ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting
• imposes strict security obligations, including encryption, access controls and breach reporting;
• requires notification of personal data breaches within 72 hours; and
• is enforced by the GPDP.

NIS2:
• expands cybersecurity obligations for essential and important entities in critical infrastructure sectors;
• mandates risk management frameworks, security monitoring and cyber incident reporting within 24 hours;
• establishes severe penalties for non-compliance (up to EUR10 million or 2% of global turnover); and
• is enforced by the Agency for National Cybersecurity (ACN).

DORA:
• applies to banks, investment firms, insurers, crypto-asset providers and third-party ICT service providers;
• requires ICT risk management, penetration testing (TLPT) and cyber incident reporting within 72 hours;
• introduces regulatory oversight for cloud providers and ICT vendors supporting financial firms; and
• is enforced by the Bank of Italy, Consob and IVASS.

The National Cybersecurity Perimeter Law:
• establishes cybersecurity obligations for government entities and national critical infrastructure operators;
• requires data localisation and supply chain security assessments for ICT providers;
• imposes mandatory risk assessments and cybersecurity compliance audits; and
• is enforced by the ACN and the National Cybersecurity Incident Response Team (CSIRT Italia).

Cybercrime and digital security laws:
• the Italian Penal Code (Articles 615-ter to 640-ter) criminalises unauthorised access, data breaches and cyberfraud;
• Decree Law No 82/2021 created the ACN to centralise cybersecurity governance; and
• Legislative Decree No 231/2001 introduces corporate liability for cybersecurity failures.

Upcoming and draft legislation:
• the Cyber-Resilience Act (EU Draft) will impose mandatory security updates and cybersecurity certification for ICT products;
• the AI Act (EU Draft) will regulate AI-driven cybersecurity tools and risk management systems; and
• the National Supply Chain Security Rules (Upcoming Reforms) are expected to restrict high-risk foreign ICT providers in critical sectors.

Conclusion
Italy enforces a multi-layered cybersecurity legal framework, ensuring:
• strong data protection (GDPR);
• critical infrastructure resilience (NIS2, the National Cybersecurity Perimeter Law);
• financial sector cybersecurity (DORA); and
• cybercrime prevention and ICT vendor oversight.

Future laws will further enhance cyber-resilience, AI security and supply chain protection, reinforc-
154 CHAMBERS.COM