Key Data and Cybersecurity Laws
What are the key data privacy laws and regulations?

Last review date: December 2025

Please note that this chapter focuses solely on specific local laws and regulations. Please refer to the EU chapter of the Global Data & Cyber Handbook for detailed information on EU-wide data privacy and other data-related legislation applicable across all EU Member States, such as the EU GDPR and the EU AI Act.

  • Italian Privacy Code: Legislative Decree of 30 June 2003, n. 196, as amended by Legislative Decree No. 101 of 10 August 2018 (consolidated text available in Italian here and in English here)
What are the key cybersecurity laws and regulations?

Last review date: December 2025

Please note that this chapter focuses solely on specific local laws and regulations. Please refer to the EU chapter of the Global Data & Cyber Handbook for detailed information on EU-wide cybersecurity and other data-related legislation applicable across all EU Member States, including the Cybersecurity Act, DORA, and the NIS 2 Directive.

  • Legislative Decree 23/2025 aligns Italy's regulatory framework with the provisions of DORA. The Decree designates the competent authorities responsible for overseeing compliance and enforcement, including Banca d'Italia, CONSOB, and IVASS, depending on the financial entity subject to DORA. It also identifies the entities responsible for receiving and managing reports of major ICT incidents, thus ensuring a structured and efficient response framework. In addition, the Decree introduces a rigorous administrative sanctions regime, with penalties reaching up to 10% of annual revenue in the most severe cases. In specific circumstances, disqualification measures may also apply, imposing temporary bans on directors and statutory auditors from holding key positions.
  • Legislative Decree No. 138 of 4 September 2024 ("NIS2 Legislative Decree") transposes the NIS2 Directive into Italian law, establishing a comprehensive framework for the security of networks and information systems. It significantly broadens the scope of entities subject to cybersecurity obligations, covering both essential and important entities across critical sectors such as energy, transport, banking, health, and digital infrastructure. The decree largely mirrors the structure of the NIS2 Directive but introduces some deviations, particularly regarding compliance timelines. For example, the obligation to report significant incidents will apply from January 2026, while certain governance and risk management requirements will become enforceable from October 2026. The Italian National Cybersecurity Agency (ACN) is designated as the competent authority for implementation and supervision, with CSIRT Italia providing incident response support. The Italian NIS Authority, together with the Ministry for Defense, is indicated as the authority responsible for strategic national cyber incidents. The decree also provides for an online registration system for entities falling within its scope and anticipates further implementing measures to be issued by the Government and ACN to complete the regulatory framework. The ACN issued several implementing measures under the NIS2 Legislative Decree, including:
  • The provisions of Legislative Decree 65/2018, which established the CSIRT, and whose operation was governed by the DPCM 8 August 2019, have been repealed by Legislative Decree No. 138 of 4 September 2024. Nevertheless, the CSIRT continues to operate as the national incident response team. In addition to intervening in the event of cyber incidents and monitoring their frequency at the national level, it promotes the adoption and use of common or standardized practices in incident and risk management, as well as incident, risk, and information classification systems.
  • On 3 August 2021, Parliament enacted Law Decree No. 82 of 14 June 2021, introducing urgent measures to strengthen cybersecurity resilience, reorganize institutional responsibilities, and establish a unified cybersecurity architecture. It also created the National Cybersecurity Agency (ACN). The decree also establishes, under Article 8, a dedicated Cybersecurity Nucleus within the ACN. This body serves as a permanent support mechanism to the President of the Council of Ministers on cybersecurity matters, particularly in relation to the prevention, preparedness for possible crisis situations, and the activation of alerts and early-warning procedures.

The national cybersecurity perimeter (PSNC) was established pursuant to Article 1, paragraph 1, of Legislative Decree No. 105 of 21 September 2019, as subsequently amended by Law No. 133 of 18 November 2019 (published in Official Gazette No. 272 of 20 November 2019). Its purpose is to ensure a high level of security for the networks, information systems, and IT services of public administrations, as well as public and private entities and operators located within the national territory, whose activities underpin the exercise of essential State functions. Through the DPCM, the government defines key operational components, including the identification of the subjects to be included, the procedures governing the acquisition of ICT assets, and the rules and modalities for notifying IT incidents. The following are the DPCMs that have been issued to date:

  • The DPCM No. 131 of 30 July 2020 defines what entities and sectors are considered critical for national security; sets the criteria and governance model for their classification; and enables subsequent decrees to impose concrete obligations such as procurement controls, security baselines, and incident reporting.
  • The DPCM No. 81 of 14 April 2021 determines the procedures for reporting cybersecurity incidents. It details the notification procedures that entities within the perimeter must follow in the event of incidents affecting ICT assets, as well as the security measures they must implement for each ICT under their responsibility.

Incidents impacting ICT assets are classified into categories set out in Table 1 (less serious incidents) and Table 2 (more serious incidents) of Annex A to the Regulations. As of 1 January 2022, entities within the national cybersecurity perimeter must notify the CSIRT within six hours of becoming aware of a "less serious" incident and within one hour of becoming aware of a "more serious" incident.

Failure to comply with the notification obligation is punishable by a pecuniary administrative sanction ranging from EUR 250,000 to EUR 1,500,000.

Once the notification is submitted, a dialogue phase with the CSIRT follows. The Regulations also allow entities included in the PSNC to voluntarily report other incidents that fall outside the mandatory notification obligation; these will be handled by the CSIRT after the mandatory notifications.

  • The DPCM of 15 June 2021 identifies the categories of ICT assets, systems, and services used in the National Cyber Security Perimeter.

The annex to the DPCM identifies the ICT assets included within the PSNC and assigns them to specific macro categories. These include hardware and software components that enable telecommunications network functions and services (access, transport, switching); hardware and software components that perform functions for the security of telecommunications networks and the data they process; hardware and software components used for data acquisition, monitoring, supervision, control, implementation and automation of telecommunications networks and industrial and infrastructure systems; and software applications used for the implementation of security mechanisms.

Article 4 of the DPCM further provides that these categories must be updated, by decree of the President of the Council of Ministers, at least once a year, to reflect technological developments and changes in technical criteria.

What are the key laws and regulations relating to non-personal data?

Last review date: December 2025

Please note that this chapter focuses solely on specific local laws and regulations. Please refer to the EU chapter of the Global Data & Cyber Handbook for detailed information on EU-wide legislation related to non-personal data, also applicable in all EU Member States, such as the Regulation on the free flow of non-personal data, the Data Governance Act, the Data Act, etc.

There are no local laws or regulations in Italy that specifically govern non-personal data. For other rules applicable in Italy, please refer to the EU chapter, which covers legislation on non-personal data that applies directly in all EU Member States, including Italy.