Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

[Last reviewed: January 2025]

Yes.

☒   general obligation to take appropriate / reasonable technical, physical and/or organizational security measures

☒   appropriate technical, physical and/or organizational security controls

☒   reasonable security controls

☒   encryption

Not a strict legal requirement, but the GDPR treats encryption as an appropriate technical and organizational measure. In practice, the authorities expect encryption unless specific circumstances justify its absence. Encryption is required by Decree 24 of 2023, which implements the EU Whistleblowing Directive.

Do other laws or regulations impose obligations to protect systems from cyberattack?

[Last reviewed: January 2025]

☒   public company obligations (e.g., duties to maintain sufficient information security measures or ensure operational resilience to cyberattacks)

☒   network information security requirements (broader than telecommunications)

☒   health regulatory requirements

☒   financial services requirements

☒   telecommunication requirements

☒   providers of critical infrastructure

☐   digital or connected (IoT) products

☒   other

Essential service operators and digital service providers as identified by the NIS and NIS2 Directives (e.g., companies in the energy, telecommunications, transportation, banking and financial markets, and healthcare sectors; companies providing, among others, digital services such as cloud computing platforms, data centers, content delivery network providers, and electronic communication network services; healthcare services such as, among others, pharmaceutical companies, medical device manufacturers, and healthcare providers; and even food production, processing, and distribution services, including large-scale retail companies).

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

☒   Data privacy

☒   network information security

☒   health

☒  financial services

☒   telecommunications

☒   other: the Italian Cybersecurity Agency (ACN)

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

[Last reviewed: January 2025]

Yes.

"Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Controllers/Owners have to notify:

[Last reviewed: January 2025]

☒   data protection authorities

  • in case of a personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
  • without undue delay and, where feasible, not later than 72 hours after having become aware of it

☒   cybersecurity authorities

☒   affected individuals

  • without undue delay, as per Art. 34 (1) GDPR
  • if a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, unless any of the following conditions are met:
    ◦ the controller has implemented technical and organizational protection measures and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption
    ◦ the controller has taken subsequent measures that ensure that the high risk to the rights and freedoms of the data subjects is no longer likely to materialize

☒   other

Where communication to the data subjects would involve disproportionate effort, there shall instead be a public communication or a similar measure whereby the data subjects are informed in an equally effective manner, as per Art. 34 (3) (c) GDPR. There is no fixed timeline: the communication shall be made 'without undue delay' (Art. 34 (1) GDPR).

Processors/Agents have to notify:

[Last reviewed: January 2025]

This issue should be regulated in the data processing agreement in place with processors and agents (the latter when acting as data processors rather than as data controllers).

☒   controller/owner

  • in case of a personal data breach, irrespective of a risk to the rights and freedoms of the data subjects
  • without undue delay after becoming aware of it, as per Art. 33 (2) GDPR

☒   cybersecurity authorities

Are there any additional sector-specific or non-personal data security breach notification requirements?

[Last reviewed: January 2025]

Yes.

☒   public company obligations (e.g., to notify security incidents that may materially affect an investor's decision)

☒   cybersecurity authorities

☒   health regulatory requirements (e.g., to notify incidents affecting safety of medical devices)

☒   financial services requirements

☒   telecommunication requirements

☒   providers of critical infrastructure

☒   other

The DPCM No. 81 of 14 April 2021 sets out the procedures for reporting cybersecurity incidents by the subjects included in the national cybersecurity perimeter. It regulates in detail the notification procedures that subjects included in the perimeter must follow in case of incidents impacting ICT assets, together with the security measures that those subjects must adopt for each ICT asset pertaining to them. Incidents impacting ICT assets are classified, by category, in Tables no. 1 (less serious) and no. 2 (more serious) of Annex A of the Regulations. As of 1 January 2022, the parties included in the Perimeter must notify the CSIRT of the event within six hours of becoming aware of it for a "less serious" incident, or within one hour for a "more serious" incident.

Failure to comply with the notification obligation is punished with a pecuniary administrative sanction ranging from EUR 250,000 to EUR 1,500,000.

The transmission of the notification is followed by a phase of dialogue with the CSIRT. The Regulations also allow parties included in the national cybersecurity perimeter to notify, on a voluntary basis, other incidents that do not fall within the scope of the notification obligation, which will be dealt with by the CSIRT after the mandatory ones.

Pursuant to sec. 96 of the PSD2 Directive, in the case of a major operational or security incident, payment service providers shall, without undue delay, notify the competent authority in their home Member State; in Italy, this is the Bank of Italy. This obligation has been detailed through operational standards in the guidelines issued by the EBA, with which Italy intends to comply pursuant to sec. 16 of EU Regulation 1093/2010. No sanctions for non-compliance have yet been introduced in the national legal framework. Please note that payment service providers may delegate this obligation to third parties, provided they have informed the competent authority.

According to Art. 131 of the Italian Privacy Code, providers of publicly available electronic communications services shall notify the contracting party and, as applicable, the user in case of circumstances that unintentionally expose the content of communications or conversations. There is no specific timeframe for this notification. The sanction for breach of this provision is a fine of EUR 20 million or 4% of the global annual turnover of the group of undertakings, whichever is higher.

Please note that other obligations, such as those relating to product recalls, are considered out of scope.