ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting
1. General Overview of Laws and Regulators

1.1 Cybersecurity Regulation Strategy

National Cybersecurity Strategy

Italy has developed a structured cybersecurity strategy aimed at strengthening national resilience against cyberthreats, protecting critical infrastructures and ensuring the security of digital services. The strategy aligns with Directive (EU) 2022/2555, known as the NIS2 Directive, which is transposed into Italian law by Legislative Decree No 138 of 2024.

The Agency for National Cybersecurity (ACN) is the principal authority overseeing cybersecurity at the national level. Established in 2021, it co-ordinates national and European cybersecurity policies, enhances co-operation between public and private entities, and ensures compliance with regulatory requirements.

The objectives of cybersecurity regulation are as follows:

• enhancing national security by strengthening the resilience of digital and network infrastructures against cyber-attacks, particularly in critical sectors such as energy, telecommunications and finance;
• protecting critical infrastructure by ensuring that essential service providers implement robust security measures in line with the NIS2 Directive and Implementing Regulation (EU) 2024/2690;
• regulating digital resilience through the Digital Operational Resilience Act (DORA), which sets strict requirements for financial sector entities regarding information and communication technology (ICT) risk management;
• ensuring incident reporting and response by mandating timely notification of significant cybersecurity incidents to national authorities and fostering a co-ordinated response to mitigate risks; and
• promoting cybersecurity standards by requiring organisations to adopt internationally recognised security frameworks such as ISO/IEC 27001 and ISO/IEC 27002, which are referenced in Italian cybersecurity regulations.

Cybersecurity regulation in Italy is continuously evolving to address emerging threats and align with EU and international best practices. It is paramount to consider that Italy has implemented the Perimetro di Sicurezza Nazionale Cibernetica (PSNC), the National Cybersecurity Perimeter, which gives effect to all of the principles listed above. The legal framework reinforces proactive risk management, fosters digital trust, and ensures the resilience of national infrastructures in the face of increasingly sophisticated cyberthreats.

1.2 Cybersecurity Laws

Italy's cybersecurity legal framework is based on a combination of EU regulations and national laws that govern critical infrastructure protection, digital resilience, data protection, and cybersecurity obligations for public and private entities. The primary legislative instruments include:

• the National Cybersecurity Perimeter Law;
• DORA (Regulation (EU) 2022/2554);
• the NIS2 Directive, as transposed by Legislative Decree No 138/2024; and
• the General Data Protection Regulation (GDPR).

The National Cybersecurity Perimeter Law (Decree-Law No 105/2019, converted into law by Law No 133/2019):

• establishes a national cybersecurity perimeter to protect critical infrastructures, including