ITALY Trends and Developments Contributed by: Giuseppe Fornari, Enrico Di Fiorino, Emanuele Angiuli and Lorena Morrone, Fornari e Associati
that these entities comply with the Directive’s requirements. • Scope of application: in addition to the sectors already covered by the NIS1 Direc - tive (such as energy, transport, healthcare, finance, water resource management and digital infrastructure), the NIS2 Directive intro - duces: (a) new sectors subject to cybersecurity obligations, classified as either “highly critical” or “critical” ; (b) new categories of entities, classified as “essential” or “important” , based on their significance within the sector or the type of services they provide; and (c) medium and large entities in critical sec - tors must adopt adequate cybersecurity risk management measures and report significant incidents to national compe - tent authorities (ie, incidents that may cause major disruptions or damage). • Supervisory measures: the NIS2 Directive introduces stricter oversight mechanisms and a more severe sanctioning regime, aiming to strengthen mutual trust and cybersecurity capacities across the EU. • Liability of senior management: the Direc - tive establishes senior management liability for non-compliance with cybersecurity risk management measures, thereby encouraging corporate governance bodies to actively and continuously engage in cybersecurity-related decision-making. • Cybersecurity response networks: the Direc - tive establishes a network of computer secu - rity incident response teams (CSIRTs), tasked with sharing information on cyber threats and managing cyber-incidents. Furthermore, it creates the European Cyber Crisis Liai - son Organisation Network (EU-CyCLONe) to facilitate the exchange of information among member states and EU institutions in
the event of large-scale cyber-incidents and crises. Corporate Vicarious Liability (Legislative Decree No 231/2001) Law No 90/2024 has added a new crime to the list of offences triggering company liability: “Cyber-extortion” (Section 629(3) of the Italian Criminal Code). The crime of “cyber-extortion” punishes “anyone who, through the conduct described in Sections 615-ter (“ Unauthorized access to a computer or telematic system ”), 617-quarter (“ Unlawful interception, obstruction or disruption of com - puter or telematic communications ”), 617-sex - ies (“ Forgery, alteration, or suppression of the content of computer or telematic communica - tions ”), 635-bis (“ Damage to information, data and computer programs ”), 635-quarter (“ Dam - age to computer or telematic systems ”) and 635-quinquies (“ Damage to computer or telem - atic systems of public interest ”), or through the threat of committing such acts, forces another person to act or refrain from acting, obtaining an unjust profit for themselves or others to the detriment of the victim” . The legislature, through the introduction of the crime of “cyber-extortion” among the offences triggering the liability of a company, aims to counter the concerning phenomenon of “ran- somware” , a type of virus that blocks user access to files and demands a sum of money in exchange, usually in cryptocurrencies. Entities convicted of “cyber-extortion” are sub- ject to disqualifying sanctions, including the possibility of being banned from conducting business for a period of no less than two years. This provision underscores the legislature’s focus on preventing these crimes, which pose
235 CHAMBERS.COM
Powered by FlippingBook