Cybersecurity 2025

ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting

• establishes security measures for critical infrastructure and public sector IT systems;
• requires government entities and strategic industries (defence, telecommunications, finance, energy) to store sensitive data within the EU and to use trusted ICT providers; and
• enforces mandatory risk assessments and cybersecurity incident response plans.

Cybercrime and national security regulations:
• the Italian Penal Code Articles 615-ter to 640-ter criminalise unauthorised system access, data breaches, and cyberfraud;
• Decree Law No 82/2021 created the ACN, centralising cybersecurity enforcement; and
• the National Cybersecurity Strategy 2022–2026 outlines investment priorities and strategic cybersecurity initiatives.

Enforcement and Supervision of Cyber-Resilience

The ACN enforces NIS2, supervises critical infrastructure security, and co-ordinates cyber crisis response. The Bank of Italy, IVASS and Consob regulate financial sector cyber-resilience under DORA, ensuring compliance with ICT risk management and testing requirements. The Italian Data Protection Authority (Garante per la Protezione dei Dati Personali – GPDP) ensures GDPR compliance, personal data security and breach-reporting enforcement.

Future Legislative Developments in Cyber-Resilience

National AI and cybersecurity regulations
The EU AI Act and upcoming EU cybersecurity certification schemes will impose new compliance obligations for AI-driven cybersecurity solutions and critical infrastructure technologies.

Strengthened supply chain security rules
Italy is expected to introduce additional controls on ICT vendors and foreign technology providers, especially in critical sectors such as telecommunications and defence.

Expanded cybercrime enforcement
New measures will increase penalties for cyber-attacks targeting government systems and essential services.

Conclusion

Italy’s cyber-resilience legal framework is one of the most robust in the EU, incorporating the GDPR, NIS2, DORA and national cybersecurity laws;
• regulations apply to a broad range of sectors, ensuring cyber-resilience in critical infrastructure, financial services and data protection;
• national and EU regulators enforce cybersecurity standards, with significant penalties for non-compliance; and
• future legislative developments will strengthen supply chain security, AI governance and cybercrime enforcement.

These measures ensure that Italy’s digital infrastructure remains resilient against cyberthreats, safeguarding economic stability and national security.

4.2 Key Obligations Under Legislation

Italy enforces strict cyber-resilience obligations across critical infrastructure, financial institutions and data-driven enterprises under EU Regulations (DORA, NIS2, GDPR) and national cybersecurity laws. These obligations ensure ICT risk management, incident reporting, business
