eligible liabilities (MREL)-eligible instruments.

Credit institutions must satisfy the MREL in order to ensure that resolution tools (particularly the bail-in tool) can be used in a smooth and effective manner in the event of resolution. The MREL also implements the total loss-absorbency capacity (TLAC) requirement applicable to systemically important global banks, in accordance with the guidelines issued by the Financial Stability Board (FSB).

Italian trading venues currently follow a T+2 settlement cycle in line with EU requirements.

On 12 February 2025, the European Commission published a proposal to shorten the settlement period for EU transaction in transferable securities from two days to one. The proposal provides that the settlement cycle for all securities trades executed on EU trading venues will be shortened from no later than two business days (so-called T+2) to no later than one business date after the trade date (so-called “T+1”).

The new measures will be introduced by amending the Central Securities Depositories Regulation (CSDR) and are aimed at aligning the settlement cycle of EU trading venues (including Italian trading venues) with those adopted by non-EU regulated markets, which have also shortened their settlement cycles or are in the process of doing so.

The proposal provided for some exemptions from the new T+1 obligations, particularly with respect to:

• transactions that are negotiated privately but executed on a trading venue;

• transactions that are executed bilaterally but reported to a trading venue; and
• the first transaction where the transferable securities concerned are subject to initial recording in book-entry form pursuant to the relevant provisions of the CSDR.

On 7 May 2025, the European Parliament and the Council reached a provisional agreement on reducing the settlement cycle for transactions executed on EU trading venues, essentially endorsing the proposal made by the European Commission.

Based on the information available on the contents of the provisional agreement, certain securities financing transactions (SFTs) will not be subject to the “T+1” settlement rule. The exemption will only apply to SFTs that are documented as single transactions composed of two linked operations.

The new rules regarding the settlement cycle are still due to be adopted by EU institutions. They will apply from 11 October 2027.

In Italy, there is a dense EU-derived regulatory framework that applies to financial market participants, products and disclosures, designed to steer capital towards sustainable investments and deter greenwashing. The applicable rules are those deriving from the EU sustainable finance rulebook, which is designed to channel capital into sustainable activities and to improve the transparency and comparability of ESG products.

The key pillars of the EU sustainable finance rulebook include the following.

• SFDR: The SFDR establishes a disclosure framework to improve the transparency of how financial market participants and investment firms integrate sustainability risks, address principal adverse impacts, and describe environmental and social characteristics – and sustainable investment objectives – in their products. It applies to EU asset managers, insurance undertakings offering IBIPs, investment firms and other financial institutions. At the firm level, the SFDR requires public policies on sustainability risk integration and statements on principal adverse impact (on a complain-or-explain basis for smaller firms). At the product level, the SFDR distinguishes between Article 6 products (ie, those with no specific ESG-related features), Article 8 products (ie, those promoting ESG characteristics) and Article 9 products (ie, those pursuing an ESG-related objective). The SFDR prescribes standardised pre-contractual, website and periodic disclosures through detailed templates.

• EU Taxonomy Regulation: The EU Taxonomy Regulation provides a common classification system for environmentally sustainable economic activities. An activity is aligned to the EU Taxonomy regime where it makes a substantial contribution to at least one of the six objectives pursued by the Regulation, does no significant harm to the others and complies with minimum social safeguards. The six objectives underpinning the EU Taxonomy regime are: climate mitigation, climate adaptation, water and marine resources, circular economy, pollution prevention and control, and biodiversity and ecosystems.
• Corporate Sustainability Reporting Directive (CSRD): The CSRD requires large EU undertakings and EU-listed companies to report on sustainability reporting standards. Reports must cover governance, strategy, targets and transition plans, metrics and due diligence across the value chain where material, with digital tagging and external assurance. The purpose of the CSRD is to provide the data backbone for investors and product manufacturers to make the assessments required under the SFDR and the EU Taxonomy Regulation, thereby improving the comparability of the sustainability information.
• EU Climate Transition Benchmarks Regulation: The EU Climate Transition Benchmarks Regulation requires benchmark administrators to explain how ESG factors are taken into account for the purposes of the benchmark statements.
• EU Green Bond Regulation: The EU Green Bond Regulation established a voluntary “EU Green Bond” label for companies wishing to collect capital through the issuance of green bonds. The label is based on stringent use-of-proceeds and disclosure obligations.

In addition to the foregoing regulations, specific rules have been introduced in relation to the provision of investment services with respect to the sustainability preferences of clients. Investment firms must consider clients’ sustainability preferences in the context of the suitability assessment and product governance obligations, with a view to ensuring that ESG-aligned products are distributed to those clients that express a preference towards ESG-compliant investments.

Specific disclosure requirements have also been introduced in the offering documents to be prepared by issuers of transferable securities and tokens. In particular, ESMA issued a statement identifying the supervisory expectations regarding sustainability-related disclosure provided in prospectuses, with respect to both equity and non-equity instruments. Similarly, specific ESG-related disclosure obligations are imposed or recommended in the context of the white papers to be issued for the offer of crypto-assets under MiCAR.

ESMA also issued guidance on funds’ names using ESG or sustainability-related terms, in order to provide recommendations on the labelling of EU investment funds in the light of the applicable ESG regulatory framework.

Specific guidelines and recommendations have been issued by Italian regulators setting out their supervisory expectations on ESG compliance matters. Italian firms and investment funds tend to operate under a strict disclosure, labelling and distribution regime, as the ESG rules are monitored and enforced quite strictly by Italian regulatory authorities.

It is expected that the EU (and the Italian) ESG framework will be significantly reshaped in the coming months in order to simplify the obligations applicable to EU financial institutions and companies. In particular, the SFDR will likely be subject to a major overhaul, with a view to materially reducing the obligations that must be complied with by EU financial institutions in order to deal with ESG-related products.

There is no bespoke Italian AI regime for financial services at this stage. The use of AI by financial institutions must be consistent with the obligations set out under the “AI Act” (Regulation (EU) 2024/1689), which introduces a comprehensive regulatory framework for AI in the EU.

The AI Act is a directly applicable EU regulation that introduces a number of requirements for AI applications and programmes in accordance with a “risk-based” approach. It prohibits a narrow set of practices that are considered to be unacceptable (eg, indiscriminate real-time remote biometric identification in public spaces outside of certain law enforcement uses) and imposes prescriptive obligations on “high-risk” AI systems, such as those used in sensitive areas (including, for instance, creditworthiness assessment). Providers of high-risk AI systems must comply with certain organisational and procedural rules, which are detailed in the AI Act.

The AI Act also sets transparency duties for AI that interacts with people, emotion recognition and biometric categorisation systems, and synthetic contents, so that people are informed when they engage with AI or see AI-generated/edited content.

Italy has complemented the AI Act with a national law adopted in 2025 (Law No 132 of 23 September 2025; the “Italian AI Law”). The Italian AI Law is based on a human-centred approach, aimed at safeguarding the centrality of the human being and human oversight in decision-making processes involving AI systems. It provides, among other things, that the use of AI must not undermine human autonomy and decision-making power. The Italian AI Law also introduces some sector-specific rules not specifically aimed at financial institutions.

While encouraging experimentation in the field of AI and machine learning (for instance, through the Milano Hub and the Fintech Channel managed by the Bank of Italy), Italian regulators have consistently emphasised that AI and machine-learning models must be governed like other business models and ICT-enabled processes, specifically with regard to the applicable rules of conduct and the responsibilities of financial institutions.

The main areas where AI can impact the Italian and EU regulatory framework, as well as the business practices adopted by Italian and EU financial institutions, include:

• the biometric identification of customers in the context of the AML customer due diligence obligations;
• the risk profiling and on-going monitoring of customers for the purpose of meeting the AML requirements;
• the risk scoring of customers for the purposes of creditworthiness assessments; and
• decisions concerning the allocation of the financial portfolio and the provision of investment advisory services.

Italian Fintech Environment

Italy’s regulatory stance towards fintech is pro-innovation and open. A number of policy and supervisory initiatives were taken by the Italian government and national competent authorities to support market entry, scale-up and prudent experimentation, while maintaining consumer and financial stability safeguards. Milan has emerged as the country’s principal fintech hub, with an active ecosystem comprising incumbent players, start-ups and accelerators.

The MEF has established a Fintech Committee to steer the supervisory policies and legislation affecting fintech companies. National competent authorities have also made efforts to support the Fintech environment, in particular through the creation of the Milano Hub and the Fintech Channel, managed by the Bank of Italy. Milan hosts a dense private sector ecosystem (which is largely driven by the Fintech District) that facilitates partnerships among members.

Italian Regulatory Sandbox

Italy operates a cross-sector regulatory sandbox that is jointly managed by the Bank of Italy, CONSOB and IVASS, under the supervision and co-ordination of the Fintech Committee. The regulatory sandbox admits both supervised firms and non-supervised innovators to test technologically innovative activities in banking, financial, payment and insurance services under close supervisory engagement. The regulatory sandbox can last for up to 18 months, with the possibility of benefitting from targeted exemptions or simplified authorisation requirements proportionate to the risks arising from the business model and public interest objectives.

Multiple application windows have been opened since 2021, and several projects have been admitted in the regulatory sandbox, for instance in relation to DLT-based financial instruments, instant lending and algorithmic credit scoring.

Fintech Decree

Another innovative element characterising the Italian regulatory framework is represented by the rules on DLT-based financial instruments introduced via the so-called Fintech Decree (Decree-Law No 25/2023).

The Fintech Decree permits the issuance and registration on DLT of a broad range of financial instruments, including shares and bonds of joint stock companies, notes issued by limited liability companies, other debt securities, depositary receipts, money market instruments and units or shares of Italian AIFs or UCITS funds. DLT-based securities must be recorded on a DLT ledger maintained by an authorised DLT registrar.

The DLT registrar must be licensed by CONSOB. Eligible applicants include companies specialised in the provision of DLT services and existing regulated firms (banks, investment firms, etc), provided that the requirements set out in the Fintech Decree are met.

Unlike the temporary EU pilot regime, the Italian rules set out in the Fintech Decree are permanent and also apply to instruments not traded on a regulated venue.

Central Bank Digital Currency (CBDC)

Being a member state of the Euro area, Italy is not pursuing a national retail CBDC. The Bank of Italy participates in the Eurosystem’s work on the digital euro project, which are led by the ECB. The ECB launched its preparation phase in late 2023 to refine the rulebook, scheme design, distribution modality and technical options, in parallel with the EU legislative process for the introduction of the digital Euro.

Retail and other vulnerable customers are subject to a series of protective measures envisaged under Italian law. The most important set of provisions is represented by the rules on unfair terms, unfair commercial practices, and distance marketing of financial services, which are set out in the Italian Consumer Code. These rules are aimed at ensuring that Italian consumers are adequately informed about the nature and characteristics of the financial services offered to them, are not misled as a result of the advertisement or marketing activities conducted by financial institutions, and are not bound by contractual terms that are detrimental to their interests.

Sector-specific rules apply in addition to those mentioned in the foregoing. For instance, a higher compliance standard is set under the Bank of Italy regulations on the transparency of banking and financial services or products for services that are offered to “retail customers”. The category of retail customers includes (i) consumers, (ii) individuals carrying out a professional or craftmanship activities (eg, self-employed persons), (iii) non-profit organisations and (iv) micro-enterprises.

Retail customers are also subject to higher protection standards in the context of the rules governing the provision of investment services implementing MiFID2. Furthermore, specific requirements apply under the Italian Financial Code in case of “door-to-door” sales of financial products or investment services to retail customers, providing, among other things, for a termination right of the retail customer after the agreement is executed (cooling-off period). Other rules and requirements apply in the event of financial products or investment services offered through means of distance communication (internet, email, telephone calls, etc).

A strict usury regime applies in Italy. The Italian rules on usury are meant to protect vulnerable customers from aggressive practices followed by lenders. They apply regardless of the nature of the customers and the lenders, as well as of the features of the financing transactions. The maximum limit to the interest, charges, costs and expenses that can be paid by a borrower is set on a quarterly basis by the Italian government. Failure to comply with such limit is a criminal offence under Italian law.

The Bank of Italy and CONSOB have established alternative dispute resolution (ADR) mechanisms designed to facilitate the submission of claims and complaints by retail customers against financial institutions, thereby avoiding the initiation of long and complex litigations before competent courts. A similar ADR mechanism has recently been launched by IVASS in relation to insurance disputes.

The Bank of Italy, CONSOB and IVASS are actively engaged in financial education and financial literacy initiatives, which are aimed at increasing the awareness of retail and more vulnerable customers of certain key aspects concerning the provision of financial services and products.

In Italy, there is no comprehensive set of rules addressing shadow banking issues. In recent years, Italian authorities paid attention to certain phenomena that can be related to shadow banking activities, particularly credit funds and buy-now-pay-later (BNPL) products.

Credit Funds

Italy has established a relatively flexible framework for private credit, with specific national rules applying to credit funds – which are layered on top of the EU AIFMD regime. Under Italian law, AIFs are permitted to originate and acquire loans. This possibility applies only to AIFs that are established in Italy or in other EU member states; non-EU AIFs are excluded from the scope of the Italian direct lending regime.

EU AIFs must complete a non-objection procedure with the Bank of Italy in order to start carrying out direct lending activities in Italy. In the context of this procedure, the Bank of Italy assesses whether the EU AIF fulfils the following requirements.

• Authorisation: The EU AIF must be licensed to perform direct lending activities by the competent authority of its home member state. Should no specific licensing obligations apply in the home member state, the requirement can be fulfilled by providing a legal opinion confirming such circumstance among the documents attached to the Bank of Italy filing.
• Closed-ended nature: The EU AIF must be closed-ended in accordance with the definition provided for in the Italian Financial Code – ie, it must not permit the early reimbursement of units or shares upon the request of investors.
• Operating rules: The operating rules of the EU AIF (in particular, those relating to the relationships with investors) must be similar to those applicable to Italian credit AIFs. The similarity assessment is based on the rules governing subscriptions and redemptions, as well as the investment policy and strategy of the EU AIF.
• Risk diversification and limitation: The rules on risk diversification and limitation (including leverage limits) applicable to the EU AIF under the laws and regulations of its home member state must be equivalent to those that Italian credit AIFs have to follow. These rules differ depending on whether Italian credit AIFs are marketed only to MiFID2 professional clients (and certain other semi-professional clients) (so-called reserved AIFs) or are also marketed to retail clients in general (so-called non-reserved AIFs). In case of reserved AIFs, the main limits are as follows:
1. leverage – the leverage cannot exceed a maximum ratio of 1.5, and the AIF may borrow funds only from banks, licensed financial intermediaries and other entities that are allowed to perform direct lending activity;
2. loan maturity – the maturity of the loans held in the AIF’s portfolio cannot exceed the term of the AIF;
3. no consumer borrowers – the AIF cannot extend loans to consumers; and
4. diversification – the AIF must ensure a minimum diversification of its investment portfolio (but no quantitative limits apply).

Once the application is submitted, the Bank of Italy has 60 calendar days to confirm whether the foregoing conditions are satisfied.

The rules on credit funds are expected to be amended as a result of the entry into force of the AIFMD2 Directive, which must be implemented by April 2026. The AIFMD2 provides for a set of harmonised rules at the EU level on loan origination funds, also permitting the setting-up of such funds as open-ended structures.

BNPL products

The Bank of Italy has taken a number of supervisory actions and regulatory initiatives in order to regulate BNPL finance providers. BNPL products are offered in the Italian market either through regulated lending services carried out by banks, e-money and payment institutions or through securitisation mechanisms – where a securitisation SPV purchases the receivables originating from the payment deferral granted by the merchant to the consumer, and the purchase is funded by third parties investing in the notes issued by the SPV.

The Bank of Italy highlighted the importance of ensuring compliance with the applicable transparency and consumer protection obligations, but at the same time it underlined that such obligations are not applicable if the BNPL product is offered through a securitisation SPV.

A comprehensive review of the rules on BNPL products is expected to be conducted in the context of the implementation of Consumer Credit Directive II (CCDII). Based on the draft legislative proposal published by the Italian government, stricter regulatory obligations will be introduced in all cases where BNPL products are offered to consumers – including when the BNPL product is based on the purchase of receivables by a securitisation SPV.

The authorisation processes differ depending on the nature of the application to be submitted and the competent authorities. However, there are some common elements that are typical of the approach taken by Italian regulators and apply to all application procedures, regardless of their nature and purpose.

• Preparation phase and pre-filing contacts: It is generally advisable to contact the competent regulatory authority before the filing is submitted. Informal pre-filing contacts should be aimed at illustrating the main purposes of the project, addressing the key elements of the filing (qualification of the services, regulatory capital obligations, internal organisation, etc), presenting the key members of the applicant’s management and having a preliminary discussion of the approach to be taken with respect to the formal filing. Depending on the case, the regulators may ask the applicant to submit the draft application on an informal basis, before the filing is formally submitted (so-called pre-filing). The regulator may also give its preliminary feedback on the draft application.
• Formal filing: Once the preparation phase is completed, the applicant may submit the formal filing. The formal filing is submitted electronically via certified e-mail. In some cases, it is possible to submit the filing (or at least certain documents, such as the internal policies and procedures, financial statements, etc) in English.
• Starting date of the authorisation procedure: Once the formal filing is submitted, the regulator must confirm that the application is complete, and that all documents have been regularly drafted and submitted. The regulator also confirms that the authorisation procedure has officially started. If the application is incomplete, the regulator indicates the additional information/documents to be provided in order to start the procedure. Once these additional information/documents are submitted, the authorisation process starts.
• Suspension of the procedure: Normally, the authorisation procedure is suspended by the regulator in order to gather additional information, documents or clarifications on the submitted application. The duration of the suspension period may vary depending on the nature of the authorisation process. Once the follow-up documents and information are provided to the regulator, the authorisation procedure starts to run again.
• Final decision: The regulator takes a decision on the application within the statutory term provided for under the applicable regulations (which may be suspended in accordance with the foregoing). If the draft decision is negative, the applicant must normally be informed in advance, so that it can provide its comments on the draft decision and challenge it before it is formally adopted. The final decision is communicated to the applicant and, in case of denial, can be challenged before competent courts.
• Supervisory fees for the application: No supervisory fees must be paid for the purpose of submitting an application to be authorised as a financial institution in Italy. The only exception will likely be introduced in relation to the application to be authorised as a CASP according to MiCAR, as CONSOB recently proposed to introduce supervisory fees connected with such applications.

The statutory term of the authorisation procedure differs depending on the nature and purpose of the application and the applicable regulations. Normally, these terms range between 90 and 120 days from the date when a complete application is submitted to the Bank of Italy. However, the statutory term may be suspended for a certain period of time, as detailed in the applicable regulations.

Overall, the time required to be authorised to operate as a financial institution ranges from a minimum to six months to a maximum of ten months – excluding the additional time necessary to prepare the filing and manage the pre-filing contacts, which depends on the complexity of the application (group structure, nature of the services that the applicant wishes to provide, etc).

While there is no UK-style Senior Managers and Certification Regime in Italy, senior individuals of authorised financial institutions are subject to regulatory scrutiny and can be assessed, held to account and sanctioned in their own right.

Directors and general managers of banks, investment firms, asset managers, e-money and payment institutions, and other financial institutions are subject to “fit-and-proper” requirements with respect to integrity, professional competence, correctness and time commitment. These requirements derive from EU rules and the Italian implementing measures.

Italian law provides for personal administrative liability of directors and managers for regulatory infringements. However, this liability applies only in case of serious breaches of the applicable law, as normally only the financial institution is liable. Criminal liability can also apply in case of breach of certain rules, such as market abuse requirements, or the rules concerning the segregation of clients’ money and funds.

In October 2025, the Italian government published a draft bill aimed at reforming the Italian Financial Code with a view to introducing a number of simplifications and new requirements for Italian financial institutions and companies. As far as financial services are concerned, the main reforms envisaged by the Italian government are as follows.

Sub-Threshold AIFMs

The reform will introduce a new registration regime for “sub-threshold” AIFMs – ie, AIFMs managing AIFs with less than EUR500 million of assets under management (or EUR100 million if they use leverage). Under the existing regime, sub-threshold AIFMs must be authorised by the Bank of Italy, even though they are subject to a less restrictive regulatory framework compared to ordinary AIFMs. However, the existing Italian regime goes beyond the minimum requirements set out under the AIFMD, where sub-threshold AIFMs are subject to registration/notification obligations – but no authorisation is necessary.

The reform is intended to replace the gold-plating rules introduced in 2014 in the context of the AIFMD implementation, with a “light-touch” regulatory regime that is more consistent with the EU framework.

Sub-threshold AIFMs that will be subject to registration obligations will have to comply with certain restrictions, as they will only be allowed to manage closed-ended reserved AIFs that are marketed to (i) MiFID2 professional investors, or (ii) MiFID2 retail clients investing at least EUR500,000 in the fund, and having a financial portfolio of at least EUR5 million (lower thresholds are permitted only for AIFM directors and certain personnel).

Partnership Limited By Shares

The reform will also create a partnership-style fund form for private equity and venture capital vehicles, by permitting the establishment of Italian funds in the form of partnerships limited by shares (società in accomandita per azioni). The purpose of these rules is to increase the flexibility in structuring Italian fund vehicles in line with the international market practice for private equity, venture capital and similar funds.

New Rules on Closed-Ended Funds

The reform will amend the rules on closed-ended funds in order to introduce the possibility of setting up “hybrid” funds providing for the reimbursement rights of the investors.

The reimbursement rights will be subject to certain conditions and limitations, as specified in the relevant provisions of the Italian Financial Act. The reform reflects the recent trends in EU legislation, in particular the ELTIF 2.0 Regulation and AIFMD2, and will introduce significant flexibility in the structuring of this type of fund.

Simplified Investment Companies (SIS)

Due to the new rules on sub-threshold AIFMs, it is envisaged that the Italian regime for the creation of simplified investment companies (società di investimento semplice; SIS) will be repealed. Simplified investment companies were introduced to permit the creation of venture capital funds by derogating to certain requirements that were otherwise applicable to sub-threshold AIFMs. They were quite popular for the setting-up of small venture capital funds.

Other Reforms

Additional reforms that are expected to be approved or implemented in the forthcoming months include the following.

• Payment Services Directive (PSD)3/Payment Services Regulation (PSR): The EU payments package presented by the EU Commission replaces PSD2/Electronic Money Directive 2 (EMD2), with a split between a new Payment Services Directive (focused on the authorisation requirements and supervisory regime) and a directly applicable Payment Services Regulation (focused on rules of conduct and operational processes). The proposal consolidates the licensing regime applicable to payment institutions and e-money institutions, bringing the latter into the PSD’s purview. It improves certain legislative measures, for instance with regard to open banking access to payment account information.
• Retail investment strategy (RIS): The RIS is aimed at reforming the rules on the distribution of financial instruments and IBIPs, as well as of UCITS and AIFs. The purpose of the RIS is to boost retail participation and improve value for money. The proposed Directive introduces price and value benchmarks, and strict product governance tests. It revises the rules on inducements and strengthens the requirements on marketing.
• Financial information data access (FIDA): The European Commission proposed the introduction of a comprehensive “open finance” framework, permitting access to data concerning financial transactions by regulated financial institutions and financial information service providers (FISPs). The framework should be set out in a directly applicable Regulation on Financial Information Data Access (FIDA), which should set the conditions and requirements for the purpose of accessing and using the relevant data, also in compliance with the EU data protection legislation.
• AIFMD2: The revision of the AIFMD on AIFMs establishes an EU-wide framework for loan-originating AIFs. It requires the adoption of documented credit policies, as well as of risk management and monitoring tools, in case of AIFMs managing loan-originating AIFs. Specific requirements are detailed in the Directive, including on leverage caps, borrower/concentration limits and related-party lending prohibitions. The AIFMD2 also expands the ancillary services that can be carried out by AIFMs, enhances the reporting obligations and tightens delegation requirements.
• CCDII: CCDII revises the EU framework on consumer credit in order to address certain issues concerning digital lending, credit intermediation and new business models (BNPL products, small-ticket facilities, etc). The Directive widens the scope of application of the rules on consumer credit, and restricts the use of certain exemptions. Mandatory risk warnings and a revised set of pre-contractual disclosure obligations are introduced, along with strict requirements on creditworthiness assessment (data minimisation, limits on using sensitive /personal-social data, etc). In general, CCDII raises the safeguards and conduct standards that must be complied with by authorised consumer lenders.

Except for the AIFMD and CCDII, which have already been approved and must be transposed by the Italian government, the measures mentioned in the foregoing are still subject to discussion and debate at the EU level. In particular, based on the statements issued by EU institutions, it is likely that the scope and contents of the RIS will be significantly revised in order to introduce certain simplifications in the provision of investment services by EU banks and investment firms. It is also unclear whether the FIDA framework will actually be introduced at EU level.