CYBERSECURITY

Italy

Consulting editor
Ropes & Gray LLP
Lexology GTDT - Cybersecurity

Cybersecurity
Consulting editors
Edward R. McNicholas, Fran Faircloth
Ropes & Gray LLP

Quick reference guide enabling side-by-side comparison of local insights, including into the applicable
legal and regulatory framework; best practices, including information sharing and insurance;
enforcement, including relevant regulatory authorities, notification obligations, penalties, and avenues of
private redress; threat detection and reporting; and recent trends.

Generated 16 February 2022

The information contained in this report is indicative only. Law Business Research is not responsible for any actions (or lack thereof) taken as a result of
relying on or in any way using information contained in this report and in no event shall be liable for any damages resulting from reliance on or use of
this information. © Copyright 2006 - 2022 Law Business Research

© Copyright 2006 - 2021 Law Business Research www.lexology.com/gtdt 1/20

Lexology GTDT - Cybersecurity

Table of contents

LEGAL FRAMEWORK
Legislation
Scope and jurisdiction

BEST PRACTICE
Increased protection
Information sharing
Insurance

ENFORCEMENT
Regulation
Penalties

THREAT DETECTION AND REPORTING

Policies and procedures
Time frames
Reporting

UPDATE AND TRENDS

Key developments of the past year

© Copyright 2006 - 2021 Law Business Research www.lexology.com/gtdt 2/20

Lexology GTDT - Cybersecurity

Contributors

Italy
Paolo Balboni
paolo.balboni@ictlc.com
ICT Legal Consulting

Luca Bolognini
luca.bolognini@ictlc.com
ICT Legal Consulting

Valerio De Feo
valerio.defeo@ictlc.com
ICT Legal Consulting

Francesca Tugnoli
Francesca.Tugnoli@ictlc.com
ICT Legal Consulting

Francesco Capparelli
franceso.capparelli@ictlc.com
ICT Legal Consulting

© Copyright 2006 - 2021 Law Business Research www.lexology.com/gtdt 3/20

Lexology GTDT - Cybersecurity

LEGAL FRAMEWORK
Legislation
Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction
have dedicated cybersecurity laws?

In Italy, there are a number of regulations that guide the management of cybersecurity practices. Within the framework
of the regulations applicable in Italy, the following should be mentioned:

Regulation (EU) 2016/679 (General Data Protection Regulation or GDPR) and Legislative Decree 196/2003,
(Italian Personal Data Protection Code, dated 30 June 2003) regulate specific aspects of personal data protection
in Italy. This legislation contains a number of rules, including article 32 GDPR and other specific provisions
regarding the security measures to be applied for the processing of health-related personal data (article 2-septies
Personal Data Protection Code), which require data controllers to adopt technical and organisational measures to
protect personal data on the basis of the risks underlying the processing operations carried out. To be able to
demonstrate that technical measures to protect data have been adopted, data controllers are required to identify
and map possible IT risks and strengthen their cybersecurity resilience.
Legislative Decree 51/2018, dated 18 May 2018, which transposed Directive (EU) 2016/680 in Italy. This
legislative decree contains a series of requirements to regulate the adoption of security measures with respect to
the protection of data processed by law enforcement agencies in the context of judicial police activities.
Legislative Decree 231/2001, dated 08 June 2001, which concerns the criminal liability of companies and
constitutes an indirect safeguard for the implementation of cybersecurity measures, as it requires companies to
adopt protocols aimed at preventing the commission of computer crimes.
Decree-Law No. 105/2019, dated 21 September 2019, on the ‘National Cybersecurity Perimeter’, which dictates a
set of measures aimed at ensuring a high level of security of the networks, information systems and IT services
of public administrations, as well as national, public and private entities and operators, through the establishment
of a National Cybersecurity Perimeter and the provision of appropriate measures to ensure the necessary security
standards aimed at minimising risks while allowing for the most extensive use of the most advanced tools
offered by information and communication technologies. This Decree-Law has been followed by Prime
Ministerial Decree No. 131/2020, dated 30 July 2020, which establishes the criteria to identify operators subject
to the obligations of the National Cybersecurity Perimeter. To implement and regulate specific processes within
the established framework, Presidential Decree No. 54 of 5 February 2021 was issued. In particular, the
Presidential Decree identifies procedures and methods to be followed to mitigate supply chain attacks. The
purpose of the assessments, carried out by entities providing essential services for the state, identified pursuant
to Prime Ministerial Decree 131/2020 and the established National Evaluation Centre, is to identify and mitigate
risks arising from the supplier of the subjects. Entities included in the ‘perimeter’ are required to notify the
National Evaluation Centre of their intention to initiate procurement procedures in relation to ICT goods, systems
and services. Presidential Decree No. 54/2021 also includes the procedures and methods by which the
competent authorities carry out verification and inspection activities for the purpose of assessing compliance
with the obligations set forth in Decree-Law 105/2019. In conclusion, Presidential Decree No. 54/2021 also
provides for the issuance of a subsequent Prime Ministerial Decree which, following the directive criteria set out
in article 13 of the same Presidential Decree, would identify in detail the categories of ICT goods, systems and
services in relation to which the entities included in the perimeter will be required to make the notification to the
CVCN. To set up a series of controls to assess the compliance of the supplier, audits and risk assessment must
be carried out by the entities that fall under the perimeter.
Legislative Decree 65/2018, dated 18 May 2018, which transposed Directive EU 2016/1148 (NIS Directive),
providing guidance on risk management and the prevention, mitigation and notification of cyber incidents and

© Copyright 2006 - 2021 Law Business Research www.lexology.com/gtdt 4/20

Lexology GTDT - Cybersecurity

attacks.

With regard to the public sector, mention should be made of the Three-Year Plan for IT in Public Administration (2020–
2022), Chapter 6 of which is entirely dedicated to IT security.

Law stated - 31 January 2022

Which sectors of the economy are most affected by cybersecurity laws and regulations in your
jurisdiction?

Healthcare, banking and finance, together with sectors closely related to national security (defence, energy,
telecommunications, etc) are the most regulated sectors in Italy from a cybersecurity perspective.

However, the covid-19 pandemic has forced companies in almost all sectors to move to smart remote working. Due to
the nature of the emergency situation, however, in many cases adequate technical checks were not carried out to
ensure that IT security was sufficiently taken into consideration. On the contrary, the forced and impromptu use of
previously less-used tools and ways of working has created new opportunities for cyber criminals who, thanks to the
vulnerabilities inherent in the new tools, have multiplied their attacks over the past year, which is why many companies
in all sectors are making significant investments in IT security.

Law stated - 31 January 2022

Has your jurisdiction adopted any international standards related to cybersecurity?

In 2015, the National Cybersecurity Framework was presented, the result of collaboration between academia, public
bodies and private companies. The Framework, inspired by the Cybersecurity Framework devised by the National
Institute of Standards and Technology, provides an operational tool for organising cybersecurity processes suitable for
public and private organisations of all sizes. With the entry into force of EU Regulation 679/2016 and the change in
approach it has brought about, a new version of the National Framework for Cybersecurity and Data Protection has
been introduced, a tool to support organisations that need strategies and processes aimed at personal data protection
and cybersecurity.

Through the Italian standards agency (Ente Italiano di Normazione), Italy has adhered to the most important ISO
international security standards.

In addition, the Agency for Digital Italy (AgID) has accredited CSA STAR certification as the only alternative to ISO
27001 certification (integrated with ISO 27017 and 27018) to certify the security of software as a service cloud
services for the Italian Public Administration.

Law stated - 31 January 2022

What are the obligations of responsible personnel and directors to keep informed about the
adequacy of the organisation’s protection of networks and data, and how may they be held
responsible for inadequate cybersecurity?

A company may be liable both for failure to adopt adequate safeguards and for lack of controls. This may have an
impact from an administrative point of view, as the Italian Data Protection Authority (DPA) may impose a fine on the
company that has failed to adopt adequate security measures, and from a criminal point of view deriving from the

© Copyright 2006 - 2021 Law Business Research www.lexology.com/gtdt 5/20

Lexology GTDT - Cybersecurity

failure to adopt suitable protocols to prevent the commission of computer crimes.

In the latter case, the liability of the responsible personnel and directors in the case of inadequate cybersecurity may be
recognised in the new criminal offence introduced by article 24-bis ‘Computer crimes and unlawful data processing’ of
Legislative Decree No. 231/2001.

The introduction of computer crimes and unlawful data processing in the list of offences set out in Italian Legislative
Decree No. 231/2001 makes it necessary to carry out an analysis in relation to the relevant risks associated with the
company’s operations. At the same time, it will be fundamental to identify the necessary safeguards and assess any
actions required for the appropriate updating of the Organisation and Management Model pursuant to the
aforementioned legislative decree.

In addition to forms of liability of the entity, however, there is also the liability of the individual employee who has acted
in breach of the rules of the company’s code of ethics and organisational and management model, which may lead to
the imposition of disciplinary sanctions provided for therein.

The proactive and risk-based approach also requires the provision of training plans that are suitable for disseminating
the measures adopted within the corporate structure.

Law stated - 31 January 2022

How does your jurisdiction define cybersecurity and cybercrime?

Article 3 of Legislative Decree 65/2018 defines cybersecurity, or ‘network and information system security’ as the
ability of a network and information systems to withstand, at a given level of confidentiality, any action that
compromises the authenticity, integrity or confidentiality of data stored or transmitted or processed and of the related
services offered or accessible through such network or information systems.

Cybercrimes are defined as any crime committed with an information system, enlisted under the provision of articles
615-ter to 615-quinquies, 635-bis to 635-quinquies, 640-ter and 491-bis et seq of the Italian Criminal Code.

Data Privacy is to be intended as the protection of natural persons in relation to the processing of personal data and is
a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the Charter) and article
16(1) of the Treaty on the Functioning of the European Union provide that everyone has the right to the protection of
personal data concerning him or her. Cybersecurity is an integral part of the protection of personal data, but it also
extends to information that is not related to an identified or identifiable natural person.

In any case, personal data privacy, cybersecurity and criminal provisions are strictly interconnected. Only if a company
has an adequate system of security measures can it prevent cybercrimes. In Italy, the same conducts that are punished
as cybercrimes could result in a liability for the companies themselves if they are committed to the advantage of the
legal entities (as provided for in Legislative Decree 231/2001).

Law stated - 31 January 2022

What are the minimum protective measures that organisations must implement to protect data
and information technology systems from cyberthreats?

While the Italian legislator adopted the risk-based approach as provided for in article 32 of the GDPR regarding
personal data security, specific provisions are included within the Italian Personal Data Protection Code. Further
provisions regarding special categories of personal data are also found in the guidelines of the Italian DPA. However,
the actual definition of security measures to be implemented is contained in old provisions of the relevant legislation,
which need to be updated, or is delegated to future sectorial regulation yet to be issued.

© Copyright 2006 - 2021 Law Business Research www.lexology.com/gtdt 6/20

Lexology GTDT - Cybersecurity

The same approach may be found in Legislative Decree 65/2018, in particular in article 14 where criteria to assess the
security measures to be applied are included. However, the evaluation of the precise security measures adopted is left
to the discretion of the specific operator.

Law stated - 31 January 2022

Scope and jurisdiction

Does your jurisdiction have any laws or regulations that specifically address cyberthreats to
intellectual property?

The legal framework of cyberthreats to intellectual property (IP) can be broadly differentiated between:

legal provisions that discipline the protection of IP assets that were originally conceived in an offline scenario, in
whose context cyberthreats to intellectual property represent a new technological way to carry out an attack on
third-party IP owners and assets; and
legal provisions that identify specific cyberthreat conduct as an administrative or criminal offence, that may also
eventually (yet not necessarily) result in a violation of third-party IP rights.

Among the first group it is possible to include, inter alia:

Legislative Decree No. 30/2005, dated 10 February 2005, (Italian Code of Industrial Property); just by way of
example, cyberthreats might result in the illegal gathering, use or disclosure of confidential information of a
competitor (articles 98–100); likewise, the disclosure is not to be taken into account in determining the novelty of
a design or a patent if it occurred due to an abuse to the prejudice of the applicant (eg, by means of a
cyberthreat) (articles 34 and 47);
provisions on intellectual property rights set forth in the Italian Civil Code (articles 2569 to 2594);
specific provisions of the Italian Criminal Code that identify criminal offences pertaining to intellectual property
assets (eg, disclosure of trade secrets or scientific inventions, known by reason of office (article 623); unlawful
use of third-party trademarks, marketing of counterfeit products (articles 473, 474 and 517-ter); and
Law No. 633/1941, dated 22 April 1941, (the Italian Copyright Law), to the extent an unlawful exploitation of
copyrightable works of a third party is committed by means of a cyberthreat; and the Italian Communications
Regulatory Authority Regulation dated 31 March 2014 on the protection of online intellectual property pursuant to
Legislative Decree No. 70/2003, dated 09 April 2003.

On the other hand, the Italian legal framework also identifies provisions that identify certain cyberthreats as an
administrative or criminal offence, that might also eventually (yet not necessarily) amount to or otherwise be aimed at
perpetrating a violation of third-party IP rights. Reference can be made in particular to:

Provisions of the Italian Criminal Code, such as unlawful access to computer systems (article 615-ter); detention,
disclosure or dissemination of keywords, access codes or any other means to access a protected computer or
telematic system, or providing any assistance in support thereof (article 615-quater); unlawful possession or
distribution of access codes to IT systems (article 615-quater); distribution, offering or sale of devices or
software tools having the purpose of damaging computer, telematic system, information, data or software
programs contained therein (article 615-quinquies); unlawful interception and destruction of communications
articles 616 and 617); damage to information, data, software programs or IT systems of a third party (articles 635-
bis to 635-quinquies); computer fraud (article 640-ter).

© Copyright 2006 - 2021 Law Business Research www.lexology.com/gtdt 7/20

Lexology GTDT - Cybersecurity

On 29 November 2021, Legislative Decree No. 184/2021 introduced into the Criminal Code the new crimes under
article 493-ter (undue use and falsification of non-cash payment instruments) and article 493-quater –(possession and
diffusion of equipment, devices or computer programs aimed at committing offences regarding payment instruments
other than cash), and a new aggravating circumstance to computer fraud as per article 640-ter penal code, in the case
that alteration of the computer system determines a transfer of money, monetary value or virtual currency. Some of
these new crimes have become relevant also under Legislative Decree No. 231/2001.

Provisions of the Italian Copyright Law that prohibit conducts, including cyberthreats, perpetrated either to
bypass the technical protection measures implemented by a legitimate right holder to prevent access by
unauthorised users to copyrighted works (even if no explicit mention is made to cyberthreats: eg, articles 102-
quater and 102-quinquies), or violate the scope of copyright exceptions and limitations (eg, illustration for
teaching, public security, etc: articles 70 and the following of Italian Copyright law). Some of the aforementioned
conduct constitutes a criminal offence, such as the importation, distribution or sale of computer programs or any
means, the sole intended purpose of which is to allow or to facilitate the unauthorised removal or circumvention
of any technical device applied to protect a computer program (article 171-bis); the broadcast, by whatever
means, of ‘an encrypted service received by means of devices or parts of devices capable to decode the
conditioned-access transmissions’ (article 171-ter, paragraph 1, let. e); the distribution, sale or set-up of special
devices or decoding elements that allow to have access to an encrypted service without paying the due
subscription fee (let. f); the production, import, distribution or sale of products or services whose main purpose is
to circumvent any effective technological measures, or which are primarily designed or performed for enabling or
facilitating any such circumvention (let. f-bis); unlawful removal or altering of the electronic rights-management
information under article 102-quinquies, or distribution of protected works or other subject matter whose
electronic information has been removed or altered (let. h).

Cybercrimes that affect intellectual property rights, where performed by the representatives of organisations or
subjects under the latter’s authority, are also relevant for the purposes of Legislative Decree No. 231/2001 on corporate
criminal liability, if and to the extent the relevant criminal offences were committed either in the company’s interest or
for the company’s benefit, while no corporate liability occurs where directors, managers or individuals subject to
direction and coordination of the former acted exclusively in their own (or a third party’s) interest.

Law stated - 31 January 2022

Does your jurisdiction have any laws or regulations that specifically address cyberthreats to
critical infrastructure or specific sectors?

Prime Ministerial Decree No. 131/2020, implementing Decree-Law No. 105/2019 concerning the National Cyber
Security Perimeter, entered into force on 5 November 2020, thus laying the first concrete foundations of the Italian
National Cyber Security Perimeter.

Entities that are included in the Perimeter must carry out important tasks, such as updating the list of ICT assets
annually; carrying out risk analyses to identify the risk factors of incidents; managing and implementing necessary
security measures; indicating the ICT assets it needs; and the related risk analysis to ensure the integrity, efficiency and
security of the data and information they contain. In addition, obstructing or conditioning the inspection and verification
activities carried out within the Perimeter may lead to criminal liability.

Legislative Decree 65/2018 transposed Directive EU 2016/1148 (NIS Directive), providing guidance on risk
management and the prevention, mitigation and notification of cyber incidents and attacks.

© Copyright 2006 - 2021 Law Business Research www.lexology.com/gtdt 8/20

Lexology GTDT - Cybersecurity

Law stated - 31 January 2022

Does your jurisdiction have any cybersecurity laws or regulations that specifically restrict sharing
of cyberthreat information?

The Italian Criminal Code and Personal Data Protection Code contain provisions aimed at preventing the dissemination
of confidential information. In fact, article 615-ter et seq of the Criminal Code contains provisions on computer
offences in relation to a series of criminal offences committed by means of computer systems, such as abusive
access to a computer system; the dissemination of equipment, devices or computer programs intended to damage or
interrupt a computer or telecommunications system; computer fraud; and other offences in the illicit use of payment
instruments.

Specific provisions of the Italian Criminal Code that identify criminal offences pertaining to intellectual property assets
may also come into play.

With reference to the criminal law on privacy, the incriminating provisions are contained in the Italian Personal Data
Protection Code. In particular, the entire second Chapter of the third Title of the Personal Data Protection Code is
dedicated to criminal offences, such as the unlawful communication and dissemination of personal data subject to
large-scale processing or the communication of a personal data database (or a substantial part of it) of personal data
subject to large-scale processing without consent, when consent is required for the data processing activity.

Law stated - 31 January 2022

What are the principal cyberactivities that are criminalised by the law of your jurisdiction?

The principal crimes punished in the Italian Criminal Code concern abusive access to the computer system (under the
provision of article 615-ter), damage to computer systems (articles 635-bis and 635-quarter) and computer fraud
(article 640-ter), also when committed with the alteration of the computer system that determines a transfer of money,
monetary value or virtual currency. Under these provisions, the most important forms of cybercrimes that can be
committed by company employees or by cybercriminals are criminalised, such as unauthorised access to an
employee’s email account, phishing or ransomware. The illicit use of payment instruments that could be the result of
phishing activities and ransomware viruses is punished.

Additionally, article 24-bis ‘Computer crimes and unlawful data processing’ of Legislative Decree 231/2001 punishes
companies where the same criminal conduct indicated above has been committed in the interest of and to the
advantage of the company.

Law stated - 31 January 2022

How has your jurisdiction addressed information security challenges associated with cloud
computing?

No specific rules have yet been issued in Italy for the private sector. In any case, ISO 27017 and 27018 contain precise
security controls to be followed by those offering cloud services and to ensure that both customer and supplier data
are processed in a safe and secure environment.

For the public sector, the AgID has accredited CSA STAR certification as the only alternative to ISO 27001 certification
(integrated with ISO 27017 and 27018) to certify the security of SaaS cloud services for the Italian Public
Administration. Moreover, the three-year plan for IT in public administration for 2020–2022 expressly mentions the use

© Copyright 2006 - 2021 Law Business Research www.lexology.com/gtdt 9/20

Lexology GTDT - Cybersecurity

of cloud systems.

To date, therefore, apart from the above indications, no specific requirements have been issued to operators offering
cloud services.

Law stated - 31 January 2022

How do your jurisdiction’s cybersecurity laws affect foreign organisations doing business in your
jurisdiction? Are the regulatory obligations the same for foreign organisations?

Italian cybersecurity laws do not provide any specific distinctions for foreign organisations.

Any company that does business in Italy falls within the applicability of the cybersecurity legislation mentioned in this
chapter and shall comply with the same obligations as Italian companies. Regulatory obligations are generally aligned
with European legislation and international standards; however, foreign organisations must be aware of and also
comply with the specific national requirements.

Law stated - 31 January 2022

BEST PRACTICE
Increased protection
Do the authorities recommend additional cybersecurity protections beyond what is mandated by
law?

The Cyber Security Framework introduces a series of useful controls depending on the type of business (small or
medium-sized enterprise). In addition, since July 2019, as required by the Network and Information Security (NIS)
Directive and Legislative Decree 65/2018, Italy has added a new instrument for national cybersecurity, the guidelines on
risk management and the prevention, mitigation and notification of cyber incidents and attacks, which have been
shared with the operators of essential services. Moreover, the Agency for Digital Italy (AgID) has accredited CSA STAR
certification as the only alternative to ISO 27001 certification (integrated with ISO 27017 and 27018) to certify the
security of software as a service cloud services for the Italian Public Administration.

Law stated - 31 January 2022

How does the government incentivise organisations to improve their cybersecurity?

Transition 4.0 (formerly Industry 4.0) is the national plan that provides for a series of facilities to help the Italian
entrepreneurial system face the challenge of the fourth industrial revolution.

A further strengthening of the Transition 4.0 plan has also been provided for in the Budget Law 2021 It includes
measures to develop cybersecurity. The  Transition 4.0  three-year plan provides for:

the replacement of the former hyper-depreciation in tax credit for 4.0 assets; and
the replacement of the former super-depreciation into a tax credit for tangible capital goods, with an increase in
the rate from 6 to 10 per cent. In the case of assets useful for smart working, the rate will increase to 15 per cent,
at least for the first year.

In addition, some further incentives have been provided, such as:

© Copyright 2006 - 2021 Law Business Research www.lexology.com/gtdt 10/20

Lexology GTDT - Cybersecurity

a ‘Call for proposals’ by the MADE Competence Center to finance projects of innovation, industrial research and
experimental development on the themes of Industry 4.0;
a notice by MISE ‘Digital Transformation’ to support the technological and digital transformation of the
production processes of SMEs through the realisation of projects directed to the implementation of the enabling
technologies identified in the National Plan Impresa 4.0 as well as other technologies related to digital
technological solutions of the chain; and
from Simest (a mostly state-owned company):
financing for digital and ecological transition for SMEs with an international focus. Thanks to PNRR (the Piano
Nazionale di Ripresa e Resilienza, the plan prepared by Italy to relaunch its economy after the covid-19
pandemic to permit the green and digital development of the country) funds, Simest has launched a new
financing tool for SMEs for the realisation of investments aimed at favouring the digital (at least 50 per cent of
the financing) and ecological transition of SMEs and strengthening their competitiveness in foreign markets;
and
financing for e-commerce abroad. Thanks to PNRR funds, Simest supports the realisation of digital investment
projects of SMEs for the creation or improvement of a proprietary e-commerce platform (dedicated) or access
to a third-party platform (marketplace) for the marketing of goods or services produced in Italy or with an
Italian brand; and
a call for Temporary Export Management: digital vouchers for the internationalisation of manufacturing
companies.

Law stated - 31 January 2022

Identify and outline the main industry standards and codes of practice promoting cybersecurity.
Where can these be accessed?

AgID is responsible for implementing the objectives of the Italian Digital Agenda, in accordance with the guidelines laid
down by the President of the Council of Ministers or the Minister delegated to him or her, and with the European Digital
Agenda. In particular, AgID promotes digital innovation in the country and the use of digital technologies in the
organisation of the public administration and in the relationship between the latter and citizens and businesses, in
compliance with the principles of legality, impartiality and transparency and according to criteria of efficiency, cost-
effectiveness and effectiveness.

It collaborates with the institutions of the European Union and carries out the tasks necessary for the fulfilment of the
international obligations assumed by the state in the matters for which it is responsible. AgID set out a series of
obligations to promote cybersecurity in the Public Administration such as the Minimum ICT security measures , which
are a practical reference for assessing and improving the level of IT security of administrations to combat the most
frequent IT threats. Depending on the complexity of the information system to which they refer and the organisational
reality of the Administration, the minimum measures can be implemented in a gradual manner following three levels of
implementation.

Law stated - 31 January 2022

Are there generally recommended best practices and procedures for responding to breaches?

The most suitable standard in information security to deal with a cybersecurity incident is ISO/IEC 27035:2016. From a
risk perspective, this standard should be only a model for the organisation to start its compliance process.

Furthermore, the indications coming from the Data Protection Authority (DPA) (many of which are collected on this
page ) constitute an important guide and indication for the correct management of security incidents.

© Copyright 2006 - 2021 Law Business Research www.lexology.com/gtdt 11/20

Lexology GTDT - Cybersecurity

Law stated - 31 January 2022

Information sharing
Describe practices and procedures for voluntary sharing of information about cyberthreats in
your jurisdiction. Are there any legal or policy incentives?

Article 18 of Legislative Decree 65/2018 encompasses the conceptual core of the regulatory framework. As the
purpose of the NIS directive is to foster the resilience of the European information system, the basis of this resilience
can only be identified in the necessary information sharing that allows a multi-sectoral and proactive approach to
cybersecurity issues, creating a climate of cooperation and unity.

The provision in article 18 of Legislative Decree 65/2018 provides that those who have not been identified as operators
of essential services and are not providers of digital services may equally voluntarily notify any incidents that have
occurred that have generated a significant impact on the continuity of the services they provide. An organisation that
has IT systems and infrastructure similar to those of an essential service operator or a digital service provider, by
notifying incidents, will allow the competent NIS authorities and the Italian Computer Security Incident Response Team
(CSIRT) to take preventive action to avoid incidents that could compromise the continuity of services considered of
fundamental importance to citizens. Voluntary notification is, therefore, not an instrument of self-reporting but intended
to prevent the possibility that known vulnerabilities on the European territory are exploited to the detriment of the
essential and digital services within the Union.

In addition, the Whistleblowing Directive (1937/2019), which must be transposed in Italy by 17 December 2021,
provides for the companies with more than 50 employers to create a system dedicated to the reporting of facts
committed by a company in violation of EU law (ie, for all areas of EU competence). People who make such reports are
granted some forms of protection. In addition, the EU member states should provide a ‘public’ channel to allow
reporting if the internal channels are not available or are unsuitable.

Law stated - 31 January 2022

How do the government and private sector cooperate to develop cybersecurity standards and
procedures?

The first of the implementing regulations of Decree-Law No. 105/2019, concerning the National Cybersecurity
Perimeter, Prime Ministerial Decree No. 131/2020, provides for the establishment of an inter-ministerial platform, in
which representatives of public and private entities and operators may be called upon to offer their expertise.

In addition, Legislative Decree 65/2018 established the CSIRT, whose operation is regulated by the Prime Ministerial
Decree of 8 August 2019 . The CSIRT, in addition to intervening in the event of cyber incidents and monitoring their
frequency at the national level, promotes the adoption and use of common or standardised practices in the areas of
incident and risk-handling procedures and incident, risk and information classification systems.

Law stated - 31 January 2022

Insurance
Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance
common?

Yes, there are insurance policies that cover cybersecurity breaches, and they are usually included in the broader

© Copyright 2006 - 2021 Law Business Research www.lexology.com/gtdt 12/20

Lexology GTDT - Cybersecurity

coverage related to personal data protection. Typically, policies cover various risks such as those related to cyber-
attacks or failures (including malware, cybercrime, unauthorised data dissemination and unauthorised data operations)
that can also result in data breaches (ie, loss of control of personal data). They also cover cybersecurity and losses
resulting from events such as cyber terrorism and cyber-attacks, including abusive access to computer systems, but
also human error (operational or in IT management) of employees. Moreover, they cover service interruptions and
access interruptions (including due to internet outages). The coverage typically offers the cost of restoring computer
systems and compensates for the direct economic loss resulting from business interruption due to flaws in computer
security and arising from malicious use of or access by third parties to the computer systems. Policies usually require
a careful risk assessment before calibrating the cost of coverage. More widespread use of these policies has been
seen with the entry into force of the General Data Protection Regulation, which imposes very high fines, allows for
damage recovery (eg, when caused by lack of data security) and, more specifically, in article 32 requires the adoption of
adequate security measures to protect personal data. In fact, risk coverage is often subject to the policyholder
maintaining the security measures required by the data protection regulations.

Law stated - 31 January 2022

ENFORCEMENT
Regulation
Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?

As far as the designation of competent authorities for the implementation and supervision of the Network and
Information Security (NIS) Directive legislation is concerned, the institutional model chosen by the Italian government
is highly decentralised. In fact, five ministries are designated as ‘competent NIS authorities’: Economic Development;
Infrastructure and Transport; Economy and Finance; Health and Environment; and Land and Sea Protection. Each
ministry is responsible for one or more sectors falling within its areas of competence, as well as, for certain limited
areas, the Italian regions and autonomous provinces.

The main Italian authority in charge of the prosecution of cybercrimes is the Prosecutor’s Office, assisted by the police
and in particular the Postal Police.

Law stated - 31 January 2022

Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute
infringements.

The Italian Department of Security Intelligence (DIS) is designated as the single point of contact under article 8(3) of
the NIS Directive. The DIS is, therefore, responsible for liaising with the EU and coordinating with cybersecurity
authorities in other member states.

Legislative Decree 65/2018 has also provided for the establishment at the Presidency of the Council of Ministers of a
single Computer Security Incident Response Team, called the Italian Computer Security Incident Response Team
(CSIRT), to perform tasks related to the prevention of and response to computer incidents, carried out in cooperation
with other European CSIRTs.

The CSIRT offers a number of services in response to reports received. These include:

alerts and warnings

incident management and analysis; and
vulnerability management;

© Copyright 2006 - 2021 Law Business Research www.lexology.com/gtdt 13/20

Lexology GTDT - Cybersecurity

review and assessment of security levels;

configuration and maintenance of security;
development of security tools; and
dissemination of security-related information; and
risk analysis;
support for business continuity and disaster recovery activities; and
awareness raising and training.

The Italian Data Protection Authority (DPA) through the Special Unit for the Protection of Privacy and Technological
Fraud of the financial police, has the power to investigate compliance with data protection law. For example, it may be
verified if the company has adopted adequate measures to prevent risks to the rights of individual, pursuant to article
32 General Data Protection Regulation (GDPR).

The Italian Personal Data Protection Code has also introduced a new form of cooperation between the Judicial
Authority and the Italian DPA. Therefore, in the context of the respective activities of investigation it is possible that,
where relevant facts emerge on the criminal side or on the privacy side, the file is immediately transmitted to the
competent authority.

Law stated - 31 January 2022

What are the most common enforcement issues and how have regulators and the private sector
addressed them?

At present, cybersecurity enforcement in Italy is mainly conducted by the Italian DPA, as the approval of dedicated
cybersecurity laws is still relatively recent.

The Italian DPA has issued a number of notable fines for data breach violations. Among them, a fine of €600,000 has
been issued to one of the leading Italian banks following a complex investigation into a data breach caused by abusive
access to the personal data of over 700,000 customers. The Italian DPA determined the failure of the bank to adopt
adequate technical and organisational measures.

Another example is the €27.8 million fine for one of the leading national telecommunication operators for several
instances of unlawful data processing in relation to marketing activities that affected millions of data subjects. In this
case, the DPA found that there was also a breach of the provisions that aim to guarantee the integrity and
confidentiality of systems by way of suitable technical and organisational measures.

Law stated - 31 January 2022

What regulatory notification obligations do businesses have following a cybersecurity breach?

Must data subjects be notified?

The provisions of article 33 GDPR are also taken into account, where applicable, by article 13 Legislative Decree
65/2018, which outlines a framework for cooperation between the competent NIS authority and the Italian DPA in the
event of security incidents that also include personal data breaches. This measure would, therefore, entail a double
notification if a security incident results in a personal data breach. The operator is called upon to notify the DPA under
article 33 GDPR and the competent NIS authority under articles 12 and 14 of Legislative Decree 65/2018.

Regarding data subjects, the notification of a data breach is regulated under article 34 GDPR. The Italian DPA recently
released a self-assessment tool on its website to help controllers and processors evaluate the necessity to notify the

© Copyright 2006 - 2021 Law Business Research www.lexology.com/gtdt 14/20

Lexology GTDT - Cybersecurity

breach to the DPA and to data subjects.

Law stated - 31 January 2022

Penalties
What penalties may be imposed for failure to comply with regulations aimed at preventing
cybersecurity breaches?

In the transposition of article 21 of the NIS Directive in Italian legislation, it should be noted that penalties of a criminal
nature have been excluded from the list of penalties that may be imposed. Article 21 does not distinguish between the
types of penalties that may be imposed, allowing member states a wide margin of discretion in that regard.

Furthermore, pursuant to article 15 Legislative Decree 65/2018, sanctions may be applied, at least for digital service
providers, only after the demonstration of non-compliance, since only in the event of this condition will the NIS
competent authorities be able to activate their verification powers.

Article 21 of Legislative Decree 65/2018 lists the sanctions that can be imposed by prioritising their commensuration
subject to the occurrence of various circumstances. The administrative fines, ranging from €12,000 to €150,000, are
provided for operators of essential services where they fail to adopt adequate and proportionate technical and
organisational measures, to notify to the Italian CSIRT of incidents having ‘a significant impact on the continuity of the
essential services provided’ or to comply with the instructions issued by the competent authority.

Moreover, if the breach is caused by a computer crime committed in the interest and to the advantage of the entity and
this is due to the lack of adequate security measures, this may entail, in addition to the administrative sanctions
referred to above, criminal liability under article 24-bis of Legislative Decree No. 231/2001.

Lastly, article 83 GDPR provides the administrative fines for non-compliance with article 32 GDPR regarding the
application of the security measures to the processing of personal data.

Law stated - 31 January 2022

What penalties may be imposed for failure to comply with the rules on reporting threats and
breaches?

Article 21 of Legislative Decree 65/2018, and specifically paragraphs 3, 6, 7, regulates in the case of a failure to notify
by an essential service operator or a digital service provider.

Paragraph 3 punishes the failure to notify the Italian CSIRT of incidents having a significant impact on the
continuity of the essential services provided. The penalty is a pecuniary administrative sanction ranging from
€25,000 to €125,000.
Paragraphs 6 punishes the failure by a digital service provider to notify an incident to the CSIRT with a fine
ranging from €25,000 to €125,000.
Paragraph 7 regards the lack of notification of incidents that affected third parties that provides the operator of
essential services with the digital services necessary for the provision of a service that is indispensable for the
maintenance of fundamental economic and social activities. The sanction in this case is an administrative fine
ranging from €12,000 to €120,000.

Moreover, although not strictly determined by the mere presence of a data breach, when the data breach is determined
by a computer crime committed in the interests and to the advantage of the entity and this is due to the lack of

© Copyright 2006 - 2021 Law Business Research www.lexology.com/gtdt 15/20

Lexology GTDT - Cybersecurity

adequate security measures, this may entail not only the administrative sanctions mentioned above, but also criminal
liability under article 24-bis of Legislative Decree No. 231/2001.

Law stated - 31 January 2022

How can parties seek private redress for unauthorised cyberactivity or failure to adequately
protect systems and data?

Depending on their nature as a legal or natural person, any party that believes itself to have been damaged by an
unauthorised cyberactivity or failure to adequately protect systems and data may seek redress by bringing the matter
to court or reporting the violation to the relevant authority.

Where the matter concerns personal data, the data subject may always lodge a complaint with the DPA or file a court
case.

Law stated - 31 January 2022

THREAT DETECTION AND REPORTING

Policies and procedures
What policies or procedures must organisations have in place to protect data or information
technology systems from cyberthreats?

It is advisable for companies to put a comprehensive cybersecurity framework in place to address any specific risks
and to have a comprehensive approach to possible threats. Such a framework shall at least include policies and
procedures on information security, access control, asset management, cryptography, network management, third-
party management and business continuity.

Under article 14 of Legislative Decree 65/2018 (in relation to digital service providers) and article 32 GDPR, companies
must demonstrate that they have put in place all appropriate technical and organisational measures to prevent risks to
the freedoms and rights of data subjects.

Furthermore, the last Confindustria Guidelines for the creation of a Model of Organisation, Management and Control in
accordance with Legislative Decree 231 of 8 June 2001 specified that companies must promote integrated forms of
compliance, including in the field of cybersecurity, so that all the IT and security procedures put in place are
coordinated with each other and suitable to protect the company from all possible forms of liability.

Law stated - 31 January 2022

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

Without prejudice to the documentation obligations provided for by the GDPR (article 33 article 5) where an attack or
incident has led to a personal data breach, Legislative Decree 65/2018 provides for security incident reporting
obligations for essential service operators and digital service providers. Because under articles 13 and 15 these
entities must provide the ‘competent NIS [Network and Information Security] authorities’ (ie, the ministries indicated in
article 7) with the information necessary to assess the security of their network and information systems, including
documents relating to security policies, it can be indirectly inferred that they need to keep track of incidents that have
occurred, and the countermeasures adopted.

Law stated - 31 January 2022

© Copyright 2006 - 2021 Law Business Research www.lexology.com/gtdt 16/20

Lexology GTDT - Cybersecurity

Describe any rules requiring organisations to report cybersecurity breaches to regulatory

authorities.

Legislative Decree 65/2018 provides for a specific notification obligation for digital service providers and operators of
essential services in articles 12 and 14. These are required to notify the CSIRT and the competent NIS authority of any
incidents with a significant impact on the provision of their services. To determine the significance of the impact, the
following shall be taken into account:

the number of users affected by the incident, in particular users who depend on the digital service for the
provision of their services;
the duration of the incident;
the distribution in geographical terms of the area affected by the accident;
the extent of the disruption to the operation of the service; and
the extent of the impact on economic and social activities.

While not being required to, companies that fall outside of the scope of Legislative Decree 65/2018 may notify
cybersecurity breaches to the Italian CSIRT on a voluntary basis (article 18 of the same legislative decree).

Any cybersecurity breach that involves personal data shall be notified to the Italian Data Protection Authority (DPA),
unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The notification must include:

the name of the organisation;

the time at which the incident occurred;
the duration of the incident;
information regarding the impact and nature of the incident;
information regarding any transnational impact; and
any other information that may help the CSIRT to determine the relevance of the incident.

To facilitate the notification process, the Italian CSIRT has prepared a notification template and provided instructions
on the same on the  dedicated website .

The notification is to be considered confidential and will be forwarded through protected channels via the above-
mentioned website.

Law stated - 31 January 2022

Time frames
What is the timeline for reporting to the authorities?

Organisations that fall within the Perimeter must adopt a comprehensive process for security management that starts
from the prevention or identification of events and ends with their management and reporting. This process must
involve technological, procedural and organisational aspects and is composed of various activities, including cyber
threat intelligence (collection, analysis, attribution or reporting); implementation of incident management policies and
procedures (detection, analysis, classification, response, eradication, recovery, closing, notification or lessons learned);

© Copyright 2006 - 2021 Law Business Research www.lexology.com/gtdt 17/20

Lexology GTDT - Cybersecurity

and implementation of operations centres or control rooms dedicated to the management and monitoring of
cybersecurity events (eg, SOC or CERT).

In addition, the GDPR requires that in the event of a personal data breach, the Authority must be notified of the incident
within 72 hours.

Law stated - 31 January 2022

Reporting
Describe any rules requiring organisations to report threats or breaches to others in the industry,
to customers or to the general public.

Articles 33 and 34 of the GDPR require that security incidents in which it is likely that the breach may result in risks to
the rights and freedoms of data subjects are notified to the DPA and the data subjects. Pursuant to article 28
GDPR, the processor shall promptly inform the controller of security incidents that have occurred.

Moreover, according to article 12 of the NIS Directive, operators of essential services shall notify the Italian CSIRT
without undue delay and, for their information, the competent NIS authority, of incidents having a significant impact on
the continuity of the essential services provided. The Italian CSIRT then promptly forwards the notifications to the body
set up at the Security Intelligence Department in charge of any crisis situations.

Law stated - 31 January 2022

UPDATE AND TRENDS

Key developments of the past year
What are the principal challenges to developing cybersecurity regulations? How can companies
help shape a favourable regulatory environment? How do you anticipate cybersecurity laws and
policies will change over the next year in your jurisdiction?

Check Point Research , the Threat Intelligence division of Check Point Software Technologies, a global cybersecurity
solutions provider, has announced that cyber-attacks in 2021on businesses worldwide rose by 40 per cent compared
with 2020, with losses of $6 trillion by 2021. According to the Clusit report published in October 2021, while in 2020
‘critical’ impact attacks accounted for 13 per cent of the total and ‘High’ impact attacks accounted for 36 per cent, in
the first half of 2021, critical and high impact attacks accounted for 74 per cent of attacks. The great challenge of the
pandemic requires investing heavily in cybersecurity. That is why, in July 2020, the European Commission issued a
strategy document aiming for an effective and coordinated approach to rapidly evolving threats over the next five years.
In particular, to take action against hybrid threats (ie, those posed by physical and digital means) some priorities and
guiding principles have been indicated. Among these, collaboration between the private and public sectors is
paramount. The first step in this approach was made through the issue of the Network and Information Security
Directive (NIS Directive).

An important step towards an integrated framework for cybersecurity at European level has been taken thanks to the
General Data Protection Regulation and the NIS Directive. Nevertheless, Italy has decided to create a further standard,
the Cybersecurity Perimeter, which has effectively extended the scope of the NIS Directive. In this sense, the extension
of the subjects included among the organisations subject to the NIS Directive and a strengthening of the security
measures aimed not only at reporting incidents but above all at their prevention, is fundamental.

*Antonio Landi and Alessandro Fratini also contributed to this chapter.

© Copyright 2006 - 2021 Law Business Research www.lexology.com/gtdt 18/20

Lexology GTDT - Cybersecurity

Law stated - 31 January 2022

© Copyright 2006 - 2021 Law Business Research www.lexology.com/gtdt 19/20

Lexology GTDT - Cybersecurity

Jurisdictions
Austria MGLP Rechtsanwälte | Attorneys-at-Law

Belgium NautaDutilh

China Fangda Partners

European Union Taylor Wessing

France ADSTO

India AZB & Partners

Italy ICT Legal Consulting

Japan TMI Associates

Singapore Drew & Napier LLC

Switzerland Walder Wyss Ltd

Turkey Paksoy

USA Ropes & Gray LLP

© Copyright 2006 - 2021 Law Business Research www.lexology.com/gtdt 20/20