Cybersecurity 2025

ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting

legal instruments governing cybersecurity for critical infrastructure include:

• Legislative Decree No 138/2024 (the “NIS2 Implementation Law”);
• Legislative Decree No 105/2019 (the “National Cybersecurity Perimeter Law”); and
• Regulation (EU) 2022/2554 (DORA) for financial infrastructure.

These laws impose strict cybersecurity obligations on critical infrastructure operators across energy, telecommunications, financial services, healthcare, transportation and public administration.

Key Cybersecurity Requirements

Risk management and security measures are as follows.

• Critical infrastructure operators must implement risk management frameworks to identify, assess and mitigate cyber-risks.
• Companies must apply technical and organisational security measures, including:
  (a) network and information system security controls;
  (b) multi-factor authentication and access control policies;
  (c) regular vulnerability assessments and penetration testing; and
  (d) data encryption and secure communication protocols.

Cyber Incident Reporting Obligations

Entities covered under the NIS2 Directive must report significant cybersecurity incidents to the Agency for National Cybersecurity (ACN) within 24 hours of detection.

Financial institutions regulated under DORA must report major ICT disruptions or cyber incidents to supervisory authorities within 72 hours. Organisations must provide a detailed incident analysis, including the impact, response measures and mitigation strategies.

Business Continuity and Resilience Planning

Operators must maintain cyber-resilience plans, ensuring their ability to continue operations during cyber disruptions. Companies must conduct regular stress tests and resilience exercises to evaluate their preparedness against cyber-attacks. The use of back-up systems, redundancy mechanisms and disaster recovery protocols is mandatory for ensuring operational continuity.

Supply Chain Security and Third-Party Risk Management

Organisations must assess and monitor cybersecurity risks posed by third-party ICT service providers. Under DORA, financial entities must implement contractual cybersecurity requirements for ICT suppliers, including incident-reporting clauses and security audit rights. Critical infrastructure operators are required to verify the security posture of external vendors before integrating their services.

Compliance and Supervision

The ACN conducts regular inspections and audits to verify compliance with cybersecurity laws.
