ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting
Financial penalties for non-compliance

ICT service providers failing to meet regulatory obligations may face severe financial penalties:

• up to 2% of global turnover for non-compliance with cybersecurity and risk management standards; and
• additional daily fines until corrective actions are fully implemented.

Termination of ICT service contracts

If a critical ICT provider poses an unacceptable risk to financial stability, regulators can order financial institutions to terminate service contracts with the non-compliant provider. The ESAs maintain a register of high-risk ICT service providers, restricting their access to EU financial markets.

Regulatory intervention in ICT service operations

In extreme cases, regulators may impose operational restrictions, requiring ICT providers to suspend or restructure critical services that threaten financial stability. National authorities can mandate emergency cybersecurity measures if a major cyber event impacts on financial institutions.

Cross-Border Enforcement and Co-ordination

Because many critical ICT service providers operate across multiple jurisdictions, enforcement requires EU-wide co-ordination:

• joint supervisory teams (JSTs) – national regulators collaborate with the ECB and ESAs to conduct cross-border compliance reviews of ICT providers servicing multiple EU financial institutions;
• incident response and reporting – providers must notify financial institutions of cyber incidents within 24 hours, enabling banks and insurers to report to regulators within 72 hours;
• business continuity and recovery plans – providers must maintain back-up systems, failover strategies and rapid disaster-recovery capabilities; and
• regulatory audit rights – national and EU financial regulators have full authority to conduct audits, on-site inspections and security evaluations of critical ICT service providers.

Enforcement Measures and Sanctions

Regulatory bodies enforce compliance through audits, inspections and corrective actions. If a critical ICT provider fails to meet operational resilience standards, the following enforcement measures apply.

Supervisory audits and on-site inspections

Regulatory authorities audit ICT providers to verify compliance with DORA and cybersecurity best practices. On-site inspections and forensic reviews are conducted if vulnerabilities or past incidents indicate a high cyber risk.

Corrective measures and compliance orders

If deficiencies are found, regulators can issue binding corrective measures, including:

• security upgrades and process improvements;
• additional penetration-testing requirements; and
• stronger supply chain risk assessments.