National Cybersecurity Strategy

Italy has developed a structured cybersecurity strategy aimed at strengthening national resilience against cyberthreats, protecting critical infrastructures and ensuring the security of digital services. The strategy aligns with Directive (EU) 2022/2555, known as the NIS2 Directive, and is implemented through Legislative Decree Number 138 of 2024, which transposes the Directive into Italian law.

The Agency for National Cybersecurity, or ACN, is the principal authority overseeing cybersecurity at the national level. Established in 2021, it co-ordinates national and European cybersecurity policies, enhances co-operation between public and private entities, and ensures compliance with regulatory requirements.

The objectives of cybersecurity regulation are as follows:

• enhancing national security by strengthening the resilience of digital and network infrastructures against cyber-attacks, particularly in critical sectors such as energy, telecommunications and finance;
• protecting critical infrastructure by ensuring that essential service providers implement robust security measures in line with the NIS2 Directive and the implementing Regulation (EU) 2024/2690;
• regulating digital resilience through the Digital Operational Resilience Act (DORA), which sets strict requirements for financial sector entities regarding information and communication technology (ICT) risk management;
• ensuring incident reporting and response by mandating timely notification of significant cybersecurity incidents to national authorities and fostering a co-ordinated response to mitigate risks; and
• promoting cybersecurity standards by requiring organisations to adopt internationally recognised security frameworks such as ISO/IEC 27001 and ISO/IEC 27002, which are referenced in Italian cybersecurity regulations.

Cybersecurity regulation in Italy is continuously evolving to address emerging threats and align with EU and international best practices. It is paramount to consider that Italy has implemented the Perimetro di Sicurezza Cibernetica (PSNC), which includes all the above-mentioned principles. The legal framework reinforces proactive risk management, fosters digital trust, and ensures the resilience of national infrastructures in the face of increasingly sophisticated cyberthreats.

Italy’s cybersecurity legal framework is based on a combination of EU regulations and national laws that govern critical infrastructure protection, digital resilience, data protection, and cybersecurity obligations for public and private entities. The primary legislative instruments include:

• the National Cybersecurity Perimeter Law;
• DORA;
• the NIS2 Directive; and
• the General Data Protection Regulation (GDPR).

The National Cybersecurity Perimeter Law (Legislative Decree No 105/2019):

• establishes a national cybersecurity perimeter to protect critical infrastructures, including public administration, telecommunications, energy, finance and health sectors;
• requires entities operating in strategic sectors to implement risk management measures, conduct security assessments and report cybersecurity incidents to the Agency for National Cybersecurity (ACN); and
• introduces strict vendor requirements, limiting the use of foreign technology suppliers in critical ICT systems.

DORA (Regulation (EU) 2022/2554):

• applies to financial sector entities, including banks, investment firms, insurance companies and ICT service providers;
• establishes harmonised cybersecurity and risk management requirements, mandating that firms implement robust ICT security measures and ensure resilience against cyberthreats;
• imposes mandatory testing and incident-reporting obligations, requiring financial entities to assess their operational resilience through cybersecurity stress tests; and
• introduces third-party risk-management rules, ensuring financial institutions properly assess and monitor risks arising from outsourced ICT services.

The NIS2 Directive (Directive (EU) 2022/2555 and Legislative Decree No 138/2024):

• expands the scope of cybersecurity obligations to a broader range of critical and essential sectors, including energy, transport, banking, health and digital infrastructure;
• requires enhanced security measures, such as risk management policies, network security controls and business continuity planning;
• strengthens incident-reporting obligations, requiring companies to notify cybersecurity authorities of significant incidents within 24 hours of detection; and
• introduces stricter enforcement mechanisms, including fines and sanctions for non-compliance.

The GDPR (Regulation (EU) 2016/679):

• establishes a comprehensive framework for data protection and cybersecurity across the EU;
• imposes strict security obligations on organisations processing personal data, including encryption, access controls and data breach notification requirements;
• mandates privacy by design and by default, ensuring cybersecurity measures are integrated into ICT systems from the outset; and
• requires organisations to report personal data breaches to the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) within 72 hours.

Italy’s cybersecurity regulatory framework is designed to ensure digital resilience, protect national security and safeguard personal data. The combined effect of NIS2, DORA, the Cybersecurity Perimeter Law and the GDPR establishes strict obligations for organisations across multiple sectors, reinforcing the country’s defence against cyberthreats and data breaches.

Main Cybersecurity Regulators in Italy

Italy’s cybersecurity regulatory landscape is structured around several key authorities responsible for cybersecurity governance, critical infrastructure protection, financial sector resilience and data protection. The main regulatory bodies are:

• the ACN;
• the National Cybersecurity Incident Response Team (CSIRT Italia);
• the Bank of Italy (Banca d’Italia) and financial supervisory authorities; and
• the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali – GPDP).

ACN

Role and functions:

• established in 2021, the ACN is Italy’s central authority for cybersecurity governance, risk management and national defence against cyberthreats;
• implements Legislative Decree No 138/2024, which transposes the NIS2 Directive, and oversees the National Cybersecurity Perimeter Law (Decree No 105/2019);
• develops the National Cybersecurity Strategy and ensures compliance with risk management frameworks and security protocols;
• conducts security audits, vulnerability assessments and cyber-resilience exercises for critical infrastructure operators; and
• collaborates with EU cybersecurity agencies, NATO and international organisations on cybersecurity policies and threat intelligence sharing.

Scope of authority:

• enforces NIS2 and National Cybersecurity Perimeter obligations on public entities, essential service providers and high-risk industries;
• regulates security standards for ICT supply chains, including vendor approval processes for critical infrastructures; and
• oversees cyber incident reporting and response for regulated sectors, ensuring real-time co-ordination during cyber crises.

CSIRT Italia

Role and functions:

• operates as Italy’s national Computer Security Incident Response Team (CSIRT) under the ACN’s authority;
• provides early warning and response co-ordination for cyber incidents affecting critical infrastructures and public entities;
• develops threat intelligence and cybersecurity advisories, informing organisations of emerging cyberthreats and vulnerabilities; and
• assists in incident containment, mitigation and forensic analysis following major cyber-attacks.

Scope of authority:

• covers government agencies, national critical infrastructures and private entities subject to NIS2 regulations; and
• co-ordinates with EU CSIRT Network, ENISA and international cybersecurity agencies for cross-border cyberthreats.

Bank of Italy and Financial Supervisory Authorities

Role and functions:

• enforces cyber-resilience requirements for financial institutions under DORA;
• oversees ICT risk management in banks, insurance companies, investment firms and financial service providers;
• conducts digital resilience testing, ICT audits and third-party risk assessments for financial entities; and
• implements financial sector cybersecurity stress tests and cyber incident reporting frameworks.

Scope of authority:

• applies to all regulated financial entities, including banks, insurance companies and payment service providers;
• regulates outsourcing of ICT services, ensuring compliance with third-party cybersecurity standards; and
• works with the European Central Bank (ECB), European Banking Authority (EBA) and European Securities and Markets Authority (ESMA) on financial cybersecurity policies.

GPDP

Role and functions:

• enforces GDPR compliance in Italy;
• investigates personal data breaches, unauthorised access and cybersecurity failures affecting personal information;
• imposes fines and sanctions for non-compliance with data protection and cybersecurity regulations; and
• provides guidance on privacy-enhancing cybersecurity measures, including encryption, secure authentication and access control frameworks.

Scope of authority:

• covers all entities processing personal data, including public institutions, businesses and online service providers;
• mandates data breach reporting within 72 hours, ensuring rapid response to cybersecurity incidents affecting personal data; and
• works with the EU Data Protection Board (EDPB) and other European regulators on cross-border cybersecurity investigations.

Conclusion

Italy’s cybersecurity regulatory framework is based on a multi-agency approach, ensuring comprehensive oversight of cybersecurity risks across different sectors:

• the ACN regulates national cybersecurity policies and critical infrastructure protection;
• CSIRT Italia handles incident response and cyberthreat intelligence;
• the Bank of Italy and financial regulators enforce financial sector cybersecurity under DORA; and
• the GPDP ensures cybersecurity compliance for data protection under the GDPR.

Together, these regulatory bodies ensure that Italy’s digital infrastructure remains resilient, cyber-risks are effectively mitigated and organisations comply with strict security standards.

Scope of Application Under the NIS2 Directive

The NIS2 Directive establishes a harmonised cybersecurity framework across the EU, imposing strict security and incident reporting requirements on a broad set of critical and essential entities.

Entities covered:

• expands beyond the original NIS1 Directive (EU 2016/1148) to cover a wider range of sectors, including essential entities (energy, transport, banking, healthcare, public administration and digital infrastructure) and important entities (postal services, manufacturing, food, waste management and research sectors);
• applies to medium and large enterprises within these sectors but allows member states to include smaller entities if their cybersecurity risk profile is significant; and
• introduces supply chain obligations, meaning ICT service providers that support critical infrastructure operations are now directly regulated under the Directive.

Key obligations:

• requires implementation of cybersecurity risk management measures, including network security controls, access management and business continuity planning;
• mandates incident reporting within 24 hours of detection for significant cyber events; and
• establishes supervisory and enforcement mechanisms, with severe penalties for non-compliance (up to 2% of an entity’s global turnover).

Scope of Application Under the U.S. Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA, 2022)

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA, 2022), enacted in the United States, establishes mandatory cybersecurity incident-reporting obligations for critical infrastructure operators under the oversight of the Cybersecurity and Infrastructure Security Agency (CISA).

Entities covered:

• covers critical infrastructure sectors designated under Presidential Policy Directive 21 (PPD-21), including communications, financial services, healthcare, energy, defence, transportation and government facilities;
• applies to any organisation providing essential services to national security, the economy or public safety; and
• unlike NIS2, it does not use size-based criteria, meaning small and medium-sized enterprises (SMEs) can be covered if they support critical infrastructure.

Key obligations:

• requires reporting of cyber incidents within 72 hours and ransomware payments within 24 hours;
• mandates compliance with information-sharing provisions, allowing CISA to disseminate threat intelligence to affected industries; and
• grants legal protections to reporting entities, reducing liability risks associated with disclosing cyber incidents.

Uncertainties in the Interpretation of the Scope

Despite the clear intent to improve cybersecurity resilience, both NIS2 and CIRCIA face interpretational uncertainties that could impact on their practical enforcement.

Defining “Significant” Incidents

NIS2 requires entities to report “significant incidents” but leaves room for interpretation in defining what qualifies as significant. The regulation considers impact on operations, users and the economy, but lacks precise thresholds.

CIRCIA mandates reporting for “substantial” cyber incidents but does not clearly define how severity and material impact should be assessed, leading to potential underreporting or overreporting.

Inclusion of SMEs and Supply Chain Entities

NIS2 explicitly covers only medium and large enterprises, but allows member states to extend regulations to smaller entities based on risk. This could lead to fragmentation across EU jurisdictions, where some countries impose stricter obligations than others.

CIRCIA applies to all entities supporting critical infrastructure, regardless of size, but does not clarify the thresholds for third-party ICT providers, leaving uncertainty for vendors and subcontractors.

Cross-Border Enforcement and Jurisdictional Overlaps

NIS2 faces challenges in cross-border enforcement, especially for multinational companies operating in multiple EU member states. National cybersecurity authorities may interpret enforcement differently, leading to inconsistent compliance burdens.

CIRCIA’s reporting obligations may conflict with state-level cybersecurity laws, particularly in California and New York, which have separate breach notification requirements. This creates regulatory duplication and compliance complexity.

Interaction with Other Regulations (GDPR, DORA and National Laws)

In the EU, NIS2 overlaps with GDPR and DORA, raising questions about regulatory precedence.

If a cyber incident involves both personal data breaches and operational disruptions, organisations must report separately to the Data Protection Authority and the Cybersecurity Authority, increasing compliance complexity.

In the USA, CIRCIA intersects with sector-specific regulations, such as:

• HIPAA (for healthcare cybersecurity);
• FISMA (for government agencies);
• SEC cybersecurity rules (for public companies); and
• companies subject to multiple regimes may face conflicting reporting timelines and obligations.

Conclusion

While NIS2 and CIRCIA mark significant steps in enhancing critical infrastructure cybersecurity, interpretational uncertainties remain, particularly in defining reportable incidents, scope of covered entities and enforcement across jurisdictions:

• the EU’s NIS2 Directive focuses on harmonisation but allows flexibility, leading to potential national divergences in scope and application; and
• the USA’s CIRCIA law prioritises rapid incident response but lacks clear criteria for inclusion, creating compliance uncertainties for smaller entities and third-party service providers.

Future regulatory clarifications, sector-specific guidance and international co-operation will be critical to ensuring uniform enforcement and effective cybersecurity protections.

Italy has adopted a comprehensive regulatory framework to ensure the cybersecurity resilience of critical infrastructure, aligning with EU legislation such as the NIS2 Directive and DORA, as well as national cybersecurity laws. The main legal instruments governing cybersecurity for critical infrastructure include:

• Legislative Decree No 138/2024 (the “NIS2 Implementation Law”);
• Legislative Decree No 105/2019 (the “National Cybersecurity Perimeter Law”); and
• Regulation (EU) 2022/2554 (DORA) for financial infrastructure.

These laws impose strict cybersecurity obligations on critical infrastructure operators across energy, telecommunications, financial services, healthcare, transportation and public administration.

Key Cybersecurity Requirements

Risk management and security measures are as follows.

• Critical infrastructure operators must implement risk management frameworks to identify, assess and mitigate cyber-risks.
• Companies must apply technical and organisational security measures, including:
1. network and information system security controls;
2. multi-factor authentication and access control policies;
3. regular vulnerability assessments and penetration testing; and
4. data encryption and secure communication protocols.

Cyber Incident Reporting Obligations

Entities covered under the NIS2 Directive must report significant cybersecurity incidents to the Agency for National Cybersecurity (ACN) within 24 hours of detection.

Financial institutions regulated under DORA must report major ICT disruptions or cyber incidents to supervisory authorities within 72 hours.

Organisations must provide a detailed incident analysis, including the impact, response measures and mitigation strategies.

Business Continuity and Resilience Planning

Operators must maintain cyber-resilience plans, ensuring their ability to continue operations during cyber disruptions.

Companies must conduct regular stress tests and resilience exercises to evaluate their preparedness against cyber-attacks.

The use of back-up systems, redundancy mechanisms and disaster recovery protocols is mandatory for ensuring operational continuity.

Supply Chain Security and Third-Party Risk Management

Organisations must assess and monitor cybersecurity risks posed by third-party ICT service providers.

Under DORA, financial entities must implement contractual cybersecurity requirements for ICT suppliers, including incident-reporting clauses and security audit rights.

Critical infrastructure operators are required to verify the security posture of external vendors before integrating their services.

Compliance and Supervision

The ACN conducts regular inspections and audits to verify compliance with cybersecurity laws.

Non-compliance with cybersecurity obligations can result in severe penalties, including fines of up to 2% of global turnover.

Authorities have the power to impose remediation measures or restrict ICT operations if security risks are not properly managed.

Conclusion

Italy’s cybersecurity regulations establish a robust legal framework to protect critical infrastructure from cyberthreats. These requirements focus on risk management, incident reporting, resilience planning, supply chain security and regulatory supervision. Organisations operating in critical sectors must adhere to strict security standards to ensure national security, economic stability and public safety.

Italy imposes strict cybersecurity incident notification obligations on critical infrastructure owners and operators under the NIS2 Implementation Law, the National Cybersecurity Perimeter Law and DORA. These laws establish mandatory reporting frameworks to ensure rapid response to cyber incidents, minimise disruptions and enhance national cybersecurity resilience.

Notification Requirements Under NIS2 (Legislative Decree No 138/2024)

The NIS2 Directive introduces a harmonised cyber incident reporting framework for critical and essential service providers operating in sectors such as energy, transport, banking, healthcare and public administration.

Entities covered:

• essential and important entities defined under NIS2, including critical infrastructure operators, ICT service providers and public sector entities; and
• third-party ICT service providers that support critical infrastructure operations.

Incident reporting timeline:

• within 24 hours – operators must submit an early warning notification to ACN if they detect a potentially significant cybersecurity incident;
• within 72 hours – a formal incident report must be submitted, including details on the attack vector, impact assessment and immediate mitigation measures; and
• within one month – a final report must be provided, outlining post-incident forensic analysis and lessons learned.

Criteria for Reporting

An incident must be reported if it:

• significantly disrupts the availability, integrity or confidentiality of essential services;
• causes substantial economic or operational damage to the affected entity; and
• has cross-border implications, affecting other EU member states.

Penalties for Non-Compliance

Failure to report cyber incidents may result in fines of up to 2% of an entity’s global turnover.

The ACN can impose corrective measures, audits or operational restrictions if an organisation fails to comply.

Notification Requirements Under the National Cybersecurity Perimeter Law (Legislative Decree No 105/2019)

This law applies to operators of critical infrastructure and strategic national entities, such as those in defence, telecommunications, energy and public administration.

Incident reporting timeline:

• immediate notification – entities must immediately report any suspected cybersecurity breach affecting national security to the ACN and the National Cybersecurity Incident Response Team (CSIRT Italia);
• 48-hour follow-up report – a more detailed report must be provided, specifying affected systems, attack vectors and initial containment measures; and
• final remediation report – organisations must submit a comprehensive incident analysis, including recovery steps taken.

Key obligations:

• operators must establish real-time monitoring and detection mechanisms to identify cybersecurity threats; and
• they must co-operate with government agencies during national cybersecurity emergencies.

Enforcement and penalties:

• non-compliance with notification obligations may result in severe financial penalties and operational restrictions; and
• the ACN has the authority to audit and enforce cybersecurity resilience measures in critical sectors.

Notification Requirements Under DORA for Financial Entities

DORA imposes specific cybersecurity reporting requirements on banks, insurance companies, investment firms and financial service providers.

Incident reporting timeline:

• within four hours – financial institutions must notify their national supervisory authority if an incident is deemed severe;
• within 24 hours – a preliminary impact assessment must be submitted, detailing the scale of the disruption and affected systems; and
• within 72 hours – a detailed incident report must be provided, including technical analysis, forensic findings and recovery strategies.

Criteria for Reporting

Incidents must be reported if they:

• disrupt financial transactions, banking operations or stock market activities;
• affect payment processing, fund transfers or critical ICT infrastructure; and
• have cross-border implications within the EU financial sector.

Regulatory Oversight

The Bank of Italy, Consob and IVASS oversee DORA compliance in Italy.

Financial institutions failing to report incidents face regulatory sanctions and potential suspension of operations.

Conclusion

Italy’s cybersecurity notification framework is one of the most stringent in the EU, requiring rapid incident reporting, real-time threat monitoring and co-ordinated response mechanisms.

• NIS2 mandates a structured incident-reporting process for critical infrastructure operators, with severe penalties for non-compliance;
• the National Cybersecurity Perimeter Law imposes additional security obligations on entities deemed essential to national security and defence; and
• DORA establishes financial sector-specific reporting requirements to ensure cyber-resilience in banking, insurance and financial markets.

These laws ensure that Italy’s critical infrastructure remains resilient, cyberthreats are swiftly addressed and government agencies can co-ordinate effective cyber crisis responses.

Italy has established a national cybersecurity framework that assigns clear responsibilities to state authorities for resilience building and cyberthreat identification. These responsibilities are defined under the NIS2 Implementation Law, the National Cybersecurity Perimeter Law and DORA.

National Cyber-Resilience Responsibilities

The Italian state is responsible for strengthening the cybersecurity resilience of critical infrastructure, essential service providers and public sector entities. These responsibilities include the following.

Developing and enforcing cybersecurity policies

The ACN is tasked with defining and implementing the National Cybersecurity Strategy, aligning with EU Regulations and international best practices.

The government establishes sector-specific cybersecurity regulations, ensuring that energy, telecommunications, healthcare, finance and public administration sectors comply with risk management requirements.

Supervising critical infrastructure cybersecurity compliance

The ACN conducts regular cybersecurity audits and risk assessments for national critical infrastructure operators.

Operators of essential services must submit cyber-risk management plans to demonstrate resilience preparedness.

The ACN can impose corrective measures and penalties if an entity fails to implement required cybersecurity measures.

Establishing cyber incident response capabilities

CSIRT Italia (the National Cybersecurity Incident Response Team) co-ordinates real-time threat response and mitigation for national security threats.

The State facilitates public-private collaboration on cybersecurity best practices, ensuring that private sector entities share threat intelligence with national authorities.

Italy participates in EU-wide cybersecurity initiatives, including the EU Cyber Crisis Liaison Organisation Network (EU-CyCLONe) for rapid cyber crisis management.

National Cyberthreat Identification and Intelligence-Sharing Responsibilities

The Italian government plays a proactive role in identifying, analysing and mitigating cyberthreats at the national level.

Cyberthreat monitoring and detection

The ACN and CSIRT Italia continuously monitor cyberthreats, vulnerabilities and attack vectors targeting critical infrastructure.

The State mandates that essential service providers implement advanced threat-detection systems, including intrusion detection, behavioural analytics and automated monitoring tools.

The National Cyber Threat Intelligence Platform collects, analyses and distributes real-time cyberthreat intelligence to government agencies and private entities.

Cybersecurity incident reporting and analysis

Entities covered under NIS2 and the National Cybersecurity Perimeter Law must report significant cybersecurity incidents to the ACN within 24 hours.

The State analyses cyber incident reports to assess risk trends, identify attack patterns and develop national defence strategies.

Italy collaborates with EU cybersecurity agencies (ENISA, Europol and NATO cyber defence units) to exchange threat intelligence and co-ordinate international cyber response actions.

National defence against cyberthreats

The government strengthens national cyber defence capabilities by investing in cybersecurity research, innovation and workforce development.

Italy enforces strict cybersecurity standards for ICT suppliers, ensuring that critical infrastructure operators use secure, vetted technologies.

The Ministry of Defence and intelligence agencies monitor cyberthreats linked to foreign actors, cyber-espionage and State-sponsored attacks.

Conclusion

Italy’s State responsibilities on resilience and threat identification ensure a structured and proactive approach to national cybersecurity:

• the government enforces cybersecurity laws, supervises compliance and ensures that critical infrastructure remains resilient against cyberthreats;
• national cybersecurity agencies (the ACN and CSIRT Italia) identify, monitor and respond to cyberthreats, ensuring real-time protection of essential services; and
• the State collaborates with EU and international partners to strengthen cyber intelligence, prevent large-scale cyber incidents and secure the digital ecosystem.

Through policy enforcement, risk monitoring and cyber intelligence operations, Italy upholds a robust cybersecurity framework that safeguards national security, economic stability and public trust.

Italy’s financial sector’s operational resilience is regulated primarily under DORA, which establishes a harmonised cybersecurity framework for financial entities across the EU. DORA applies directly in Italy without requiring national transposition, ensuring uniform ICT risk management and cyber-resilience measures for financial institutions.

Material Scope of Application

DORA applies to a broad range of financial entities and their third-party ICT service providers, ensuring that digital resilience measures extend throughout the financial supply chain.

Financial entities covered:

• banks and credit institutions;
• investment firms and asset managers;
• isurance and reinsurance companies;
• payment institutions and e-money firms;
• crypto-asset service providers (CASPs) under MiCA; and
• central securities depositories and financial market infrastructures.

Third-party ICT providers covered:

• cloud service providers, data centres and cybersecurity firms that support financial operations; and
• managed service providers (MSPs) offering IT, software or infrastructure services to financial institutions.

Key regulatory requirements:

• mandatory ICT risk management framework, including business continuity planning and cyber incident response;
• obligatory cyber incident reporting within 72 hours to national financial regulators;
• regular penetration testing and digital operational resilience testing to ensure financial stability; and
• oversight of third-party ICT service providers, requiring contractual risk management measures.

Territorial Scope of Application

DORA applies to all financial entities operating within the EU, including:

• entities headquartered in Italy – all financial institutions and ICT service providers based in Italy fall directly under DORA’s jurisdiction;
• EU branches of foreign financial institutions – non-EU firms operating in Italy through subsidiaries must comply with DORA’s ICT risk management and reporting obligations; and
• third-country ICT providers servicing EU financial firms – non-EU technology firms that offer ICT services to European financial institutions are subject to DORA’s Oversight Framework for Critical ICT Providers, requiring them to adhere to EU cybersecurity standards.

The Bank of Italy, Consob and IVASS are responsible for DORA’s enforcement in Italy, ensuring that financial institutions meet digital resilience obligations and remain operationally secure against cyberthreats.

Under DORA, Italy enforces strict contractual obligations for ICT service providers that support financial sector operations. These requirements aim to ensure resilience, security and accountability in the supply chain of banks, investment firms, insurance companies and other financial entities.

Definition of ICT Service Providers in Italy

DORA defines ICT service providers as third-party entities offering digital, information technology or cybersecurity services to financial institutions. This includes:

• cloud service providers (IaaS, PaaS, SaaS);
• data centres and hosting providers;
• cybersecurity firms (managed security services, threat intelligence, incident response);
• software vendors and fintech providers;
• telecommunications providers supporting financial transactions; and
• artificial intelligence and automation service providers used in financial risk management.

If an ICT provider delivers essential digital services to financial entities, it falls under DORA’s oversight framework, requiring compliance with contractual and risk management obligations.

Contractual Requirements for ICT Service Providers Under DORA

Financial institutions in Italy must ensure that contracts with ICT service providers include specific provisions on risk management, security and resilience.

Mandatory Contractual Clauses

Security and risk management standards:

• ICT providers must implement strong cybersecurity measures, including encryption, access control and data protection mechanisms; and
• compliance with ISO/IEC 27001, NIST frameworks and other EU cybersecurity standards is required.

Business continuity and incident response obligations:

• contracts must include service-level agreements (SLAs) for disaster recovery, back-up availability and cybersecurity incident handling; and
• ICT providers must conduct regular resilience testing and provide results to financial regulators.

Incident reporting and notification requirements:

• ICT providers must report cyber incidents and disruptions to financial institutions within 24 hours; and
• financial institutions must then notify the Bank of Italy, IVASS or Consob under DORA’s 72-hour reporting obligation.

Audit rights and compliance monitoring:

• financial institutions must have the right to audit ICT providers to assess compliance with operational resilience requirements; and
• regulatory authorities may conduct independent supervisory assessments of critical ICT providers.

Exit and termination strategy:

• contracts must outline clear termination clauses and transition plans to prevent operational disruptions if the ICT provider fails to meet security obligations.

Classification of Critical ICT Services Under DORA

DORA mandates additional oversight for “critical ICT service providers”, which are entities indispensable for the stability of financial markets.

Critical ICT services include:

• cloud computing services used for banking transactions, payment processing and data storage;
• cybersecurity and managed security services (MSSPs) protecting financial networks from cyberthreats;
• AI-driven fraud detection and risk management platforms used in credit scoring and market analysis; and
• third-party digital infrastructure providers essential for financial services (eg, cross-border payment networks, digital identity verification systems).

These critical ICT providers are subject to direct regulatory oversight from the European Supervisory Authorities (ESAs), including:

• the European Banking Authority (EBA);
• the European Insurance and Occupational Pensions Authority (EIOPA); and
• the European Securities and Markets Authority (ESMA).

Will Every Cloud Service Provider Be Classified as Critical?

A cloud service provider will not necessarily be classified as critical. DORA applies additional scrutiny only to cloud providers whose services are fundamental to financial stability:

• large cloud service providers (AWS, Microsoft Azure, Google Cloud) that host banking operations will likely be classified as critical;
• small cloud vendors or niche SaaS providers that do not support essential financial operations may not fall under direct regulatory oversight; and
• ICT providers servicing multiple financial institutions are more likely to be designated as critical by the ESAs.

However, even non-critical cloud providers must comply with DORA’s contractual obligations, ensuring cybersecurity, resilience and transparency in financial ICT supply chains.

Conclusion

DORA imposes strict contractual requirements on ICT service providers, ensuring cybersecurity resilience, incident reporting and regulatory compliance for financial sector digital infrastructure:

• ICT service providers are broadly defined, covering cloud services, cybersecurity, fintech and digital infrastructure providers;
• critical ICT providers (eg, cloud computing firms supporting financial transactions) face enhanced regulatory oversight; and
• not all cloud service providers are automatically classified as critical, but those supporting essential financial functions will be directly supervised by EU regulators.

DORA establishes a uniform legal framework for digital operational resilience in the EU financial sector, applying directly to Italy. The Regulation ensures that financial institutions and their ICT service providers can withstand, respond to and recover from cyberthreats and ICT disruptions.

Objectives of DORA

The primary goals of DORA are to:

• strengthen ICT risk management across the financial sector, ensuring business continuity and financial stability;
• standardise incident response and reporting, allowing for timely detection, containment and notification of cyberthreats;
• ensure regulatory oversight of critical ICT service providers, reducing third-party risks in financial operations;
• enhance resilience testing by mandating cyber stress tests and penetration testing for financial firms; and
• promote threat intelligence-sharing, improving sector-wide cyberthreat detection and mitigation.

Key Obligations Under DORA

DORA applies to banks, insurance companies, investment firms, crypto-asset service providers and ICT vendors supporting financial institutions. Its requirements include the following.

ICT risk management:

• financial entities must adopt a risk management framework covering ICT security policies, network protection and access controls;
• continuous monitoring of ICT systems to detect vulnerabilities and threats; and
• implementation of business continuity and disaster recovery strategies.

ICT third-party risk management:

• financial firms must assess third-party ICT risks, ensuring that suppliers meet strict cybersecurity standards;
• contracts with ICT providers must include security, incident reporting and resilience-testing obligations; and
• regulatory oversight of critical ICT providers offering cloud services, managed security and data-processing.

Digital resilience testing:

• regular cyber-resilience testing, including penetration testing, vulnerability scans and risk assessments; and
• threat-led penetration testing (TLPT) required for systemically important financial entities.

Governance and compliance:

• senior management is responsible for ICT risk oversight and regulatory compliance;
• mandatory training and awareness programmes for employees handling financial IT systems; and
• financial regulators can audit compliance and impose penalties for non-compliance.

Incident and Reporting Obligations Under DORA

DORA introduces strict cybersecurity incident reporting requirements to prevent systemic financial risks.

Incident classification:

• major ICT-related incidents include cyber-attacks, ransomware, system failures and data breaches affecting financial services; and
• incidents are categorised based on impact on operations, data security and financial stability.

The reporting timeline and process is as follows.

• Within four hours – financial institutions must notify their national financial regulator (eg, Bank of Italy, Consob, IVASS) if a major cyber incident is detected.
• Within 24 hours – a preliminary incident report must be submitted, detailing affected systems, potential risks and immediate response actions.
• Within 72 hours – a detailed incident report must provide:
1. root cause analysis;
2. impact assessment;
3. steps taken to contain the attack; and
4. future prevention measures.
• Final post-mortem report – required if the incident had severe financial or systemic implications, ensuring regulatory follow-up and that industry-wide lessons were learned.

Cross-border co-ordination:

• if an ICT incident has cross-border impact, financial firms must notify the ESAs; and
• regulators collaborate with CSIRT Italia and ENISA to manage large-scale cyberthreats.

Conclusion

DORA sets out comprehensive digital resilience standards for Italy’s financial sector, ensuring strict cybersecurity measures, third-party risk controls and mandatory cyber incident reporting:

• financial institutions must implement robust ICT risk management policies and resilience testing;
• ICT service providers supporting financial firms must comply with cybersecurity and incident-reporting obligations; and
• strict incident-reporting requirements ensure rapid regulatory response to cyberthreats, preventing financial instability.

These measures enhance cyber-resilience, protect financial markets and ensure regulatory oversight in an increasingly digital financial ecosystem.

Under DORA, regulatory authorities in Italy and the EU enforce strict operational resilience obligations on critical ICT service providers that support the financial sector. These providers – such as cloud computing firms, cybersecurity vendors and data-processing centres – are subject to direct regulatory oversight due to their essential role in financial stability.

Regulatory Authorities Responsible for Enforcement

The enforcement of operational resilience obligations is managed by both national and EU-level regulators, including:

• the Bank of Italy (Banca d’Italia) – supervises banking and payment service ICT risk;
• IVASS (the Italian Insurance Supervisory Authority) – regulates ICT resilience in the insurance sector;
• Consob (the Italian Securities Commission) – oversees cybersecurity in investment firms and financial markets;
• European Supervisory Authorities (ESAs) – the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA) and European Securities and Markets Authority (ESMA) conduct cross-border supervision; and
• the European Central Bank (ECB) – directly supervises significant banks under the Single Supervisory Mechanism (SSM).

For critical ICT providers, DORA establishes a direct regulatory oversight framework, allowing EU financial authorities to intervene in ICT service delivery, mandate corrective actions and impose sanctions.

Compliance Obligations for Critical ICT Service Providers

Critical ICT service providers must comply with specific operational resilience obligations, including:

• ICT risk management – providers must implement strict security controls, continuous monitoring and incident-detection mechanisms;
• cyber-resilience testing – regular penetration testing and risk assessments are mandatory, with financial regulators overseeing results;
• incident response and reporting – providers must notify financial institutions of cyber incidents within 24 hours, enabling banks and insurers to report to regulators within 72 hours;
• business continuity and recovery plans – providers must maintain back-up systems, failover strategies and rapid disaster-recovery capabilities; and
• regulatory audit rights – national and EU financial regulators have full authority to conduct audits, on-site inspections and security evaluations of critical ICT service providers.

Enforcement Measures and Sanctions

Regulatory bodies enforce compliance through audits, inspections and corrective actions. If a critical ICT provider fails to meet operational resilience standards, the following enforcement measures apply.

Supervisory audits and on-site inspections

Regulatory authorities audit ICT providers to verify compliance with DORA and cybersecurity best practices.

On-site inspections and forensic reviews are conducted if vulnerabilities or past incidents indicate a high cyber risk.

Corrective measures and compliance orders

If deficiencies are found, regulators can issue binding corrective measures, including:

• security upgrades and process improvements;
• additional penetration-testing requirements; and
• stronger supply chain risk assessments.

Financial penalties for non-compliance

ICT service providers failing to meet regulatory obligations may face severe financial penalties:

• up to 2% of global turnover for non-compliance with cybersecurity and risk management standards; and
• additional daily fines until corrective actions are fully implemented.

Termination of ICT service contracts

If a critical ICT provider poses an unacceptable risk to financial stability, regulators can order financial institutions to terminate service contracts with the non-compliant provider.

The ESAs maintain a register of high-risk ICT service providers, restricting their access to EU financial markets.

Regulatory intervention in ICT service operations

In extreme cases, regulators may impose operational restrictions, requiring ICT providers to suspend or restructure critical services that threaten financial stability.

National authorities can mandate emergency cybersecurity measures if a major cyber event impacts on financial institutions.

Cross-Border Enforcement and Co-ordination

Because many critical ICT service providers operate across multiple jurisdictions, enforcement requires EU-wide co-ordination:

• joint supervisory teams (JSTs) – national regulators collaborate with the ECB and ESAs to conduct cross-border compliance reviews of ICT providers servicing multiple EU financial institutions;
• EU cyber crisis response framework – regulators co-ordinate responses for large-scale cyber incidents affecting multiple financial firms and ICT providers; and
• information-sharing mandates – ICT service providers must participate in threat intelligence-sharing programmes with financial regulators to enhance industry-wide cyber-resilience.

Conclusion

Enforcement of operational resilience obligations for critical ICT providers under DORA is strict and proactive, ensuring financial market stability and cybersecurity resilience:

• regulatory authorities in Italy and the EU directly oversee critical ICT providers, conducting audits, compliance checks and on-site inspections;
• failure to meet resilience standards results in heavy penalties, service restrictions and contract termination orders; and
• cross-border collaboration ensures that multinational ICT providers comply with harmonised EU financial cybersecurity regulations.

Through these measures, Italy and the EU maintain a secure, resilient and stable financial digital infrastructure, protecting against cyberthreats and ICT disruptions.

Italy’s legal framework for cybersecurity and financial resilience includes multiple provisions that directly or indirectly regulate international data transfers. These rules stem from EU regulations such as the GDPR, DORA and NIS2, as well as national cybersecurity laws.

The impact on international data transfers arises through:

• data protection regulations imposing cross-border data transfer restrictions;
• cybersecurity laws requiring localisation or risk assessments for data transfers; and
• operational resilience regulations affecting third-party ICT providers outside the EU.

Direct Provisions Impacting on International Data Transfers

GDPR:

• Transfers of personal data outside the EU are strictly regulated under Chapter V of the GDPR.
• Transfers to non-EU countries are permitted only if:
1. the destination country has an EU adequacy decision (eg, Japan, UK, Canada);
2. the transfer is governed by Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs); and
3. derogations apply, such as explicit user consent or contractual necessity.
• Impact on cybersecurity – if an ICT provider stores financial or critical infrastructure data outside the EU, data protection authorities may restrict the transfer.

DORA:

• cross-border ICT risk assessment – financial entities must ensure that third-party ICT service providers processing financial data outside the EU comply with EU cybersecurity standards;
• critical ICT providers may be subject to EU regulatory oversight even if headquartered abroad; and
• enforcement of localisation requirements – if an ICT provider cannot ensure compliance with EU security requirements, financial institutions must terminate contracts.

NIS2:

• essential and important entities in critical sectors (eg, energy, telecoms, healthcare, finance) must conduct risk assessments before transferring security-related data outside the EU;
• cross-border cybersecurity incident reporting – entities must report cyber incidents involving non-EU data processing to the ACN; and
• national security exception – if an ICT service provider transfers critical infrastructure data to high-risk jurisdictions, Italian authorities can restrict or block such transfers.

The National Cybersecurity Perimeter Law:

• State and critical infrastructure operators must store and process security-sensitive data within the EU or trusted jurisdictions;
• foreign ICT providers handling Italian government or critical infrastructure data must comply with supply chain security assessments; and
• transfers to non-EU vendors (eg, cloud services) require government approval if involving national security data.

Indirect Provisions Affecting International Data Transfers

Cloud service and ICT provider oversight:

• cloud service providers hosting financial or critical infrastructure data outside the EU are subject to heightened regulatory scrutiny under DORA and NIS2;
• if a cloud provider fails EU compliance tests, financial institutions must discontinue services; and
• DORA’s Oversight Framework for Critical ICT Providers applies extraterritorially, meaning non-EU cloud vendors must comply with EU security rules.

Supply chain cybersecurity and data flow restrictions:

• financial institutions and critical infrastructure operators must vet third-party suppliers that process security-related data abroad;
• regulators may ban or restrict contracts with ICT vendors if cross-border data flows present an unacceptable security risk; and
• NIS2 and the National Cybersecurity Perimeter Law require security audits for non-EU third-party service providers.

Cyber incident notification and international data flows:

• companies reporting a cybersecurity incident under NIS2 must disclose if the breach involves data stored or processed outside the EU;
• financial entities under DORA must report ICT incidents affecting non-EU cloud or service providers to national regulators and EU authorities; and
• failure to properly assess the risks of non-EU data transfers can result in fines, compliance orders or contract termination requirements.

Conclusion

Italy’s regulatory framework restricts and regulates international data transfers through the GDPR, DORA, NIS2 and national cybersecurity laws:

• the GDPR strictly limits personal data transfers to non-EU jurisdictions, allowing them only under specific safeguards;
• DORA and NIS2 impose cybersecurity and operational resilience restrictions on ICT providers handling financial and critical infrastructure data outside the EU; and
• the National Cybersecurity Perimeter Law prevents security-sensitive data from being transferred to high-risk jurisdictions.

These legal provisions ensure that international data transfers do not expose Italy’s financial and critical sectors to cyberthreats, unauthorised access or geopolitical risks.

In Italy, threat-led penetration testing (TLPT) is mandated under DORA, which directly applies to banks, investment firms, insurance companies and other financial sector entities. The Bank of Italy, Consob and IVASS oversee TLPT compliance for financial institutions.

Scope of TLPT Requirements

TLPT is a high-level cybersecurity testing framework designed to simulate real-world cyber-attacks on financial institutions and their critical ICT infrastructure:

• it applies to systemically important financial institutions, including major banks, payment service providers, insurance firms and trading platforms;
• it focuses on high-risk ICT systems supporting essential financial services; and
• ICT third-party providers (eg, cloud computing firms and managed security service providers) may also be subject to TLPT if classified as critical.

Key TLPT Obligations Under DORA

Risk-based TLPT execution:

• financial institutions must conduct TLPT at least every three years on their most critical ICT systems;
• the tests must be tailored to the entity’s specific threat landscape, mimicking advanced persistent threats (APTs) and real-world cyber-attack scenarios; and
• TLPT must be performed by accredited and independent ethical hacking teams.

Regulatory oversight and reporting:

• financial firms must submit TLPT results to national regulators (Bank of Italy, IVASS or Consob);
• if vulnerabilities are discovered, firms must implement remediation measures and report follow-up actions; and
• regulators can mandate additional TLPT cycles if major cybersecurity weaknesses are detected.

Cross-border testing and EU co-ordination:

• financial institutions operating across multiple EU jurisdictions may be required to co-ordinate TLPT with the ESAs (EBA, ESMA, EIOPA); and
• TLPT methodologies must align with TIBER-EU (Threat Intelligence-Based Ethical Red Teaming), the EU-wide cybersecurity testing framework.

Enforcement and Non-Compliance Penalties

Failure to conduct TLPT or address identified vulnerabilities can lead to regulatory sanctions, including fines and operational restrictions.

Non-compliance with TLPT obligations may result in penalties up to 2% of global turnover under DORA.

Regulators may impose mandatory audits, security patches or temporary suspension of ICT services if critical risks are found.

Conclusion

Italy enforces strict TLPT requirements for major financial institutions and their critical ICT providers, ensuring proactive cybersecurity resilience:

• mandatory TLPT every three years for high-risk ICT systems;
• tests must simulate real-world cyber-attacks, aligning with TIBER-EU methodologies; and
• financial regulators oversee TLPT compliance, with penalties for non-compliance.

These measures strengthen digital operational resilience, protecting Italy’s financial sector from advanced cyberthreats and systemic disruptions.

Italy has established a comprehensive cybersecurity and cyber-resilience regulatory framework, aligning with EU Directives and Regulations. The country enforces strict cyber-resilience obligations for critical infrastructure, financial institutions, public administration and private entities handling sensitive data.

The legislative framework is built on:

• 1EU Regulations and Directives, including DORA, NIS2 and the GDPR, which apply directly or require national transposition; and
• 2national cybersecurity laws, such as the National Cybersecurity Perimeter Law (Legislative Decree No 105/2019) and the NIS2 Implementation Law (Legislative Decree No 138/2024).

Core Cyber-Resilience Laws in Italy

The GDPR:

• enforces strict cybersecurity and data protection requirements for organisations handling personal data;
• requires entities to implement technical and organisational security measures, such as encryption, access control and breach notification procedures; and
• imposes severe penalties for security failures, including fines of up to 4% of global turnover.

NIS2:

• strengthens cyber-resilience obligations for essential and important entities, including energy, transport, healthcare, financial services and digital infrastructure;
• mandates risk management frameworks, incident reporting within 24 hours and resilience testing; and
• expands regulatory enforcement and introduces fines for non-compliance of up to EUR10 million or 2% of global turnover.

DORA:

• applies directly to banks, insurance companies, investment firms and crypto-asset providers;
• mandates ICT risk management policies, cyber incident reporting within 72 hours, and TLPT (Threat-Led Penetration Testing) every three years; and
• introduces regulatory oversight for third-party ICT providers, ensuring financial entities only use compliant cloud, data-processing and cybersecurity services.

The National Cybersecurity Perimeter Law:

• establishes security measures for critical infrastructure and public sector IT systems;
• requires government entities and strategic industries (defence, telecommunications, finance, energy) to store sensitive data within the EU and to use trusted ICT providers; and
• enforces mandatory risk assessments and cybersecurity incident response plans.

Cybercrime and national security regulations:

• the Italian Penal Code Articles 615-ter to 640-ter criminalise unauthorised system access, data breaches, and cyberfraud;
• Decree Law No 82/2021 created the ACN, centralising cybersecurity enforcement; and
• the National Cybersecurity Strategy 2022–2026 outlines investment priorities and strategic cybersecurity initiatives.

Enforcement and Supervision of Cyber-Resilience

The ACN enforces NIS2, supervises critical infrastructure security, and co-ordinates cyber crisis response.

The Bank of Italy, IVASS and Consob regulate financial sector cyber-resilience under DORA, ensuring compliance with ICT risk management and testing requirements.

The Italian Data Protection Authority (Garante per la Protezione dei Dati Personali – GPDP) ensures GDPR compliance, personal data security and breach-reporting enforcement.

Future Legislative Developments in Cyber-Resilience

National AI and cybersecurity regulations

The EU AI Act and upcoming EU cybersecurity certification schemes will impose new compliance obligations for AI-driven cybersecurity solutions and critical infrastructure technologies.

Strengthened supply chain security rules

Italy is expected to introduce additional controls on ICT vendors and foreign technology providers, especially in critical sectors such as telecommunications and defence.

Expanded cybercrime enforcement

New measures will increase penalties for cyber-attacks targeting government systems and essential services.

Conclusion

Italy’s cyber-resilience legal framework is one of the most robust in the EU, incorporating the GDPR, NIS2, DORA and national cybersecurity laws;

• regulations apply to a broad range of sectors, ensuring cyber-resilience in critical infrastructure, financial services and data protection;
• national and EU regulators enforce cybersecurity standards, with significant penalties for non-compliance; and
• future legislative developments will strengthen supply chain security, AI governance and cybercrime enforcement.

These measures ensure that Italy’s digital infrastructure remains resilient against cyberthreats, safeguarding economic stability and national security.

Italy enforces strict cyber-resilience obligations across critical infrastructure, financial institutions and data-driven enterprises under EU Regulations (DORA, NIS2, GDPR) and national cybersecurity laws. These obligations ensure ICT risk management, incident reporting, business continuity and regulatory oversight to mitigate cyberthreats and enhance digital resilience.

Cyber-Resilience Obligations Under Existing Legislation

GDPR:

• technical and organisational security measures – organisations handling personal data must implement access controls, encryption and data breach-prevention systems;
• data breach notification – personal data breaches must be reported to GPDP within 72 hours; and
• risk-based security assessment – companies must conduct Data Protection Impact Assessments (DPIAs) for high-risk data-processing activities.

NIS2:

• mandatory cybersecurity measures – essential and important entities must implement risk management frameworks, network security protocols and security monitoring;
• cyber incident reporting – entities must notify the ACN within 24 hours of detecting a significant cybersecurity incident;
• business continuity and recovery planning – organisations must develop incident response and disaster recovery plans, conducting regular resilience testing; and
• third-party risk management – companies must assess ICT suppliers and outsourcing risks, ensuring vendor compliance with security standards.

DORA:

• ICT risk management for financial institutions – banks, insurers, investment firms and crypto-asset service providers must implement strict digital resilience policies;
• cyberthreat monitoring and testing – financial entities must conduct penetration testing, vulnerability assessments and red teaming exercises;
• third-party ICT oversight – ICT vendors supporting financial institutions must comply with DORA’s contractual and security obligations, including cyber incident reporting; and
• threat-led penetration testing (TLPT) – systemically important financial institutions must conduct real-world cyber-attack simulations every three years.

The National Cybersecurity Perimeter Law:

• data localisation requirements – strategic entities must store sensitive data within the EU or in trusted jurisdictions;
• cybersecurity risk assessments – organisations must conduct regular cyber-risk audits and compliance assessments; and
• supply chain security controls – companies must ensure that ICT providers meet national security and cybersecurity standards before engaging in service agreements.

Cyber-Resilience Obligations Under Draft Legislation and Future Regulations

EU AI Act (Draft):

• AI cybersecurity and risk management – AI-driven cybersecurity tools must meet strict risk classification, transparency and security measures; and
• cybersecurity auditing and testing for high-risk AI systems – AI models used in critical infrastructure or financial operations will require external validation and regulatory oversight.

Cyber-Resilience Act (Draft – Proposed by the European Commission):

• cybersecurity certification for ICT products – manufacturers of hardware, software and cloud services must obtain EU-wide cybersecurity certification;
• mandatory security updates and patch management – companies must provide continuous security updates to address vulnerabilities; and
• penalties for non-compliance – firms failing to meet cyber-resilience requirements may face severe regulatory sanctions.

Strengthened supply chain cybersecurity rules (upcoming national reforms):

• increased scrutiny of foreign ICT vendors – Italy plans to impose additional restrictions on non-EU cloud and telecommunications providers; and
• expanded cybersecurity requirements for SMEs – more SMEs may be included under mandatory NIS2 compliance.

Key enforcement mechanisms and penalties are as follows.

• Regulatory audits and compliance inspections – the ACN, Bank of Italy, IVASS and Consob enforce cyber-resilience measures through periodic audits.
• Financial penalties:
1. up to EUR10 million or 2% of global turnover for NIS2 non-compliance;
2. up to 4% of global turnover for GDPR violations; and
3. operational restrictions or contract termination orders under DORA for non-compliant ICT providers.
• Incident response enforcement – regulatory authorities can impose remediation measures if cyber incidents expose vulnerabilities in financial or critical infrastructure systems.

Conclusion

Italy’s cyber-resilience obligations are among the most stringent in the EU, covering critical infrastructure, financial institutions and digital service providers:

• existing laws (NIS2, DORA, GDPR) mandate cybersecurity risk management, threat monitoring and supply chain security;
• future regulations (the Cyber-Resilience Act, the AI Act) will expand cybersecurity requirements to cover AI and ICT products; and
• regulatory enforcement ensures compliance, with severe penalties for security failures.

These measures fortify national cybersecurity resilience, protect critical services from cyberthreats and ensure compliance with evolving EU Regulations.

Italy’s cybersecurity and cyber-resilience legal framework is shaped by EU Regulations, national laws and sector-specific rules that govern data protection, critical infrastructure security, financial sector resilience and cybercrime prevention.

The GDPR:

• applies to all organisations processing personal data in Italy;
• imposes strict security obligations, including encryption, access controls and breach reporting;
• requires notification of personal data breaches within 72 hours; and
• is enforced by the GPDP.

NIS2:

• expands cybersecurity obligations for essential and important entities in critical infrastructure sectors;
• mandates risk management frameworks, security monitoring and cyber incident reporting within 24 hours;
• establishes severe penalties for non-compliance (up to EUR10 million or 2% of global turnover); and
• is enforced by the Agency for National Cybersecurity (ACN).

DORA:

• applies to banks, investment firms, insurers, crypto-asset providers and third-party ICT service providers;
• requires ICT risk management, penetration testing (TLPT) and cyber incident reporting within 72 hours;
• introduces regulatory oversight for cloud providers and ICT vendors supporting financial firms; and
• is enforced by the Bank of Italy, Consob and IVASS.

The National Cybersecurity Perimeter Law:

• establishes cybersecurity obligations for government entities and national critical infrastructure operators;
• requires data localisation and supply chain security assessments for ICT providers;
• imposes mandatory risk assessments and cybersecurity compliance audits; and
• is enforced by the ACN and National Cybersecurity Incident Response Team (CSIRT Italia).

Cybercrime and digital security laws:

• the Italian Penal Code (Articles 615-ter to 640-ter) criminalises unauthorised access, data breaches and cyberfraud;
• Decree Law No 82/2021 created the ACN to centralise cybersecurity governance; and
• Legislative Decree No 231/2001 introduces corporate liability for cybersecurity failures.

Upcoming and draft legislation:

• the Cyber-Resilience Act (EU Draft) will impose mandatory security updates and cybersecurity certification for ICT products;
• the AI Act (EU Draft) will regulate AI-driven cybersecurity tools and risk management systems; and
• the National Supply Chain Security Rules (Upcoming Reforms) are expected to restrict high-risk foreign ICT providers in critical sectors.

Conclusion

Italy enforces a multi-layered cybersecurity legal framework, ensuring:

• strong data protection (GDPR);
• critical infrastructure resilience (NIS2, the National Cybersecurity Perimeter Law);
• financial sector cybersecurity (DORA); and
• cybercrime prevention and ICT vendor oversight.

Future laws will further enhance cyber-resilience, AI security and supply chain protection, reinforcing Italy’s national and EU-wide cybersecurity defences.

Italy enforces strict cybersecurity obligations under the GDPR and national data protection laws. These rules require organisations processing personal data to implement technical and organisational security measures to prevent data breaches, unauthorised access and cyberthreats.

Key Cybersecurity Obligations Under the GDPR

Risk-based security measures (Article 32, GDPR)

Organisations must implement appropriate technical and organisational security measures based on data sensitivity and processing risks.

Required measures include:

• data encryption and pseudonymisation to protect personal information;
• access controls and multi-factor authentication (MFA) to limit unauthorised access; and
• regular cybersecurity audits and vulnerability assessments.

Data breach notification (Articles 33 & 34, GDPR)

Organisations must report personal data breaches to the GPDP within 72 hours.

If the breach poses a high risk to individuals, the organisation must also notify affected data subjects without delay.

Security of processing (Article 25, GDPR – Privacy by Design and by Default)

Organisations must integrate cybersecurity protections from the outset of data-processing activities.

Systems must be configured to minimise data collection, restrict access and ensure secure storage.

Third-party risk management

Companies using cloud services, external data processors or ICT vendors must ensure contractual compliance with GDPR security requirements.

Data-processing agreements (DPAs) must include security guarantees, incident-reporting procedures and compliance obligations.

Enforcement and Penalties for Non-Compliance

Severe GDPR fines apply for cybersecurity failures:

• up to EUR20 million or 4% of global turnover for major violations; and
• additional penalties for failing to report data breaches or lack of adequate security measures.

The GPDP conducts security audits, issues compliance orders and enforces corrective measures.

Conclusion

Italy’s data protection cybersecurity obligations require organisations to implement strong security controls, monitor risks and report breaches. Failure to comply can result in significant financial penalties and regulatory actions, reinforcing the importance of robust cybersecurity practices in data-processing activities.

Italy follows EU-wide regulations on AI security and cybersecurity obligations, with upcoming AI-specific laws under the Artificial Intelligence Act (AI Act - EU Draft). Currently, AI systems must comply with GDPR, NIS2, and cybersecurity best practices, ensuring data protection, algorithmic security, and resilience against cyberthreats.

AI Security and Risk Management Obligations

General cybersecurity requirements (the GDPR and NIS2):

• AI systems handling personal data must integrate privacy-by-design principles, ensuring secure data storage, access controls and encryption;
• organisations using AI in critical infrastructure (eg, finance, healthcare, defence) must implement cybersecurity risk assessments; and
• regular penetration testing and AI model security audits are required to prevent data poisoning, adversarial attacks and unauthorised access.

Upcoming AI Act cybersecurity obligations (EU Draft):

• high-risk AI systems (used in finance, biometric identification, law enforcement, etc) must meet strict cybersecurity standards;
• mandatory AI security testing, logging and real-time monitoring to detect cyberthreats and unauthorised modifications; and
• AI developers must conduct adversarial testing to prevent exploitation of machine-learning vulnerabilities.

AI Supply Chain and Third-Party Security Obligations

Cloud AI services and external AI vendors must meet cybersecurity certification standards before integration.

Financial and critical sectors using AI for fraud detection or automated decision-making must comply with DORA and NIS2 security controls.

AI Cybersecurity Enforcement and Compliance

The GPDP enforces AI security compliance under the GDPR.

The ACN will oversee AI-related cyber-risks under NIS2.

Violations of AI cybersecurity standards could lead to penalties similar to GDPR fines (up to 4% of global turnover).

Conclusion

Italy’s AI cybersecurity obligations focus on risk management, data security and adversarial resilience. Future EU AI Act regulations will further tighten cybersecurity requirements for high-risk AI systems, ensuring robust security frameworks and regulatory enforcement.

Italy enforces strict cybersecurity obligations for the healthcare sector under GDPR, NIS2, and national health data protection laws. These regulations ensure secure processing, storage, and transmission of sensitive health data, protecting medical institutions from cyberthreats, data breaches, and unauthorised access.

Key Cybersecurity Obligations Under Healthcare Regulations

GDPR:

• healthcare providers and medical institutions must implement technical and organisational security measures to protect sensitive personal health data (special category data under the GDPR);
• mandatory encryption, access control and anonymisation for patient records; and
• breach notification within 72 hours to the GPDP if a medical data breach occurs.

NIS2:

• hospitals, laboratories and digital healthcare services are classified as “essential entities” and must implement robust cybersecurity risk management;
• 24-hour incident reporting requirement to ACN for cyber-attacks affecting healthcare operations; and
• regular cybersecurity audits, resilience testing and supply chain security assessments are mandatory.

Electronic Health Record (EHR) and telemedicine regulations:

• digital medical records and e-prescription systems must comply with secure data storage and transmission standards; and
• healthcare IoT devices and telemedicine platforms must include built-in cybersecurity protections to prevent remote hacking and patient data breaches.

Cybersecurity Compliance and Enforcement

The Italian Ministry of Health and GPDP oversee compliance with health data security regulations.

Non-compliance with healthcare cybersecurity laws can result in fines of up to EUR20 million or 4% of global turnover under the GDPR.

The ACN enforces cybersecurity resilience for hospitals and digital health providers under NIS2.

Conclusion

Italy’s healthcare cybersecurity laws impose strict data protection, network security and incident-reporting requirements. Hospitals, medical institutions and digital health services must comply with the GDPR and NIS2 to ensure patient data confidentiality, system resilience and regulatory compliance.