ITALY Law and Practice Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting
the importance of robust cybersecurity practices in data-processing activities.

6.2 Cybersecurity and AI

Italy follows EU-wide regulations on AI security and cybersecurity obligations, with upcoming AI-specific laws under the Artificial Intelligence Act (AI Act – EU Draft). Currently, AI systems must comply with GDPR, NIS2, and cybersecurity best practices, ensuring data protection, algorithmic security, and resilience against cyberthreats.

AI Security and Risk Management Obligations

General cybersecurity requirements (the GDPR and NIS2):
• AI systems handling personal data must integrate privacy-by-design principles, ensuring secure data storage, access controls and encryption;
• organisations using AI in critical infrastructure (eg, finance, healthcare, defence) must implement cybersecurity risk assessments; and
• regular penetration testing and AI model security audits are required to prevent data poisoning, adversarial attacks and unauthorised access.

Upcoming AI Act cybersecurity obligations (EU Draft):
• high-risk AI systems (used in finance, biometric identification, law enforcement, etc) must meet strict cybersecurity standards;
• mandatory AI security testing, logging and real-time monitoring to detect cyberthreats and unauthorised modifications; and
• AI developers must conduct adversarial testing to prevent exploitation of machine-learning vulnerabilities.

AI Supply Chain and Third-Party Security Obligations

Cloud AI services and external AI vendors must meet cybersecurity certification standards before integration. Financial and critical sectors using AI for fraud detection or automated decision-making must comply with DORA and NIS2 security controls.

AI Cybersecurity Enforcement and Compliance

The GPDP enforces AI security compliance under the GDPR. The ACN will oversee AI-related cyber-risks under NIS2. Violations of AI cybersecurity standards could lead to penalties similar to GDPR fines (up to 4% of global turnover).

Conclusion

Italy’s AI cybersecurity obligations focus on risk management, data security and adversarial resilience. Future EU AI Act regulations will further tighten cybersecurity requirements for high-risk AI systems, ensuring robust security frameworks and regulatory enforcement.

6.3 Cybersecurity in the Healthcare Sector

Italy enforces strict cybersecurity obligations for the healthcare sector under GDPR, NIS2, and national health data protection laws. These regulations ensure secure processing, storage, and transmission of sensitive health data, protecting medical institutions from cyberthreats, data breaches, and unauthorised access.