ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting
providers handling financial and critical infrastructure data outside the EU; and
• the National Cybersecurity Perimeter Law prevents security-sensitive data from being transferred to high-risk jurisdictions.

These legal provisions ensure that international data transfers do not expose Italy’s financial and critical sectors to cyberthreats, unauthorised access or geopolitical risks.

3.6 Threat-Led Penetration Testing

In Italy, threat-led penetration testing (TLPT) is mandated under DORA, which directly applies to banks, investment firms, insurance companies and other financial sector entities. The Bank of Italy, Consob and IVASS oversee TLPT compliance for financial institutions.

Scope of TLPT Requirements

TLPT is a high-level cybersecurity testing framework designed to simulate real-world cyber-attacks on financial institutions and their critical ICT infrastructure:
• it applies to systemically important financial institutions, including major banks, payment service providers, insurance firms and trading platforms;
• it focuses on high-risk ICT systems supporting essential financial services; and
• ICT third-party providers (eg, cloud computing firms and managed security service providers) may also be subject to TLPT if classified as critical.

Key TLPT Obligations Under DORA

Risk-based TLPT execution:
• financial institutions must conduct TLPT at least every three years on their most critical ICT systems;
• the tests must be tailored to the entity’s specific threat landscape, mimicking advanced persistent threats (APTs) and real-world cyber-attack scenarios; and
• TLPT must be performed by accredited and independent ethical hacking teams.

Regulatory oversight and reporting:
• financial firms must submit TLPT results to national regulators (Bank of Italy, IVASS or Consob);
• if vulnerabilities are discovered, firms must implement remediation measures and report follow-up actions; and
• regulators can mandate additional TLPT cycles if major cybersecurity weaknesses are detected.

Cross-border testing and EU co-ordination:
• financial institutions operating across multiple EU jurisdictions may be required to co-ordinate TLPT with the ESAs (EBA, ESMA, EIOPA); and
• TLPT methodologies must align with TIBER-EU (Threat Intelligence-Based Ethical Red Teaming), the EU-wide cybersecurity testing framework.

Enforcement and Non-Compliance Penalties

Failure to conduct TLPT or address identified vulnerabilities can lead to regulatory sanctions, including fines and operational restrictions. Non-compliance with TLPT obligations may result in penalties up to 2% of global turnover under DORA. Regulators may impose mandatory audits, security patches or temporary suspension of ICT services if critical risks are found.