Cybersecurity 2025

ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting

Material Scope of Application

DORA applies to a broad range of financial entities and their third-party ICT service providers, ensuring that digital resilience measures extend throughout the financial supply chain.

Financial entities covered:
• banks and credit institutions;
• investment firms and asset managers;
• insurance and reinsurance companies;
• payment institutions and e-money firms;
• crypto-asset service providers (CASPs) under MiCA; and
• central securities depositories and financial market infrastructures.

Third-party ICT providers covered:
• cloud service providers, data centres and cybersecurity firms that support financial operations; and
• managed service providers (MSPs) offering IT, software or infrastructure services to financial institutions.

Key regulatory requirements:
• mandatory ICT risk management framework, including business continuity planning and cyber incident response;
• obligatory cyber incident reporting within 72 hours to national financial regulators;
• regular penetration testing and digital operational resilience testing to ensure financial stability; and
• oversight of third-party ICT service providers, requiring contractual risk management measures.

Territorial Scope of Application

DORA applies to all financial entities operating within the EU, including:
• entities headquartered in Italy – all financial institutions and ICT service providers based in Italy fall directly under DORA’s jurisdiction;
• EU branches of foreign financial institutions – non-EU firms operating in Italy through subsidiaries must comply with DORA’s ICT risk management and reporting obligations; and
• third-country ICT providers servicing EU financial firms – non-EU technology firms that offer ICT services to European financial institutions are subject to DORA’s Oversight Framework for Critical ICT Providers, requiring them to adhere to EU cybersecurity standards.

The Bank of Italy, Consob and IVASS are responsible for DORA’s enforcement in Italy, ensuring that financial institutions meet digital resilience obligations and remain operationally secure against cyberthreats.

3.2 ICT Service Provider Contractual Requirements

Under DORA, Italy enforces strict contractual obligations for ICT service providers that support financial sector operations. These requirements aim to ensure resilience, security and accountability in the supply chain of banks, investment firms, insurance companies and other financial entities.

Definition of ICT Service Providers in Italy

DORA defines ICT service providers as third-party entities offering digital, information technology or cybersecurity services to financial institutions. This includes:
• cloud service providers (IaaS, PaaS, SaaS);

141 CHAMBERS.COM
