ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting
• the National Cybersecurity Incident Response Team (CSIRT Italia);
• the Bank of Italy (Banca d'Italia) and the financial supervisory authorities; and
• the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali – GPDP).

ACN

Role and functions:
• established in 2021, the ACN is Italy's central authority for cybersecurity governance, risk management and national defence against cyberthreats;
• implements Legislative Decree No 138/2024, which transposes the NIS2 Directive, and oversees the National Cybersecurity Perimeter Law (Decree No 105/2019);
• develops the National Cybersecurity Strategy and ensures compliance with risk management frameworks and security protocols;
• conducts security audits, vulnerability assessments and cyber-resilience exercises for critical infrastructure operators; and
• collaborates with EU cybersecurity agencies, NATO and international organisations on cybersecurity policies and threat intelligence sharing.

Scope of authority:
• enforces NIS2 and National Cybersecurity Perimeter obligations on public entities, essential service providers and high-risk industries;
• regulates security standards for ICT supply chains, including vendor approval processes for critical infrastructures; and
• oversees cyber incident reporting and response for regulated sectors, ensuring real-time co-ordination during cyber crises.

CSIRT Italia

Role and functions:
• operates as Italy's national Computer Security Incident Response Team (CSIRT) under the ACN's authority;
• provides early warning and response co-ordination for cyber incidents affecting critical infrastructures and public entities;
• develops threat intelligence and cybersecurity advisories, informing organisations of emerging cyberthreats and vulnerabilities; and
• assists in incident containment, mitigation and forensic analysis following major cyber-attacks.

Scope of authority:
• covers government agencies, national critical infrastructures and private entities subject to NIS2 regulations; and
• co-ordinates with the EU CSIRTs Network, ENISA and international cybersecurity agencies on cross-border cyberthreats.

Bank of Italy and Financial Supervisory Authorities

Role and functions:
• enforces cyber-resilience requirements for financial institutions under DORA;
• oversees ICT risk management in banks, insurance companies, investment firms and financial service providers;
• conducts digital resilience testing, ICT audits and third-party risk assessments for financial entities; and
• implements financial sector cybersecurity stress tests and cyber incident reporting frameworks.
132 CHAMBERS.COM