ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting
those in defence, telecommunications, energy and public administration.

Incident reporting timeline:
• immediate notification – entities must immediately report any suspected cybersecurity breach affecting national security to the ACN and the National Cybersecurity Incident Response Team (CSIRT Italia);
• 48-hour follow-up report – a more detailed report must be provided, specifying affected systems, attack vectors and initial containment measures; and
• final remediation report – organisations must submit a comprehensive incident analysis, including recovery steps taken.

Key obligations:
• operators must establish real-time monitoring and detection mechanisms to identify cybersecurity threats; and
• they must co-operate with government agencies during national cybersecurity emergencies.

Enforcement and penalties:
• non-compliance with notification obligations may result in severe financial penalties and operational restrictions; and
• the ACN has the authority to audit and enforce cybersecurity resilience measures in critical sectors.

Notification Requirements Under DORA for Financial Entities
DORA imposes specific cybersecurity reporting requirements on banks, insurance companies, investment firms and financial service providers.
Incident reporting timeline:
• within four hours – financial institutions must notify their national supervisory authority if an incident is deemed severe;
• within 24 hours – a preliminary impact assessment must be submitted, detailing the scale of the disruption and affected systems; and
• within 72 hours – a detailed incident report must be provided, including technical analysis, forensic findings and recovery strategies.

Criteria for Reporting
Incidents must be reported if they:
• disrupt financial transactions, banking operations or stock market activities;
• affect payment processing, fund transfers or critical ICT infrastructure; and
• have cross-border implications within the EU financial sector.

Regulatory Oversight
The Bank of Italy, Consob and IVASS oversee DORA compliance in Italy. Financial institutions failing to report incidents face regulatory sanctions and potential suspension of operations.

Conclusion
Italy’s cybersecurity notification framework is one of the most stringent in the EU, requiring rapid incident reporting, real-time threat monitoring and co-ordinated response mechanisms.
• NIS2 mandates a structured incident-reporting process for critical infrastructure operators, with severe penalties for non-compliance;