ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting
Non-compliance with cybersecurity obligations can result in severe penalties, including fines of up to 2% of global turnover. Authorities have the power to impose remediation measures or restrict ICT operations if security risks are not properly managed.

Conclusion

Italy’s cybersecurity regulations establish a robust legal framework to protect critical infrastructure from cyberthreats. These requirements focus on risk management, incident reporting, resilience planning, supply chain security and regulatory supervision. Organisations operating in critical sectors must adhere to strict security standards to ensure national security, economic stability and public safety.

2.3 Incident Response and Notification Obligations

Italy imposes strict cybersecurity incident notification obligations on critical infrastructure owners and operators under the NIS2 Implementation Law, the National Cybersecurity Perimeter Law and DORA. These laws establish mandatory reporting frameworks to ensure rapid response to cyber incidents, minimise disruptions and enhance national cybersecurity resilience.

Notification Requirements Under NIS2 (Legislative Decree No 138/2024)

The NIS2 Directive introduces a harmonised cyber incident reporting framework for critical and essential service providers operating in sectors such as energy, transport, banking, healthcare and public administration.

Entities covered:
• essential and important entities defined under NIS2, including critical infrastructure operators, ICT service providers and public sector entities; and
• third-party ICT service providers that support critical infrastructure operations.

Incident reporting timeline:
• within 24 hours – operators must submit an early warning notification to ACN if they detect a potentially significant cybersecurity incident;
• within 72 hours – a formal incident report must be submitted, including details on the attack vector, impact assessment and immediate mitigation measures; and
• within one month – a final report must be provided, outlining post-incident forensic analysis and lessons learned.

Criteria for Reporting

An incident must be reported if it:
• significantly disrupts the availability, integrity or confidentiality of essential services;
• causes substantial economic or operational damage to the affected entity; and
• has cross-border implications, affecting other EU member states.

Penalties for Non-Compliance

Failure to report cyber incidents may result in fines of up to 2% of an entity’s global turnover. The ACN can impose corrective measures, audits or operational restrictions if an organisation fails to comply.

Notification Requirements Under the National Cybersecurity Perimeter Law (Legislative Decree No 105/2019)

This law applies to operators of critical infrastructure and strategic national entities, such as
137 CHAMBERS.COM