ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting
NIS2:
• essential and important entities in critical sectors (eg, energy, telecoms, healthcare, finance) must conduct risk assessments before transferring security-related data outside the EU;
• cross-border cybersecurity incident reporting – entities must report cyber incidents involving non-EU data processing to the ACN; and
• national security exception – if an ICT service provider transfers critical infrastructure data to high-risk jurisdictions, Italian authorities can restrict or block such transfers.

The National Cybersecurity Perimeter Law:
• State and critical infrastructure operators must store and process security-sensitive data within the EU or trusted jurisdictions;
• foreign ICT providers handling Italian government or critical infrastructure data must comply with supply chain security assessments; and
• transfers to non-EU vendors (eg, cloud services) require government approval if involving national security data.

Indirect Provisions Affecting International Data Transfers

Cloud service and ICT provider oversight:
• cloud service providers hosting financial or critical infrastructure data outside the EU are subject to heightened regulatory scrutiny under DORA and NIS2;
• if a cloud provider fails EU compliance tests, financial institutions must discontinue services; and
• DORA’s Oversight Framework for Critical ICT Providers applies extraterritorially, meaning non-EU cloud vendors must comply with EU security rules.

Supply chain cybersecurity and data flow restrictions:
• financial institutions and critical infrastructure operators must vet third-party suppliers that process security-related data abroad;
• regulators may ban or restrict contracts with ICT vendors if cross-border data flows present an unacceptable security risk; and
• NIS2 and the National Cybersecurity Perimeter Law require security audits for non-EU third-party service providers.

Cyber incident notification and international data flows:
• companies reporting a cybersecurity incident under NIS2 must disclose if the breach involves data stored or processed outside the EU;
• financial entities under DORA must report ICT incidents affecting non-EU cloud or service providers to national regulators and EU authorities; and
• failure to properly assess the risks of non-EU data transfers can result in fines, compliance orders or contract termination requirements.

Conclusion
Italy’s regulatory framework restricts and regulates international data transfers through the GDPR, DORA, NIS2 and national cybersecurity laws:
• the GDPR strictly limits personal data transfers to non-EU jurisdictions, allowing them only under specific safeguards;
• DORA and NIS2 impose cybersecurity and operational resilience restrictions on ICT
148 CHAMBERS.COM