7 August 2024

Cybersecurity Comparative Guide


1 Legal framework

1.1 Does the law in your jurisdiction distinguish between 'cybersecurity', 'data protection' and 'cybercrime' (jointly referred to as 'cyber')? If so, how are they distinguished or defined?

In Italy, the distinction between cybersecurity, data protection, and cybercrime is embedded within specific legal frameworks and national strategies.

Cybersecurity in Italy is addressed primarily through national security policies and the cybersecurity framework that aims to protect critical infrastructure and ensure the security of the information systems of public and private entities. The Italian government has established the National Cybersecurity Agency (ACN), which plays a crucial role in coordinating and implementing Italy's cybersecurity strategies. The agency ensures the resilience and security of national cyber and information and communication technology (ICT) systems against cyber threats.

Data protection in Italy is governed by the Regulation EU 2016/679 (General Data Protection Regulation – "GDPR") at the European Union level, supplemented by national legislation such as the Legislative Decree n. 196/2003 ("Italian Data Protection Code"). This regulatory framework focuses on protecting the personal data of individuals and grants data subjects various rights to control their personal information. It imposes stringent requirements on data controllers and processors regarding the collection, processing, and management of personal data.

Cybercrime is addressed through specific provisions in the Italian Criminal Code (Royal Decree n. 1398 of 19 October 1930), which include crimes such as unauthorized access to computer systems, the illegal interception of information communications, and the spread of viruses. Italy has also implemented broader European Union directives aimed at combating cybercrime, enhancing cooperation and coordination between EU states in responding to cyber offenses.

1.2 What are the key statutory and regulatory provisions that address cyber in your jurisdiction?

In Italy, the regulatory landscape addressing cyber issues encompasses several key statutory and regulatory provisions that focus on cybersecurity, data protection, and cybercrime. Here's an overview of these provisions:

Cybersecurity in Italy is underpinned by the National Cybersecurity Framework which is designed to protect critical national infrastructure and increase the overall resilience of IT systems across public and private sectors. The National Cybersecurity Agency (Agenzia per la Cybersicurezza Nazionale) coordinates all cybersecurity activities at the national level.

Data Protection is primarily regulated under GDPR. Moreover, Italy has its own national legislative provisions, such as the Legislative Decree n. 196/2003 (Personal Data Protection Code), which has been recently amended by the Legislative Decree n. 101/2018, to align it with the GDPR.

Cybercrime is specifically addressed within the Italian Criminal Code, which includes provisions against unauthorized access to computer systems, possession and dissemination of hacking tools, and damage to information, data, and programs. Moreover, Italy adheres to international standards and agreements such as the Budapest Convention on Cybercrime, which facilitates international cooperation in investigating and prosecuting cybercrime.

Additionally, Italy has regulations that address the security of networks and information systems. These regulations form part of Italy's implementation of the Directive EU 2016/1148 (Directive on security of network and information systems - "NIS1 Directive"), which requires Member States to boost their national IT security capabilities and cooperate at the European level. The NIS1 Directive will be repealed as of 17 October 2024 by the Directive EU 2022/2555 ("NIS2 Directive").

1.3 Do special cyber statutes or regulations apply to: (a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)? (b) Certain types of information (personal data, health information, financial information, classified information)?

In Italy, specific cyber statutes and regulations apply to certain sectors and types of information, reflecting the varied sensitivity and critical nature of these areas.

An overview of those sector-specific regulations is shown below:

  • Critical Infrastructure and National Security: Italy has designated frameworks that specifically address cybersecurity for critical infrastructures, including energy, transport, finance, health, and water supply. These sectors are covered under the NIS1 Directive, which has been transposed into Italian law. This directive mandates operators of essential services to take appropriate security measures and to notify serious cyber incidents to the relevant national authorities.
  • Financial Services: cybersecurity requirements to ensure the resilience of financial services have been established by the competent supervisory authorities, such as the Bank of Italy or the Consob. The guidelines focus on risk management, reporting of cyber incidents, and the security of transactions and data. Moreover, specific cybersecurity requirements have been established by the new Regulation EU 2022/2554 on digital operational resilience for the financial sector ("DORA").
  • Healthcare: The healthcare sector is regulated under specific provisions related to the protection of health data, which is considered particularly sensitive. Compliance with both the GDPR and national health data protection regulations is required, which mandates strong cybersecurity practices to safeguard patient information.

With regard to information-specific regulations, please find the summary below:

  • Personal Data: The protection of personal data across all sectors is governed by the GDPR, which provides a robust framework for the security of personal data.
  • Financial Information: The protection of financial information is overseen by financial regulators and falls under the scope of both national laws and EU directives such as the Directive 2015/2366 (Payment Services Directive - "PSD2"), which enhances security requirements for electronic payments and the protection of financial data.
  • State Secrets: Special protection is accorded by Law 124/2007 to information covered by state secrecy. In particular, pursuant to Article 39 of Law 124/2007, this protection applies to acts, documents, news, activities and anything else whose dissemination is likely to damage the integrity of the Italian state, including in relation to:
    • international agreements;
    • the defence of the fundamental constitutional order;
    • the independence of the state and its relations with other states; and
    • the preparation and military defence of the state.

1.4 Do any cyber statutes or regulations have extraterritorial reach? If so, how do they apply extraterritorially and what are the factors or criteria for such application?

In Italy, as in other European Union countries, certain cyber statutes and regulations have extraterritorial reach. The GDPR should be mentioned first: it applies not only to organizations based within the EU but also extends to entities outside the EU under specific conditions. In particular, the GDPR applies to organizations that are not established in the EU if they offer goods or services to individuals in the EU or monitor the behavior of individuals located within the EU. This means that any company, regardless of its location, must comply with the GDPR if it processes the personal data of individuals located in the EU in connection with the offering of goods or services to them or the monitoring of their behavior (such as through tracking and profiling activities on the internet).

Apart from GDPR, other Italian or EU-wide cyber-related regulations typically apply within the territorial confines of Italy or the EU, except in specific cases involving international cooperation against cybercrime or protecting critical infrastructures that span across borders.

Cybercrime and Cooperation:

  • Criminal Code: In the context of cybercrime in general, for the Criminal Code to apply, it is sufficient if at least part of the harmful action or event has occurred in Italy, regardless of where the criminal actor is located. The public prosecutor is responsible for the investigation, and in doing so will make use of judicial police officers who specialise in computer crimes.
  • Budapest Convention on Cybercrime: Italy, as a party to this international treaty, cooperates with other countries to combat cybercrime. This convention has provisions that have extraterritorial implications, as it facilitates cross-border cooperation and extradition between signatory states, helping in investigating and prosecuting cybercrime that has cross-national elements.

1.5 Do any bilateral or multilateral instruments related to cyber have effect in your jurisdiction?

Italy is a party to several bilateral and multilateral instruments that have significant implications for cyber-related activities within its jurisdiction. Here are some of the key instruments:

1) Council of Europe Convention on Cybercrime (Budapest Convention)

As mentioned, Italy is a signatory to the Budapest Convention, which is the first international treaty seeking to address Internet and computer crime by harmonizing national laws, improving investigative techniques, and increasing cooperation among nations. It provides the legal framework for the prevention, investigation, and prosecution of computer and network-based offenses, facilitating extradition and mutual assistance among signatory countries.

2) EU Directives and Regulations

As a member state of the European Union, various EU directives and regulations that have a direct impact on cybersecurity, cybercrime, and data protection apply in Italy. These include:

  • Regulation EU 2016/679 (General Data Protection Regulation - "GDPR").
  • Directive EU 2016/1148 (Directive on security of network and information systems – "NIS1 Directive"): Aims to raise national capabilities, improve cooperation, and establish security requirements for operators of essential services and digital service providers. As of 17 October 2024, the NIS1 Directive will be repealed by the Directive EU 2022/2555 ("NIS2 Directive").
  • Directive 2011/93/EU - Directive on combating the sexual abuse and sexual exploitation of children and child pornography. It harmonizes the definition of criminal offenses and sanctions in the area of cyber exploitation and abuse of children.
  • Directive 2013/40/EU - Directive on attacks against information systems (replacing the Framework Decision 2005/222/JHA). It focuses on illegal access to information systems, illegal system interference, and illegal data interference.
  • Regulation EU 2019/881 (Cybersecurity Act).
  • Regulation EU 2022/2554 on digital operational resilience for the financial sector ("DORA").

3) NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE)

Although not a formal treaty, Italy participates in cooperative efforts under NATO's CCDCOE, which involves collaborative defense and response to cyber threats against NATO members.

4) European Union Agency for Cybersecurity (ENISA)

Italy collaborates with ENISA, which assists EU Member States in implementing and maintaining high cybersecurity standards, providing expertise, and disseminating knowledge on cybersecurity.

1.6 What are the criminal penalties for cybercrime (eg, hacking, theft of trade secrets)?

In Italy, the criminal penalties for cybercrimes such as hacking and the theft of trade secrets are defined under specific provisions in the Italian Criminal Code and are complemented by specific laws that address the broader context of unauthorized access to computer systems and data breaches. An overview is provided below:

  1. Hacking
    1. Unauthorized Access to Computer Systems or Data (Article 615-ter of the Criminal Code):
      • This crime involves accessing a computer or electronic system without authorization, or against the will of those authorized to grant access.
      • Penalties: Imprisonment from six months to three years. If the perpetrator obtains information or data or installs equipment to intercept electronic communications, the penalty may be increased.
  2. Theft of Trade Secrets
    1. Dissemination of Information Derived from Information or Computer Systems and Installation of Equipment Designed to Intercept Electronic Communications (Article 617-quater of the Criminal Code):
      • This involves the unlawful dissemination, delivery, or publication of data, information, or programs contained in an information or telecommunication system.
      • Penalties: Imprisonment from one to four years. The penalties increase if the offense involves data or information processed or stored to provide or enhance a public or essential service.
    2. Dissemination of scientific or trade secrets (Article 623 of the Criminal Code)
      • This involves the dissemination or use of trade secrets and confidential information by a person who came to know them by reason of their office, profession or trade.
      • Penalties: imprisonment of up to two years.
  3. Phishing
    1. IT fraud (Article 640-ter of the Criminal Code)
      • This involves the commission of a fraud by stealing or using a third party's digital identity without authorisation.
      • Penalties: imprisonment from two to six years and a fine from €600 to €3,000.

Additional Considerations

  1. Aggravating Circumstances:
    • The penalties for both hacking and the theft of trade secrets can be aggravated by circumstances such as causing significant harm, targeting critical infrastructure, or using sophisticated methods.
    • If the actions lead to damage or destruction of the system, additional charges related to damage (Article 635 of the Criminal Code) can apply, which can result in higher penalties.
  2. Preventive Measures and Corporate Liability:
    • Italian law also includes provisions for preventive measures against entities that might be involved in such cyber activities. Companies can be held accountable for cybercrimes committed in their interest or to their advantage if they have not adequately supervised or controlled their systems or employees.

2 Enforcement

2.1 Which governmental entities are responsible for enforcing cyber statutes and regulations? What powers do they have? Can they impose civil and criminal penalties? On whom can penalties be imposed (eg, companies, directors, officers, employees)? Do those entities have extraterritorial reach, and if so what?

1) Key governmental entities and their powers

  1. National Cybersecurity Agency (Agenzia per la Cybersicurezza Nazionale - ACN)
    • Powers: The ACN coordinates national cybersecurity efforts, manages national cyber incident responses, and ensures the security of critical information infrastructure.
    • Penalties: While the ACN itself does not impose criminal penalties, it can enforce compliance through directives and cooperation with law enforcement agencies.
  2. Italian Data Protection Authority (Garante per la protezione dei dati personali)
    • Powers: This authority is responsible for ensuring compliance with data protection laws, particularly the GDPR. It can conduct audits, issue warnings, order compliance measures, and ban processing activities.
    • Penalties: Can impose administrative fines and penalties for violations of data protection laws, in particular under the GDPR.
  3. Postal and Communications Police (Polizia Postale e delle Comunicazioni)
    • Powers: Handles the investigation of cybercrimes and internet fraud.
    • Penalties: Can initiate criminal proceedings that lead to prosecution under the Italian Criminal Code. The penalties are imposed by competent judicial courts and can include imprisonment and/or fines.

2) Scope of penalties

  • Penalties can be imposed on individuals (such as directors, officers, employees) and on legal entities (companies). Under Italian law, companies can be held liable for crimes committed in their interest or to their advantage by their representatives.
  • The Italian Data Protection Authority can impose administrative sanctions. Criminal penalties are imposed by competent judicial courts.

3) Extraterritorial reach

  • Data Protection: as mentioned, the GDPR has significant extraterritorial reach. Therefore, the Italian Data Protection Authority may impose administrative fines or inhibitory provisions that might have extraterritorial effects, even indirectly.
  • Cybercrimes: the extraterritorial reach in terms of cybercrime is generally limited but can extend under international cooperation frameworks such as the Budapest Convention.

2.2 Do private parties have a right of action? If so, what type of relief or remedy is available? Is any relief or remedy available against individuals (eg, directors, officers, employees)?

1) Right of action relating to data protection

  1. Individual Claims Under GDPR: Individuals whose data protection rights have been violated can file complaints with the Italian Data Protection Authority (the Garante per la protezione dei dati personali).
  2. Civil Litigation: Private parties can seek compensation before a competent civil court if they suffer damages due to the unlawful processing of their personal data or non-compliance with data protection laws.

2) Right of action in cybersecurity violations

  1. Suits for breach of cybersecurity duties. If a company fails to adequately protect data as required by applicable cybersecurity regulations, and this failure leads to damages, affected parties can seek civil remedies before competent courts.
  2. Relief against individuals (directors, officers, employees):
    • Directors and officers: if there is evidence that directors or officers have failed in their duties to ensure compliance with cybersecurity and data protection laws, they can be held personally liable in civil courts. The affected parties can claim damages directly from these individuals, especially if their actions or inactions have directly led to the breach or damage.
    • Employees: similarly, if an employee's negligent or malicious actions result in a cybersecurity incident or data breach, they can also be sued personally.

3) Criminal Actions

While private parties cannot initiate criminal proceedings directly (this is the remit of public prosecutors), they can file a criminal complaint with law enforcement agencies, which can lead to an investigation and subsequent prosecution. In cases where the cybercrime involves personal damage, the affected individuals might also join the criminal proceedings as a civil party to claim for the compensation of damages.

4) Remedies Available

  • Compensatory damages. The most common form of relief sought in these cases is compensatory damages, intended to cover both actual financial losses and any emotional distress caused.
  • Injunctive relief. Courts, as well as the Data Protection Authority, may also grant injunctive relief to prevent further misuse or disclosure of data.
  • Restitution. In some cases, courts may order the restitution of data or the implementation of specific measures to restore data privacy and security to the status quo ante.

2.3 What defences are available to companies in response to governmental or private enforcement?

In response to governmental or private enforcement actions in Italy, companies have several defensive strategies available. These defenses are shaped by the interplay between Italian legal frameworks, European Union regulations, and specific standards such as the ISO/IEC 27002:2022, which deals with information security measures.

  1. Regulatory compliance. Demonstrating compliance with relevant regulations, such as the GDPR for data protection or the NIS Directive for network and information security, is a primary defense. Compliance can mitigate or negate claims of legal non-compliance.
  2. Adherence to standards. Companies can defend themselves by showing adherence to international and national standards, like ISO/IEC 27002:2022. This standard provides guidelines on organizational security standards and management practices that ensure data security, aiming to protect the confidentiality, integrity, and availability of information.
  3. Legal arguments. Defending against enforcement can also involve legal arguments that challenge the interpretation of laws or the appropriateness of the enforcement action. This might include questioning the legality of the action itself, the jurisdiction of the enforcing body, or the sufficiency of the evidence presented.
  4. Negotiation and settlement. In some cases, engaging in negotiations to reach a settlement before the matter escalates to court or a regulatory finding can be effective. This might involve agreeing to make certain operational changes or paying a settlement fee without admitting wrongdoing.
  5. Procedural defenses. These involve questioning the procedure followed by the enforcement agency. A company might argue that it was not given enough notice about the enforcement action, that the actions were disproportionate, or that there were errors in the legal or factual basis presented by the authorities.
  6. Implementation of corrective actions. When violations are identified, promptly taking corrective action can serve as a mitigating factor in reducing potential penalties. Demonstrating that the company has taken serious steps to rectify the issues can be used as part of the defense strategy.
  7. Technical and forensic evidence. Technical evidence can be used to demonstrate that the company has maintained appropriate security measures or that the alleged breaches did not occur as claimed by the enforcing agency.

3 Landmark matters

3.1 Have there been any landmark cyber enforcement actions or judicial decisions in your jurisdiction? If so, what were they?

In Italy, several landmark enforcement actions and judicial decisions have significantly impacted the landscape of cybersecurity and data protection. Here are a few notable examples:

1) Garante per la protezione dei dati personali (Italian Data Protection Authority) Enforcement on Cookies Usage (2021)

The Italian Data Protection Authority, often referred to as the Garante, has taken strict measures regarding the use of cookies by websites. In 2021, it fined several companies, including large multinational corporations, for violating cookies regulations. These companies were found to be non-compliant in obtaining prior consent from users before installing cookies, particularly those used for marketing purposes.

2) Enforcement action against Telecom Italia (2020)

Telecom Italia (TIM) was fined €27.8 million by the Garante for multiple GDPR violations over unsolicited marketing. The violations included excessive data retention periods and inadequate consent mechanisms for marketing communications. This case is significant as it showcases the Garante's readiness to impose substantial fines for data protection violations and stresses the need for companies to maintain robust consent management processes.

3) Judicial decisions on right to be forgotten

Italian courts have also contributed to shaping data protection practices through decisions on the "right to be forgotten". One such case, dated 2016, involved Google, where the Italian Supreme Court ruled that Google must take down information from its search engine upon a user's request if the information is outdated or otherwise irrelevant.

4) Data Breach Notification and Penalty (2018)

The Italian Garante imposed a fine on a company for failing to notify a data breach in a timely manner, as required by the GDPR. This enforcement action highlighted the critical importance of rapid response and transparency in the event of a data breach, as well as the potential legal consequences for failing to comply with notification obligations.

3.2 Have there been any pivotal cyber incidents or events (eg, major data breaches, major cyber-related legislative activity, major cyber-related innovation or technology development) in your jurisdiction?

Yes, Italy has experienced several pivotal cyber incidents and significant developments in cyber-related legislative activities and technology innovations. Some notable events and trends include:

1) Major data breaches

  1. Telecom Italia (TIM) Data Breach (2020). Telecom Italia, one of Italy's largest telecommunications providers, suffered a data breach affecting around 2.5 million customers. The breach exposed personal data including emails and phone numbers. This incident highlighted the vulnerabilities even in large, well-established networks and pushed for stronger regulatory scrutiny and data protection measures.
  2. Unicredit Bank Data Breach (2016-2017). Unicredit, one of the largest banks in Italy, reported that the data of approximately 400,000 customers was compromised over two separate incidents. The breached data included personal information and loan account details. This incident was significant in the financial sector and led to increased cybersecurity measures within the industry.

2) Major Cyber-Related Legislative Activity

  1. Implementation of the GDPR (Legislative Decree n. 101/2018): with this decree, the Italian Data Protection Code (Legislative Decree n. 196/2003) was amended to align it with the GDPR.
  2. National Cybersecurity Strategy Update: Italy has been updating its national cybersecurity strategy to address the evolving cyber threats. The strategy outlines the framework for protecting national critical infrastructures, improving the cybersecurity of public sector bodies, and enhancing the overall resilience of cyber spaces.

3) Major Cyber-Related Innovation or Technology Development

  1. Establishment of the National Cybersecurity Agency (2021): Italy established a new National Cybersecurity Agency tasked with defending national critical IT infrastructure from cyber attacks and managing cybersecurity threats. The agency is also involved in advancing cybersecurity technologies and capabilities.
  2. 5G network development and security: Italy has been actively involved in the development and deployment of 5G technology, which includes significant considerations for cybersecurity. The Italian government has taken steps to ensure the security of 5G networks, including stipulating conditions and requirements for suppliers and technology used in infrastructure.

4) Major Cyber-Related International Collaboration

  1. Participation in EU cybersecurity initiatives: Italy actively participates in European Union initiatives aimed at enhancing cybersecurity across the member states. This includes collaboration on network and information security, and participation in EU-wide cybersecurity exercises.
  2. Budapest Convention on Cybercrime: Italy's alignment with international standards such as the Budapest Convention has been pivotal in shaping its legislative and enforcement frameworks for combating cybercrime.

4 Proactive cyber compliance

4.1 Have any industry best practices or industry standards in proactive cyber compliance developed over time in your jurisdiction? If so, please briefly describe.

In Italy, several industry best practices and standards for proactive cyber compliance have evolved, influenced by both national legislation and international guidelines. Here's an overview:

  1. ISO/IEC 27001 and 27002: These are internationally recognized standards that provide a framework for information security management.
  2. General Data Protection Regulation (GDPR): Pursuant to the GDPR, organizations are required to implement technical and organizational measures to ensure data protection, from encryption to regular cybersecurity training for staff.
  3. Network Information Security (NIS) Directive and NIS2 Directive: The NIS Directive was the first piece of EU-wide legislation on cybersecurity, which Italy transposed into national law. It requires operators of essential services and digital service providers to take appropriate security measures and notify serious cyber incidents. The upcoming NIS2 Directive broadens the scope of sectors and increases the cybersecurity measures required.
  4. Italian Cybersecurity National Framework (CSNF): Developed by Italy's National Cybersecurity Agency (ACN), this framework provides guidance for public administrations and operators of essential services on managing cyber risks, aligning with international standards and providing a structured approach to cybersecurity.
  5. Digital Administration Code (CAD): This legislative framework governs the digitalization of the Italian public sector, including provisions for cybersecurity and data protection. It mandates the use of specific standards and protocols to secure public administration networks and systems.
  6. Bank of Italy's Provisions for Cybersecurity: The Bank of Italy has issued specific cybersecurity regulations for banks and financial institutions, focusing on the resilience of financial services against cyber threats. These provisions include requirements for incident reporting, risk assessment, and the implementation of adequate information security measures.
  7. Italian Data Protection Authority Guidelines: The Garante frequently issues guidelines and recommendations on various aspects of data protection, including measures for securing personal data against cyber risks.

4.2 Have any governmental entities issued voluntary guidance or similar documentation on the issue of proactive cyber compliance? If so, please briefly describe.

Yes, several governmental entities in Italy have issued voluntary guidance and documentation to aid organizations in achieving proactive cyber compliance. Here are a few key examples:

  1. Italian Data Protection Authority (Garante per la protezione dei dati personali): The Garante regularly publishes guidelines and recommendations related to the GDPR. These guidelines often cover aspects such as data breach notifications, data protection impact assessments, and the proper handling of personal data.
  2. Italian National Cybersecurity Agency (ACN): Established recently to strengthen Italy's cybersecurity infrastructure, the ACN issues various forms of guidance aimed at both public and private sector entities. This includes best practices for securing networks and information systems, risk management strategies, and compliance with national and European regulations. The ACN also coordinates with other national and EU bodies to ensure a unified approach to cybersecurity.

  3. Italian Digital Agency (AgID): AgID issues guidelines and frameworks to support the digital transformation of the public administration in Italy, including cybersecurity measures. AgID's guidance covers aspects such as the secure design and development of digital services, the use of public digital identities (SPID), and cloud computing services in compliance with national cybersecurity standards.

These documents are not legally binding but serve as a valuable resource for organizations looking to enhance their cybersecurity measures and ensure compliance with Italian and EU regulations. They typically outline both technical and administrative steps that organizations can take to mitigate risks and protect themselves against cyber threats.

4.3 What legal duties, if any, do corporate officers and directors have with respect to proactive cyber compliance? Under what circumstances might they be considered in breach?

In Italy, corporate officers and directors are subject to several legal duties regarding proactive cyber compliance, primarily rooted in the general principles of diligent and prudent management, as outlined in the Italian Civil Code. Specific regulations also define their responsibilities in the context of data protection and cybersecurity.

A) Legal Framework

1) Duties under corporate governance

Under the Italian Civil Code, directors and officers are required to act with the diligence of a good father of a family, a standard that is qualified by the nature of their professional role (diligence duty). For corporate governance, this includes the duty to implement and maintain adequate administrative and accounting systems, which can be interpreted to include the cybersecurity measures necessary to protect corporate data and assets. Furthermore, directors or officers may be held indirectly liable for failing to exercise their duty of vigilance over the persons or events subject to their supervision ('culpa in vigilando').

2) Data protection legislation (GDPR and national laws)

The GDPR mandates that organizations implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. This includes protecting personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.

Directors and officers must ensure that the company complies with the GDPR's principles, notably the principle of accountability, which holds them responsible for demonstrating compliance.

3) Legislative Decree 231/2001

This decree introduces the concept of administrative liability for entities (including corporations) due to certain offenses committed by directors or employees in the interest of or to the advantage of the company. With regard to cybersecurity, this could include crimes such as unauthorized access to computer systems or data breaches. Entities can mitigate liability by adopting and effectively implementing Organizational, Management, and Control Models that include cybersecurity measures.

B) Circumstances for Breach

Directors and officers might be considered in breach of their duties under circumstances such as:

  • failure to adequately assess risks;
  • neglecting to implement adequate cybersecurity measures;
  • inadequate response to cyber incidents;
  • non-compliance with legal obligations; and
  • lack of oversight of third-party service providers.

4.4 Are there special rules, regulations or guidance in the proactive cyber compliance area that apply to public (eg, exchange-listed) entities?

Public entities are subject to the same cybersecurity rules that apply to any other entity in the same operational field.

Furthermore, public entities that are considered operators of essential services (OESs) under the NIS1 Directive and the implementing Legislative Decree 65/2018 are bound by the provisions of these instruments on OESs. The list of OESs identified in Italy has been established by the Ministry of Economic Development. According to Legislative Decree 65/2018, OESs include entities in the following sectors:

  • energy;
  • transport;
  • banking;
  • financial markets and infrastructure;
  • health; and
  • drinking water supply and distribution.

As mentioned, as of 17 October 2024 the NIS1 Directive will be repealed by the NIS2 Directive.

If we consider 'public' in the traditional sense of government agencies/public administration bodies, Circular 2/2017 of the Agency for Digital Italy (AgID) should also be mentioned. This sets out minimum information and communications technology security measures for public administrations. These measures serve as a tool to evaluate and improve the cybersecurity of Italian public administrations.

From a strategic perspective, the Italian government has launched a Cloud Strategy aimed at incentivising Italian public administrations to adopt cloud computing solutions to store and protect their data. Within the framework of this strategy, on 15 December 2021 AgID adopted a regulation on:

  • the minimum levels of security, processing capacity, energy savings and reliability of digital infrastructure for public administrations;
  • the quality, security, performance, scalability and portability of cloud services for public administrations;
  • the modalities of migration; and
  • the modalities of qualification of cloud services for public administrations.

Moreover, it should be noted that the National Commission for Companies and the Stock Exchange (CONSOB) can issue regulations and guidelines including requirements for the management and reporting of financial and operational risks, which encompass cyber risks.

4.5 Is there scope for companies to share details of actual or potential cybersecurity threats, or other cyber-intelligence information, with industry or other stakeholders?

Yes, there is scope for companies in Italy to share details of actual or potential cybersecurity threats, as well as other cyber-intelligence information, with industry or other stakeholders. This sharing is considered a key component of proactive cybersecurity management and is encouraged under various frameworks and regulations.

In general, there are no statutory restrictions preventing companies from sharing details of actual or potential cybersecurity threats. However, companies should be cautious before disclosing any cyber-incidents, in order to avoid exposing their organisation to further exploitation of any vulnerabilities that are revealed.

Below are some examples of mechanisms and contexts that can facilitate such sharing:

  1. Italian National Cybersecurity Agency (ACN): ACN facilitates the exchange of information between government entities and critical infrastructure sectors. Companies can share and receive cyber-intelligence through this agency to improve their security posture.
  2. Computer Security Incident Response Teams (CSIRTs): Italy has sector-specific CSIRTs that serve as platforms for sharing information about cybersecurity incidents, vulnerabilities, and threats among stakeholders within particular sectors (e.g., banking, healthcare, utilities). These teams play a critical role in the national cybersecurity ecosystem by fostering a collaborative approach to incident management and response.
  3. Industry Associations and Informal Networks: Companies often participate in industry associations or informal networks where they can share cyber threat intelligence with peers. Such exchanges are typically governed by mutual agreements that respect confidentiality and the sensitive nature of the information shared.

For details of the mandatory notification requirements in case of cybersecurity incidents, please see question 5.

5 Cyber-incident response

5.1 In your jurisdiction, do certain types of cyber incidents (eg, data breaches, unauthorised destruction, data leakage) trigger mandatory or voluntary notification requirements? How are such incidents defined? Are notification requirements dependent on the type of information affected? If so, what types?

In Italy, the cyber-incident notification requirements are the following:

1) General Data Protection Regulation (GDPR)

The most common notification requirement is the data breach notification set out in Articles 33 and 34 of the General Data Protection Regulation (GDPR), which require a personal data breach to be notified:

  • to the supervisory authority if it entails a risk to the rights and freedoms of natural persons; and
  • to the data subjects if the risk qualifies as high.

Notification of a data breach under the GDPR is required only where personal data are involved.

2) NIS1 Directive

Article 12 of Legislative Decree 65/2018, implementing the NIS1 Directive, requires operators of essential services (OESs) to notify the Italian Computer Security Incident Response Team (CSIRT), part of the National Agency for Cybersecurity, without undue delay of security incidents with a relevant impact on the continuity of the services they provide.

Similarly, Article 14 of Legislative Decree 65/2018 requires providers of digital services (i.e., online marketplaces, online search engines and cloud computing services) to notify the CSIRT of security incidents with a relevant impact on the provision of their services.

As mentioned above, as of 17 October 2024 the NIS1 Directive will be repealed by the NIS2 Directive.

3) National Cybersecurity Perimeter

Specific obligations apply to entities included within the National Cybersecurity Perimeter under Law Decree 105/2019 and subsequent implementing decrees (see following question 5.2 for details).

5.2 What are the mandatory or voluntary cyber-incident notification requirements? For example, to whom must notification be sent (eg, individuals, regulators, public filings)? Is there a required form or format? What is the timeframe for notification? Is the organisation that suffered the cyber-incident obliged to provide services, compensation or specific information to individuals who were affected? What are the exceptions/safe harbours that would allow organisations to avoid or not make notifications (eg, no risk of harm; information accessed was encrypted)?

The notification requirements applicable in Italy, which apply in the cases referred to in the previous question, are listed below:

1) Notification requirements under the GDPR

  1. To whom the notification must be sent:
    • Supervisory authority: Data breaches shall be reported to the competent data protection authority (in Italy, the Garante per la protezione dei dati personali) unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
    • Individuals: If the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the affected individuals must also be notified.
  2. Required form or format:
    Notifications to the Garante must include the nature of the personal data breach, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned, among other details. Notifications shall be performed through a specific channel, and using a specific form, which are publicly accessible on the Garante's website.
  3. Timeframe for notification:
    The GDPR requires that data breaches be notified to the supervisory authority within 72 hours of the controller becoming aware of the breach.
  4. Obligations towards the affected individuals:
    • Organizations are required to communicate the personal data breach to the affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
    • The communication should describe in clear and plain language the nature of the personal data breach and recommendations for the individual concerned to mitigate potential adverse effects.
  5. Exceptions/Safe Harbours:
    • Notifications are not required if the breach (or security incident) is unlikely to result in a risk to the rights and freedoms of natural persons.
    • If it would involve disproportionate effort to inform each data subject directly, an alternative form of public communication or similar measure may be used.

2) Notification requirements under the NIS1 Directive

  1. To whom the notification must be sent:
    Notifications must be sent to the national CSIRT (Computer Security Incident Response Team), established within the National Agency for Cybersecurity.
  2. Required form or format:
    Notifications should provide enough information to assess the impact of the incident.
  3. Timeframe for notification:
    Notifications should be made without undue delay.
  4. Obligations towards the affected individuals:
    The NIS Directive focuses more on maintaining service continuity and integrity rather than on individual rights. However, affected entities might still need to communicate with stakeholders to manage service expectations and mitigate the impact.
  5. Exceptions/Safe Harbours:
    If the impact of the incident is minimal or has been effectively contained, notification may not be necessary.

3) Notification requirements under the National Cybersecurity Perimeter

Pursuant to Prime Ministerial Decree 81/2021, entities included in the Perimeter must notify the Italian CSIRT of incidents that have affected their information and communication technology (ICT) systems within six hours or one hour of becoming aware of them, depending on the level of gravity as classified pursuant to the decree.

Furthermore, pursuant to Article 1(3-bis) of Law Decree 105/2019, as amended, the same entities must notify CSIRT of incidents that have affected ICT systems that are outside the perimeter within 72 hours. In a decision of 3 January 2023, the National Cybersecurity Authority published the taxonomy of security incidents to which these obligations to notify apply.

5.3 What steps are companies legally required to take in response to cyber incidents?

In Italy, companies are legally required to follow specific steps in response to cyber incidents, particularly if they involve potential breaches of personal data or impact critical infrastructure. These requirements are primarily outlined under the General Data Protection Regulation (GDPR), Italian national laws, and the NIS1 Directive. Here are the key legal steps that companies must take:

  1. Incident detection and assessment: Companies need to have mechanisms in place to detect and assess the impact of cyber incidents promptly.
  2. Immediate containment and mitigation: Once a cyber incident is detected, companies must act swiftly to contain the breach and mitigate any potential damage. This includes deploying emergency procedures and technologies to isolate affected systems, prevent further unauthorized access, and secure data.
  3. Notifications to the authorities (or the data subjects): See question 5.2 above for details.
  4. Documentation: Companies are required to document any personal data breaches, regardless of whether they were notified to the supervisory authority or not. This documentation should include the facts relating to the breach, its effects, and the remedial actions taken.
  5. Review and update security measures: Post-incident, companies must review the effectiveness of their existing security measures and make necessary adjustments to address any identified vulnerabilities.
  6. Legal compliance and forensic investigation: Depending on the severity and nature of the incident, legal compliance might require conducting a forensic investigation to understand how the breach occurred and who was responsible. This can be crucial for future legal proceedings and for claiming insurance.
  7. Communication: Effective communication strategies must be employed to manage the situation both internally and externally. This includes informing stakeholders, managing public relations to control damage to reputation, and maintaining transparent communication with customers or clients.
  8. Ongoing monitoring and reporting: Following the initial response, continuous monitoring and reporting are essential to ensure the stability of the remediated systems and to detect any further anomalies or breaches.

5.4 What legal duties, if any, do corporate officers and directors have with respect to cyber-incident response? Under what circumstances might they be considered in breach?

In Italy, corporate officers and directors do not have specific legal duties or direct responsibilities relating to cyber incident responses. However, they have general obligations of diligence and to safeguard the assets and interests of the company. These duties are generally derived from corporate governance laws, data protection regulations, and cybersecurity requirements. Here's how these responsibilities are structured:

1) Duties of Corporate officers and directors

  • Duty of care and diligence: Corporate officers and directors are required to act with the care and diligence that can reasonably be expected given the nature of their duties and the company's interests. This includes implementing and maintaining adequate cybersecurity measures to protect company assets and data.
  • Compliance with laws: Directors are obliged to ensure that the company complies with all relevant laws and regulations, including those related to cybersecurity and data protection.
  • Cyber-incident response obligations: Directors must ensure that the company has effective systems and controls in place to detect, prevent, and respond to cyber threats. This includes regular risk assessments, employee training, and the establishment of incident response plans.

Following the occurrence of a cyber incident, directors are responsible for ensuring that the incident is managed properly in accordance with internal procedures and legal requirements.

2) Circumstances under which directors might be considered in breach

  • Negligence in cybersecurity oversight: If a cyber incident occurs and it is determined that the directors failed to implement adequate cybersecurity measures reflective of the known risks, they could be deemed responsible.
  • Failure to comply with notification requirements: Directors could be held liable if they fail to ensure that the mandatory notifications mentioned above are made.
  • Inadequate incident response: If an incident is not properly managed due to the absence of a response plan or the directors' failure to act during a cyber incident, this could be seen as a breach of their duties.

3) Legal Consequences

  • Civil liability: Directors can face civil liability for damages incurred by the company, its employees, shareholders or other parties harmed by their negligent actions or inactions.
  • Administrative and criminal sanctions: Depending on the nature of the cyber incident and the specific regulatory violations involved, directors might also be subject to administrative fines or criminal charges.

5.5 Do companies maintain cyber-incident insurance policies in your jurisdiction?

While not mandatory, it is increasingly common for companies in Italy to maintain cyber-incident insurance policies. The specific characteristics of a cybersecurity insurance policy depend on many factors, such as the size of the company and the economic sector in which it operates.

The key aspects of cyber-incident insurance in Italy are listed below:

1) Coverage scope:

  • Data breach costs: Insurance can cover the costs associated with the management of a data breach, such as legal fees, notification costs, and costs associated with managing the breach's impact on affected parties.
  • Business interruption: This covers losses due to business operations being disrupted by a cyber incident.
  • Extortion: Some policies cover the costs associated with cyber extortion, such as ransomware attacks.
  • Forensic support: Coverage for the costs of services to investigate a cyber incident, including the hiring of external experts.

2) Regulatory fines and penalties

  • Some aspects of cybersecurity-related fines might be covered under certain conditions, depending on the policy details and the nature of the violation.

3) Reputation damage

  • Some cyber-insurance policies offer coverage to mitigate damage to reputation following a cyber incident.

4) Legal requirements and recommendations

  • While not legally required, regulatory bodies and industry experts highly recommend that organizations operating in sectors vulnerable to cyber risks, such as finance, healthcare, and public services, obtain cyber-insurance to manage their risk exposure effectively.

5) Market trends

  • The Italian cyber-insurance market has been growing as companies become more aware of cyber risks.

6) Challenges

  • Despite the availability of cyber-insurance, small and medium-sized enterprises (SMEs) in Italy may face challenges in obtaining adequate coverage due to cost considerations or a lack of understanding of the risks and the insurance products available.

6 Trends and predictions

6.1 How would you describe the current cyber landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

The cyber landscape in Italy is characterized by a rapidly evolving threat environment and an increasing dependence on digital technologies across all sectors of the economy. This dependency has highlighted vulnerabilities, making robust cybersecurity measures and regulatory compliance key priorities for both private entities and public authorities.

Among the anticipated developments, the following can be mentioned:

1. Implementation of NIS2 Directive

The NIS2 Directive seeks to broaden the range of sectors classified as critical infrastructure and impose more stringent cybersecurity requirements. NIS2 expands the scope to include more digital services, such as social media platforms, and enhances the security and incident reporting obligations of essential and important entities. As mentioned, by 17 October 2024, Italy will need to transpose NIS2 into national law.

2. Introduction of DORA

The Digital Operational Resilience Act (DORA) is designed to ensure that all participants in the financial system have the necessary safeguards to mitigate cyber attacks and other risks. DORA will require financial entities, including banks, insurance companies, and investment firms, as well as their critical ICT third-party service providers, to ensure that they can withstand, respond to, and recover from all types of ICT-related disruptions and threats. This act will necessitate enhancements in digital operational resilience for many Italian financial institutions.

3. PNRR

Digitalization in both the private and public sectors is one of the central pillars of the Piano nazionale di ripresa e resilienza (PNRR), the national plan drawn up in 2021 within the framework of the EU Recovery Plan.

Among the goals of digitalisation pursued by the PNRR, there is a specific cybersecurity programme, for which the National Agency for Cybersecurity and the Department of the Digital Transition of the Presidency of the Council of Ministers are responsible.

Completion of the project is expected in 2024. The PNRR is part of the general National Cybersecurity Strategy, which aims to promote the adoption of 82 measures by 2026.

7 Tips and traps

7.1 What are the top three cyber-related problems or challenges that companies face in trying to secure their networks and data assets, and what are the best ways to address them?

1) Human factors

Human error remains one of the largest vulnerabilities in cybersecurity. This can include poor password management, falling prey to phishing attacks, or improper handling of sensitive data. Employees often inadvertently become the weakest link in the security chain.

Regular, engaging, and up-to-date training programs can significantly reduce risks associated with human error. These programs should educate employees on the importance of strong, unique passwords, recognizing phishing attempts, and safely handling personal and company data. Furthermore, conducting simulated phishing and other cyber attack exercises can prepare employees for real-world scenarios and teach them how to react appropriately.

2) Rapid technological changes

As technology evolves, so do cyber threats. Keeping up with both the latest security technologies and emerging threats (like ransomware or AI-driven attacks) can be challenging for any organization.

Ensuring that all systems are up to date with the latest security patches reduces the cyber threats that arise from technological change. Delays in updating systems can leave them vulnerable to known exploits.

Utilizing sophisticated cybersecurity solutions, including intrusion detection systems, advanced firewalls, and endpoint protection platforms, can help mitigate the risk of new and evolving threats.

Investments in new technologies, such as machine learning and artificial intelligence, can also enhance threat detection and response capabilities.

3) Regulatory Compliance

Compliance with a myriad of evolving local and international cybersecurity regulations and standards (e.g., GDPR, NIS Directive, ISO standards) can be complex and resource-intensive.

Developing a compliance strategy that aligns with a company's data handling practices and business goals helps it understand which regulations affect its business and the specific requirements of each.

The establishment of a dedicated team or the designation of a compliance officer, who should work closely with IT, legal, and other relevant departments, is crucial to oversee all regulatory requirements.

Conducting regular audits of cybersecurity practices and compliance measures helps in identifying gaps in compliance and areas for improvement.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.