Cybersecurity 2025

ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting

Cyber-Resilience Act (Draft – Proposed by the European Commission):
• cybersecurity certification for ICT products – manufacturers of hardware, software and cloud services must obtain EU-wide cybersecurity certification;
• mandatory security updates and patch management – companies must provide continuous security updates to address vulnerabilities; and
• penalties for non-compliance – firms failing to meet cyber-resilience requirements may face severe regulatory sanctions.

Strengthened supply chain cybersecurity rules (upcoming national reforms):
• increased scrutiny of foreign ICT vendors – Italy plans to impose additional restrictions on non-EU cloud and telecommunications providers; and
• expanded cybersecurity requirements for SMEs – more SMEs may be included under mandatory NIS2 compliance.

Key enforcement mechanisms and penalties are as follows.
• Regulatory audits and compliance inspections – the ACN, Bank of Italy, IVASS and Consob enforce cyber-resilience measures through periodic audits.
• Financial penalties:
(a) up to EUR10 million or 2% of global annual turnover, whichever is higher, for NIS2 non-compliance by essential entities (for important entities the ceiling is EUR7 million or 1.4%);
(b) up to EUR20 million or 4% of global annual turnover, whichever is higher, for GDPR violations; and
(c) operational restrictions or contract termination orders under DORA for non-compliant ICT providers.

• Incident response enforcement – regulatory authorities can impose remediation measures if cyber incidents expose vulnerabilities in financial or critical infrastructure systems.

Conclusion
Italy's cyber-resilience obligations are among the most stringent in the EU, covering critical infrastructure, financial institutions and digital service providers:
• existing laws (NIS2, DORA, GDPR) mandate cybersecurity risk management, threat monitoring and supply chain security;
• future regulations (the Cyber-Resilience Act, the AI Act) will expand cybersecurity requirements to cover AI and ICT products; and
• regulatory enforcement ensures compliance, with severe penalties for security failures.

These measures fortify national cybersecurity resilience, protect critical services from cyberthreats and ensure compliance with evolving EU Regulations.

5. Security Certification for ICT Products, Services and Processes

5.1 Key Cybersecurity Certification Legislation
Italy's cybersecurity and cyber-resilience legal framework is shaped by EU Regulations, national laws and sector-specific rules that govern data protection, critical infrastructure security, financial sector resilience and cybercrime prevention.

The GDPR:
• applies to all organisations processing personal data in Italy;
