Key Data & Cybersecurity Laws
How are data and cybersecurity laws/regulations implemented?

[Last reviewed: January 2025]

☒ omnibus – all personal data

☒ sector-specific (e.g., telecoms, public healthcare sector, financial sector)

☒ constitutional

What are the key data privacy laws and regulations?

[Last reviewed: January 2025]

Please refer to the EU Chapter for detailed information regarding EU-wide legislation.

What are the key cybersecurity laws and regulations?

[Last updated date: January 2025]

Please refer to the EU Chapter for detailed information regarding EU-wide legislation.

The NIS2 Directive (Directive 2022/2055 on the security of networks and information systems) has been transposed into Italian law through Legislative Decree No. 138 of 4 September 2024 ("NIS2 Legislative Decree"). The NIS2 Legislative Decree refers to further implementing provisions to be issued by the Government or the Italian NIS Authority (CAN), which have not yet been adopted. As a result, the legislative framework is defined but not yet complete.

The NIS2 Legislative Decree largely follows the general structure of the NIS2 Directive, with some deviations; in particular, the timeline for compliance with certain requirements has been deferred: the obligation to report a serious incident, for example, will apply as of January 2026, and some information security obligations will be enforceable as of October 2026.

The Italian NIS Authority may also include specific subjects within the scope of application of the NIS2 Legislative Decree.

Registration as an entity falling within the scope of the NIS2 Legislative Decree must be made online through the portal of the Italian NIS Authority; specific rules on registration and filing apply.

The NIS2 Legislative Decree designates the Italian NIS Authority (CAN) as the authority responsible for its application. CSIRT Italia (which manages cyber incidents) is placed within the Italian NIS Authority, and the Italian NIS Authority together with the Ministry of Defence are designated as the authorities responsible for strategic national cyber incidents.

Legislative Decree 65/2018 established the CSIRT, whose operation is governed by the DPCM 8 August 2019. The CSIRT, in addition to intervening in the event of cyber incidents and monitoring their frequency at the national level, promotes the adoption and use of common or standardized practices in the field of incident and risk management procedures and incident, risk and information classification systems.

The Italian legislation establishes, as the NIS competent authority, the competent authority in each sector and, as law enforcement authority, the central body of the Ministry of the Interior for security and regularity of telecommunication services (Ministero dell’interno per la sicurezza e per la regolarità dei servizi di telecomunicazione).

On 3 August 2021, Parliament passed the bill converting Law Decree No. 82 of 14 June 2021, containing urgent provisions on cybersecurity, definition of the national cybersecurity architecture and establishment of the National Cybersecurity Agency.

Article 8 establishes a cybersecurity nucleus within the Agency, intended as permanent support to the President of the Council of Ministers on cybersecurity matters, covering prevention, preparation for possible crisis situations and the activation of alerting procedures.

The national cybersecurity perimeter was established pursuant to Article 1, paragraph 1, of Legislative Decree No. 105 of 21 September 2019, converted with amendments by Law No. 133 of 18 November 2019 (in Official Gazette No. 272 of 20 November 2019), in order to ensure a high level of security of the networks, information systems and IT services of public administrations, public and private entities and operators having an office in the national territory, on which the exercise of essential functions of the State depends. By means of DPCMs, the government determines crucial factors such as the identification of the entities included, the procedures for the acquisition of ICT assets and the notification of IT incidents. The DPCMs issued to date are listed below:

  • The DPCM No. 131 of 30 July 2020 indicates the parameters by which public and private entities within the National Cybersecurity Perimeter, which perform functions or provide essential services for the State, are identified by the relevant authorities.
  • The DPCM No. 81 of 14 April 2021 determines procedures for reporting cybersecurity incidents. It regulates in detail the notification procedures that must be followed by the subjects included in the perimeter in case of incidents impacting ICT assets, together with the security measures that the same subjects must adopt for each ICT asset pertaining to them.

Incidents impacting ICT assets are classified by category in Tables no. 1 (less serious) and no. 2 (more serious) of Annex A of the Regulations. As of 1 January 2022, the parties included in the Perimeter must notify the CSIRT of the event within six hours of becoming aware of it, if it is a "less serious" incident, or within one hour, if it is a "more serious" incident.

Failure to comply with the notification obligation is punished with a pecuniary administrative sanction ranging from EUR 250,000 to EUR 1,500,000.

The transmission of the notification is followed by a phase of dialogue with the CSIRT. The Regulations also allow parties included in the PSNC to notify, on a voluntary basis, other incidents that do not fall within the scope of the notification obligation, which will be dealt with by the CSIRT after the mandatory ones.

  • The DPCM of 15 June 2021 identifies the categories of ICT assets, systems and services used in the National Cyber Security Perimeter.

The annex to the DPCM determines the ICT assets included in the cyber perimeter and the reference macro categories:

  • hardware and software components that perform telecommunications network functions and services (access, transport, switching);
  • hardware and software components that perform functions for the security of telecommunications networks and the data they process;
  • hardware and software components for data acquisition, monitoring, supervision, control, implementation and automation of telecommunications networks and industrial and infrastructure systems;
  • software applications for the implementation of security mechanisms.

However, Article 4 of the DPCM stipulates that "the categories identified by this decree are updated, by decree of the President of the Council of Ministers, at least once a year, with regard to technological innovation and changes in technical criteria".

What are the key laws and regulations relating to non-personal data?

[Last reviewed: January 2025]

Please refer to the EU Chapter for detailed information regarding EU-wide legislation.

There are no specific Italian laws on this subject.

Are new or material changes to those key data and cybersecurity laws anticipated in the near future?

[Last reviewed: January 2025]

We expect the Italian NIS Authority and the Government to adopt the legislative acts needed to finalize the NIS2 framework in Italy.

The regulation on the use of judicial data, which identifies the purposes and conditions for its lawful processing, is still to be issued.