Cybersecurity 2025

ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting

Cross-border co-ordination:
• if an ICT incident has cross-border impact, financial firms must notify the ESAs; and
• regulators collaborate with CSIRT Italia and ENISA to manage large-scale cyberthreats.

Conclusion
DORA sets out comprehensive digital resilience standards for Italy’s financial sector, ensuring strict cybersecurity measures, third-party risk controls and mandatory cyber incident reporting:
• financial institutions must implement robust ICT risk management policies and resilience testing;
• ICT service providers supporting financial firms must comply with cybersecurity and incident-reporting obligations; and
• strict incident-reporting requirements ensure rapid regulatory response to cyberthreats, preventing financial instability.

These measures enhance cyber-resilience, protect financial markets and ensure regulatory oversight in an increasingly digital financial ecosystem.

3.4 Operational Resilience Enforcement
Under DORA, regulatory authorities in Italy and the EU enforce strict operational resilience obligations on critical ICT service providers that support the financial sector. These providers – such as cloud computing firms, cybersecurity vendors and data-processing centres – are subject to direct regulatory oversight due to their essential role in financial stability.

Regulatory Authorities Responsible for Enforcement
The enforcement of operational resilience obligations is managed by both national and EU-level regulators, including:
• the Bank of Italy (Banca d’Italia) – supervises banking and payment service ICT risk;
• IVASS (the Italian Insurance Supervisory Authority) – regulates ICT resilience in the insurance sector;
• Consob (the Italian Securities Commission) – oversees cybersecurity in investment firms and financial markets;
• European Supervisory Authorities (ESAs) – the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA) and European Securities and Markets Authority (ESMA) conduct cross-border supervision; and
• the European Central Bank (ECB) – directly supervises significant banks under the Single Supervisory Mechanism (SSM).

For critical ICT providers, DORA establishes a direct regulatory oversight framework, allowing EU financial authorities to intervene in ICT service delivery, mandate corrective actions and impose sanctions.

Compliance Obligations for Critical ICT Service Providers
Critical ICT service providers must comply with specific operational resilience obligations, including:
• ICT risk management – providers must implement strict security controls, continuous monitoring and incident-detection mechanisms;
• cyber-resilience testing – regular penetration testing and risk assessments are mandatory, with financial regulators overseeing results;
