Cybersecurity 2024

Last Updated March 14, 2024

Italy

Law and Practice

Authors



ICT Legal Consulting (ICTLC) is an international law firm that offers strategic support in legal compliance (privacy, IP and TMT) and assists in drafting and developing governance, organisation, management, security and control models for data-driven organisations. The firm has assembled a close-knit team of more than 80 qualified professionals specialising in ICT, privacy, data protection, cybersecurity and IP law. ICTLC has offices in Italy (Milan, Bologna and Rome), the Netherlands (Amsterdam), Greece (Athens), France (Paris), Spain (Madrid), Finland (Helsinki), Nigeria (Lagos), Kenya (Nairobi), Saudi Arabia (Riyadh) and Australia (Melbourne). It has also established partnerships with law firms and professionals in 54 other countries, giving clients access to qualified professionals suited to their specific needs.

In Italy, there are several laws and regulations that set out the fundamental cybersecurity and data protection requirements.

Italian Data Protection Code

The Italian Data Protection Code (Legislative Decree 196/2003) regulates the processing of personal data and establishes the obligations of data controllers and processors.

GDPR

The General Data Protection Regulation (GDPR) is a European regulation that establishes a single set of rules for the protection of personal data across the EU. As a regulation it applies directly in Italy without transposition; Legislative Decree 101/2018 adapted Italian law, and in particular the Data Protection Code, to the GDPR.

National Cybersecurity Perimeter

Decree-Law No 105 of 2019 (converted and amended by Law No 133 of 18 November 2019) formally established a National Cybersecurity Perimeter.  Its provisions aim to ensure a high level of security for networks, information systems and IT services of both the public administration and national, public, and private services, entities, and operators. 

The Italian Cybersecurity Framework

The framework was introduced by DPCM 81/2021, the implementing decree of the National Cybersecurity Perimeter, and requires the entities included in the Perimeter to adopt appropriate measures to manage cyber risks and to notify cybersecurity incidents affecting their in-scope ICT assets. In terms of incident response and notification requirements, incidents must be notified to the Italian CSIRT within six hours of detection, or within one hour for the most serious categories of incident listed in the decree. Operators of essential services and digital service providers are subject to the separate notification regime of Legislative Decree 65/2018 (NIS), while the 72-hour deadline applies to personal data breaches under the GDPR.

Decree-Law No 82 of 14 June 2021

Decree-Law No 82 of 14 June 2021 “Urgent provisions on cybersecurity, definition of the national cybersecurity architecture and establishment of the National Cybersecurity Agency” redefined national cybersecurity governance and established a specialised national agency. 

Transposition of Specific European Regulations

In terms of the transposition of EU regulations and directives, the following should be noted:

  • Legislative Decree 51/2018, which transposed Directive (EU) 2016/680 in Italy, contains a series of requirements to regulate the adoption of security measures for the protection of data processed by law enforcement agencies in the context of judicial police activities.
  • Legislative Decree 65/2018, which transposed Directive (EU) 2016/1148 (NIS Directive), provides guidance on risk management and the prevention, mitigation and notification of cyber incidents and attacks. Following the adoption of the NIS 2 Directive, the Legislative Decree will be amended to adapt the national framework to the new obligations deriving from the Directive; national legislation will likewise be adapted to DORA, the directly applicable EU Regulation on digital operational resilience in the financial sector.

Regarding differences between data breach incidents and cybersecurity incidents that may not involve personal information, it is important to note that while data breaches typically involve the unauthorised access to or disclosure of personal information, cybersecurity incidents can involve a range of activities that threaten the confidentiality, integrity, or availability of information systems or data, regardless of whether personal information is involved.

In terms of enforcement and penalties, the GDPR (as applied in Italy through the Data Protection Code) provides for administrative fines of up to EUR20 million or 4% of an organisation’s total worldwide annual turnover of the preceding financial year, whichever is higher, for the most serious violations.

In addition, operators of essential services and digital service providers that fail to comply with the requirements of Legislative Decree 65/2018, and entities within the National Cybersecurity Perimeter that fail to comply with the Italian Cybersecurity Framework, may face administrative penalties and sanctions from the relevant authorities.

The essential requirements for cybersecurity, which include data security, secure software development and incident response, are not spelled out in detail by statute; in practice they are benchmarked against international standards, in particular ISO/IEC 27002:2022. These standards catalogue controls and procedures to protect information and manage information security risks, including in the context of supplier relationships and cloud services.

In Italy, a multitude of regulatory bodies and government entities are tasked with overseeing cybersecurity and the protection of personal data.

  • The Italian Data Protection Authority (DPA) (Garante per la Protezione dei Dati Personali) safeguards personal data protection across the nation.
  • The Italian Communications Regulatory Authority (AGCOM) oversees the communications sector, focusing on cybersecurity and data protection.
  • The Central Anti-Crime Directorate of the State Police plays a central role in cybercrime investigations, supporting the public prosecutors who bring offenders to trial.
  • The Italian Computer Security Incident Response Team (CSIRT Italia) plays a crucial role in managing and mitigating cybersecurity incidents that impact government operations and critical infrastructure.
  • The Postal and Communications Police (Polizia Postale e delle Comunicazioni), the specialised cybercrime division of the Italian State Police, conducts cybercrime investigations and aids other law enforcement bodies in cybersecurity issues.
  • The National Anti-Corruption Authority (Autorità Nazionale Anticorruzione – ANAC) ensures the integrity and transparency of public procurement, including the procurement of IT systems and services.
  • Established by Decree-Law No 82 of 14 June 2021, the National Cybersecurity Agency (Agenzia per la Cybersicurezza Nazionale – ACN) is dedicated to safeguarding national cybersecurity interests.

The framework for implementing and overseeing the Network and Information Security (NIS) Directive is notably decentralised, involving five ministries as the competent NIS authorities.

For audits and investigations, the Italian Data Protection Authority, among other regulators, is authorised to conduct inspections and audits to verify adherence to data protection and cybersecurity regulations. These investigations can be triggered by complaints or reports from individuals, companies or government bodies, or opened on the authority’s own initiative.

Furthermore, several non-regulatory government authorities are directly involved in cybersecurity efforts. These include incident response teams, critical infrastructure entities like the National Centre for Cybersecurity, and secure software review bodies such as the National Centre for Software Technologies (CNTS). Law enforcement agencies, including the Italian State Police and the Central Anti-Crime Directorate, also play a crucial role in addressing cybercrime and bringing perpetrators to justice.

In Italy, the procedural framework that cybersecurity regulators or data protection authorities (DPAs) adhere to for conducting investigations and levying penalties is dictated by the specific laws and regulations in question. Generally, this process encompasses several key steps:

  • Investigation: The initiating step involves the regulator or authority launching an investigation following a report of an incident or suspected infringement. This phase may include requesting details from the involved party, executing on-site checks or audits, and conducting interviews with pertinent individuals.
  • Determination of violation: After the investigation, the authority assesses whether there has been a breach of the relevant laws or regulations.
  • Imposition of penalties: In instances where a violation is confirmed, the authority is empowered to apply penalties. These may range from fines and administrative sanctions to directives for undertaking remedial measures.

Individuals or entities subject to such proceedings are entitled to due process, ensuring their right to be notified of the accusations, to present a defence, and to appeal any sanctions imposed.

The criteria or legal benchmarks employed to ascertain the occurrence of a violation can differ, influenced by the incident’s specifics and the applicable regulatory framework.

Distinguishing between data breaches and other forms of cybersecurity incidents is critical, because the two trigger different notification regimes and different competent authorities. Data breaches specifically refer to unauthorised access to or disclosure of personal data and fall under the GDPR. Cybersecurity incidents encompass a broader spectrum of events that may compromise the confidentiality, integrity or availability of information systems or data without necessarily involving personal information, and are governed by the NIS and Perimeter regimes described above.

Regarding supply chain and software vulnerabilities, the DPA may conduct investigations to verify whether personal data has been jeopardised or whether there has been a breach of the GDPR. Should a violation be identified, the DPA is authorised to impose penalties in accordance with the GDPR. For incidents not involving personal data, the NIS, Perimeter or sector-specific regimes apply instead.

EU Network and Information Security 2 (NIS2) Directive

National cybersecurity strategy

Each EU member state is required to adopt a national cybersecurity strategy. This includes strategic objectives, resources, policy measures, governance frameworks, risk assessment mechanisms, incident response measures, and stakeholder co-ordination.

Implementation aspects

  • objectives and priorities: covering specific sectors and establishing governance frameworks for achieving these objectives;
  • roles and responsibilities: clarifying stakeholder roles at the national level and ensuring co-operation between competent authorities, single points of contact, and Computer Security Incident Response Teams (CSIRTs);
  • asset identification and risk assessment: focusing on identifying relevant assets and assessing cybersecurity risks within the member state;
  • incident preparedness and recovery: developing measures for responsiveness to and recovery from incidents, including public-private sector co-operation;
  • stakeholder involvement: involving various authorities and stakeholders in strategy implementation;
  • enhanced co-ordination: creating a policy framework for improved co-ordination between competent authorities for information sharing on cyber and non-cyber risks and incidents; and
  • cybersecurity awareness: implementing measures to enhance general cybersecurity awareness among citizens.

Specific policies under national cybersecurity strategy

  • supply chain cybersecurity: addressing cybersecurity in the supply chain for ICT products and services;
  • public procurement: specifying cybersecurity-related requirements for ICT products and services in public procurement;
  • vulnerability management: promoting co-ordinated vulnerability disclosure;
  • internet integrity and confidentiality: sustaining the general availability, integrity, and confidentiality of the public core of the open internet;
  • advanced technologies: promoting the development and integration of advanced technologies for state-of-the-art cybersecurity risk-management measures;
  • education and training: developing education and training programmes on cybersecurity, including awareness-raising initiatives;
  • support for academic and research institutions: supporting them in developing, enhancing and promoting the deployment of cybersecurity tools and secure network infrastructure;
  • information sharing: supporting voluntary cybersecurity information sharing between entities in accordance with Union law;
  • SME cyber resilience: strengthening the cyber resilience of small and medium-sized enterprises, especially those not covered by the Directive; and
  • active cyber protection: encouraging the adoption of proactive cyber protection measures.

Notification and assessment

  • strategy notification: member states must notify their national cybersecurity strategies to the European Commission within three months of their adoption; and
  • regular strategy assessment: national cybersecurity strategies should be assessed regularly, at least every five years, using key performance indicators; the European Union Agency for Cybersecurity (ENISA) assists member states in developing or updating their cybersecurity strategies to align with the Directive’s requirements.

Cybersecurity Information Exchange Framework

  • Voluntary information sharing: Private entities, both within and outside the scope of the NIS2 Directive and/or PSNC, are encouraged to voluntarily exchange cybersecurity information. This includes data on cyber threats, vulnerabilities, techniques, and adversarial tactics.
  • Objectives of information sharing:
    1. Prevention and response: The aim is to prevent, detect, respond to, and recover from incidents, as well as mitigate their impact.
    2. Enhancing cybersecurity: Information sharing is designed to enhance overall cybersecurity by raising awareness, supporting defence capabilities, vulnerability remediation, and promoting collaborative research between public and private sectors.

The implementation of information sharing works as follows:

  • Community-based exchange: Information exchange is to be conducted within communities of essential and important entities and their suppliers or service providers.
  • Cybersecurity information-sharing arrangements: These are implemented through formal arrangements, considering the sensitive nature of the shared information. They may include dedicated ICT platforms, automation tools, and specific conditions for sharing.
  • Facilitation by member states: Member states are responsible for facilitating the establishment of these information-sharing arrangements, potentially imposing conditions on the information made available by public authorities like the ACN or CSIRTs.

Responsibilities of Entities

  • Notification of participation: Entities must notify competent authorities of their participation in these information-sharing arrangements, as well as of their withdrawal from such arrangements.
  • Support by ENISA and ACN: ENISA and the ACN assist in establishing these arrangements by exchanging best practices and providing guidance.

Italy’s data protection and cybersecurity landscape is intricately aligned with the EU’s regulatory standards, yet it extends significantly beyond these parameters.

The safeguarding of critical infrastructure represents a paramount concern for the Italian government, with cybersecurity serving as a foundational pillar to bolster the resilience and security of these essential systems. In pursuit of this goal, Italy has instituted a comprehensive regulatory framework and set of requirements tailored to the cybersecurity needs of critical infrastructures. This framework mandates compliance for organisations operating within key sectors such as energy, transportation, and telecommunications, among others.

Moreover, this regulatory environment is further enriched by the requirements of the Network and Information Security Directive 2 (NIS2), the Digital Operational Resilience Act (DORA) and the PSNC, alongside the mandates of the ACN for engagement with the Italian public administration. Central to these expanded requirements is adherence to international standards such as ISO/IEC 27001:2022, focusing on information security management systems, and ISO 22301:2019, which pertains to business continuity management systems. These incorporations underscore Italy’s comprehensive approach to enhancing the security and resilience of its critical infrastructures, ensuring they meet both European and international best practices.

In the past year, the landscape of cybersecurity law and regulatory activity has seen notable developments, reflecting the evolving nature of cyber threats and the need for robust cybersecurity measures. The Italian Council of Ministers approved a bill aimed at strengthening national cybersecurity through three new measures considered necessary in the current geopolitical context, characterised by cyber attacks and the use of AI in cyber warfare.

The bill grants the ACN an additional mission beyond those established by its founding Decree-Law No 82 of 2021: to promote and develop initiatives, including public-private partnerships, that leverage artificial intelligence as a resource for enhancing national cybersecurity, while also encouraging the ethical and proper use of AI-based systems. This perspective, influenced by the approach of the Undersecretary to the Presidency of the Council of Ministers, Alfredo Mantovano, sees AI not merely as a risk but as an opportunity to strengthen the country’s cybersecurity.

The bill also emphasises the importance of co-ordinating responses between the ACN and the judiciary in cases of cyber attacks, a collaboration that was absent in the decree establishing the national cyber agency. It mandates prompt notification by the ACN to the national anti-mafia and anti-terrorism prosecutor in the event of attacks on IT systems, as well as reciprocal communication from public prosecutors to the ACN regarding cyber attacks.

Furthermore, the bill outlines the obligation for central public administrations and other significant entities to enhance their cyber defences through a dedicated cybersecurity strategy and the appointment of a cybersecurity liaison. Specifically, this includes central public administrations, in-house companies, regions, autonomous provinces of Trento and Bolzano, municipalities with populations over 100,000, regional capitals, urban public transport companies serving over 100,000 users, and local health companies. Failure to report cyber incidents can result in fines ranging from EUR25,000 to EUR125,000 by the ACN.

Entities must report cyber incidents to the ACN within 24 hours of becoming aware of them, followed by a complete notification of all available information within 72 hours. The cybersecurity liaison, chosen based on professional qualifications, will act as the administration’s single point of contact with the ACN regarding cybersecurity legislation and regulations.

The bill does not allocate new funding for these cybersecurity resilience measures; public administrations are expected to comply using existing resources. This raises concerns about the adequacy of financial resources given the increasing digitalisation of public and private sectors and the expanding “attack surface” vulnerable to cybercriminals and state-sponsored groups. The National Cybersecurity Strategy allocates, until 2026, 1.2% of gross national investments annually to cybersecurity, a target currently only on paper. The bill’s progression through parliament may bring changes, potentially addressing the issue of financial resource allocation.

Italy’s cybersecurity landscape is undergoing rapid development, reflecting broader global trends. In the upcoming year, several areas are poised for significant attention, as outlined below.

The rise of ransomware has been a notable trend in Italy, especially in 2023, with critical infrastructure and businesses being prime targets. The sophistication of these attacks is expected to increase, alongside heightened concerns over data theft and extortion tactics. The SolarWinds incident has cast a spotlight on the vulnerabilities within supply chains, prompting Italian organisations to prioritise securing their software supply chains against the backdrop of increasing interconnectivity risks.

The emergence of deepfakes represents a growing challenge to reputations, electoral integrity, and societal cohesion. Italian authorities are likely to tackle the misuse of such technologies and work to minimise their harmful impacts. Additionally, the expansion of AI usage brings to the fore issues related to its malicious application, such as adversarial AI, and potential security weaknesses in AI systems, prompting Italy to possibly enhance investments in research and regulatory frameworks to address these issues.

On the policy and regulatory front, the National Cybersecurity Strategy 2022-2026 aims at fortifying national cyber resilience and fostering the development of innovative cybersecurity solutions, and will significantly influence the cybersecurity domain in the near future. The transposition of the EU’s NIS 2 Directive into Italian law will enforce more stringent cybersecurity requirements for vital sectors, so organisations must gear up for compliance. Furthermore, the ACN, established in 2021, is set to take a more visible role in orchestrating national cybersecurity initiatives, delivering threat assessments and bolstering incident response activities, with its influence expected to grow in 2024.

The GDPR governs the processing of personal data, including the special categories of personal data, by both private and public entities, ensuring such activities respect the rights and freedoms of individuals.

Additionally, the provisions of the National Cyber Security Perimeter (Perimetro di Sicurezza Nazionale Cibernetica) extend to the networks, information systems, and IT services of public administrations as well as national, public, and private entities and operators. This Perimeter encompasses entities involved in:

  • activities critical to the functioning of essential state operations;
  • activities vital for the upholding of fundamental rights;
  • activities crucial for ensuring the continuity of supply chains and the effectiveness of infrastructure and logistics; and
  • research activities and business operations in high technology and other sectors of economic and social importance, aiming also to secure national strategic independence, competitiveness, and the growth of the national economy.

At the European level, legislation such as the NIS Directive, and its enhancement, NIS 2, targets operators of essential services and digital service providers. Moreover, DORA has been introduced to bolster the digital operational resilience of the financial sector, ensuring that firms can withstand, respond to, and recover from ICT-related disruptions and threats. This act, along with the National Cyber Security Perimeter, signifies a comprehensive approach to enhancing cybersecurity and operational resilience across critical sectors and the financial industry, reflecting an integrated effort to safeguard both personal data and the essential functions of the state and economy against cyber threats.

Regarding the implementation of the NIS Directive, the Italian government has previously embraced a decentralised approach, assigning the role of “competent NIS authority” to five ministries: Economic Development; Infrastructure and Transport; Economy and Finance; Health; and Environment, Land and Sea Protection. This will change in 2024, as the government intends to centralise the approach, giving the ACN the power to regulate and monitor NIS2 and DORA compliance. The ACN was established with the mission of safeguarding national interests in the realm of cybersecurity.

Moreover, the Italian Computer Security Incident Response Team (CSIRT) was established through Legislative Decree 65/2018 to enhance national cybersecurity incident response capabilities; following Decree-Law No 82 of 2021 it operates within the ACN as CSIRT Italia.

The National Assessment and Certification Centre (CVCN) serves as a key institution for overseeing entities within the National Cybersecurity Perimeter. These entities are required to notify the CVCN when acquiring ICT assets, systems, and services intended for use in networks, information systems, and the provision of IT services, ensuring a monitored and secure procurement process in line with national cybersecurity standards.

ENISA

ENISA serves as a hub of expertise for cybersecurity within the European Union. It supports EU member states, the private sector, and citizens by developing advice, recommendations, and good practices in information security.

The agency’s aim is to strengthen the resilience of Europe’s critical information infrastructure and networks and to foster a collaborative environment among member states to enhance network and information security across the EU.

DPAs such as the Italian “Garante” are critical in the landscape of personal data protection. Their role encompasses a variety of responsibilities, including:

  • Oversight and enforcement: DPAs ensure compliance with data protection laws such as the GDPR. They monitor and assess whether personal data is handled in accordance with the established rules on consent, purpose definition, and data proportionality.
  • Guidance and advice: DPAs provide guidance on data protection requirements, including privacy by design, privacy impact assessments, and the application of privacy seals.
  • Audits and inspections: DPAs have the authority to conduct audits and inspections to verify compliance with data protection standards.
  • Data breach management: In the event of a personal data breach, DPAs receive the controller’s notification, assess the measures taken and may order corrective measures, including communication of the breach to the affected data subjects, to mitigate potential harm.
  • Tool implementation: DPAs advocate for the implementation of data protection tools such as encryption and secure data disposal to safeguard personal information through specific guidelines, considering the collaboration with the ACN.
  • Public awareness: DPAs raise awareness about privacy rights and data protection measures among the public and within organisations.

In Italy, the regulation of the financial sector plays a pivotal role in bolstering the cybersecurity of financial institutions, thus safeguarding the system’s integrity and stability.

The Bank of Italy stands at the forefront of financial sector regulation, supervising a broad spectrum of entities including banks, financial institutions, and payment service providers. It has undertaken numerous initiatives to enhance cybersecurity within the financial sector, notably:

  • enforcing regulations that mandate financial institutions to implement robust cybersecurity measures and establish comprehensive risk management frameworks for cybersecurity;
  • periodically evaluating the cybersecurity systems and protocols of financial institutions to ensure they align with regulatory standards and industry best practices;
  • investigating cybersecurity incidents or breaches that financial institutions report and co-ordinating responses to such events; and
  • offering guidance and recommending best practices to financial institutions for defending against cyber threats and effectively managing cybersecurity risks.

Beyond the financial sector, other regulatory authorities in Italy contribute to advancing cybersecurity within their domains.

The Italian Communications Authority, which oversees the telecommunications sector, champions cybersecurity efforts focused on network security and data protection. Similarly, the Italian Energy Authority, which regulates the energy sector, emphasises cybersecurity, particularly in the protection of critical infrastructure and incident response strategies.

With the potential inclusion of the ACN as the monitoring authority for compliance with DORA, the landscape of cybersecurity regulation in Italy’s financial sector might see further enhancement. This development would position the ACN as a key player in ensuring that financial entities not only comply with cybersecurity regulations but also possess resilience against digital operational disruptions.

Collectively, these regulatory bodies in Italy are dedicated to fostering a secure cyber environment across various sectors, formulating and implementing regulations, and facilitating co-operation among different regulatory entities and law enforcement agencies to mitigate cyber threats and handle cybersecurity incidents efficiently.

Beyond the DPA and financial sector regulators, Italy hosts a range of critical regulators and agencies dedicated to advancing cybersecurity.

The Italian Postal and Communications Police specialises in cybercrime investigations and the enforcement of cybersecurity and data protection laws. This specialised law enforcement body plays a crucial role in maintaining digital security and privacy.

ANAC champions transparency and combats corruption within the public sector. It ensures that governmental bodies and public institutions implement effective cybersecurity protocols to safeguard sensitive data and thwart potential breaches.

The National Centre for Cybersecurity is tasked with crafting and executing national cybersecurity strategies. It also co-ordinates cybersecurity initiatives across various governmental entities and industrial sectors, reinforcing Italy’s cyber defences.

The Digital Transformation Team spearheads the digital overhaul of government operations, promoting the integration of modern technologies. This agency is pivotal in enhancing the digital infrastructure and cybersecurity posture of public sector entities.

Finally, the Italian Competition Authority oversees the enforcement of competition laws and curtails anti-competitive behaviours in the market. It advocates for businesses to adopt stringent cybersecurity measures, protecting confidential information and preventing unauthorised data access.

Together, these entities form a comprehensive network aimed at bolstering Italy’s cybersecurity framework, safeguarding digital spaces against threats, and ensuring the secure and ethical use of information technologies across all sectors.

Cybersecurity and data protection are governed by a variety of frameworks and standards, each designed to provide guidance and establish best practices across different aspects of cybersecurity. Here are some of the key frameworks:

  • ISO/IEC 27001: This is an international standard for managing information security. It provides a model for establishing, implementing, maintaining, and continually improving an information security management system.
  • CSA CCM (Cloud Controls Matrix): This framework provides fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.
  • BSI C5 (Cloud Computing Compliance Criteria Catalogue): Issued by the German Federal Office for Information Security (BSI), this catalogue outlines the security requirements that cloud services should meet.
  • COBIT 5: Standing for “Control Objectives for Information and Related Technology”, COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT.
  • CIS CSC (Critical Security Controls for Effective Cyber Defense): These controls provide a prioritised, actionable set of practices to stop today’s most pervasive and dangerous cyber attacks.
  • OCF (CSA STAR Program and Open Certification Framework): This framework includes a comprehensive certification programme for cloud service providers to help users make informed decisions about their service offerings.
  • NIST (National Institute of Standards and Technology) Cybersecurity Framework: This framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. It is widely respected and followed by various organisations globally, especially in the United States.

Moreover, the updated Confindustria Guidelines for implementing an Organisation, Management, and Control Model in accordance with Legislative Decree No 231 of 8 June 2001, emphasise the necessity for businesses to foster integrated compliance approaches, including in cybersecurity. This integration mandates that all IT and security measures are harmonised and effectively shield the company from potential liabilities.

In parallel, the DPA’s guidelines for personal data protection are essential. These guidelines encompass a variety of topics, such as handling data breaches, minimising data collection, and embedding privacy into the design of systems and processes.

Additionally, the revised ISO/IEC 27001 standard, which now encompasses cloud security and data protection requirements, outlines specific policies and procedures. This standard, along with the directives from Prime Ministerial Decree No 81/2021 regarding the National Cybersecurity Perimeter, sets a comprehensive framework for securing digital assets and protecting sensitive information in the evolving cyber landscape.

In the realm of cybersecurity, various frameworks and standards are commonly applied to establish “reasonable security”. These frameworks and standards are instrumental in guiding organisations towards implementing and maintaining robust security practices. The key frameworks and standards include ISO 27001:2022 and ISO 22301:2019.

When discussing legal requirements and applicable standards in cybersecurity, it is essential to highlight that various frameworks and standards serve as benchmarks for establishing “reasonable security”. Based on DORA, NIS2, and PSNC perspectives, here is a concise overview:

  • Written information security plans or programmes: NIS2, DORA and PSNC require entities to have comprehensive information security strategies in place that are regularly updated and reflect the current threat landscape.
  • Incident response plans: Such plans are mandatory under all three frameworks, detailing procedures for swiftly responding to and recovering from cybersecurity incidents.
  • Required security practices: These frameworks outline specific security measures tailored to the nature of the entity and the data it handles, including critical sectors, and refer mainly to ISO 27001 and ISO 22301.
  • Appointment of Chief Information Security Officer (CISO): Such appointment is either encouraged (NIS2/DORA) or required (PSNC), with the purpose of ensuring dedicated oversight of cybersecurity strategies and practices.
  • Involvement of board of directors: This is emphasised as crucial for embedding cybersecurity into organisational culture and governance, and is also addressed by the ISO standards.
  • Risk assessments, vulnerability scanning, penetration tests: Regular assessments are mandated under DORA, NIS2 and PSNC to identify and mitigate risks in a timely manner.
  • Multi-factor authentication, anti-phishing measures: Such measures are recommended as essential practices to protect against various cyber threats; they derive from the ISO standards and are consistent with the principles set out in DORA, NIS2 and PSNC.
  • Insider threat programmes: Such programmes are recommended to mitigate risks posed by internal actors, and are addressed by the relevant ISO standards.
  • Vendor and service provider due diligence: Entities must ensure their suppliers meet cybersecurity standards to protect the supply chain, and this is emphasised in NIS2, DORA and PSNC.
  • Use of cloud, outsourcing, and offshoring: This requires careful management of data security and compliance with relevant legislation, regardless of location.
  • Payment of ransomware: Paying ransoms is generally discouraged, with a focus on prevention, preparedness, and response strategies instead.
  • Secure software development and patching: This is deemed critical for maintaining the integrity and security of software products, and is included in ISO 27001:2022.
  • Responsible disclosure of software vulnerabilities: This is encouraged to ensure timely and effective remediation of security flaws; however, there are no legal obligations regarding this matter in Italy.
  • Training: This is essential to raise awareness and equip staff with the knowledge to recognise and mitigate cybersecurity threats, and is an obligation under all three frameworks.

Multinational relationships play a crucial role in addressing and managing cybersecurity risks and incidents. Here is an overview of the key aspects of these relationships:

  • International co-operation networks: CSIRTs participate in international co-operation networks beyond the CSIRTs network established by the NIS2 Directive. This enables them to exchange information, including personal data, with teams or competent authorities of third countries under specific conditions of Union data protection law.
  • CSIRTs network and operational co-operation: The CSIRTs network enhances operational co-operation at the Union level and may invite Union bodies like Europol to participate in its work. This network contributes to strengthening trust and effective operational co-operation among member states.
  • Public-private partnerships (PPPs): PPPs in cybersecurity provide a framework for knowledge exchange, sharing best practices, and establishing a common understanding among stakeholders. Member states promote policies underpinning the establishment of cybersecurity-specific PPPs, leveraging private sector expertise to develop advanced services and processes.
  • Support for small and medium-sized enterprises: Addressing the specific cybersecurity needs of small and medium-sized enterprises is a focus area, with member states providing guidance and assistance to these enterprises, particularly against threats like ransomware.
  • Alignment with international standards: There is an ongoing effort to align with international standards and best practices in areas like supply chain security assessments, information sharing, and vulnerability disclosure.
  • Co-ordinated vulnerability disclosure policies: Member states, in co-operation with ENISA, are encouraged to establish national policies for co-ordinated vulnerability disclosure. These policies aim to address the challenges faced by vulnerability researchers, including their potential exposure to criminal liability.
  • European vulnerability database: ENISA is tasked with establishing a European vulnerability database where entities can disclose publicly known vulnerabilities. This database addresses the unique challenges posed by risks to Union entities.
  • EU cybersecurity crisis response framework: Member states contribute to this framework through existing networks, such as the EU-CyCLONe and the CSIRTs network. This framework is crucial for managing large-scale cybersecurity incidents and crises at the Union level.
  • International agreements: The Union can conclude international agreements with third countries or international organisations to allow their participation in activities like the Cooperation Group, the CSIRTs network, and EU-CyCLONe, ensuring the Union’s interests and adequate data protection.
  • Peer reviews: Peer reviews are introduced to strengthen mutual trust and achieve a high common level of cybersecurity across member states, leading to valuable insights and recommendations.
  • Self-assessment methodology: The Cooperation Group establishes a self-assessment methodology for member states, covering various factors like the implementation of cybersecurity risk-management measures and reporting obligations.
  • EU: Italy participates in EU initiatives related to cybersecurity, such as the EU Network and Information Security Directive and the EU Cybersecurity Act. Italy has also contributed to the development of ENISA.
  • NATO: Italy participates in various cybersecurity initiatives and programmes, including the NATO Cooperative Cyber Defence Centre of Excellence and the Cyber Defence Pledge.
  • UN: Italy participates in various UN initiatives related to cybersecurity, such as the UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security.
  • Council of Europe: Italy is a member of the Council of Europe and has ratified the Convention on Cybercrime, which provides a framework for international co-operation on cybercrime investigations and prosecutions.

Italy also participates in various other international organisations and initiatives related to cybersecurity, such as the G7, the Organization for Security and Co-operation in Europe (OSCE), and the Global Forum on Cyber Expertise (GFCE).

In Italy, the GDPR safeguards personal data by requiring organisations to adhere to comprehensive security protocols during data processing activities. These protocols mandate:

  • the execution of a Data Protection Impact Assessment (DPIA) for processing activities with potential high risks to individual rights and freedoms;
  • the adoption of measures to secure personal data;
  • the notification of data breaches to the DPA if they pose risks to individual rights and freedoms;
  • the assurance of protection for personal data transferred outside Italy and the EU; and
  • the maintenance and provision of data processing records to the DPA upon request.

The EU Market Abuse Regulation (MAR) governs the safeguarding of essential business data and confidential information in Italy. Organisations are required to comply with comprehensive security measures under MAR, which include keeping an updated list of insiders, publicly disclosing inside information, reporting personal transactions, adhering to market sounding protocols, notifying authorities of suspicious transactions, creating a robust compliance function, and securing certification. These measures are designed to deter insider trading and market manipulation, safeguard confidential information, and promote market integrity.

Key affirmative security requirements, encompassing necessary reporting, certification, or other external involvement for critical infrastructure, networks, systems, information systems, or software, must adhere to the stringent standards set forth by DORA, NIS2, and PSNC. This adherence forms a comprehensive compliance framework that also extends to NIS, ISO 27001:2022, and ISO 22301:2019. Such a holistic approach ensures that entities not only meet specific regulatory requirements but also align with internationally recognised best practices for information security management and business continuity, enhancing the overall security posture and resilience of critical infrastructures and digital operations.

Reporting of Information Security Events

Organisations are required to establish mechanisms for personnel to report observed or suspected information security events promptly.

This supports timely, consistent, and effective reporting, crucial for preventing or minimising the impact of security incidents.

Directive on Reporting Significant Incidents

The NIS2 Directive mandates a multi-stage approach for reporting significant incidents.

Essential or important entities must submit an early warning within 24 hours of becoming aware of a significant incident, followed by an incident notification within 72 hours. This approach balances swift reporting for mitigation and in-depth reporting for drawing lessons to enhance cyber resilience.

The directive emphasises the importance of initial assessments in determining the severity of incidents, considering various factors like the affected network, information systems, the severity and technical characteristics of cyber threats, and the vulnerabilities being exploited.

Key affirmative security requirements for areas such as the Internet of Things (IoT), supply chain security, secure software development, and other data or systems are designed to establish a robust cybersecurity framework. These requirements necessitate adherence to standards that may include mandatory reporting of security incidents, obtaining relevant certifications, and engaging with external audits or assessments to verify compliance.

Specifically, for IoT and connected devices, this means implementing measures to protect against unauthorised access and ensuring data integrity across devices and networks. Supply chain security emphasises the importance of vetting and continuously monitoring third-party vendors for compliance with security standards, thereby mitigating risks posed by interconnected ecosystems. Managing third-party risks is a central focus of DORA, NIS2, and PSNC, highlighting the critical importance of ensuring that external partners and suppliers adhere to stringent cybersecurity and resilience standards.

This comprehensive management approach includes ensuring compliance with the NIS directives, as well as aligning with ISO 27001:2022 for information security management and ISO 22301:2019 for business continuity management. The emphasis on third-party management under these frameworks underscores the necessity for organisations to rigorously assess, monitor, and control the security and resilience of their supply chains and external business relationships. All interconnected systems and services must meet high standards of security and reliability, thereby safeguarding against potential vulnerabilities and enhancing the overall security posture of the organisation.

In the realm of secure software development, adopting practices that integrate security considerations throughout the software development lifecycle (SDLC) is essential, including code reviews, vulnerability assessments, and patch management. These efforts are complemented by adherence to international standards such as ISO 27001:2022 for information security management and ISO 22301:2019 for business continuity management, ensuring a comprehensive approach to safeguarding critical data and systems across all facets of technology and operations.

Within the Italian cybersecurity legislative framework, there are no explicit requirements specifically targeting ransomware attacks.

However, Article 379 of the Italian Criminal Code criminalises assisting anyone in obtaining the proceeds or benefits from a crime. Consequently, paying a ransom to a perpetrator of a ransomware attack could be interpreted as facilitating a criminal offence, making such payments generally discouraged and, in certain situations, potentially unlawful.

Moreover, organisations are mandated to report cybersecurity incidents, which include ransomware attacks, to the DPA. Depending on the specifics of the incident, there may also be an obligation to inform law enforcement agencies, ensuring a co-ordinated response to such cyber threats.

The legislative framework set out by PSNC, DORA and NIS2 encompasses the same definitions, as follows:

  • “Incident” means an event compromising the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data, or services offered by or accessible via network and information systems.
  • “Large-scale cybersecurity incident” means an incident causing disruption exceeding a member state’s capacity to respond, or significantly impacting at least two member states.
  • “Major ICT-related incident” means an incident with a high adverse impact on network and information systems supporting critical functions of a financial entity.
  • “Information security breach” means a compromise leading to undesired destruction, loss, alteration, disclosure, or access to protected information.
  • “Information security event” means an occurrence indicating a potential security breach or failure of controls.
  • “Information security incident” means related and identified events harming an organisation’s assets or compromising operations.

Reporting Requirements

  • Early warning and notification: Essential and important entities must submit an early warning within 24 hours, and an incident notification within 72 hours of becoming aware of a significant incident.
  • Communication to service recipients: Entities should communicate to service recipients any measures to mitigate risks from significant cyber threats and inform them of the threats when likely to materialise.
  • Public electronic communications networks and services: Providers should implement security by design and inform their service recipients of significant cyber threats and protective measures.
  • Proactive approach to cyber threats: Entities are encouraged to voluntarily report cyber threats as part of effective cybersecurity risk management.

Detailed Reporting

Entities must provide an intermediate report on status updates and a final report within one month after the incident notification, detailing the incident, its impact, and mitigation measures.

Sensitive information is covered within the DORA, NIS2 and PSNC frameworks; personal data is covered within the GDPR and data protection framework.

Every asset of an organisation identified by the government within the DORA, NIS2 and PSNC frameworks, and every asset in which personal data is processed for GDPR compliance, is covered.

In the EU, medical devices are governed by the Medical Devices Regulation (MDR) and the In-Vitro Diagnostic Medical Devices Regulation (IVDR). These regulations establish a comprehensive legal framework to ensure the safety and efficacy of medical devices, detailing specific criteria for their design, production, and application.

Additionally, the cybersecurity of networks and information systems related to these activities falls under the jurisdiction of the NIS Directive. Notably, the NIS2 Directive classifies manufacturers of medical devices and in vitro diagnostic medical devices as Important Entities (IEs), which, in the context of a public health emergency, may be designated as Essential Entities (EEs) due to their critical importance.

In Italy, the regulation of medical devices is overseen by the Ministry of Health and the Italian Institute of Health. The cybersecurity requirements for medical devices are articulated in the Ministerial Decree of 2 April 2020, concerning the “Technical requirements for medical devices and software”. According to this decree, medical devices must be crafted and engineered to meet contemporary standards, with a strong emphasis on security and resilience against cyber threats. The decree outlines explicit cybersecurity obligations, including:

  • preserving the confidentiality, integrity, and availability of data managed by the device;
  • enforcing suitable technical and organisational safeguards to defend the device from unauthorised access, exposure, alteration, or destruction;
  • continuously updating the device’s software to mitigate vulnerabilities and address security concerns; and
  • routinely conducting risk evaluations to detect and mitigate potential security threats and weaknesses.

Furthermore, the decree mandates that medical device manufacturers report any security incidents or breaches that could affect the device’s safety or functionality to the Italian Institute of Health.

The security requirements for industrial control systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, encompass various aspects of information security. These requirements are primarily guided by the principles of secure system architecture and engineering, as outlined in the ISO/IEC 27002 standard.

At present, there are no specific legal security obligations for IoT devices.

Nevertheless, when these devices are engaged in processing personal data or form a component of the infrastructure of organisations pivotal to national security, they fall under the purview of the GDPR for data protection and the National Cybersecurity Perimeter for cybersecurity concerns. In such instances, it is advisable to consult the ISO 27400 standard for guidance on securing IoT devices, ensuring compliance with relevant regulations and bolstering the overall security posture of the involved systems.

As of now, there are no legal mandates specifically concerning security measures in software development.

However, it is important to note that the Agency for Digital Italy (AgID) has released a comprehensive set of guidelines aimed at fostering secure software development practices. These guidelines are designed to guide organisations through each phase of the Software Development Life Cycle (SDLC), recommending the identification and application of suitable security measures to enhance the overall security of the development process.

In Italy, the obligation to report cybersecurity incidents is articulated through a variety of laws and regulations, such as the NIS Directive, the GDPR, and rules pertaining to entities within the National Cybersecurity Perimeter.

The GDPR, particularly Articles 33 and 34, mandates that data controllers report security breaches that could potentially harm the rights and freedoms of individuals to the DPA and to the affected data subjects within 72 hours of detection. Furthermore, Article 28 of the GDPR stipulates that processors must immediately inform controllers about any security incidents that have occurred.

Under Article 12 of the NIS Directive, operators of essential services are required to inform the Italian CSIRT and the relevant NIS authority about incidents that significantly disrupt the continuity of the essential services they offer.

Prime Minister’s Decree 81/2021 sets forth that entities within the national cybersecurity perimeter must alert the Supervisory Authority regarding any security incident affecting their ICT assets and/or services. Annex A of this decree specifies the timeframe for incident notification, categorised by the severity of the incident.

While there is no explicit legal requirement for individuals in Italy to report cybersecurity incidents, they are encouraged to report such incidents to law enforcement or consumer protection bodies, especially in instances of cybercrime victimisation.

In the context of cybersecurity incidents, the “risk of harm” thresholds dictate when an entity must notify government authorities, affected individuals, or other third parties about a security breach or cyber threat. These thresholds are essential for managing and mitigating the impact of such incidents on individuals’ privacy and financial security, as well as on the stability of the financial system, following the obligations of incident reporting included in the GDPR, DORA, NIS2 and PSNC.

Regarding cybersecurity defence measures, organisations are at liberty to select and implement the strategies they find most suitable, taking into account all relevant legal obligations, particularly when it involves monitoring network activities. Organisations may employ software solutions to oversee network traffic, pinpoint anomalies, and spot potential security threats. Nonetheless, the deployment of such software needs to be conducted in a transparent manner, ensuring full compliance with privacy regulations.

Network monitoring practices also fall under specific regulatory mandates related to the surveillance of employee activities, which encompass:

  • Legal basis and justification: Employers are required to have a valid reason for monitoring their employees’ activities on the internal network. Such monitoring should be essential for safeguarding the employer’s legitimate interests, which could include maintaining network security, deterring unlawful activities, or adhering to legal and regulatory obligations.
  • Notice and consent: Employers must notify their employees about the monitoring ahead of time, including the rationale behind it. Employees should receive comprehensive and straightforward details concerning the monitoring procedures, the nature of the data being collected, and the intended uses of that data. It is imperative that employees provide their explicit and informed consent to the monitoring, which should be secured prior to the commencement of any surveillance activities.
  • Proportionality: The surveillance of employees’ activities on the internal network must be measured and aligned with the intended purpose. Employers are obliged to employ the least invasive methods feasible to fulfil their legitimate objectives. The extent of monitoring should not be excessive and must be strictly confined to what is necessary for realising the employer’s legitimate interests.
  • Unions: Additionally, monitoring employees is permissible if it receives approval from trade unions or the Direzione Territoriale del Lavoro (Territorial Labour Directorate). This adds an extra layer of oversight and agreement, ensuring that the monitoring practices are not only legally compliant but also aligned with collective labour agreements and workers’ rights protections.

The overlap between cybersecurity and privacy legislation introduces potential conflicts and complexities. Cybersecurity laws are designed to defend computer systems, networks, and sensitive information against cyber threats. In contrast, privacy laws focus on protecting individuals’ personal information and their rights to privacy.

Conflicts can emerge when actions taken to bolster cybersecurity, such as monitoring or retaining data, clash with privacy regulations that restrict how personal data can be collected and stored. For instance, tracking employees’ internet usage or email communication to enhance cybersecurity might run afoul of privacy regulations that protect individuals’ private communications.

To effectively manage these challenges, organisations are encouraged to find a balance between implementing cybersecurity initiatives and upholding the privacy of personal data. Adopting a risk-based approach to both cybersecurity and privacy can help ensure that cybersecurity enhancements do not violate privacy rights, and that any disclosure of personal data is strictly limited to what is necessary for adherence to applicable laws and regulations.

At present, beyond the obligations to report security incidents and data breaches as dictated by the national regulatory framework, there are no compulsory directives for the dissemination of cybersecurity information to governmental bodies. Nonetheless, numerous initiatives are underway to engage organisations in the practice of sharing information about cyber threats, with the goal of enhancing national cybersecurity levels.

Within this framework, the significant contribution of the ACN merits attention. In its efforts to formulate and execute the national security strategy, the ACN has encouraged organisations to participate actively in fortifying the nation’s cybersecurity infrastructure. To this end, the ACN has forged multiple partnerships with private sector entities, facilitating the exchange of cybersecurity-related information, thereby contributing to a more secure cyber environment.

Within both the national and European frameworks, the voluntary exchange of information on cybersecurity and cyber threats is recognised as a valuable tool for preventing and swiftly reacting to emerging cyber-attacks.

Particularly in the context of security incidents, Legislative Decree 65/2018, through its Article 18, provides for the option of voluntary reporting by entities not classified as operators of essential services or digital service providers. Such voluntary notifications from organisations possessing IT systems and infrastructure akin to those required to report mandatorily can empower competent NIS authorities and the CSIRT to undertake preemptive measures. These measures aim to prevent incidents that might adversely affect services deemed essential, thereby enhancing overall cybersecurity resilience.

Azienda Ospedaliera Bianchi Melacrino Morelli

The DPA imposed a fine of EUR7,000 on Azienda Ospedaliera Bianchi Melacrino Morelli. The controller had mistakenly sent a document containing health data of the data subject to the wrong recipient. The DPA found that the healthcare facility had not taken sufficient technical and organisational measures to protect personal data.

Padua University Hospital

Padua University Hospital was fined EUR5,000 for unlawful disclosure of personal health data. The controller accidentally sent an email to all the people participating in a clinical trial by using carbon copy (Cc) instead of blind carbon copy (Bcc), thereby unintentionally making known the email addresses of all patients waiting for a heart transplant. The Padua University Hospital notified the Italian DPA of a personal data breach pursuant to Article 33 of the GDPR.

In order to remedy the violation and reduce its negative effects on the people involved, instructions were given to inform each individual concerned about the mistake, urging them to delete the email previously sent and not to use the email addresses of other recipients.

The DPA investigated whether the processing of personal data of the email recipients was in violation of the basic principles set out in Article 5 of the GDPR.

The hospital argued that the seriousness of the potential impact for the data subjects was average, considering that the health data – the existence of a scheduled heart transplant – was isolated and common to all the data subjects and not accompanied by any other sensitive data. Furthermore, out of 19 email addresses only seven were recognisable, while the other 12 were not immediately traceable to the account holder. The hospital further argued that the violation was partly due to the COVID-19 pandemic and the shortage of staff. Finally, the hospital stated that the author of the violation certainly did not benefit from it and that no complaints were received from the data subjects following the breach notification.

The hospital also set out the technical and organisational measures to be implemented in order to prevent data breaches in the future. These included staff training on the use of telematic tools in communications with patients.

The Italian DPA imposed a EUR80,000 fine on Commify Italia S.r.l., a messaging service company, for unlawfully storing the content of text messages sent by its customers (approximately 7,250 users), and other unlawful conduct relating in particular to the measures taken to ensure the security of the processing of traffic data and the absence of a legal basis for carrying out anti-fraud checks.

The DPA, in the course of inspections initiated as a result of a report and a complaint, found that the full contents of messages sent by customers (usually legal persons) were stored without their express consent. The messages consisted mostly of service notices sent by users of the platform (banks, insurance companies, healthcare companies) to their customers, and among their contents were passwords for operating banking services (OTPs – one-time passwords), authentication credentials, and special category data referring to health status or political party membership. The contents of the text messages could also be accessed by the company’s employees.

The company justified its activities by the mistaken belief that the contents of the text messages fell under traffic data, resulting in an obligation to retain them. In this regard, the DPA recalled that no legal regulation requires the retention of the content of communications, which, on the contrary, is expressly prohibited unless it is authorised by the user with specific and free consent for the provision of value-added services.

In addition, a number of other violations emerged in the course of the inspection activities, such as the retention of traffic data without a distinction being made between data retained for legal purposes and data retained for other purposes (such as billing or customer consultation), and a failure to distinguish retention durations based on the purpose of data retention. The company was also found to have carried out prior automated checks, with anti-fraud purposes, on the content of text messages sent by its customers to prevent possible phishing activities but without having a proper legal basis for doing so.

In Italy, the applicable legal standards for cybersecurity and data breach regulatory enforcement and litigation are primarily based on the Italian Data Protection Code (Legislative Decree No 196/2003) and the GDPR.

Moreover, if the violation is caused by a computer crime committed in the interests and to the advantage of the entity and this is the result of a lack of adequate security measures, such violation may entail, in addition to the administrative sanctions referred to above, criminal liability under Article 24-bis of Legislative Decree No 231/2001.

The DPA imposed a fine of EUR4,000 on Azienda socio-sanitaria locale n. 1 di Sassari. The controller had mistakenly sent a document containing health data of a data subject to the wrong recipient. The DPA found that the healthcare facility had not taken sufficient technical and organisational measures to protect personal data.

The DPA imposed a fine of EUR120,000 on Eurosanità S.p.A. The controller operates various healthcare facilities. An individual had filed a complaint with the DPA for mistakenly receiving a document that contained medical records of another individual. The DPA found that the controller had not taken sufficient technical and organisational measures to protect personal data in order to avoid such incidents.

Within the Italian regulatory framework, class actions were initially defined and regulated within the Consumer Code (Article 140 bis). In 2019, the Parliament approved Law No 31 of 2019, aimed at reforming class action with the purpose of strengthening this institution by broadening its scope and placing it under the Code of Civil Procedure.

The rules for such actions are strict and require a large number of claimants to join the action before it can proceed. In general, collective actions are not common in Italy, and the courts have not yet dealt with many cybersecurity-related cases.

Organisations are increasingly expected to integrate cybersecurity into their corporate governance frameworks, treating it as a strategic risk that requires board-level attention and a proactive approach. This holistic view ensures that cybersecurity governance is not just about compliance but is also about protecting the organisation’s value and reputation in the long term. This obligation derives directly from the application of the DORA, NIS2 and PSNC frameworks.

When conducting due diligence in corporate transactions within the context of Italy’s cybersecurity legislative framework, it is crucial to address several key issues and considerations.

Initially, it is essential to ascertain if the target company has established an adequate cybersecurity programme that aligns with the applicable cybersecurity laws and regulations. The due diligence process should encompass an examination of the company’s information security policies, procedures, and protocols, as well as a review of any previous security incidents or data breaches it may have experienced.

Moreover, the examination should extend to the target company’s agreements and interactions with third-party vendors and service providers who have access to its systems and data. It is vital to evaluate whether these third parties implement robust security measures to safeguard the company’s systems and data effectively.

Additionally, a thorough assessment of the target company’s IT infrastructure, including its hardware, software, and cloud-based services, is necessary to uncover any vulnerabilities or weaknesses susceptible to cyber threats.

Finally, assessing the target company’s capacity to manage and respond to cybersecurity incidents or data breaches is imperative. This includes reviewing its incident response plan and evaluating its track record in handling such incidents.

Within the Italian legislative framework, there are no laws outside the cybersecurity domain that explicitly require organisations to disclose their cybersecurity risk profiles or experiences.

However, several laws and regulations, such as the GDPR and the Network and Information Security (NIS) Directive, mandate that organisations implement suitable measures to safeguard personal data and ensure the security of their network and information systems.

Furthermore, certain regulations, including the CONSOB Regulation for issuers and the Markets in Financial Instruments Directive II (MiFID II), compel publicly traded companies to disclose information pertinent to their investors. This requirement may encompass details concerning cybersecurity risks and incidents.

In summary, although there is no specific legislation demanding the disclosure of an organisation’s cybersecurity risk profile or incidents, various legal and regulatory provisions necessitate that organisations adopt adequate security measures to protect personal data and secure their network and information systems. These measures indirectly influence their cybersecurity risk profile and the potential requirement for disclosure.

The role of insurance is rapidly evolving, moving towards an insurtech approach that aims to address the risks associated with Business Email Compromise (BEC) and ransomware. In Italy, however, the industry still struggles to understand how to accurately assess the costs associated with individual policies. This shift signifies a dynamic change in the insurance landscape, aiming to encompass modern cybersecurity threats, yet insurers face hurdles in precisely determining the financial implications of these policies.

ICT Legal Consulting

Via Borgonuovo 12
20121 Milan
Italy

+39 028 424 7194

info.legal@ictlc.com www.ictlegalconsulting.com

Trends and Developments

Navigating the Compliance Landscape: ISO 27001, ISO 22301, and DORA Regulations

Introduction

The convergence of international standards like ISO 27001 and ISO 22301 with the EU’s Digital Operational Resilience Act (DORA) marks a critical step forward in strengthening cybersecurity and operational resilience within the financial sector. In an era where digital threats are evolving rapidly, aligning industry practices with robust regulatory frameworks has become more crucial than ever. This article aims to dissect the synergy and compliance implications of ISO 27001 and ISO 22301, two pivotal standards in information security and business continuity management, in the context of DORA, a landmark EU regulation.

ISO 27001 focuses on establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS), providing a comprehensive set of requirements for protecting information assets. On the other hand, ISO 22301 emphasises the importance of a well-structured Business Continuity Management System (BCMS), ensuring that organisations can quickly recover and continue operations in the event of disruptions. The integration of these standards into the framework of DORA, which is designed to ensure the operational resilience of the financial sector against ICT (information and communication technology) risks, creates a multifaceted approach to risk management.

This alignment is particularly relevant in today’s interconnected digital ecosystem, where financial institutions are not only guardians of sensitive financial data but also pivotal players in the stability of broader economic systems. By exploring the intersecting requirements and objectives of ISO 27001, ISO 22301, and DORA, this article provides valuable insights for organisations striving to navigate this intricate regulatory landscape. The aim is to offer a comprehensive understanding of how these regulations interplay and the steps necessary for achieving compliance, thereby fostering a more resilient, secure, and trustworthy financial sector.

ISO 27001: a foundation for cybersecurity compliance

ISO 27001 is an international ISMS standard, designed to help organisations establish, implement, maintain, and continuously improve their information security management. The core of ISO 27001 is a comprehensive framework that assists in the identification and assessment of information security risks, the implementation of appropriate security controls, and the establishment of a culture of continuous improvement in information security practices.

At its heart, ISO 27001 emphasises the importance of identifying and managing risks to information security. It requires organisations to assess potential security threats systematically and to design and implement a coherent and comprehensive suite of information security controls or other risk treatment forms. These measures are intended to address those risks that are deemed unacceptable, and they must align with the organisation’s overall business and security strategy.

A critical aspect of ISO 27001 is its emphasis on a holistic, organisation-wide approach to information security. This includes the establishment of policies, procedures, and protocols to manage and mitigate risks. ISO 27001 also calls for the active involvement and commitment of top management, ensuring that information security is integrated into the organisation’s governance and becomes part of the everyday operational culture.

An important facet of ISO 27001 is its focus on continuous improvement. The standard encourages organisations to regularly review and refine their ISMS. This involves monitoring and reviewing the performance and effectiveness of the ISMS, conducting internal audits, and undertaking continual corrective and preventive actions based on internal audit findings, compliance reviews, and feedback from relevant interested parties.

In the context of legal and contractual compliance, ISO 27001 plays a pivotal role. As noted in the standard, compliance with legal, statutory, regulatory, and contractual requirements is crucial. This encompasses a broad spectrum of considerations, from the identification of and adherence to applicable legislation and contractual obligations, to the protection of records, privacy, and personally identifiable information, and the regulation of cryptographic controls.

In summary, ISO 27001 provides a robust foundation for cybersecurity compliance, offering a structured approach to managing and protecting information assets. By aligning with ISO 27001, organisations can demonstrate their commitment to cybersecurity and enhance their resilience against the ever-evolving landscape of digital threats.

ISO 22301: business continuity management systems

ISO 22301 provides a comprehensive framework for establishing, managing, and enhancing a Business Continuity Management System (BCMS). This standard plays a crucial role in enabling organisations to prepare for, respond to, and recover from disruptions effectively, thereby ensuring the continuity of critical business functions. It extends beyond the scope of information security, as outlined in ISO 27001, to encompass all aspects of business resilience.

Key components of ISO 22301 include:

  • Information security continuity: This involves integrating information security into the business continuity management process. It requires a proactive approach to maintaining and protecting information assets even in the face of disruptions.
  • Planning information security continuity: Organisations are required to develop plans that ensure the continuation of information security measures during an incident. This planning involves identifying critical information assets and ensuring they are protected under all circumstances.
  • Implementing information security continuity: The implementation phase involves putting the planned strategies into action. This may include establishing redundant systems, backup processes, and other mechanisms to ensure information security continuity.
  • Verifying, reviewing, and evaluating information security continuity: Regular testing and reviewing of the BCMS ensure its effectiveness. This step involves verifying that the controls are working as intended and making adjustments as necessary to address any gaps or weaknesses.
  • Redundancies: The standard emphasises the importance of having redundant resources, such as backup data centres or systems, to ensure that critical functions can continue without interruption in case of a primary system failure.
  • Availability of information processing facilities: Ensuring the availability of these facilities during a disruption is vital. This could involve strategies like cloud-based solutions, off-site data storage, or other forms of infrastructure redundancy.

By complementing ISO 27001, ISO 22301 enables organisations to have a more holistic approach to resilience. It ensures not only the security of information but also the continuity of operations under various conditions, thereby safeguarding the organisation’s ability to function and thrive in the face of unforeseen challenges. This comprehensive approach is essential in today’s dynamic business environment, where disruptions, whether natural or man-made, can have significant impacts on operational stability and security.

DORA: elevating digital resilience in the financial sector

DORA is an innovative regulatory framework established by the EU, designed to bolster the digital operational resilience of the financial sector. Aimed at mitigating and managing ICT risks, DORA creates a comprehensive set of requirements for financial entities. This regulation ensures that these entities are capable of withstanding, responding to, and recovering from a wide array of ICT-related disruptions, thereby safeguarding the integrity and stability of the financial system.

Key aspects of DORA include:

  • Competent authorities and compliance: DORA outlines specific competent authorities responsible for ensuring compliance with the regulation, tailored to various financial entities including credit institutions, payment institutions, investment firms, crypto-asset service providers, and others.
  • Co-operation and supervisory exchange: The act fosters co-operation and information exchange between competent authorities and various established structures, including the Cooperation Group and the CSIRTs (Computer Security Incident Response Teams), to effectively supervise and manage ICT risks.
  • Administrative penalties and remedial measures: DORA empowers competent authorities with supervisory, investigatory, and sanctioning capabilities, ensuring strict adherence to the regulation. This includes the authority to conduct on-site inspections, require remedial measures, and impose penalties for non-compliance.
  • Data protection compliance: In line with the EU’s stringent data protection standards, DORA mandates that personal data processing by the ESAs (European Supervisory Authorities) and competent authorities be carried out in accordance with relevant EU data protection regulations.
  • Review and adaptation: A review clause in DORA mandates that by 17 January 2028, a comprehensive review of its provisions will be conducted, ensuring that the regulation remains effective and relevant in the face of evolving digital threats and market developments.
  • Implementation timeline: DORA, binding in its entirety and directly applicable in all member states, entered into force 20 days after its publication in the Official Journal of the European Union, with its application starting from 17 January 2025.

DORA represents a significant stride in the EU’s efforts to enhance the resilience of its financial sector against digital threats. By setting out clear guidelines and requirements, it ensures that financial entities not only respond effectively to ICT-related disruptions but also proactively manage and mitigate potential risks. This regulatory approach highlights the importance of digital resilience in maintaining the stability and integrity of the financial system in an increasingly interconnected digital world.

Integrating ISO standards with DORA regulations

Compliance overlap and synergies

The integration of ISO 27001 and ISO 22301 standards with the DORA regulations offers a strategic advantage for organisations in the financial sector. The focus of ISO 27001 on information security management is well-aligned with DORA’s emphasis on ICT risk management, providing a solid foundation for compliance. Implementing the controls outlined in ISO 27001 not only enhances an organisation’s information security posture but also significantly contributes to meeting the stringent requirements set out by DORA.

Similarly, ISO 22301, which addresses business continuity, plays a pivotal role in achieving the operational resilience objectives of DORA. Organisations that are compliant with ISO 22301’s guidelines on business continuity management will find themselves well-prepared to meet DORA’s resilience requirements, ensuring that they can maintain critical functions and quickly recover in the event of ICT-related disruptions.

Addressing specific DORA requirements

DORA’s requirement for the identification and classification of all ICT-related risks echoes the risk assessment process outlined in ISO 27001. This similarity provides a streamlined approach for organisations to integrate their existing ISO 27001-based risk management processes with the requirements of DORA.

Moreover, DORA places significant emphasis on the importance of information sharing and co-operation among financial entities and competent authorities. This requirement resonates with ISO 27001’s emphasis on stakeholder communication and engagement, further underscoring the synergy between the two regulatory frameworks.

The aspect of data protection under DORA is also in harmony with ISO 27001’s control on information security incident management, ensuring that organisations have robust mechanisms in place to address and manage security incidents effectively.

Implementation strategies

  • Gap analysis: Organisations should conduct a comprehensive gap analysis to identify where their current compliance with ISO standards intersects with the requirements laid out by DORA. This analysis will help in pinpointing areas that require additional focus and resources.
  • Leveraging existing processes: Leveraging the existing processes and controls established for ISO 27001 and ISO 22301 compliance can significantly streamline the adaptation to DORA’s provisions. This approach can reduce the time and resources required for compliance, ensuring a more efficient integration.
  • Continuous monitoring and improvement: Both ISO standards and DORA emphasise the importance of continuous monitoring and improvement. Organisations must remain vigilant and proactive in updating their policies, processes, and controls in response to the evolving landscape of digital threats and regulatory changes. This ongoing commitment to improvement is crucial for maintaining long-term compliance and resilience.

By effectively integrating ISO 27001 and ISO 22301 with DORA regulations, organisations in the financial sector can achieve a robust and comprehensive approach to managing ICT risks, ensuring operational resilience, and maintaining compliance with critical regulatory requirements.

Conclusion

The integration of ISO 27001 and ISO 22301 with DORA regulations represents a significant advancement for organisations in the financial sector, particularly in enhancing their cybersecurity and operational resilience. Understanding the synergies and overlaps in compliance between these standards and regulations is crucial for effective navigation through this complex regulatory landscape.

ISO 27001’s comprehensive approach to information security management systems (ISMS) aligns seamlessly with DORA’s focus on managing ICT risks. This alignment ensures that implementing ISO 27001’s controls can significantly contribute to fulfilling the requirements set by DORA. Likewise, ISO 22301’s emphasis on business continuity management systems (BCMS) is integral to achieving DORA’s objective of operational resilience. Organisations already compliant with ISO 22301 will find themselves well-equipped to meet the resilience requirements of DORA.

DORA’s mandates, such as the identification and classification of ICT-related risks, resonate with the risk assessment processes of ISO 27001. Additionally, DORA’s emphasis on information sharing and co-operation among financial entities and competent authorities parallels ISO 27001’s focus on stakeholder communication, further demonstrating the complementary nature of these frameworks.

Moreover, the data protection aspects under DORA align with ISO 27001’s controls on information security incident management, ensuring that organisations have robust mechanisms in place to manage and mitigate security incidents effectively.

For organisations in the financial sector, it is essential to leverage the strengths of ISO 27001 and ISO 22301 to meet the stringent requirements of DORA. This integration not only ensures legal compliance but also fortifies defences against digital disruptions, enhancing the overall resilience and security posture of the organisation. Continuous monitoring and improvement, fundamental principles of the ISO standards, are crucial in adapting to the evolving landscape of digital threats and regulatory changes.

In summary, the harmonisation of ISO 27001 and ISO 22301 with DORA regulations provides a strategic framework for financial organisations to enhance their cybersecurity measures and operational resilience. By effectively navigating these combined regulations, organisations can ensure robust compliance, safeguard against digital disruptions, and maintain the integrity and stability of the financial system.
