ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting
public administration, telecommunications, energy, finance and health sectors;
• requires entities operating in strategic sectors to implement risk management measures, conduct security assessments and report cybersecurity incidents to the Agency for National Cybersecurity (ACN); and
• introduces strict vendor requirements, limiting the use of foreign technology suppliers in critical ICT systems.

DORA (Regulation (EU) 2022/2554):
• applies to financial sector entities, including banks, investment firms, insurance companies and ICT service providers;
• establishes harmonised cybersecurity and risk management requirements, mandating that firms implement robust ICT security measures and ensure resilience against cyberthreats;
• imposes mandatory testing and incident-reporting obligations, requiring financial entities to assess their operational resilience through cybersecurity stress tests; and
• introduces third-party risk-management rules, ensuring financial institutions properly assess and monitor risks arising from outsourced ICT services.

The NIS2 Directive (Directive (EU) 2022/2555 and Legislative Decree No 138/2024):
• expands the scope of cybersecurity obligations to a broader range of critical and essential sectors, including energy, transport, banking, health and digital infrastructure;
• requires enhanced security measures, such as risk management policies, network security controls and business continuity planning;
• strengthens incident-reporting obligations, requiring companies to notify cybersecurity authorities of significant incidents within 24 hours of detection; and
• introduces stricter enforcement mechanisms, including fines and sanctions for non-compliance.

The GDPR (Regulation (EU) 2016/679):
• establishes a comprehensive framework for data protection and cybersecurity across the EU;
• imposes strict security obligations on organisations processing personal data, including encryption, access controls and data breach notification requirements;
• mandates privacy by design and by default, ensuring cybersecurity measures are integrated into ICT systems from the outset; and
• requires organisations to report personal data breaches to the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) within 72 hours.

Italy’s cybersecurity regulatory framework is designed to ensure digital resilience, protect national security and safeguard personal data. The combined effect of NIS2, DORA, the Cybersecurity Perimeter Law and the GDPR establishes strict obligations for organisations across multiple sectors, reinforcing the country’s defence against cyberthreats and data breaches.

1.3 Cybersecurity Regulators
Main Cybersecurity Regulators in Italy
Italy’s cybersecurity regulatory landscape is structured around several key authorities responsible for cybersecurity governance, critical infrastructure protection, financial sector resilience and data protection. The main regulatory bodies are:
• the ACN;