Cybersecurity 2025

ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting

tant entities (postal services, manufacturing, food, waste management and research sectors);
• applies to medium and large enterprises within these sectors but allows member states to include smaller entities if their cybersecurity risk profile is significant; and
• introduces supply chain obligations, meaning ICT service providers that support critical infrastructure operations are now directly regulated under the Directive.

Key obligations:
• requires implementation of cybersecurity risk management measures, including network security controls, access management and business continuity planning;
• mandates incident reporting within 24 hours of detection for significant cyber events; and
• establishes supervisory and enforcement mechanisms, with severe penalties for non-compliance (up to 2% of an entity’s global turnover).

Scope of Application Under the U.S. Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA, 2022)

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA, 2022), enacted in the United States, establishes mandatory cybersecurity incident-reporting obligations for critical infrastructure operators under the oversight of the Cybersecurity and Infrastructure Security Agency (CISA).

Entities covered:
• covers critical infrastructure sectors designated under Presidential Policy Directive 21 (PPD-21), including communications, financial services, healthcare, energy, defence, transportation and government facilities;
• applies to any organisation providing essential services to national security, the economy or public safety; and
• unlike NIS2, it does not use size-based criteria, meaning small and medium-sized enterprises (SMEs) can be covered if they support critical infrastructure.

Key obligations:
• requires reporting of cyber incidents within 72 hours and ransomware payments within 24 hours;
• mandates compliance with information-sharing provisions, allowing CISA to disseminate threat intelligence to affected industries; and
• grants legal protections to reporting entities, reducing liability risks associated with disclosing cyber incidents.

Uncertainties in the Interpretation of the Scope

Despite the clear intent to improve cybersecurity resilience, both NIS2 and CIRCIA face interpretational uncertainties that could affect their practical enforcement.

Defining “Significant” Incidents

NIS2 requires entities to report “significant incidents” but leaves room for interpretation in defining what qualifies as significant. The regulation considers impact on operations, users and the economy, but lacks precise thresholds. CIRCIA mandates reporting for “substantial” cyber incidents but does not clearly define how severity and material impact should be assessed, leading to potential underreporting or overreporting.
