ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting
continuity and regulatory oversight to mitigate cyberthreats and enhance digital resilience.

Cyber-Resilience Obligations Under Existing Legislation

GDPR:
• technical and organisational security measures – organisations handling personal data must implement access controls, encryption and data breach-prevention systems;
• data breach notification – personal data breaches must be reported to GPDP within 72 hours; and
• risk-based security assessment – companies must conduct Data Protection Impact Assessments (DPIAs) for high-risk data-processing activities.

NIS2:
• mandatory cybersecurity measures – essential and important entities must implement risk management frameworks, network security protocols and security monitoring;
• cyber incident reporting – entities must notify the ACN within 24 hours of detecting a significant cybersecurity incident;
• business continuity and recovery planning – organisations must develop incident response and disaster recovery plans, conducting regular resilience testing; and
• third-party risk management – companies must assess ICT suppliers and outsourcing risks, ensuring vendor compliance with security standards.

DORA:
• ICT risk management for financial institutions – banks, insurers, investment firms and crypto-asset service providers must implement strict digital resilience policies;
• cyberthreat monitoring and testing – financial entities must conduct penetration testing, vulnerability assessments and red teaming exercises;
• third-party ICT oversight – ICT vendors supporting financial institutions must comply with DORA’s contractual and security obligations, including cyber incident reporting; and
• threat-led penetration testing (TLPT) – systemically important financial institutions must conduct real-world cyber-attack simulations every three years.

The National Cybersecurity Perimeter Law:
• data localisation requirements – strategic entities must store sensitive data within the EU or in trusted jurisdictions;
• cybersecurity risk assessments – organisations must conduct regular cyber-risk audits and compliance assessments; and
• supply chain security controls – companies must ensure that ICT providers meet national security and cybersecurity standards before engaging in service agreements.

Cyber-Resilience Obligations Under Draft Legislation and Future Regulations

EU AI Act (Draft):
• AI cybersecurity and risk management – AI-driven cybersecurity tools must meet strict risk classification, transparency and security measures; and
• cybersecurity auditing and testing for high-risk AI systems – AI models used in critical infrastructure or financial operations will require external validation and regulatory oversight.