Cybersecurity 2025

ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting

Inclusion of SMEs and Supply Chain Entities
NIS2 explicitly covers only medium and large enterprises, but allows member states to extend regulations to smaller entities based on risk. This could lead to fragmentation across EU jurisdictions, where some countries impose stricter obligations than others.

CIRCIA applies to all entities supporting critical infrastructure, regardless of size, but does not clarify the thresholds for third-party ICT providers, leaving uncertainty for vendors and subcontractors.

Cross-Border Enforcement and Jurisdictional Overlaps
NIS2 faces challenges in cross-border enforcement, especially for multinational companies operating in multiple EU member states. National cybersecurity authorities may interpret enforcement differently, leading to inconsistent compliance burdens.

CIRCIA’s reporting obligations may conflict with state-level cybersecurity laws, particularly in California and New York, which have separate breach notification requirements. This creates regulatory duplication and compliance complexity.

Interaction with Other Regulations (GDPR, DORA and National Laws)
In the EU, NIS2 overlaps with GDPR and DORA, raising questions about regulatory precedence. If a cyber incident involves both personal data breaches and operational disruptions, organisations must report separately to the Data Protection Authority and the Cybersecurity Authority, increasing compliance complexity.

In the USA, CIRCIA intersects with sector-specific regulations, such as:
• HIPAA (for healthcare cybersecurity);
• FISMA (for government agencies); and
• SEC cybersecurity rules (for public companies).

Companies subject to multiple regimes may face conflicting reporting timelines and obligations.

Conclusion
While NIS2 and CIRCIA mark significant steps in enhancing critical infrastructure cybersecurity, interpretational uncertainties remain, particularly in defining reportable incidents, the scope of covered entities and enforcement across jurisdictions:
• the EU’s NIS2 Directive focuses on harmonisation but allows flexibility, leading to potential national divergences in scope and application; and
• the USA’s CIRCIA law prioritises rapid incident response but lacks clear criteria for inclusion, creating compliance uncertainties for smaller entities and third-party service providers.

Future regulatory clarifications, sector-specific guidance and international co-operation will be critical to ensuring uniform enforcement and effective cybersecurity protections.

2.2 Critical Infrastructure Cybersecurity Requirements
Italy has adopted a comprehensive regulatory framework to ensure the cybersecurity resilience of critical infrastructure, aligning with EU legislation such as the NIS2 Directive and DORA, as well as national cybersecurity laws. The main
