Cybersecurity 2025

ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting

Conclusion

Italy's cybersecurity regulatory framework is based on a multi-agency approach, ensuring comprehensive oversight of cybersecurity risks across different sectors:
• the ACN regulates national cybersecurity policies and critical infrastructure protection;
• CSIRT Italia handles incident response and cyberthreat intelligence;
• the Bank of Italy and financial regulators enforce financial sector cybersecurity under DORA; and
• the GPDP ensures cybersecurity compliance for data protection under the GDPR.

Together, these regulatory bodies ensure that Italy's digital infrastructure remains resilient, cyber-risks are effectively mitigated and organisations comply with strict security standards.

2. Critical Infrastructure Cybersecurity

2.1 Scope of Critical Infrastructure Cybersecurity Regulation

Scope of Application Under the NIS2 Directive

The NIS2 Directive establishes a harmonised cybersecurity framework across the EU, imposing strict security and incident reporting requirements on a broad set of critical and essential entities.

Entities covered:
• NIS2 expands beyond the original NIS Directive (Directive (EU) 2016/1148) to cover a wider range of sectors, including essential entities (energy, transport, banking, healthcare, public administration and digital infrastructure) and impor-

Scope of authority:
• applies to all regulated financial entities, including banks, insurance companies and payment service providers;
• regulates outsourcing of ICT services, ensuring compliance with third-party cybersecurity standards; and
• works with the European Central Bank (ECB), European Banking Authority (EBA) and European Securities and Markets Authority (ESMA) on financial cybersecurity policies.

GPDP

Role and functions:
• enforces GDPR compliance in Italy;
• investigates personal data breaches, unauthorised access and cybersecurity failures affecting personal information;
• imposes fines and sanctions for non-compliance with data protection and cybersecurity regulations; and
• provides guidance on privacy-enhancing cybersecurity measures, including encryption, secure authentication and access control frameworks.

Scope of authority:
• covers all entities processing personal data, including public institutions, businesses and online service providers;
• mandates notification of personal data breaches to the GPDP within 72 hours of the controller becoming aware of them, ensuring rapid response to cybersecurity incidents affecting personal data; and
• works with the European Data Protection Board (EDPB) and other European regulators on cross-border cybersecurity investigations.

