In Italy, there are several laws and regulations that set out the fundamental cybersecurity and data protection requirements.

Italian Data Protection Code

The Italian Data Protection Code (Legislative Decree 196/2003) regulates the processing of personal data and establishes the obligations of data controllers and data processors.

GDPR

The General Data Protection Regulation (GDPR) is the European Regulation that establishes a single set of rules for the protection of personal data. The Regulation was transposed in Italy through Legislative Decree 101/2018, which amends the Italian Data Protection Code.

National Cybersecurity Perimeter

Decree-Law No 105 of 2019 (converted and amended by Law No 133 of 18 November 2019) formally established a National Cybersecurity Perimeter (PSNC). Its provisions aim to ensure a high level of security for networks, information systems and IT services of both the public administration and national, public, and private services, entities, and operators.

The Italian Cybersecurity Framework

The framework was introduced by the DPCM on 8 July 2020 and requires operators of essential services and digital service providers to take appropriate measures to manage cyber risks and report cybersecurity incidents. In terms of incident response and notification requirements, the framework requires operators of essential services and digital service providers to report cybersecurity incidents to the Computer Emergency Response Team and the competent authority within 72 hours of becoming aware of them.

Decree-Law No 82 of 14 June 2021

Decree-Law No 82 of 14 June 2021 called “Urgent provisions on cybersecurity, definition of the national cybersecurity architecture and establishment of the National Cybersecurity Agency”, redefined national cybersecurity governance and established a specialised national agency.

Transposition of Specific European Regulations

In terms of the transposition of EU regulations and directives, the following should be noted.

• Legislative Decree 51/2018, which transposed Directive (EU) 2016/680 in Italy. The Decree contains a series of requirements to regulate the adoption of security measures for the protection of data processed by law enforcement agencies in the context of judicial police activities.
• Legislative Decree 65/2018, which transposed Directive EU 2016/1148 (NIS Directive), providing guidance on risk management and the prevention, mitigation and notification of cyber incidents and attacks.

Regarding differences between data breach incidents and cybersecurity incidents that may not involve personal information, it is important to note that while data breaches typically involve the unauthorised access to or disclosure of personal information, cybersecurity incidents can involve a range of activities that threaten the confidentiality, integrity, or availability of information systems or data, regardless of whether personal information is involved.

In terms of enforcement and fines, the General Data Protection Regulation establishes fines of up to EUR20 million or 4% of an organisation’s global annual revenue. In addition, operators of essential services and digital service providers who fail to comply with the requirements of the Italian Cybersecurity Framework may face fines and sanctions from the relevant authorities.

In Italy, there are several regulators and government authorities responsible for cybersecurity and personal data protection.

The Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) is responsible for monitoring the compliance to GDPR and Italian Data Protection Code.

The Italian Communications Regulatory Authority (AGCOM) is responsible for regulating the communications sector in Italy. The Italian Computer Security Incident Response Team (CSIRT) is responsible for managing and responding to cybersecurity incidents affecting government entities and critical infrastructure. The National Anti-Corruption Authority (ANAC) is responsible for ensuring the integrity and transparency of public procurement processes, including in the procurement of IT systems and services. The National Cybersecurity Agency (ACN) was established through Decree-Law No 82 of 14 June 2021 to protect national interests in the field of cybersecurity and to provide a path to transfer the Computer Security Incident Response Team responsibilities to the ACN.

As far as the implementation and supervision of the Network and Information Security (NIS) Directive legislation is concerned, the institutional model is highly decentralised. In fact, five ministries are designated as competent NIS authorities.

In terms of audits and investigations, the Italian Data Protection Authority and other regulators have the power to conduct inspections and audits to ensure compliance with data protection and cybersecurity laws. Investigations may also be initiated as a result of complaints or incidents reported by affected individuals, companies, or government entities.

In addition to these regulatory bodies, there are also various non-regulatory government authorities that play a direct role in cybersecurity. These include incident response entities, critical infrastructure agencies such as the National Centre for Cybersecurity, and secure software review entities such as the National Centre for Software Technologies (CNTS). Law enforcement agencies such as Polizia Postale are also directly relevant to cybersecurity, as they are responsible for investigating cybercrime and prosecuting cybercriminals.

In Italy, the administrative process that cybersecurity regulators or data protection authorities must follow to investigate and impose fines depends on the specific laws and regulations that are being enforced. However, in general, the process typically involves the following steps.

• Investigation ‒ The regulator or authority initiates an investigation into a reported incident or potential violation. This may involve requesting information from the respondent, conducting on-site inspections or audits, and interviewing relevant parties.

• Determination of violation ‒ The regulator or authority determines whether a violation of applicable laws or regulations has occurred.

• Imposition of fines ‒ If a violation is found, the regulator or authority may impose fines, which can include administrative sanctions, or orders to take corrective actions.

Respondents have the right to due process, which includes the right to be informed of the charges against them, to respond to the charges, and to appeal any fines imposed. The specific legal standards or criteria that are used to determine whether a violation has occurred can vary depending on the nature of the incident and the laws and regulations being enforced.

The main difference between data breach incidents and other cybersecurity events is that data breaches typically involve the unauthorised access to or disclosure of personal information, while cybersecurity incidents can involve a range of activities that threaten the confidentiality, integrity, or availability of information systems or data, regardless of whether personal information is involved.

In the case of supply chain and software vulnerabilities, the DPA may investigate to determine whether any personal data has been compromised or whether any violation of the Data Protection Regulation has occurred. If a violation is found, the DPA may impose fines under the GDPR. However, if no personal data is involved, other regulatory or legal frameworks may apply.

GDPR

Legislative Decree No 101 of 2018 established the national transposition of the provisions of the General Data Protection Regulation (GDPR). The Decree harmonised the provisions of the Italian Privacy Code with the ones set out in European Regulation 2016/679.

Directive (EU) 2016/680

Legislative Decree 51/2018, dated 18 May 2018, transposed Directive (EU) 2016/680 in Italy. This legislative decree contains a series of requirements to regulate the adoption of security measures regarding the protection of personal data processed by law enforcement agencies in the context of judicial police activities.

NIS Directive

Legislative Decree 65/2018 transposes EU Directive No 2016/1148 on the security of networks and information systems within the Union (the so-called NIS Directive). It is necessary to mention that, following the proposed update in December 2020, the NIS2 Directive was approved on 14 December 2022 by the European Parliament and the Council. Currently, from a regulatory point of view, the NIS Directive is still in force; however, the operational implementation of NIS2 is in progress and its transposition is expected no later than 17 December 2024.

Digital Operational Resilience Act

The Digital Operational Resilience Act (DORA) came into force across the European Union on 17 January 2023. The DORA Regulation addresses the need to establish a new regulatory framework to ensure adequate operational resilience standards for entities belonging to the financial sector.

Cyber Resilience Act

The European Commission has published two proposals for a Regulation known as the Cyber Resilience Act (CRA). The CRA is aimed at ensuring that all products with digital elements that are placed on the European market present sufficient guarantees in terms of cybersecurity, thus revealing an adequate level of accountability of the manufacturers.

It has to be noted that data protection and cybersecurity are regulated in a centralised manner and there are no subnational obligations.

In recent years, there has been an exponential increase in the attention and valorisation of the interaction between private companies and major governmental and non-governmental organisations for the purposes of sharing cybersecurity information. 

In this context, it is worth mentioning the role of the National Cybersecurity Agency (ACN), which, in defining and implementing the national security strategy, has called on organisations to get involved in strengthening the country’s security. The ACN has initiated several collaborations with private companies aimed at sharing information relevant to cybersecurity. The most recent include:

• the establishment of a memorandum of understanding between the ACN and Cisco Italy that involves collaboration on joint actions aimed at preventing cyber-attacks to support the country’s cyber resilience and digital security through the exchange of information on cyber threat intelligence (20 January 2023);
• the establishment of a memorandum of understanding between the ACN and CERTFin (Computer Emergency Response Team of the Italian Financial Sector), which involves the strengthening of dialogue between the two entities and the sharing of data, surveys and statistical analysis on the status and evolution of cyber threats (25 January 2023); and
• the launch of a collaboration platform between the ACN and Amazon Web Services for the implementation of a programme aimed at sharing information on cyber risks (2 February 2023).

Italy’s data protection and cybersecurity regime is broadly aligned with the European Union’s (EU) regulatory framework, and it goes far beyond it.

In Italy, the protection of critical infrastructures is a priority for the government, and cybersecurity plays a crucial role in ensuring the resilience and security of these systems. To this end, Italy has established a set of regulations and requirements for the cybersecurity of critical infrastructures. These requirements apply to organisations that operate critical infrastructures, including those in the energy, transportation, and telecommunications sectors.

In the legislative and regulatory framework of the European Union, there have been several developments during the last 12 months. Specifically, it is worth mentioning:

• the approval of the NIS2 Directive;
• the publication by the European Commission of two proposals for regulations (the so-called Cyber Resilience Act), aimed at ensuring that all products with digital elements placed on the European market have sufficient guarantees in terms of cybersecurity;
• the adoption of the Digital Operational Resilience Act (DORA); and
• the EDPB’s approval of the Europrivacy Certification to assess and certify data processing compliance with the GDPR.

At the national level, Italy has further implemented its regulatory framework through the establishment of the National Cyber Security Perimeter.

In addition, it is worth mentioning that, in the context of Decree-Law No 105 of 21 September 2019, also known as “Decreto Crescita 2.0” or “Growth Decree 2.0”, the Italian government established the Cybersecurity Fund (Fondo per la Cybersecurity). 

More specifically, the Decree-Law includes a range of provisions related to economic growth, including tax incentives for businesses and measures to support small and medium-sized enterprises.

In this context, the Cybersecurity Fund is intended to encourage Italian businesses to invest in cybersecurity and to promote the development of a robust cybersecurity industry in Italy.

While other countries may have similar requirements related to cybersecurity in their laws, the specific provisions of the “Decreto Crescita 2.0” are unique to Italy. The law reflects the Italian government’s recognition of the importance of cybersecurity and its efforts to promote the development of a secure digital economy in Italy.

There are several issues and aspects that impact the current cyber landscape, and, to date, emerging threats and the geo-political context are particularly relevant.

It has been observed that cyber-attacks on companies worldwide increased by 42% in the first six months of 2022. Particular attention was drawn to the increase in state-sponsored hacker groups and the massive use of ransomware as the main weapon of attack.

In this scenario, the National Agency for Cybersecurity, which can act as a regulator of the supply chain of public administrations, has recently issued an important measure (Directorial Decree 307/2022) regulating the requirements for cloud service providers and, in general, for providers of cloud-based solutions (IaaS, PaaS, SaaS).

These requirements are based on two parallel tracks and a distinction between categories of data processed by providers.

In this sense, the requirements identified concern the possession of specific certifications such as ISO/IEC 27001, ISO 9001, ISO 20000-1, ISO 22301, and the compliance with the provisions of DPCM 81/2021, ie, with the set of technical and organisational security measures derived from the American NIST framework and readapted for Italy by the National Interuniversity Consortium for Informatics (CINI), thus de facto equating the position of the providers with that of the subjects included in the National Cybersecurity Perimeter.

In conclusion, in the course of 2023, vendors of cloud, IaaS, PaaS and SaaS solutions for the Italian public administration will have to align themselves with the main international standards in terms of cybersecurity and with the regulations affecting companies whose compromise could harm national security.

The GDPR regulates the processing of personal data by private individuals and public entities to ensure that said processing is carried out respecting the rights and freedoms of the data subjects.

The provisions of the National Cyber Security Perimeter apply to the networks, information systems and IT services of public administrations and national, public and private entities and operators. Specifically, the Perimeter includes entities that perform:

• activities that are instrumental to the exercise of essential State functions;
• activities that are necessary for the exercise of fundamental rights;
• activities that are necessary for the continuity of supplies and the efficiency of infrastructure and logistics; and
• any research activities and business-related activities in the field of high technology and in any other sector where they have economic and social significance, also for the purpose of ensuring national strategic autonomy, competitiveness and development of the national economic system.

As far as legislation at the European level is concerned, it should be noted that the NIS Directive and the subsequent NIS2 Directive apply to operators of essential services and digital service providers.

As far as the implementation of the NIS Directive is concerned, the Italian government has adopted a decentralised model that provides for the designation of five ministries (Economic Development, Infrastructure and Transport, Economy and Finance, Health and Environment, and Land and Sea Protection) as “competent NIS authorities”.

In addition, the Italian Computer Security Incident Response Team (CSIRT) was established by Legislative Decree 65/2018.

The National Cybersecurity Agency (ACN) was established by Decree-Law No 82 of 14 June 2021 to protect national interests in the field of cybersecurity.

The National Assessment and Certification Centre (CVCN) is one of the reference bodies for the monitoring of the subjects included in the National Cybersecurity Perimeter. Specifically, for such entities, there is an obligation to notify the CVCN to procure the supply of ICT assets, systems and services for use on networks, information systems and for the performance of IT services.

The European Union Agency for Cyber Security (ENISA) is a European Union agency established in 2004 with the aim of improving the level of cybersecurity in Europe. ENISA supports member states in developing and implementing cybersecurity policies and strategies. The agency aims to promote co-operation and information sharing between member states, institutions, and the private sector.

In Italy, ENISA provides technical assistance and advice to the Italian government and other stakeholders. The agency supports the development of cybersecurity capacity in Italy through training and capacity building initiatives. ENISA promotes information sharing between Italian stakeholders and other EU member states, improving co-ordination and co-operation on cybersecurity.

In Italy, the Data Protection Authority is the Garante per la Protezione dei Dati Personali, also known as the “Garante Privacy”.

The Garante Privacy is an independent administrative authority responsible for assuring the protection of personal data and privacy rights. It is responsible for ensuring compliance with the EU General Data Protection Regulation (GDPR) and the Italian Data Protection Code and works closely with other regulatory bodies and law enforcement agencies to investigate and prosecute violations of the data protection legislative framework.

The Garante Privacy has a range of powers and responsibilities, including the following.

• Investigating complaints ‒ It has the power to investigate complaints and reports of alleged violations of data protection rules. It can carry out inspections, collect evidence, and take action to enforce compliance.

• Imposing administrative fines ‒ It can impose fines and sanctions for violations of data protection rules. The fines can be up to 4% of a company’s annual global revenue or EUR20 million.

• Providing guidance and information ‒ It provides guidance and information to individuals and organisations about data protection rules and best practices. It also provides information on its website and through other channels to help individuals and organisations understand their rights and obligations under the law.

• Promoting awareness ‒ It works to raise awareness about data protection and privacy issues. It organises training and awareness-raising initiatives for individuals, organisations, and other stakeholders.

In Italy, financial sector regulators play an important role in ensuring the cybersecurity of financial institutions and protecting the integrity and stability of the financial system.

The primary financial sector regulator in Italy is the Bank of Italy (Banca d’Italia), which oversees banks, financial institutions, and payment service providers.

The Bank of Italy has implemented several measures to promote cybersecurity in the financial sector, including:

• issuing regulations that require financial institutions to adopt appropriate cybersecurity measures and to establish a cybersecurity risk management framework;
• conducting periodic assessments of financial institutions’ cybersecurity systems and practices to ensure compliance with regulations and best practices;
• investigating and responding to cybersecurity incidents or breaches reported by financial institutions; and
• providing guidance and best practices to financial institutions on how to protect against cyber threats and manage cybersecurity risks.

Other sectoral regulators in Italy also have a role to play in promoting cybersecurity in their respective industries.

For example, the Italian Communications Authority (Autorità per le Garanzie nelle Comunicazioni) regulates the telecommunications sector and promotes cybersecurity in areas such as network security and data protection.

In addition, the Italian Energy Authority (Autorità per l’Energia Elettrica il Gas e il Sistema Idrico) oversees the energy sector and promotes cybersecurity in areas such as critical infrastructure protection and incident response.

Overall, sectoral regulators in Italy work to promote cybersecurity within their industries, develop and enforce regulations, and collaborate with other regulatory bodies and law enforcement agencies to protect against cyber threats and respond to incidents.

In addition to the Data Protection Authority and financial sector regulators, there are several other key regulators and agencies in Italy that have a role to play in promoting cybersecurity.

The Italian Postal and Communications Police (Polizia Postale e delle Comunicazioni) is a specialised law enforcement agency that focuses on investigating cybercrimes and enforcing laws related to cybersecurity and data protection.

The Italian National Anti-Corruption Authority (Autorità Nazionale Anticorruzione) is responsible for promoting transparency and preventing corruption in the public sector. It works to ensure that government agencies and public institutions adopt appropriate cybersecurity measures to protect sensitive information and prevent data breaches.

The National Centre for Cybersecurity (Centro Nazionale per la Cybersecurity) is a government agency that is responsible for developing and implementing national cybersecurity strategies and co-ordinating cybersecurity efforts across government agencies and industry sectors.

The Italian Digital Transformation Team (Equipe di Trasformazione Digitale) is a government agency that is responsible for driving digital transformation across government agencies and promoting the adoption of new technologies.

The Italian Competition Authority (Autorità Garante della Concorrenza e del Mercato) is responsible for enforcing competition laws and preventing anti-competitive practices in the marketplace. It works to ensure that businesses adopt appropriate cybersecurity measures to protect sensitive information and prevent data breaches.

It is advisable for organisations to put in place a comprehensive cybersecurity framework to address any specific risks and have a global approach to possible threats. This should at least include policies and procedures on information security, access control, asset management, encryption, network management, third-party management and business continuity.

Frameworks

The National Institute of Standards and Technology (NIST) Framework and the CINI (Comitato Interministeriale per la Sicurezza della Repubblica Italiana) Framework are both IT security management tools.

The NIST Framework was developed in the United States by the National Institute of Standards and Technology and provides a set of guidelines and best practices for IT security management. It consists of three main parts:

• the Core Framework that defines a set of activities, categories and subcategories that represent the areas of information security management;
• the Implementation Tiers Framework that defines the maturity levels of information security management in an organisation; and
• the Profiles Framework that allows organisations to tailor the Framework to their specific needs.

The CINI Framework was developed in Italy and is based on the NIST Framework but adapted to the specific needs of Italy. It was introduced by DPCM 81/2021 and it consists of four main parts:

• the General Part that describes the basic concepts of cybersecurity;
• the Organisational Part that defines the responsibilities and activities of the different roles within an organisation;
• the Operational Part that defines the operational processes for managing cybersecurity; and
• the Reference Part that provides a set of best practices for managing cybersecurity.

Provisions and Guidelines

Under Article 14 of Legislative Decree 65/2018 (concerning digital service providers) and Article 32 of the GDPR, organisations must demonstrate that they have put in place all the appropriate technical and organisational measures to prevent risks to the freedoms and rights of data subjects.

In addition, the latest Confindustria Guidelines for the implementation of an Organisation, Management and Control Framework pursuant to Legislative Decree No 231 of 8 June 2001 specify that companies must promote integrated forms of compliance, also in the field of cybersecurity, so that all IT and security procedures put in place are co-ordinated with each other and suitable to protect the company from any possible form of liability.

Furthermore, the guidelines of the Italian Data Protection Authority for the protection of personal data must also be considered. These guidelines cover a range of topics, including data breaches, data minimisation and privacy by design.

Lastly, specific policies and procedures are described in the new version of the ISO/IEC 27001 standard, which has integrated cloud security and data protection requirements, and in the provisions of Prime Ministerial Decree No 81/2021 on the National Cybersecurity Perimeter, based on the CINI framework.

There is no single consensus or commonly applied framework for “reasonable security” in Italy. Instead, organisations are expected to take a risk-based approach to cybersecurity and implement appropriate measures based on their specific risks and threats.

However, there are some frameworks and guidelines that are commonly used by organisations in Italy to guide their cybersecurity practices. For example, the NIS Directive and Legislative Decree 105/2019 provide specific requirements for operators of essential services and public administrations, respectively. Additionally, AgID guidelines and guidelines from the Italian Data Protection Authority provide guidance on best practices for information security and personal data protection.

In practice, organisations in Italy may use a combination of these frameworks and guidelines, along with other standards such as ISO 27001 and NIST Cybersecurity Framework, to develop and implement their cybersecurity programmes. The specific measures that organisations implement may vary based on their size, industry, and specific risks and threats.

In any case, it must be emphasised that the existence of DPCM 81/2021, based on the CINI framework (ie, the Italian adaptation of the NIST framework) and Directorial Decree 307/2022, shifts the focus to the national adoption of the security measures contained therein, and in 2023 they will become a benchmark for the main organisations operating in Italy.

Written Information Security Plans or Programmes

There is no specific legal requirement for written information security plans or programmes in Italy, but it is generally considered a best practice for organisations to document their cybersecurity policies and procedures. Organisations may use guidelines such as ISO 27001 or NIST Cybersecurity Framework to develop their information security plans.

Incident Response Plans

The NIS Directive and Legislative Decree 105/2019 require operators of essential services and public administrations, respectively, to develop and implement incident response plans. Guidelines from the Italian Data Protection Authority and AgID provide guidance on developing and implementing incident response plans.

Required Security Practices

The specific security practices required will depend on the industry and the data being protected. However, the NIS Directive and Legislative Decree 105/2019 provide specific security requirements for operators of essential services and public administrations, respectively.

Appointment of Chief Information Security Officer

There is no legal requirement for organisations to appoint a Chief Information Security Officer (CISO) in Italy. However, it is generally considered a best practice for organisations to designate a person or team responsible for overseeing cybersecurity.

For organisations falling within the National Cyber Security Perimeter, such an obligation can be found in DPCM 81/2021, as it requires such companies to appoint a person in charge of contacts with the competent authority, who can be responsible for the implementation of the technical and organisational security measures contained in the aforementioned regulation.

Involvement of Board of Directors

The involvement of the board of directors in cybersecurity is not specifically required by law in Italy. However, the NIS Directive and Legislative Decree 105/2019 require operators of essential services and organisations falling within the National Cyber Security Perimeter, respectively, to ensure that their senior management is involved in cybersecurity risk management.

Conducting Internal Risk Assessments, Vulnerability Scanning, Penetration Tests, Etc

There is no legal requirement for organisations to conduct internal risk assessments, vulnerability scanning, or penetration testing in Italy. However, it is generally considered a best practice for organisations to conduct these activities to identify and address potential security risks and an activity that is aligned to the obligation arising from Article 32 of the GDPR.

Multi-Factor Authentication, Anti-Phishing Measures, Protection Against Business Email Compromise, Ransomware, Threat Intelligence

There are no specific legal requirements for multi-factor authentication, anti-phishing measures, protection against business email compromise, ransomware, or threat intelligence in Italy. However, guidelines from the Italian Data Protection Authority and AgID provide guidance on best practices for information security and personal data protection and DPCM 81/2021 that regulates the technical and organisational security measures that organisations falling within the National Cyber Security Perimeter has to implement explicitly includes the above-mentioned measures.

Insider Threat Programmes

There are no specific legal requirements for insider threat programmes in Italy. However, it is generally considered a best practice for organisations to develop and implement a programme to mitigate the risks associated with insider threats, but it can be deduced from the application of the whole cybersecurity legislative framework.

Vendor and Service Provider Due Diligence, Oversight and Monitoring

There are specific legal requirements for vendor and service provider due diligence, oversight, and monitoring in Italy. Organisations are expected to ensure that their vendors and service providers implement appropriate security measures to protect the data and systems they are entrusted with. This obligation arises from the application of the Italian Cybersecurity Perimeter.

Use of Cloud, Outsourcing, Offshoring

There are specific legal requirements for the use of cloud, outsourcing, or offshoring in Italy. The National Agency for Cybersecurity, which can act as a regulator of the supply chain of public administrations, has recently issued an important measure (Directorial Decree 307/2022) regulating the requirements for cloud service providers and, in general, for providers of cloud-based solutions (IaaS, PaaS, SaaS).

Payment of Ransomware

Paying ransomware is generally discouraged as it can encourage further attacks and there is no guarantee that paying the ransom will result in the return of data, it can be also considered a criminal activity pursuant Article 379 of the Italian Criminal Code.

Secure Software Development or Patching

There are no specific and general legal requirements for secure software development or patching in Italy. However, it is generally considered a best practice for organisations to implement a software development lifecycle that includes security considerations and to promptly patch known vulnerabilities. For organisations falling within the National Cyber Security Perimeter, such an obligation can be found in DPCM 81/2021.

Responsible Disclosure of Software Vulnerabilities

In Italy, there is no specific legal requirement for responsible disclosure, but some industry groups and professional associations have established guidelines and best practices for vulnerability disclosure.

For example, in 2015, the National Cyber Security Center (CNS) established a vulnerability disclosure framework for public administration entities.

In addition, some Italian companies and organisations have established their own responsible disclosure programmes to encourage security researchers to report vulnerabilities in their products and services.

Training

The legal requirement for organisations to provide training to their resources in Italy is based on Article 29 GDPR and for organisations falling within the National Cyber Security Perimeter, such an obligation can be found in DPCM 81/2021.

Italy is an active participant in many international initiatives and organisations related to cybersecurity, including the following.

• European Union (EU) ‒ Italy participates in EU initiatives related to cybersecurity, such as the EU Network and Information Security Directive and the EU Cybersecurity Act. Italy has also contributed to the development of the European Union Agency for Cybersecurity (ENISA).

• North Atlantic Treaty Organization (NATO) ‒ Italy participates in various cybersecurity initiatives and programmes, including the NATO Cooperative Cyber Defense Center of Excellence and the Cyber Defense Pledge.

• United Nations (UN) ‒ Italy participates in various UN initiatives related to cybersecurity, such as the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security.

• Council of Europe ‒ Italy is a member of the Council and has ratified the Convention on Cybercrime, which provides a framework for international co-operation on cybercrime investigations and prosecutions.

Italy also participates in various other international organisations and initiatives related to cybersecurity, such as the G7, the Organization for Security and Co-operation in Europe (OSCE), and the Global Forum on Cyber Expertise (GFCE).

Personal data in Italy is regulated by the GDPR, which mandates that organisations comply with various affirmative security requirements when carrying out data processing activities. These requirements can include:

• carrying out a Data Protection Impact Assessment (DPIA) for any processing of personal data that is likely to result in high risk to the rights and freedoms of individuals;
• implementing security measures to ensure the safety of personal data;
• notifying the Italian Data Protection Authority of any data breaches that may result in a risk to the rights and freedoms of individuals;
• ensuring that personal data transferred outside Italy and the EU is protected and complies with the principles stated by the Regulation; and
• maintaining records of data processing activities and making them available to the Italian Data Protection Authority upon request.

The EU Market Abuse Regulation (MAR) regulates the protection of material business data and material non-public information in Italy. To comply with MAR, organisations must adhere to various affirmative security requirements. These include maintaining an up-to-date insider list, disclosing inside information, disclosing personal transactions, conducting market audits according to the established rules, reporting suspicious transactions, establishing an effective compliance function, and obtaining certification.

These affirmative security requirements aim to prevent insider trading and market manipulation, protect material non-public information, and ensure a fair market.

In July 2019, as required by the Network and Information Security (NIS) Directive and Legislative Decree 65/2018, Italy provided organisations with guidelines on risk management and the prevention, mitigation and notification of cyber incidents and attacks.

Moreover, the Agency for Digital Italy (AgID), now within the powers of the ACN, accredited CSA STAR certification as the only alternative to ISO 27001 certification (integrated with ISO 27017 and 27018) to certify the security of software as a service cloud services for the Italian Public Administration.

In addition, the Decree of the President of the Council of Ministers 81/2021 on the National Cybersecurity Perimeter provided technical and organisational security measures aimed at managing security incidents and improving the cybersecurity posture of institutions that are critical for national security.

The Legislative Decree 105/2019 mandates that organisations implement appropriate technical and organisational measures to prevent denial-of-service (DoS) attacks and ensure the availability and integrity of their information systems.

Affirmative security requirements include regular risk assessments, vulnerability testing, intrusion detection, and incident response plans. Critical infrastructure operators must report any cyber incidents to the National Cybersecurity Agency and obtain certification from a third-party assessment body.

Service providers and cloud operators must ensure that their networks and systems meet the same security standards. In the event of a DoS attack or similar incident, organisations must promptly report it to the authorities, work to restore the availability of the systems and minimise damage. Failure to comply with these requirements may result in sanctions or fines, and the National Cybersecurity Agency may also initiate investigations and audits to ensure compliance.

The implementation of a business continuity management system can provide the necessary elements to implement these and other measures aimed at improving organisations’ availability profiles. Specific requirements for the implementation of such a system are identified and detailed within the ISO/IEC 22301: 2019 standard.

IoT devices

With regard to IoT devices, reference can be made to the publication of the first version of the standard ISO/IEC 27400:2022. The standard contains guidelines, principles, and controls to mitigate information security and data protection risks in IoT applications.

Supply Chain Security

In the national legislative framework, supply chain security is a fundamental requirement. Specifically, reference can be made to:

• the obligation for the entities included in the National Cybersecurity Perimeter to notify the National Assessment and Certification Centre (CVCN) when proceeding with the procurement of ICT goods, systems and services; and
• the requirements deriving from the NIS Directive concerning the management of risk and vulnerabilities of supply chains.

Secure Software Development

AgID published a set of guidelines to implement a secure software development process, during all software development lifecycle (SDLC) phases, through the identification and implementation of appropriate security actions. These also include guidelines for threat modelling and identification of mitigation actions in accordance with Security/Privacy by Design principles.

In the context of the Italian cybersecurity legislative framework, there are no specific requirements applicable to ransomware attacks.

However, under Article 379 of the Italian Criminal Code, it is a criminal offence to helps someone to secure the product or profit or the price of an offence.

This means that payment of a ransom to an attacker who has carried out a ransomware attack may be considered as aiding and abetting a criminal offence. Therefore, it is generally discouraged, and in some cases it may even be illegal.

Additionally, companies are required to report any cybersecurity incidents, including ransomware attacks, to the Data Protection Authority. They may also be required to notify law enforcement, depending on the circumstances.

A potentially reportable data security incident, breach or cybersecurity event is typically defined as an actual or suspected unauthorised access, acquisition, use, disclosure, disruption, or destruction of personal or confidential data or information systems, or any other event that compromises the security or integrity of such data or systems.

The definition of a reportable event may vary depending on the jurisdiction or industry and may be based on factors such as the nature and scope of the incident, the types of data involved, and the potential harm or risk to affected individuals or organisations.

In many cases, data security incidents or breaches are subject to notification or reporting requirements, which may include timelines for reporting, methods of reporting, and specific information that must be included in the report. Failure to report a reportable event may result in fines or fines, depending on the relevant legal framework.

Under Italian law, data breach and cybersecurity event reporting and notification requirements are primarily governed by the GDPR and the Italian Data Protection Code.

The data elements covered in these requirements include the categories of personal data and the approximate number of data subjects affected by the breach.

When reporting the event, organisations must also provide additional information regarding the nature of the breach, its possible consequences, and technical and organisational measures that have been implemented to address it and to prevent it from happening again.

When reporting and notifying a data breach or cybersecurity event in Italy, the following elements of the system are typically covered:

• the data collection and storage systems, such as databases that have been affected by the breach;
• the security controls and measures that were in place to protect the data or network, such as firewalls, encryption, access controls, and other protective measures;
• the components of the organisation’s network infrastructure, such as servers and routers that may have been used as an entry point by eventual attackers;
• the human elements of the system, such as the individuals responsible for data protection and IT security, as well as any third-party vendors or contractors involved in the collection, processing, or storage of personal data; and
• the actions that have been carried out on the systems to respond to the incident and mitigate its consequences.

Medical devices are regulated in the EU by the Medical Devices Regulation (MDR) and the In-Vitro Diagnostic Medical Devices Regulation (IVDR). These regulations provide a legal framework for the safety and performance of medical devices and establish specific requirements for their design, manufacture and use. 

Furthermore, with regard to aspects related to the security of the networks and information systems involved in the above-mentioned activities, it should be noted that these are regulated by the NIS Directive.

Specifically, it is worth mentioning that the NIS2 Directive identifies manufacturers of medical devices and in vitro diagnostic medical devices as Important Entities (IEs) that, if considered critical during a public health emergency, are classified as Essential Entities (EEs).

In Italy, medical devices are regulated by the Ministry of Health through the Italian Institute of Health. The cybersecurity requirements for medical devices are specified in the Ministerial Decree of 2 April 2020 on the “Technical requirements for medical devices and software”.

Under this decree, medical devices must be designed and developed in accordance with the state of the art, with particular attention paid to ensuring their security and protection against cyber threats. The decree establishes specific requirements for cybersecurity, including:

• ensuring the confidentiality, integrity, and availability of data processed by the device;
• implementing appropriate technical and organisational measures to protect the device against unauthorised access, disclosure, alteration, or destruction;
• regularly updating the device’s software to address vulnerabilities and security issues; and
• conducting periodic risk assessments to identify potential security threats and vulnerabilities.

The decree also requires manufacturers of medical devices to report any security incidents or breaches that may impact the safety or performance of the device to the Italian Institute of Health.

In Italy, industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems are subject to cybersecurity regulations and standards, such as Legislative Decree no 65/2018 on the cybersecurity of networks and information systems, as well as the technical regulations issued by the Italian National Agency for New Technologies, Energy and Sustainable Economic Development (ENEA).

ENEA has issued guidelines on the technical measures to be implemented to ensure the security of ICS and SCADA systems, including the use of firewalls, intrusion detection and prevention systems, secure remote access controls, and encryption of sensitive data.

There are currently no legally binding security requirements for IoT devices.

However, in cases where such devices are involved in the processing of personal data and/or are part of the infrastructure of organisations critical to national security, the corresponding requirements of the GDPR and/or, as far as cybersecurity is concerned, the requirements of the National Cybersecurity Perimeter are applicable and it is recommended to refer to the ISO 27400 standard.

There are currently no legally binding security requirements for secure software development.

In this context, however, it is worth mentioning that AgID published a set of guidelines to implement a secure software development process, during all SDLC phases, through the identification and implementation of appropriate security actions.

In Italy, reporting requirements for cybersecurity incidents are governed by several laws and regulations, including the NIS Directive, the GDPR, and the provisions for the entities included in the National Cybersecurity Perimeter.

Articles 33 and 34 of the GDPR require data controllers to notify security incidents where the breach is likely to result in risks to the rights and freedoms of data subjects to the DPA and data subjects within 72 hours of becoming aware of them.

In addition, pursuant to Article 28 of the GDPR, the processor shall promptly inform the controller of security incidents that have occurred.

According to Article 12 of the NIS Directive, operators of essential services shall notify the Italian CSIRT and the competent NIS authority of incidents having a significant impact on the continuity of the essential services provided.

Prime Minister’s Decree 81/2021 requires those included in the national cybersecurity perimeter to notify the Supervisory Authority of any security incident impacting the organisation’s ICT assets and/or services. Annex A of the decree establishes the timing for notifying incidents according to a classification based on their severity.

Although there is no specific legal obligation in Italy for individuals to report cybersecurity incidents, they may report incidents to law enforcement agencies or consumer protection organisations, specifically if they have been victims of cybercrime.

In Italy, any data breach that could result in a risk to the rights or freedoms of individuals must be notified to the Italian DPA (Garante per la Protezione dei Dati Personali) without undue delay and, where feasible, not later than 72 hours after having become aware of the breach.

The threshold for notifying affected individuals depends on the severity of the breach and the risks it poses to individuals. If the breach poses a high risk to the individuals’ rights and freedoms, the data controller must also inform the affected individuals without undue delay.

In addition, specific notification obligations apply to certain types of personal data, such as health data, where the breach can pose a risk to the health or safety of the data subjects.

There are no specific thresholds or standards for notifying other third parties, apart from the ones listed above, under Italian law. The decision to notify other third parties will depend on the circumstances of the breach and the legal and contractual obligations of the data controller.

As far as defence measures for cybersecurity are concerned, organisations are free to adopt and implement those they deem most appropriate, while considering all legal requirements, especially in the case of network monitoring activities. Specifically, organisations may use software to monitor network traffic, detect anomalies, and identify potential security threats. However, the use of such software must be transparent and comply with privacy laws.

Network monitoring activities are also subject to regulatory requirements concerning the monitoring of employees’ activities. These include the following.

• Legal basis and justification ‒ Employers must have a legitimate reason to monitor their employees’ activity on the internal network. The monitoring must be necessary to protect the employer’s legitimate interests, such as ensuring network security, preventing illegal activities, or ensuring compliance with legal and regulatory requirements.

• Notice and consent ‒ Employers must inform their employees in advance about the monitoring and the reasons for it. The employees must be provided with clear and transparent information about the monitoring practices, the data collected, and the purposes for which the data will be used. Employees must give their explicit and informed consent to the monitoring, and their consent must be obtained before the monitoring starts.

• Proportionality ‒ The monitoring of employees’ activity on the internal network must be proportionate to the purpose for which it is conducted. Employers must use the least intrusive means possible to achieve their legitimate aims. The monitoring must not be excessive or go beyond what is necessary to achieve the employer’s legitimate interests.

The intersection of cybersecurity and data protection laws gives rise to potential conflicts and challenges. Cybersecurity laws aim to protect computer systems, networks, and data from cyber threats, while privacy laws aim to safeguard individuals’ personal data and privacy rights.

When these intersect, conflicts may arise because measures that enhance cybersecurity, such as monitoring or data retention, may conflict with data protection laws that limit the collection and retention of personal data. For example, monitoring employees’ internet activities or email communications to improve cybersecurity may conflict with data protection laws that mandate the protection of individuals’ private communications.

To navigate these conflicts, organisations must balance the need for cybersecurity measures with the protection of individuals’ personal data and privacy rights. To this end, it is advisable for organisations to adopt a risk-based approach to cybersecurity and privacy, ensuring that measures to enhance cybersecurity do not infringe on individuals’ privacy rights, and that the disclosure of personal data is limited to the extent necessary to comply with the relevant laws and regulations.

Currently, apart from the security incident and data breach reporting obligations derived from the national regulatory framework, there are no mandatory requirements in place for sharing cybersecurity information with government authorities.

However, there are several initiatives to involve organisations in cyber threat information sharing practices with the aim of increasing the level of national cybersecurity.

In this context, it is worth mentioning the role of the ACN, which, in defining and implementing the national security strategy, has called on organisations to get involved in strengthening the country’s security. The ACN has initiated several collaborations with private companies aimed at sharing information relevant to cybersecurity.

In the national and European context, the voluntary sharing of information regarding cybersecurity and cyber threats is considered as an effective instrument to be able to prevent and promptly respond to new forms of cyber-attacks.

Specifically, regarding security incidents, reference can be made to the provisions of Article 18 of Legislative Decree 65/2018, which sets out the possibility of voluntary notification for entities that are not identified as essential service operators or digital service providers. The notification of an incident occurring to an organisation that has IT systems and infrastructure like those of the entities for which notification is mandatory may enable the competent NIS authorities and the CSIRT to put in place preventive actions to avoid incidents that could impact on services that are considered essential.

Currently, cybersecurity enforcement in Italy is mainly conducted by the Italian DPA, which has issued several notable fines for data breach violations. Sanctioned entities include:

• one of the leading Italian banks; and
• one of the leading national telecommunications operators.

Some of the most significant fines issued by the Italian Data Protection Authority include:

• a fine of EUR600,000 issued to one of the leading Italian banks following a complex investigation into a data breach caused by abusive access to the personal data of over 700,000 customers;
• a EUR27.8 million fine issued to one of the leading national telecommunications operators for several instances of unlawful data processing in relation to marketing activities that affected millions of data subjects;
• a EUR50,000 fine to an insurance company for infringements of the GDPR in relation to a data breach; and
• a EUR70,000 fine issued to a health organisation for having violated Articles 5(1)(f) and 9 of the GDPR by sending newsletters with all recipients in CC.

In Italy, the applicable legal standards for cybersecurity and data breach regulatory enforcement and litigation are primarily based on the Italian Data Protection Code (Legislative Decree no 196/2003) and the General Data Protection Regulation (GDPR).

Moreover, if the violation is caused by a computer crime committed in the interest and to the advantage of the entity and this is the result of a lack of adequate security measures, such violation may entail, in addition to the administrative sanctions referred to above, criminal liability under Article 24-bis of Legislative Decree No 231/2001.

There have been a number of high-profile data security incidents and breaches in Italy that have resulted in private litigation. For example, in 2017, Italian telecommunications company Telecom Italia was sued by a group of consumer associations for a data breach that exposed the personal information of around 600,000 customers. The plaintiffs alleged that Telecom Italia failed to take adequate security measures to protect their personal data and sought damages of EUR100 million.

In another case, a class action lawsuit was filed against the Italian branch of the University of Maryland after a data breach that exposed the personal information of over 300,000 students and staff. The plaintiffs alleged that the university failed to adequately protect their personal data and sought damages of EUR1 billion.

More recently, in 2021, a group of Italian consumers filed a class action lawsuit against Meta for a data breach that exposed the personal information of over 533 million users worldwide, including over 35 million in Italy. The plaintiffs alleged that Facebook failed to take adequate security measures to protect their personal data and sought damages of EUR5 billion.

In the Italian regulatory framework, class actions were initially defined and regulated within the Consumer Code (Article 140 bis). In 2019, the Parliament approved Law No 31 of 2019, aimed at reforming class action with the purpose of strengthening this institution by broadening its scope and placing it under the Code of Civil Procedure.

The rules for such actions are strict and require a large number of claimants to join the action before it can proceed. In general, collective actions are not common in Italy, and the courts have not yet dealt with many cybersecurity-related cases.

In recent years, there has been an increase in individual claims related to data breaches and cybersecurity incidents in Italy.

In general, the disposition of these cases in court will depend on the specific facts of the case and the evidence presented.

In the national regulatory framework, there are no specific provisions on roles for corporate governance and specific standards for the resilience of organisations.

However, it is worth mentioning that the issue of governance is addressed within the provisions of the National Cybersecurity Perimeter. Specifically, reference can be made to the security measures that entities must implement, which include those related to corporate governance and provide for the drafting and updating of appropriate documentation regarding roles and responsibilities for cybersecurity and how risk is assessed and managed. Those aspects are regulated through DPCM 81/2021.

In conducting diligence in corporate transactions in the Italian cybersecurity legislative framework, several issues and considerations should be considered.

First of all, it is important to determine whether the target company has implemented an adequate cybersecurity programme and whether it complies with relevant cybersecurity laws and regulations. Due diligence should include a review of the company’s information security policies, procedures, and protocols, as well as its past security incidents or data breaches.

In addition, a review should be performed on the target company’s contracts and relationships with third-party vendors and service providers that have access to the company’s systems and data. Due diligence should assess whether these third parties have adequate security measures in place to protect the company’s systems and data.

Furthermore, an evaluation of the target company’s IT infrastructure, including hardware, software, and cloud-based services should be carried out in order to identify any vulnerabilities or weaknesses that could be exploited by cyber threats.

Lastly, it is important to assess the target company’s ability to respond to cybersecurity incidents or data breaches. This includes a review of its incident response plan and its history of incident response.

There are no cybersecurity-specific laws in the Italian legislative framework that specifically mandate the disclosure of an organisation’s cybersecurity risk profile or experience.

However, there are various laws and regulations, such as the GDPR and the NIS Directive that require organisations to take appropriate measures to protect personal data and secure their network and information systems.

In addition, some regulations, such as the CONSOB Regulation on issuers and the MiFID II Directive, require publicly traded companies to disclose information that may be relevant to their investors, which could include information about cybersecurity risks and incidents.

Overall, while there is no specific law mandating the disclosure of an organisation’s cybersecurity risk profile or experience, various laws and regulations require organisations to take appropriate measures to protect personal data and secure their network and information systems, which may indirectly impact their cybersecurity risk profile and the need for disclosure.

There are insurance policies that cover cybersecurity breaches, and they are usually included in the broader coverage related to personal data protection. They also cover cybersecurity and losses resulting from events such as cyber terrorism and cyber-attacks, as well as service interruptions and access interruptions.

The use of such insurance policies has become more widespread since the GDPR came into force, which, among other things, requires the adoption of appropriate technical and organisational security measures. In this context, the coverage of the risk is often conditional on the policyholder putting in place the security measures required by the Regulation.