1 Legal framework

1.1 Does the law in your jurisdiction distinguish between 'cybersecurity', 'data protection' and 'cybercrime' (jointly referred to as 'cyber')? If so, how are they distinguished or defined?

There is no explicit distinction between 'cybersecurity', 'data protection' and 'cybercrime' in Italy; however, a distinction can be drawn based on the sectoral provisions that govern them. Please see question 1.2.

1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?

Italy has adopted several cyber provisions since 1993. The first cyber-related statute was Law 547/1993, which amended the Criminal Code and the Code of Criminal Procedure by providing for certain new specific cybercrimes – for example:

  • Article 615-ter of the Criminal Code, "Unauthorised access";
  • Article 635-quater of the Criminal Code, "Denial-of-service attacks";
  • Article 640-ter of the Criminal Code, "Phishing"; and
  • Article 266-bis of the Code of Criminal Procedure, "Interception of computer or telematic communications".

Another source of cyber-related regulation is the Italian data protection framework. Following the entry into force of the EU General Data Protection Regulation (2016/679) (GDPR), Italy amended its main data protection law through Legislative Decree 101/2018, Provisions for the Adaptation of the National Legislation to the Provisions of the GDPR. In this regard, the legislature amended those sections of the Privacy Code (Legislative Decree 196/2003) that directly conflicted with the GDPR.

Further statutes that are relevant to cyber include:

  • Legislative Decree 65/2018, implementing the EU Network and Information Systems Directive (2016/1148);
  • Law Decree 105/2019, converted into Law 133/2019, defining the National Cybersecurity Perimeter and its implementing regulations (Ministerial Decree 131/2020, Presidential Decree 54/2021, Ministerial Decree 81/2021 and the Presidential Decree of 15 June 2021);
  • Legislative Decree 82/2021, which established the National Cybersecurity Agency, among other things; and
  • Legislative Decree 123/2022, containing provisions to adapt to EU Regulation 2019/881 on the European Union Agency for Cybersecurity (ENISA).

1.3 Do special cyber statutes or regulations apply to: (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)? (b) Certain types of information (personal data, health information, financial information, classified information)?

(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?

Legislative Decree 65/2018 ('NIS Law') imposes specific obligations regarding security measures and notification of incidents on providers of certain critical services (operators of essential services (OESs) and digital service providers (DSPs), as identified under the same law).

Furthermore, Law 105/2019, with its implementing regulations, aims to guarantee the security of networks, information systems and information services of public administrations, public and private entities and operators headquartered in the national territory which are critical for the exercise of an essential function of the state or the provision of an essential service for the maintenance of civil, social or economic activities fundamental to the interests of the state. Law 105/2019 also applies to telecommunications, aerospace, transport and certain digital services, as identified pursuant to the law.

In the last few years, the Bank of Italy has adopted several initiatives in order to promote innovation and cyber resilience in the Italian financial sector. On 23 September 2020, the Bank of Italy updated Circular 285/2013 ("Regulatory Provisions for Banks") to ensure full alignment with the European Banking Authority Guidelines on internal governance under Directive 2013/36/EU. Another example is the adoption of the TIBER-IT National Guidance, which is the national transposition of the Threat Intelligence-Based Ethical Red Teaming Framework issued by the European Central Bank, a reference model for conducting advanced cybersecurity tests harmonised at the European level.

Finally, the recently adopted EU Regulation 2022/2554 on digital operational resilience for the financial sector – the European Union's flagship initiative on digital operational and cyber resilience in the financial sector – will apply from 17 January 2025.

(b) Certain types of information (personal data, health information, financial information, classified information)?

The GDPR provides for heightened obligations in connection with 'special categories of personal data', which are defined, as per Article 9, as:

  • data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;
  • genetic data;
  • biometric data;
  • data concerning health; or
  • data concerning a natural person's sex life or sexual orientation.

It provides for higher standards of protection for these types of data (eg, a prohibition on collection except in restricted cases – for instance, where personal data has been manifestly made public by the data subject).

Special protection is accorded by Law 124/2007 to information protected by state secrets. In particular, pursuant to Article 39 of Law 124/2007, this protection applies to acts, documents, news, activities and anything else whose dissemination is likely to damage the integrity of the Italian state, including in relation to:

  • international agreements;
  • the defence of the fundamental constitutional order;
  • the independence of the state and its relations with other states; and
  • the preparation and military defence of the state.

The protection of information covered by state secrets is primarily the responsibility of the prime minister, who must provide the Department of Information for Security and the competent agencies (the External Agency for Information and Security and the Internal Agency for Information and Security) with the necessary directives to improve the protection of critical infrastructure, both material and immaterial, in particular with regard to national cyber and information security.

1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?

In the context of cybercrime in general, for the Criminal Code to apply, it is sufficient if at least part of the harmful action or event has occurred in Italy, regardless of where the criminal actor is located. The public prosecutor is responsible for the investigation, and in doing so will make use of judicial police officers who specialise in computer crimes. In this regard, the Budapest Convention on Cybercrime of the Council of Europe introduced general principles relating to international cooperation for the purpose of investigations and the collection of electronic evidence of criminal offences. For that purpose, on 12 May 2022 the Ministry of Justice signed the Second Additional Protocol to the Convention on Cybercrime.

Regarding the processing of personal data, the GDPR has some extraterritorial effects since, pursuant to Article 3, it applies to the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the European Union, where the processing activities relate to:

  • the offering of goods or services, irrespective of whether a payment by the data subject is required, to such data subjects in the European Union; or
  • the monitoring of their behaviour, insofar as this takes place within the European Union.

Furthermore, in Decision 34658/2022, the Court of Cassation affirmed the important principle of extraterritoriality of de-indexing orders issued by the Italian supervisory authority, which had already been established by the Court of Justice of the European Union in its Google France judgment (Case C-507/17 – 24 September 2019).

1.5 Do any bilateral or multilateral instruments related to cyber have effect in your jurisdiction?

Italy adheres to a number of European and international instruments that directly or indirectly relate to cybersecurity.

Italy is part of the Budapest Convention on Cybercrime of the Council of Europe of 23 November 2001 (ETS 185), which is the first international treaty on crimes committed via the Internet and other computer networks, dealing particularly with copyright infringements, computer-related fraud, child pornography and violations of network security. It also introduced general principles relating to international cooperation for the investigation and collection of electronic evidence of criminal offences. Italy is also a signatory to the Strasbourg Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS 108), concluded on 28 January 1981 within the framework of the Council of Europe.

Furthermore, as an EU member state, Italy is bound by EU instruments relating to cybersecurity and data protection, which include:

  • the Network and Information Security (NIS) Directive (2016/1148), which was recently repealed by the NIS 2 Directive (2022/2555), to be implemented by member states by 17 October 2024;
  • the GDPR;
  • the Cybersecurity Act (EU Regulation 2019/881); and
  • the new EU Regulation 2022/2554 on digital operational resilience for the financial sector (see question 1.3(a)).

Moreover, the measures issued by ENISA and by the European Data Protection Board, which promotes cooperation between EU data protection authorities, must also be taken into account.

1.6 What are the criminal penalties for cybercrime (eg, hacking, theft of trade secrets)?

Article 615-ter of the Criminal Code provides that those who access computers and IT systems without authorisation ('hacking') will be criminally punished. Those who access such systems without authorisation or who fail to exit such systems after the original authorisation has elapsed may be sentenced to up to three years in prison. A more severe punishment (up to five years' imprisonment) will apply if:

  • the hacker acts violently to the detriment of assets or individuals or is armed; or
  • the conduct is carried out by a public officer or system administrator.

If computers or IT systems relevant or instrumental to public health or national security are targeted, the hacker may be sentenced to up to eight years' imprisonment.

Phishing is regarded as a type of IT fraud and, therefore, is punishable pursuant to Article 640-ter of the Criminal Code. When an IT fraud is carried out by stealing or using a third party's digital identity without authorisation, the perpetrator will be subject to imprisonment and a fine of between €600 and €3,000.

Under Article 494 of the Criminal Code, anyone who, in order to obtain an advantage for himself or herself or others, misleads someone by impersonating another person will be subject to imprisonment for up to one year (ie, identity theft in connection with an access device).

Trade secrets are protected by Article 623 of the Criminal Code. The disclosure of technical and commercial confidential information learned by reason of status, office, or profession is punishable by imprisonment for up to two years. Protection is also granted where a secret is revealed for the profit of third parties. The penalty is increased if the offence is committed through the use of any computer tool.

2 Enforcement

2.1 Which governmental entities are responsible for enforcing cyber statutes and regulations? What powers do they have? Can they impose civil and criminal penalties? On whom can penalties be imposed (eg, companies, directors, officers, employees)? Do those entities have extraterritorial reach, and if so what?

With respect to the processing of personal data, the Italian supervisory authority, Garante per la protezione dei dati personali ('Garante'), has extensive powers thanks to Article 58 of the General Data Protection Regulation (GDPR), such as the power to:

  • order data controllers and data processors to provide all useful information;
  • conduct investigations; and
  • obtain access to all personal data.

Furthermore, Law Decree 82/2021 provides for the establishment of the National Cybersecurity Agency (NCA), which is responsible for:

  • adopting and implementing the National Cybersecurity Strategy; and
  • helping to improve cybersecurity and digital capabilities in cooperation with national industrial, research and academic stakeholders.

Pursuant to Article 7 of the law decree, the NCA has been appointed as the national cybersecurity certification authority within the meaning of Article 58 of the EU Cybersecurity Act (EU Regulation 2019/881). Moreover, the Computer Security Incident Response Team (CSIRT) has been set up as a technical division within the NCA for the prevention of, coordination of and response to cyber events and incidents with an actual or potential impact on the state, with a specific focus on the mandatory notifications required under the National Cybersecurity Perimeter Law and the Network and Information Systems Directive.

2.2 Do private parties have a right of action? If so, what type of relief or remedy is available? Is any relief or remedy available against individuals (eg, directors, officers, employees)?

Under the data protection laws and regulations, individuals who are harmed by a breach of a controller's or processor's duties under the GDPR or the Privacy Code have actionable claims for compensation of damages against the controller or processor concerned, which can be brought before a competent court. Before the Garante, private parties may only file a complaint, which may give rise only to the imposition of administrative fines pursuant to Article 83 of the GDPR.

Private parties affected by cyber or security incidents may take action by filing a claim for damages against the responsible party under tort or contract law. If such cyber incidents were caused by a corporate entity's failure to adopt adequate security measures and/or to comply with other security obligations imposed by law, the directors/officers may be liable towards the corporate entity for the damage caused if:

  • they were not diligent when exercising their duty of care and vigilance; and/or
  • although aware of the risk of harm for the company, they did not do anything to prevent or mitigate the harmful consequences.

Likewise, they can be liable towards third parties for damages suffered by them as a consequence of negligent or fraudulent action of the directors.

Finally, in the case of criminal conduct (eg, fraud and theft of personal data or identity), the victim may submit claims to the competent judicial police or the prosecutor, who will carry out the necessary investigations and decide whether to archive the case or submit to the judge of preliminary investigations a request to commence a criminal trial.

2.3 What defences are available to companies in response to governmental or private enforcement?

The likelihood of success in court proceedings or investigations largely depends on:

  • the measures adopted by the company involved to prevent and manage the risks posed to the security of the network and information systems which they use in their operations; and
  • the company's ability to demonstrate its diligent behaviour and observance of the applicable legislation (ie, the accountability principle).

In particular, it is important:

  • to adopt internal procedures and documents on cybersecurity and data protection;
  • to regularly update them; and
  • to ensure that these are effectively implemented.

To this end, certification schemes – which are referred to by different legal instruments, such as the GDPR and the EU Cybersecurity Act – issued by competent bodies or organisations might be helpful. Such certifications may help to demonstrate that a company affected by a cyber incident did everything within its reasonable power to prevent the incident, and the company may thus be released from liability even though an incident actually occurred.

With specific regard to cybersecurity certifications, Article 7 of Law Decree 82/2021 has appointed the National Cybersecurity Agency (NCA) as the national competent authority pursuant to Article 58 of the Cybersecurity Act. Moreover, pursuant to Article 6 of Legislative Decree 123/2022, the NCA will issue certifications with a high level of reliability through the Organismo di certificazione della Sicurezza Informatica (OCSI), the conformity assessment body appointed pursuant to Article 60 of the Cybersecurity Act by Law Decree 82/2021. The OCSI is a certification body originally established by the Prime Ministerial Decree of 30 October 2003 with the aim of:

  • overseeing the management of the national scheme – based on the structure indicated by the common criteria, which are the model for European cybersecurity certification – for the evaluation and certification of the security of systems and products in the information and communications technology (ICT) sector; and
  • drafting guidelines for the conduct of evaluation and certification processes.

Following the entry into force of Legislative Decree 123/2022, the OCSI has been incorporated into the NCA.

Likewise, through Law Decree 82/2021, the National Assessment and Certification Centre (CVCN) has been incorporated into the NCA. The CVCN is entrusted with evaluating ICT goods, systems and services implemented on ICT infrastructure that is included or used within the National Cybersecurity Perimeter.

Also, the proper management of incidents and the risks related thereto could save the company concerned from liability. To this end, it may be helpful if companies can demonstrate that they notified the competent authority without undue delay when required by the applicable law (see questions 5.1 and 5.2).

3 Landmark matters

3.1 Have there been any landmark cyber enforcement actions or judicial decisions in your jurisdiction? If so, what were they?

No major enforcement actions have been taken thus far. Two relatively recent cases are highlighted below.

On 10 June 2020, the Italian supervisory authority, Garante per la protezione dei dati personali ('Garante'), issued Injunction Order 9429195, ordering banking institution UniCredit SpA to pay a penalty of €600,000 at the end of a complex investigation concerning a data breach caused by abusive access to the personal data of more than 700,000 customers, carried out between April 2016 and July 2017 through employee accounts of a business partner of the financial institution. In particular, the processing of personal data by UniCredit, as data controller, was conducted in breach of:

  • the security measures laid down in Articles 33 and following of the Privacy Code – repealed by Legislative Decree 101/2018;
  • the technical provisions set out in Annex B to the code itself; and
  • the measures prescribed in Order 192/2011 setting out "Provisions on the circulation of information in the banking sector and the tracing of banking transactions".

Furthermore, the Campania Regional Environmental Protection Agency was fined €8,000 by the Italian supervisory authority for not having sufficiently protected personal data and for not having adopted the security measures set forth by Article 32 of the General Data Protection Regulation (GDPR) (Injunction Order 9538748/2021). The violation concerned the theft of an external hard disk containing personal data such as:

  • identification, tax and salary documents;
  • reimbursement files; and
  • analytical data relating to judicial proceedings.

3.2 Have there been any pivotal cyber incidents or events (eg, major data breaches, major cyber-related legislative activity, major cyber-related innovation or technology development) in your jurisdiction?

Among major data breaches, between 2019 and 2020 the virtual workers' desk managed by the National Institute for Insurance against Accidents at Work (INAIL) allowed a few users to access other workers' files relating to occupational incidents and diseases. The investigations found that:

  • INAIL was liable for allowing unauthorised accesses to third parties' personal data, including health data (Article 4.10 of the GDPR); and
  • no adequate technical and organisational measures had been put in place to ensure the appropriate security level in light of the risks arising from the given processing, which resulted in the personal data breaches at issue.

The Garante imposed a €50,000 administrative fine on INAIL.

One case that attracted significant public attention was a ransomware attack that hit the Lazio region on 30 July 2021, which temporarily compromised some essential services provided by the region, including the health system and the IT system dedicated to the COVID-19 vaccine. The attack was notified by the Lazio region to the Garante as a data breach pursuant to Article 33 of the GDPR.

One relevant and decisive step forward in addressing cybersecurity in Italy was the publication, in Official Gazette 261 of 21 October 2020, of the Regulations regarding the National Cybernetic Security Perimeter. From a legal point of view, this is a clear signal of the government's cybersecurity strategy. It aims to guarantee the security of networks, information systems and information services of public administrations, public and private entities and operators with their headquarters in the national territory on which the exercise of an essential function of the state or the provision of an essential service for the maintenance of civil, social or economic activities fundamental to the interests of the state depends.

4 Proactive cyber compliance

4.1 Have any industry best practices or industry standards in proactive cyber compliance developed over time in your jurisdiction? If so, please briefly describe.

There are no best practices or industry standards on cybersecurity that have been developed in Italy; however, please see question 4.2 for further details.

4.2 Have any governmental entities issued voluntary guidance or similar documentation on the issue of proactive cyber compliance? If so, please briefly describe.

In recent years, a number of voluntary guidance instruments have been issued in Italy.

These include the National Framework for Cybersecurity and Data Protection (second edition, 2019), developed by the Cyber Intelligence and Information Security Centre of the University Sapienza of Rome and the National Interuniversity Consortium for Informatics Cyber Security National Lab, with the support of the Italian supervisory authority and the Department of Information for Security of the Council of Ministers. The framework is inspired by the Cybersecurity Framework of the US National Institute of Standards and Technology, and aims to support organisations in complying with the applicable legislation on cybersecurity and data protection.

The framework has inspired the adoption of guidelines on the management of risks and the prevention and mitigation of incidents with a relevant impact on continuity and provision of essential services by the competent national authorities pursuant to Legislative Decree 65/2018, which implemented the EU Network and Information Systems (NIS) Directive (2016/1148) into Italian law. The guidelines have been shared with 465 operators of essential services (as defined by the NIS Directive) and have not been published. However, the information that is publicly available reveals that they are based on the abovementioned national framework.

4.3 What legal duties, if any, do corporate officers and directors have with respect to proactive cyber compliance? Under what circumstances might they be considered in breach?

Corporate officers and directors do not have specific legal duties or direct responsibilities relating to cybersecurity.

However, the chief executive officer, as legal representative of a company, might be considered responsible for damages arising from breaches of cybersecurity duties to the extent that he or she may be held to have acted fraudulently or negligently. The same applies for other directors or officers formally charged with cybersecurity matters through a power of attorney.

The other 'ordinary' directors or officers might be considered responsible indirectly for failing to exercise their duties of vigilance in supervising persons or events subject to their supervision ('culpa in vigilando').

4.4 Are there special rules, regulations or guidance in the proactive cyber compliance area that apply to public (eg, exchange-listed) entities?

Public entities are subject to all rules on cybersecurity which apply to any other entity in the same operational field.

Furthermore, public entities that are considered operators of essential services (OESs) under the EU Networks and Information Systems Directive (2016/1148) and the implementing Legislative Decree 65/2018 are bound by the provisions of these instruments on OESs. The list of OESs identified in Italy has been established by the Ministry of Economic Development. According to Legislative Decree 65/2018, OESs include entities in the following sectors:

  • energy;
  • transport;
  • banking;
  • financial markets and infrastructure;
  • health; and
  • drinking water supply and distribution.

If we consider 'public' in the traditional sense of government agencies/public administration bodies, Circular 2/2017 of the Agency for Digital Italy (AgID) should also be mentioned. This sets out minimum information and communications technology security measures for public administrations. These measures serve as a tool to evaluate and improve the cybersecurity of Italian public administrations.

From a strategic perspective, the Italian government has launched a Cloud Strategy aimed at incentivising Italian public administrations to adopt solutions based on cloud computing to store and protect their data. Within the framework of this strategy, on 15 December 2021 AgID adopted a regulation on:

  • the minimum levels of security, processing capacity, energy savings and reliability of digital infrastructure for public administrations;
  • the quality, security, performance, scalability and portability of cloud services for public administrations;
  • the modalities of migration; and
  • the modalities of qualification of cloud services for public administrations.

4.5 Is there scope for companies to share details of actual or potential cybersecurity threats, or other cyber-intelligence information, with industry or other stakeholders?

There are no statutory restrictions preventing companies from sharing details of actual or potential cybersecurity threats. However, companies should be cautious before disclosing any cyber-incidents, in order to avoid exposing their organisation to further exploitation of any vulnerabilities that are revealed.

For details of the notification requirements in case of cybersecurity incidents, please see question 5.

5 Cyber-incident response

5.1 In your jurisdiction, do certain types of cyber incidents (eg, data breaches, unauthorised destruction, data leakage) trigger mandatory or voluntary notification requirements? How are such incidents defined? Are notification requirements dependent on the type of information affected? If so, what types?

The most common notification requirement is that of notification of data breaches set forth in Articles 33 and 34 of the General Data Protection Regulation (GDPR), concerning the notification of a data breach:

  • to the supervisory authority if it entails a risk to the rights and freedoms of natural persons; and
  • to the data subjects if the risk qualifies as high.

Article 12 of Legislative Decree 65/2018, implementing the EU Networks and Information Systems Directive, requires operators of essential services (OESs) to notify, without undue delay, security incidents with a relevant impact on the continuity of the services they provide to the Italian Computer Security Incident Response Team (CSIRT), part of the National Cybersecurity Agency. Notifications must be carried out in accordance with the guidelines on the management of risks and the prevention and mitigation of incidents with a relevant impact on the continuity and provision of essential services (see question 4.2). Similarly, Article 14 of Legislative Decree 65/2018 requires providers of digital services (ie, online marketplaces, online search engines and cloud computing services) to notify CSIRT of security incidents with a relevant impact on the provision of their services.

Specific obligations apply to entities included within the National Cybersecurity Perimeter under Law Decree 105/2019 and its subsequent implementing decrees. In particular, pursuant to Prime Ministerial Decree 81/2021, these entities must notify the Italian CSIRT of incidents that have affected their information and communication technology (ICT) systems within six hours or one hour of becoming aware of them, depending on the level of gravity as classified pursuant to the decree. Furthermore, pursuant to Article 1(3-bis) of Law Decree 105/2019, as amended, the same entities must notify CSIRT of incidents that have affected ICT systems outside the perimeter within 72 hours. In a decision of 3 January 2023, the National Cybersecurity Agency published the taxonomy of security incidents to which these notification obligations apply.

5.2 What are the mandatory or voluntary cyber-incident notification requirements? For example, to whom must notification be sent (eg, individuals, regulators, public filings)? Is there a required form or format? What is the timeframe for notification? Is the organisation that suffered the cyber-incident obliged to provide services, compensation or specific information to individuals who were affected? What are the exceptions/safe harbours that would allow organisations to avoid or not make notifications (eg, no risk of harm; information accessed was encrypted)?

Personal data breaches pursuant to Article 33 of the GDPR (where mandatory according to the requirements discussed in question 5.1) must be addressed to the Italian supervisory authority, Garante per la protezione dei dati personali ('Garante'), without undue delay and, in any case, within 72 hours of becoming aware of them. Notifications must be submitted through an online form available on the Garante's website. Pursuant to Article 33(4) of the GDPR, information relating to the notified breaches may be provided in phases without undue further delay.

Article 34 of the GDPR requires the controller to notify data breaches to the data subjects without undue delay, but does not establish a fixed term or modality for this.

Operators of essential services must notify CSIRT of security incidents relevant under Article 12 of Legislative Decree 65/2018 without undue delay. Notifications must be carried out in accordance with the guidelines on the management of risks and the prevention and mitigation of incidents with a relevant impact on the continuity and provision of essential services mentioned in question 4.2. Similar obligations apply to providers of digital services pursuant to Article 14 of Legislative Decree 65/2018.

Pursuant to Prime Ministerial Decree 81/2021, entities included within the National Cybersecurity Perimeter must notify CSIRT of incidents that have affected their ICT systems within six hours or one hour after becoming aware of such incidents, depending on their level of gravity as classified by the decree. Furthermore, pursuant to Article 1(3-bis) of Law Decree 105/2019, as amended by Law Decree 115/2022, the same entities must notify CSIRT of incidents involving ICT systems that lie outside the perimeter within 72 hours.

5.3 What steps are companies legally required to take in response to cyber incidents?

Besides the notification obligations mentioned in question 5.1, Article 33(5) of the GDPR requires the controller to document any personal data breaches, providing details of the facts relating to the personal data breach, its effects and the remedial action taken, in order to allow the Garante to verify compliance with Article 33 of the GDPR. In general, the controller has a duty to cooperate with the Garante in all proceedings and investigations commenced by the Garante after notification.

Legislative Decree 65/2019 and the rules on the National Cybersecurity Perimeter do not set out any other obligations relating to cybersecurity incidents. However, all of those instruments require the entities subject to them (ie, data controllers, operators of essential services, providers of digital services and entities included within the National Cybersecurity Perimeter) to analyse the risks of security breaches and to adopt appropriate security measures aimed at mitigating those risks.

5.4 What legal duties, if any, do corporate officers and directors have with respect to cyber-incident response? Under what circumstances might they be considered in breach?

Corporate officers and directors do not have specific legal duties or direct responsibilities relating to cyber-incident response.

However, the chief executive officer, as the legal representative of a company, might be held liable for civil damages arising from the response to a cyber incident. The same applies to other directors or officers who are formally charged with cybersecurity matters through a power of attorney.

The other 'ordinary' directors or officers might be held responsible only indirectly, for fault in supervising the persons or events under their supervision that caused the breach (ie, 'culpa in vigilando').

The responsibilities of officers and directors may also arise from negligent or otherwise insufficient responses to breaches.

5.5 Do companies maintain cyber-incident insurance policies in your jurisdiction?

Cyber-incident and data protection insurance is quite common in Italy, especially at big companies. The specific characteristics of this insurance depend on many factors, such as the size of the company and the economic sector in which it operates.

6 Trends and predictions

6.1 How would you describe the current cyber landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

The landscape of digitalisation and cybersecurity in Italy is constantly evolving. Indeed, digitalisation in both the private and public sectors is one of the central pillars of the Piano nazionale di ripresa e resilienza (PNRR), the national plan drawn up in 2021 within the framework of the EU Recovery Plan.

Among the goals of digitalisation pursued by the PNRR, there is a specific cybersecurity programme, for which the National Agency for Cybersecurity and the Department of the Digital Transition of the Presidency of the Council of Ministers are responsible. The three pillars of this cybersecurity strategy are:

  • the development of cyber resilience throughout the country;
  • the enhancement of national capacity for scrutiny and technological certification; and
  • the strengthening of the cyber capacity of Italian public administrations.

Completion of the project is expected in 2024. The PNRR is part of the general National Cybersecurity Strategy, which aims to promote the adoption of 82 measures by 2026.

The strategy for the digitalisation of public administrations is also based on the three-year Information and Communications Technology Plan drawn up and updated by the Agency for Digital Italy (the latest version is the 2021-23 plan, as updated in May 2022). The principles espoused in the plan include:

  • the 'cloud-first' principle;
  • the 'digital and mobile first' principle, according to which services should be accessed through digital identities;
  • accessibility;
  • the security and privacy by design of services;
  • the realisation of user-centric and data-driven services; and
  • a preference for open-source software in the choices made by public administrations.

Possible reforms in the pipeline include a government proposal to replace the SPID – the unique digital identity currently used by residents in Italy – with another digital identity associated with their identity cards.

Furthermore, by 17 October 2024, Italy must adopt and publish the measures necessary to comply with the Second EU Networks and Information Systems Directive (2022/2555).

7 Tips and traps

7.1 What are the top three cyber-related problems or challenges that companies face in trying to secure their networks and data assets, and what are the best ways to address them?

  • Awareness: In Italy, there is still limited awareness of cybersecurity, which is often perceived as a bureaucratic duty or as a matter for IT professionals alone. This may heighten the risk of cybersecurity incidents caused by human factors such as negligence or lack of attention, including in relation to common threats such as phishing or the breach of very basic rules on the use of IT tools (eg, weak protection of access credentials and passwords). Companies should thus invest in training activities relating to cybersecurity and data protection.
  • Digitalisation of the public administrations: Despite the launch of new strategies within the last year, the level of digitalisation of public administrations remains quite low and is not uniform across the national territory, especially in specific fields such as municipal services and civil motorisation. Arguably, things should improve in the coming years as the Piano nazionale di ripresa e resilienza progresses (see question 6.1). At the moment, however, the situation among public administrations remains complicated from a digital perspective.
  • Remote working: Remote working was adopted in Italy as a kind of 'emergency measure' in response to the COVID-19 pandemic. To date, the practice, in both the public and private sectors, is regulated by Law 81/2017 – a very inadequate piece of legislation for a forced and, in some cases, improvised change in direction that conceals considerable pitfalls. Many employees have been forced to work from home using personal devices that can easily be attacked; in fact, remote access to corporate networks has considerably increased the opportunities for attack.