Cybersecurity 2025

ITALY Trends and Developments Contributed by: Paolo Balboni, Luca Bolognini, Francesco Capparelli and Giulia Finocchiaro, ICT Legal Consulting

Cybersecurity and digital resilience are critical priorities in Italy, shaped by new EU Regulations, evolving cyberthreats and increasing digital transformation across industries. Businesses operating in Italy must adapt to a rapidly changing regulatory and risk landscape, ensuring compliance with stringent cybersecurity obligations while mitigating emerging cyber-risks.

Regulatory Evolution: Strengthening Cybersecurity Laws

Implementation of NIS2 and national cybersecurity reforms

Italy has adopted Legislative Decree No 138/2024, implementing the NIS2 Directive (Directive (EU) 2022/2555) and significantly expanding cybersecurity compliance obligations for essential and important entities. Key regulatory shifts include:

• broader industry coverage – NIS2 applies to energy, healthcare, banking, digital infrastructure and transport, among other sectors, imposing mandatory risk management and incident-reporting obligations;
• tighter incident reporting rules – businesses must notify significant incidents to the Agency for National Cybersecurity (ACN) on a staged timeline, starting with an early warning within 24 hours of becoming aware of the incident, followed by a full notification within 72 hours and a final report within one month of that notification, reinforcing real-time cyberthreat monitoring; and
• stronger supply chain security – companies must assess and monitor third-party ICT providers, ensuring compliance with cybersecurity standards.

Italy’s National Cybersecurity Perimeter Law (Decree-Law No 105/2019, converted by Law No 133/2019) also enforces data localisation requirements, requiring critical infrastructure operators to store and process security-sensitive data within the EU or in trusted jurisdictions.

DORA and financial sector digital resilience

The Digital Operational Resilience Act (DORA – Regulation (EU) 2022/2554), applicable since 17 January 2025, applies directly to Italy’s financial sector, introducing strict cyber-resilience and ICT risk management standards:

• banks, insurers and investment firms must implement continuous security monitoring, penetration testing (including threat-led penetration testing for entities identified by their competent authority) and cyber incident response plans;
• financial entities must report major ICT-related incidents to their competent authority on a staged timeline: an initial notification within four hours of classifying the incident as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report, ensuring regulatory oversight and co-ordinated incident response; and
• third-party ICT providers (cloud services, cybersecurity vendors) supporting financial institutions must comply with contractual security obligations, and those designated as critical fall under direct oversight by the European Supervisory Authorities.

These regulations signal a shift from reactive cybersecurity measures to proactive resilience strategies, requiring financial institutions and ICT vendors to enhance cyber defences.

Emerging Cyberthreats and Risk Landscape

Rise in ransomware and cyber-extortion attacks

Italy has seen a surge in ransomware incidents, targeting public institutions, healthcare providers and large corporations. Cybercriminals exploit vulnerabilities in outdated IT systems and third-party supply chains, demanding ransom payments in cryptocurrency to avoid data leaks. Businesses must implement advanced endpoint protection, secure (offline or immutable) back-up solutions and real-time threat intelligence monitoring to mitigate ransomware risks.
