ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting
• EU cyber crisis response framework – regulators co-ordinate responses to large-scale cyber incidents affecting multiple financial firms and ICT providers; and
• information-sharing mandates – ICT service providers must participate in threat intelligence-sharing programmes with financial regulators to enhance industry-wide cyber-resilience.

Conclusion

Enforcement of operational resilience obligations for critical ICT providers under DORA is strict and proactive, ensuring financial market stability and cybersecurity resilience:
• regulatory authorities in Italy and the EU directly oversee critical ICT providers, conducting audits, compliance checks and on-site inspections;
• failure to meet resilience standards results in heavy penalties, service restrictions and contract termination orders; and
• cross-border collaboration ensures that multinational ICT providers comply with harmonised EU financial cybersecurity regulations.

Through these measures, Italy and the EU maintain a secure, resilient and stable financial digital infrastructure, protecting against cyberthreats and ICT disruptions.

3.5 International Data Transfers

Italy's legal framework for cybersecurity and financial resilience includes multiple provisions that directly or indirectly regulate international data transfers. These rules stem from EU regulations such as the GDPR, DORA and NIS2, as well as national cybersecurity laws. The impact on international data transfers arises through:
• data protection regulations imposing cross-border data transfer restrictions;
• cybersecurity laws requiring localisation or risk assessments for data transfers; and
• operational resilience regulations affecting third-party ICT providers outside the EU.

Direct Provisions Impacting on International Data Transfers

GDPR:
• Transfers of personal data outside the EU are strictly regulated under Chapter V of the GDPR.
• Transfers to non-EU countries are permitted only if one of the following applies:
(a) the destination country benefits from an EU adequacy decision (eg, Japan, the UK, Canada);
(b) the transfer is governed by appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs); or
(c) a derogation applies, such as the data subject's explicit consent or contractual necessity.
• Impact on cybersecurity – if an ICT provider stores financial or critical infrastructure data outside the EU, data protection authorities may restrict or suspend the transfer.

DORA:
• cross-border ICT risk assessment – financial entities must ensure that third-party ICT service providers processing financial data outside the EU comply with EU cybersecurity standards;
• critical ICT providers may be subject to EU regulatory oversight even if headquartered abroad; and
• enforcement of localisation requirements – if an ICT provider cannot ensure compliance with EU security requirements, financial institutions must terminate the relevant contracts.