Cybersecurity 2025

ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting

Conclusion

Italy enforces strict TLPT requirements for major financial institutions and their critical ICT providers, ensuring proactive cybersecurity resilience:

• mandatory TLPT at least every three years for high-risk ICT systems;
• tests must simulate real-world cyber-attacks, aligning with TIBER-EU methodologies; and
• financial regulators oversee TLPT compliance, with penalties for non-compliance.

These measures strengthen digital operational resilience, protecting Italy's financial sector from advanced cyberthreats and systemic disruptions.

4. Cyber-Resilience

4.1 Cyber-Resilience Legislation

Italy has established a comprehensive cybersecurity and cyber-resilience regulatory framework, aligned with EU Directives and Regulations. The country enforces strict cyber-resilience obligations for critical infrastructure, financial institutions, public administration and private entities handling sensitive data. The legislative framework is built on:

1. EU Regulations and Directives, including DORA, NIS2 and the GDPR, which apply directly (Regulations) or require national transposition (Directives); and
2. national cybersecurity laws, such as the National Cybersecurity Perimeter Law (Decree-Law No 105/2019, converted by Law No 133/2019) and the NIS2 Implementation Law (Legislative Decree No 138/2024).

Core Cyber-Resilience Laws in Italy

The GDPR:

• enforces strict cybersecurity and data protection requirements for organisations handling personal data;
• requires entities to implement appropriate technical and organisational security measures, such as encryption, access control and breach notification procedures; and
• imposes severe penalties for security failures, including fines of up to EUR20 million or 4% of global annual turnover, whichever is higher.

NIS2:

• strengthens cyber-resilience obligations for essential and important entities, including energy, transport, healthcare, financial services and digital infrastructure;
• mandates risk management frameworks, incident reporting (an early warning within 24 hours of becoming aware of a significant incident, followed by a full notification within 72 hours) and resilience testing; and
• expands regulatory enforcement and introduces fines for non-compliance of up to EUR10 million or 2% of global annual turnover for essential entities.

DORA:

• applies directly to banks, insurance companies, investment firms and crypto-asset service providers, among other financial entities;
• mandates ICT risk management policies, major ICT-related incident reporting (initial notification within 24 hours of becoming aware, an intermediate report within 72 hours and a final report within one month) and TLPT (Threat-Led Penetration Testing) at least every three years; and
• introduces regulatory oversight for third-party ICT providers, ensuring financial entities only use compliant cloud, data-processing and cybersecurity services.

The National Cybersecurity Perimeter Law:
