ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting
Key Obligations Under DORA

DORA applies to banks, insurance companies, investment firms, crypto-asset service providers and ICT vendors supporting financial institutions. Its requirements include the following.

ICT risk management:
• financial entities must adopt a risk management framework covering ICT security policies, network protection and access controls;
• continuous monitoring of ICT systems to detect vulnerabilities and threats; and
• implementation of business continuity and disaster recovery strategies.

ICT third-party risk management:
• financial firms must assess third-party ICT risks, ensuring that suppliers meet strict cybersecurity standards;
• contracts with ICT providers must include security, incident reporting and resilience-testing obligations; and
• regulatory oversight of critical ICT providers offering cloud services, managed security and data-processing.

Digital resilience testing:
• regular cyber-resilience testing, including penetration testing, vulnerability scans and risk assessments; and
• threat-led penetration testing (TLPT) required for systemically important financial entities.

Governance and compliance:
• senior management is responsible for ICT risk oversight and regulatory compliance;
• mandatory training and awareness programmes for employees handling financial IT systems; and
• financial regulators can audit compliance and impose penalties for non-compliance.

Incident and Reporting Obligations Under DORA

DORA introduces strict cybersecurity incident reporting requirements to prevent systemic financial risks.

Incident classification:
• major ICT-related incidents include cyber-attacks, ransomware, system failures and data breaches affecting financial services; and
• incidents are categorised based on impact on operations, data security and financial stability.

The reporting timeline and process are as follows.
• Within four hours – financial institutions must notify their national financial regulator (eg, Bank of Italy, Consob, IVASS) if a major cyber incident is detected.
• Within 24 hours – a preliminary incident report must be submitted, detailing affected systems, potential risks and immediate response actions.
• Within 72 hours – a detailed incident report must provide: (a) root cause analysis; (b) impact assessment; (c) steps taken to contain the attack; and (d) future prevention measures.
• Final post-mortem report – required if the incident had severe financial or systemic implications, ensuring regulatory follow-up and that industry-wide lessons were learned.