Cybersecurity 2025

ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting

• the National Cybersecurity Perimeter Law imposes additional security obligations on entities deemed essential to national security and defence; and
• DORA establishes financial sector-specific reporting requirements to ensure cyber-resilience in banking, insurance and financial markets.

These laws ensure that Italy’s critical infrastructure remains resilient, cyberthreats are swiftly addressed and government agencies can co-ordinate effective cyber crisis responses.

2.4 State Responsibilities and Obligations

Italy has established a national cybersecurity framework that assigns clear responsibilities to state authorities for resilience building and cyberthreat identification. These responsibilities are defined under the NIS2 Implementation Law, the National Cybersecurity Perimeter Law and DORA.

National Cyber-Resilience Responsibilities

The Italian state is responsible for strengthening the cybersecurity resilience of critical infrastructure, essential service providers and public sector entities. These responsibilities include the following.

Developing and enforcing cybersecurity policies

The ACN is tasked with defining and implementing the National Cybersecurity Strategy, aligning with EU Regulations and international best practices.

The government establishes sector-specific cybersecurity regulations, ensuring that energy, telecommunications, healthcare, finance and public administration sectors comply with risk management requirements.

Supervising critical infrastructure cybersecurity compliance

The ACN conducts regular cybersecurity audits and risk assessments for national critical infrastructure operators.

Operators of essential services must submit cyber-risk management plans to demonstrate resilience preparedness.

The ACN can impose corrective measures and penalties if an entity fails to implement required cybersecurity measures.

Establishing cyber incident response capabilities

CSIRT Italia (the National Cybersecurity Incident Response Team) co-ordinates real-time threat response and mitigation for national security threats.

The State facilitates public-private collaboration on cybersecurity best practices, ensuring that private sector entities share threat intelligence with national authorities.

Italy participates in EU-wide cybersecurity initiatives, including the EU Cyber Crisis Liaison Organisation Network (EU-CyCLONe) for rapid cyber crisis management.

National Cyberthreat Identification and Intelligence-Sharing Responsibilities

The Italian government plays a proactive role in identifying, analysing and mitigating cyberthreats at the national level.
