ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting
• data centres and hosting providers;
• cybersecurity firms (managed security services, threat intelligence, incident response);
• software vendors and fintech providers;
• telecommunications providers supporting financial transactions; and
• artificial intelligence and automation service providers used in financial risk management.

If an ICT provider delivers essential digital services to financial entities, it falls under DORA’s oversight framework, requiring compliance with contractual and risk management obligations.

Contractual Requirements for ICT Service Providers Under DORA

Financial institutions in Italy must ensure that contracts with ICT service providers include specific provisions on risk management, security and resilience.

Mandatory Contractual Clauses

Security and risk management standards:
• ICT providers must implement strong cybersecurity measures, including encryption, access control and data protection mechanisms; and
• compliance with ISO/IEC 27001, NIST frameworks and other EU cybersecurity standards is required.

Business continuity and incident response obligations:
• contracts must include service-level agreements (SLAs) for disaster recovery, back-up availability and cybersecurity incident handling; and
• ICT providers must conduct regular resilience testing and provide results to financial regulators.

Incident reporting and notification requirements:
• ICT providers must report cyber incidents and disruptions to financial institutions within 24 hours; and
• financial institutions must then notify the Bank of Italy, IVASS or Consob under DORA’s 72-hour reporting obligation.

Audit rights and compliance monitoring:
• financial institutions must have the right to audit ICT providers to assess compliance with operational resilience requirements; and
• regulatory authorities may conduct independent supervisory assessments of critical ICT providers.

Exit and termination strategy:
• contracts must outline clear termination clauses and transition plans to prevent operational disruptions if the ICT provider fails to meet security obligations.

Classification of Critical ICT Services Under DORA

DORA mandates additional oversight for “critical ICT service providers”, which are entities indispensable for the stability of financial markets. Critical ICT services include:
• cloud computing services used for banking transactions, payment processing and data storage;
• cybersecurity and managed security services (MSSPs) protecting financial networks from cyberthreats;
• AI-driven fraud detection and risk management platforms used in credit scoring and market analysis; and
142 CHAMBERS.COM