Italy
Data protection
1. Local data protection laws and scope
- General Data Protection Regulation (EU) 2016/679 of 27 April 2016, applicable since 25 May 2018 (“GDPR”).
- Legislative Decree No. 196 of 30 June 2003 (the “Privacy Code”), as amended by Italian Legislative Decree No. 101 of 10 August 2018 containing provisions for the alignment of the domestic legislation to the EU Regulation 2016/679.
To date, the GDPR is the reference text together with the Privacy Code. The relevant provisions of more sectoral pieces of legislation, such as Legislative Decree No. 24/2023 (“Whistleblowing Decree”), Law No. 71 of 29 May 2017 (“Cyberbullying Law”) and Legislative Decree No. 82 of 7 March 2005 (“Digital Administration Code”), all cross-refer to the provisions of the GDPR / Privacy Code.
2. Data protection authority
Garante per la protezione dei dati personali (the “GPDP”)
3. Anticipated changes to local laws
The new EU e-Privacy Regulation is set to replace the EU Directive 2002/58/EC (the e-Privacy Directive). In effect, this will replace the provisions of the Privacy Code implementing the e-Privacy Directive. This is still in the legislative process, with no definite timeframe for implementation.
As of 23 June 2025, the legislative process of the new EU e-Privacy Regulation remains ongoing. No definitive publication date or final text has yet been issued, and Italy awaits further clarification at the EU level before any additional implementing measures are enacted.
4. Sanctions & non-compliance
In line with the administrative fines under the GDPR, the Privacy Code (Article 166) provides for two levels of fines, based on Article 83 of the GDPR, for violations of the provisions of the Privacy Code.
Specifically, as set out in Article 83 par. 4 GDPR, administrative fines can be up to 10 million euros or, for companies, up to 2% of the total annual worldwide turnover of the preceding financial year, whichever is higher, and concern:
- non-compliance with Article 2-quinquies, par. 2, Privacy Code (information to minors);
- non-compliance with Article 92, par. 1, Privacy Code (clinical records);
- non-compliance with Article 93, par. 1, Privacy Code (childbirth assistance certificate);
- non-compliance with Article 123, par. 4, Privacy Code (information to users for telephone traffic data);
- non-compliance with Article 128 Privacy Code (automatic call forwarding);
- non-compliance with Article 129, par. 2, Privacy Code (consent for inclusion in telephone directories);
- non-compliance with Article 132-ter Privacy Code (security measures for providers of electronic communication services);
- failure to carry out the impact assessment referred to in Article 110 Privacy Code, par. 1, first sentence;
- non-submission of the research program to prior consultation of the GPDP pursuant to Article 110 Privacy Code, par 1, third sentence.
As set out in Article 83 par. 5 GDPR, administrative fines can be up to 20 million euros or, for companies, up to 4% of the total annual worldwide turnover of the preceding financial year, whichever is higher, and concern:
- non-compliance with Articles 2-ter, 2-quinquies, par. 1, 2-sexies, 2-septies, par. 8, 2-octies, 2-terdecies, par. 1, 2, 3 and 4, 52, par. 4 and 5, 75, 78, 79, 80, 82, 92, par. 2, 93, par. 2 and 3, 96, 99, 100, par. 1, 2 and 4, 101, 105, par. 1, 2 and 4, 110-bis, par. 2 and 3, 111, 111-bis, 116, par. 1, 120, par. 2, 122, 123, par. 1, 2, 3 and 5, 124, 125, 126, 130, par. 1 to 5, 131, 132, 132-bis, par. 2, 132-quater and 157, as well as the safeguards and the rules of conduct referred to in Articles 2-septies and 2-quater respectively.
The Privacy Code furthermore stipulates criminal provisions in case of (i) unlawful data processing, (ii) illegal communication and disclosure of data processed on a large scale, (iii) fraudulent acquisition of personal data processed on a large scale; (iv) false declarations to the GPDP and interruption of the activities of the GPDP; (v) failure to comply with measures imposed by the GPDP; (vi) breaches of provisions on remote monitoring and surveys of workers' opinions.
5. Registration / notification / authorisation
No derogations from the GDPR under national law, except for the authorisation procedure set out in Article 110-bis of the Privacy Code. Under that provision, the GPDP may authorise the further processing of personal data, including the special categories of data referred to in Article 9 of the GDPR, for scientific research or statistical purposes by third parties primarily engaged in such activities where, for specific reasons, informing the data subjects is impossible or would involve a disproportionate effort, or would be likely to render impossible or seriously impair the achievement of the research objectives, provided that appropriate measures are taken to protect the rights, freedoms and legitimate interests of the data subjects in accordance with Article 89 of the GDPR, including preventive forms of data minimisation and anonymisation.
The GPDP must communicate its decision on the request for authorisation within forty-five days; failure to respond within that period is deemed a rejection.
6. Main obligations and processing requirements
No derogation from the GDPR under national law, except with regard to the processing activities mentioned in Articles 6 par. 1 (c) and (e), 9 par. 2(g), 9 par. 4 and Chapter IX of the GDPR (as listed below).
Children. Where point (a) of Article 6 par. 1 GDPR applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child is considered lawful where the child is at least 14 years old. Where the child is below the age of 14 years, such processing is considered lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
Deontological rules. The GPDP will promote the adoption of deontological rules relating to the processing of personal data under Article 6 par. 1 (c) and (e), 9 par. 4 and Chapter IX of the GDPR, which will be binding for all data controllers and processors carrying out the relevant processing activities. So far the GPDP has approved the following deontological rules: (i) Deontological rules relating to the processing of personal data in the exercise of journalistic activity; (ii) Deontological rules for processing for statistical purposes or scientific research; (iii) Deontological rules for processing for statistical purposes or scientific research carried out within the national statistical system; (iv) Deontological rules for the processing of personal data carried out to carry out defensive investigations or to assert or defend a right in court, and (v) Deontological rules for processing for purposes of archiving in the public interest or for purposes of historical research.
Processing of special categories of personal data which is necessary for reasons of substantial public interest. Article 2-sexies of the Privacy Code lists processing operations on special categories of personal data that are to be considered necessary for reasons of substantial public interest for the purposes of Article 9 par. 2 (g) GDPR.
Safeguard measures for the processing of health, genetic and biometric data. Pursuant to Article 2-septies of the Privacy Code, the GPDP has issued the “Clarification on the application of the framework for the processing of health-related data in health care settings” guidelines, adopting specific safeguards and promoting the adoption of ethical rules for the processing of health-related data in health care settings.
Exemptions to data subject rights. Article 2-undecies and 2-duodecies of the Privacy Code provide for certain exemptions in respect of data subject rights contained in the GDPR, e.g. if the exercise of such rights can jeopardize interests protected by anti-money laundering laws or the confidentiality of the identity of a whistle-blower in the employment context.
Personal data of deceased persons. Article 2-terdecies provides that the rights referred to in Articles 15 to 22 GDPR may be exercised by anyone who has an interest of their own, acts as an agent of or in the interest of the deceased person, or has family reasons deserving protection, unless the law provides otherwise. In the context of the provision of an information society service, the data subject may notify the provider of that service in writing of his or her wish to prevent the exercise of any or all of such rights after his or her death, without prejudice to the possibility for third parties to nonetheless exercise those rights to protect property interests or to exercise or defend a legal claim.
Provisions for the other processing situations as provided for in Chapter IX GDPR. The Privacy Code contains specific provisions for some of the other processing situations as provided for in Chapter IX GDPR, i.e. freedom of expression and information; public access to official documents; employment; archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Provisions for the processing necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Part II of the Privacy Code contains specific provisions applying to processing necessary for compliance with a legal obligation (Article 6 par. 1 (c) GDPR) or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6 par. 1 (e) GDPR), including specific provisions applying to processing carried out for health protection purposes.
Data protection impact assessments. On 11 October 2018, the GPDP issued a general decision pursuant to Article 35, par. 4 GDPR, containing a list of processing activities that require a data protection impact assessment. The processing activities mentioned in the list are the following:
- Large-scale evaluation or scoring processing, as well as processing involving the profiling of data subjects and the carrying out of predictive activities, including activities online or through apps, relating to aspects concerning professional performance, economic situation, health, personal preferences or interests, reliability or conduct, location or displacements of the data subject.
- Automated processing for the purpose of taking decisions which have ‘legal effects’ or ‘significant similar effects’ on the data subject, including decisions which prevent the data subject from exercising a right or making use of a good or service or continuing to be party to an existing contract (e.g. screening of a bank’s clients using data recorded in a central risk database).
- Processing involving the systematic use of data for the purpose of observing, monitoring or controlling the data subjects, including the collection of data through networks, whether carried out online or through apps, as well as the processing of unique identifiers capable of identifying users of information society services, including web services, interactive television, etc., with respect to usage habits and viewing data for extended periods. This includes metadata processing, e.g. in telecommunications, banks, etc., carried out not only for profiling, but more generally for organizational reasons, budgetary forecasts, technological upgrades, or to improve networks, as well as to offer anti-fraud, anti-spam, security and other services.
- Large-scale processing of data of highly personal nature (see WP 248, rev. 01): this refers, inter alia, to data relating to family or private life (such as data relating to electronic communications for which confidentiality must be protected), to data affecting the exercise of a fundamental right (such as location data, the collection of which jeopardises freedom of movement) or whose misuse has a serious impact on the daily life of the data subject (such as financial data which could be used to commit fraud in respect of payments).
- Processing in the context of an employment relationship by means of technological systems (including video-surveillance and geolocation systems) from which it is possible to carry out remote monitoring of employees’ activities (see WP 248, rev. 01, in relation to criteria 3, 7 and 8);
- Non-occasional processing of data relating to vulnerable persons (children, disabled, elderly, mentally ill, patients, asylum seekers);
- Processing carried out using innovative technologies, even with particular organizational measures applied (e.g. IoT; artificial intelligence systems; use of online voice assistants via voice and text scanning; monitoring carried out by wearable devices; proximity tracking such as wi-fi tracking) whenever at least one other criterion identified in WP248, rev. 01 applies;
- Processing involving large-scale data sharing between different controllers by telematic means;
- Processing of personal data by interconnecting, combining or comparing information, including processing activities involving the cross-referencing of digital goods data with payment data (e.g. mobile payment);
- Processing of special categories of data under Article 9 GDPR or data relating to criminal convictions and offences under Article 10 GDPR linked to other personal data collected for different purposes.
- Systematic processing of biometric data, considering, in particular, the volume of data, the duration, as well as the length or persistence, of the processing activity.
- Systematic processing of genetic data, considering, in particular, the volume of data, the duration, as well as the length or persistence, of the processing activity.
7. Data subject rights
Article 2-undecies of the Privacy Code contains a list of cases in which data subjects cannot exercise their rights under Articles 15-22 of the GDPR, e.g. if the exercise of such rights can jeopardize interests protected by anti-money laundering laws or the confidentiality of the identity of a whistle-blower in the employment context.
There are no other derogations from GDPR under national law.
8. Processing by third parties
No derogation from the GDPR under national law.
9. Transfers out of country
No derogation from the GDPR under national law.
10. Data Protection Officer
Appointment should be notified to the GPDP by completing a form available at the GPDP website (see Useful links below).
Judicial authorities must appoint a data protection officer in relation to the processing of personal data carried out in the context of their activity.
11. Security
Pursuant to Article 2-septies of the Privacy Code, the GPDP has issued the “Clarification on the application of the framework for the processing of health-related data in health care settings” guidelines, adopting specific safeguards and promoting the adoption of ethical rules for the processing of health-related data in health care settings. Beyond this, the security obligations of Article 32 GDPR apply without national derogation.
12. Breach notification
There are no derogations from the GDPR.
Data breaches should be notified to the GPDP by completing a form available on the GPDP website (see Useful links below).
13. Direct marketing
Automated calling systems without human intervention, email, SMS/MMS, fax or other forms of electronic communications: opt-in (both for natural persons and legal persons); soft opt-in is allowed for e-mail marketing only (so-called soft spam), provided that the conditions set forth in Article 130 par. 4 of the Privacy Code (which substantially reflects Article 13 par. 2 of e-Privacy Directive) are met.
Specific rules apply to marketing telephone calls and mail marketing.
14. Cookies and adtech
Storing information, or accessing information already stored, in the terminal equipment of a contracting party or user is permitted only on condition that the contracting party or user has given consent after having been informed. Consent is not required if the technical storage or access to stored information is (i) aimed exclusively at carrying out the transmission of a communication over an electronic communication network, or (ii) strictly necessary for the provision of an information society service explicitly requested by the contracting party or user.
The GPDP has issued a general decision on cookies, stating that:
- first-party technical or analytics cookies and less intrusive third-party analytics cookies (e.g. cookies which use IP masking and do not aggregate data obtained from different sources) can be used without the user’s consent, provided that the use of these cookies is mentioned in the privacy notice to the users;
- third-party analytics cookies and first-party/third-party profiling cookies can be used only if specific conditions are met and with the user’s prior consent, which can be obtained through a banner/pop-up on a website.
On 10 June 2021, the GPDP adopted the Guidelines on cookies and other tracking tools, effective as of January 2022. The main updates relate to the cookie banner requirements:
- A banner (or equivalent interface) must appear at the first user access if non-technical cookies or tracking tools are used.
- It must clearly state:
- purposes of the non-technical cookies,
- link to the full cookie policy,
- “accept all” and “reject all” buttons,
- access to an area for granular choices (categories/purposes and third parties).
- By default, non-technical cookies must remain disabled until the user provides consent.
- Mere scrolling, swiping, or continued navigation cannot be interpreted as valid consent.
- Cookie walls (blocking access absent consent) are unlawful unless the controller offers an equivalent, non-tracking alternative.
- The banner may be re-presented only if processing conditions change, if it is impossible to verify prior consent, or after at least 6 months.
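The banner rules above translate into a small amount of client-side logic that is easy to get wrong (firing analytics tags before any click, treating a scroll as consent, never re-prompting). The following is an added example, not code from the page or from the GPDP, of a consent gate that encodes those rules. It runs in Node with an in-memory cookie jar standing in for `document.cookie`; the purpose categories, the policy-version scheme used to detect changed processing conditions, and the reading of “at least 6 months” as 180 days are assumptions made for the example.

```javascript
// Added example (not from the page or the GPDP): a consent gate modelling the
// GPDP banner rules. An in-memory Map stands in for document.cookie so the
// code runs in Node without a browser.

const SIX_MONTHS_MS = 180 * 24 * 60 * 60 * 1000; // assumption: "at least 6 months" read as 180 days
const PURPOSES = ["analytics", "profiling"];      // assumed non-technical categories offered in the banner

function createConsentManager({ policyVersion = 1, storedRecord = null } = {}) {
  const jar = new Map();        // cookie name -> { value, category }
  let record = storedRecord;    // { version, choices: {purpose: bool}, at: ms since epoch } or null

  // Banner is (re)presented on first access, when purposes/third parties changed
  // (policy version bumped) or when the stored consent is at least 6 months old.
  function shouldShowBanner(now = Date.now()) {
    if (record === null) return true;
    if (record.version !== policyVersion) return true;
    return now - record.at >= SIX_MONTHS_MS;
  }

  // Only an explicit click ("accept all", "reject all" or a granular save) reaches this.
  function recordChoice(choices, now = Date.now()) {
    const normalized = {};
    for (const p of PURPOSES) normalized[p] = choices[p] === true; // unmentioned purposes stay off
    record = { version: policyVersion, choices: normalized, at: now };
    // Refusal or withdrawal: purge cookies already set under a purpose that is now off.
    for (const [name, c] of jar) {
      if (c.category !== "technical" && !normalized[c.category]) jar.delete(name);
    }
    return normalized;
  }
  const acceptAll = (now) => recordChoice(Object.fromEntries(PURPOSES.map((p) => [p, true])), now);
  const rejectAll = (now) => recordChoice({}, now);

  // Scrolling, swiping or navigating on is not consent: the handler changes nothing.
  function onScroll() { return record; }

  // Technical cookies are always allowed; everything else stays disabled until consented.
  function setCookie(name, value, category) {
    const allowed = category === "technical" ||
      (record !== null && record.choices[category] === true);
    if (allowed) jar.set(name, { value, category });
    return allowed;
  }

  function cookies() { return [...jar.keys()].sort(); }
  function currentRecord() { return record; }

  return { shouldShowBanner, recordChoice, acceptAll, rejectAll, onScroll, setCookie, cookies, currentRecord };
}

// First visit walked through: technical cookie set, analytics refused until a real click.
function demoFirstVisit() {
  const site = createConsentManager({ policyVersion: 1 });
  const trace = [];
  trace.push(site.shouldShowBanner(0));                      // true: nothing to verify yet
  trace.push(site.setCookie("session", "s1", "technical"));   // true: technical
  trace.push(site.setCookie("_ga", "x", "analytics"));        // false: not consented
  site.onScroll();                                            // scrolling changes nothing
  trace.push(site.setCookie("_ga", "x", "analytics"));        // still false
  site.recordChoice({ analytics: true }, 0);                  // granular save
  trace.push(site.setCookie("_ga", "x", "analytics"));        // true
  trace.push(site.setCookie("_fbp", "y", "profiling"));       // false: not chosen
  return trace; // [true, true, false, false, true, false]
}
```

The design point is that the gate sits in front of every non-technical cookie write rather than in the banner UI: the banner can only call `recordChoice`, so no tag can fire before an explicit choice, and a bumped `policyVersion` or a stale timestamp forces the banner back without touching the tags themselves.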
15. Risk scale
Severe
16. Useful links
- GPDP website https://www.garanteprivacy.it;
- DPO appointment notification: https://servizi.gpdp.it/comunicazionerpd/s/compilazione-comunicazione ;
- Data breach notification : https://servizi.gpdp.it/databreach/s/
- Cookie: https://www.garanteprivacy.it/temi/cookie
Cybersecurity
1. Local cybersecurity laws and scope
- Decree of the President of the Council of Ministers of 17 May 2022, introducing the "National Strategy for Cybersecurity" and the related "Implementation Plan", pursuant to Article 2, paragraph 1, letter b), of Decree-Law No. 82 of 14 June 2021, converted, with amendments, by Law No. 109 of 4 August 2021;
- Decree-Law No. 82 of June 14, 2021 which establishes the ACN (Italian Cybersecurity Agency) and redefines the national cybersecurity architecture, aiming to rationalise and simplify the system, enhancing the aspects of cybersecurity and resilience;
- Regulation (EU) 2019/881 of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on Information and Communications Technology Cybersecurity Certification and Repealing Regulation (EU) No.526/2013 (the “Cybersecurity Act”);
- Law Decree no. 105 of 21 September 2019, (as converted into Law n. 133 of 18 November 2019) introducing a “National Cyber Security Perimeter” (the “Perimeter Decree”), followed by:
- Italian Ministerial Decree no. 131 of 2020, containing the regulation on the perimeter of national cybersecurity (article 3 provides specific sectors of operating entities included in the perimeter: Government; energy; transport; defence; financial markets; telecommunications; and digital infrastructures, etc.);
- Italian Presidential Decree no. 54 of 2021, containing the regulation that defines the procedures, methods, and terms of evaluation of the acquisitions of goods, systems and services by the individuals included in the information and communication technology (ICT) cybersecurity perimeter;
- Italian Ministerial Decree no. 81 of 2021, containing the regulation governing the procedures for notifications in the event of incidents having an impact on networks, information systems and IT services, as well as measures aimed at guaranteeing high security models; and
- Italian Ministerial Decree of June 15, 2021, which defines the category of goods, systems and ICT services that the individuals included in the national cybersecurity perimeter are requested to implement.
- Decree of the President of the Council of Ministers of 8 August 2019 laying down provisions on the organisation and operation of the Italian Computer Security Incident Response Team (CSIRT).
- Legislative Decree no. 65 of 18 May 2018, implementing the EU NIS Directive, which is repealed by Legislative Decree no. 138/2024 (the "NIS 2 Decree") implementing the EU NIS 2 Directive.
- ACN Determination no. 38565/2024 establishing registration on the NIS Portal, as amended by Determination no. 136117/2025; and ACN Determination no. 283727/2025, which regulates the procedures by which NIS entities are required to update their information, pursuant to Article 7, paragraphs 3 and 4, of the NIS 2 Decree, from 15 April to 31 May of each year.
- ACN Frequently Asked Questions (“FAQ”) are sections within the ACN website that collect and present answers to questions that users frequently ask. They provide clarification on complex issues, helping potential applicants, entities, and citizens to understand the regulations and requirements for cybersecurity activities.
- Legislative Decree No. 123 of 3 August 2022, aligns Italy with the EU Cybersecurity Act (Regulation (EU) 2019/881).
- Law No. 90 of 28 June 2024 (provisions on strengthening national cybersecurity and on cybercrime offences).
- The AgID Circular n. 2 of 2017 concerning ICT minimum security requirements for Public Administrations.
- Sector-specific obligations to protect data security are imposed by regulatory authorities (such as Banca d’Italia, Consob and IVASS) on companies such as banks, financial services providers and insurance companies.
2. Anticipated changes to local laws
- Measures to be adopted to comply with Directive 2022/2557 on the resilience of critical entities and repealing Council Directive 2008/114/EC (CER).
- Italy has adopted the legislative instruments transposing the NIS 2 Directive (Directive (EU) 2022/2555) through Legislative Decree No. 138/2024, which entered into force on 1 May 2025. In particular, the scope of regulated entities has been expanded, and obligations for both essential and important entities have been introduced in line with NIS2 Directive. Moreover, Italy has also partially transposed the CER Directive (Directive (EU) 2022/2557), with additional implementing decrees expected to follow later in 2025.
3. Application
The NIS 2 Decree sets out security and notification requirements for:
- Essential Entities (‘EE’) / “Entità Essenziali”, i.e. public or private entities providing key services in energy (electricity, oil and gas), transport (air, rail, maritime and road), banking and financial market infrastructures, health sector, drinking water supply and distribution, digital infrastructure, ICT service management, public administration, and space.
- Important Entities (‘IE’) / “Entità Importanti”, i.e. entities operating in other critical sectors such as postal and courier services, waste management, food production, manufacturing of critical products (including medical devices, pharmaceuticals, chemicals, electronics, machinery, motor vehicles), and digital providers (online marketplaces, search engines, social networking platforms, cloud computing, data centre services, managed services).
Unlike the original NIS framework, NIS2 applies directly to all medium and large entities in these sectors (and, in some cases, to smaller ones if critical for national or EU security), without the need for prior designation by the State.
The Perimeter Decree sets out requirements and notification duties for public administrations and both public and private national operators (collectively, the “Operators”) that:
- exercise an essential function of the State, or ensure the provision of an essential service for the maintenance of social, civil and economic activities that are fundamental for the interest of the State, and
- perform such essential functions or services through information systems and information services whose malfunctioning, interruption or improper use could affect the national security (“Critical Systems”).
Furthermore, the Perimeter Decree defines:
- the procedures according to which entities included in the national cybersecurity perimeter, notify the Italian CSIRT of incidents impacting networks, information systems and information services;
- measures to ensure high levels of security of networks, information systems and IT services, taking into account the standards defined at international and European Union level.
4. Authority
The NIS 2 Decree designates the following authorities:
1. The NIS 2 competent authorities and single point of contact:
- ACN – Agenzia per la Cybersicurezza Nazionale (National Cybersecurity Agency) is the central authority for supervision, enforcement and coordination.
- ACN also acts as the Single Point of Contact, ensuring cooperation with other EU Member States, the Cooperation Group, and the CSIRTs network.
- The Agency is responsible for safeguarding security and resilience in cyberspace, supervising compliance with the NIS 2 obligations, and coordinating responses to major incidents. It plays a central role in the implementation of the National Cybersecurity Strategy adopted by the President of the Council of Ministers, which sets the goals to be pursued by 2026.
- E-mail: info@acn.gov.it
2. The CSIRT
The CSIRT Italia, operating within the National Cybersecurity Agency (ACN):
- defines the procedures for the prevention, detection and management of incidents;
- receives incident notifications and informs the ACN, as the single point of contact;
- provides the notifying party with information that may facilitate incident handling;
- notifies other EU Member States that may be affected by the incident;
- collaborates actively in the EU CSIRT network.
- E-mail: csirt@pec.acn.gov.it
3. The Perimeter Decree authorities:
The Perimeter Decree continues to apply in parallel with NIS 2 and designates the following authorities:
- National Office for Assessment and Certification (Centro di valutazione e certificazione nazionale, CVCN):
- Responsible for the assessment and certification of ICT products, systems and services used in Critical Systems, including supplier evaluations.
- The Competent Ministries:
- Ministries such as the Ministry of Enterprises and Made in Italy (MIMIT, formerly MISE) and the Ministry of Internal Affairs continue to play a role within the Perimeter governance.
- Under NIS 2, however, operators no longer notify ministries directly. Notifications are sent to the CSIRT/ACN, which coordinates with the relevant ministries as needed.
***
Italy’s Intelligence System for the Security of the Republic (www.sicurezzanazionale.gov.it) is the collective name given to the authorities and organizations responsible for intelligence policies, intelligence coordination and intelligence operations involved in the implementation of both the NIS 2 Decree and the Perimeter Decree. The Security Intelligence System includes:
- the President of the Council of Ministers;
- the Delegated Authority;
- the CISR – Comitato Interministeriale per la Sicurezza della Repubblica (Interministerial Committee for the Security of the Republic);
- the DIS – Dipartimento Informazioni per la Sicurezza (Security Intelligence Department);
- the AISE – Agenzia informazioni e sicurezza esterna (External Intelligence and Security Agency);
- the AISI – Agenzia informazioni e sicurezza interna (Internal Intelligence and Security Agency).
5. Key obligations
The NIS 2 Decree requires Essential Entities (EE) and Important Entities (IE) to take appropriate and proportionate technical-organizational measures for the management of risks and the prevention of cybersecurity incidents. In implementing such measures, entities must take into account the guidelines and recommendations of the EU Cooperation Group and the technical guidance of the European Commission and ENISA.
The NIS 2 Decree also establishes that the public and private entities referred to in Annexes I, II, III and IV of the Decree must identify themselves and report to the competent national NIS authority by registering on the digital platform provided by ACN (Article 7, paragraph 1). The ACN Determinations (see above) and FAQs are the key tools for complying with the provisions of the NIS 2 Decree.
With regard to incident notification obligations, Essential and Important Entities must notify the Italian CSIRT / ACN of incidents having a significant impact, according to the following timeline:
- within 24 hours: early warning;
- within 72 hours: incident notification;
- within 1 month: final report with root cause analysis and mitigation measures.
Entities outside the scope of NIS 2 may still voluntarily notify incidents.
The Perimeter Decree identifies a series of requirements and notification duties that Operators (as defined above) are bound to comply with. Such requirements include the obligation to:
- notify to the Presidency of the Council of Ministers and to the Ministry of Enterprises and Made in Italy (MIMIT), and subsequently update, a list of Critical Systems used by the Operator;
- notify any incident having an impact on such Critical Systems to the Italian CSIRT, according to specific procedures; and
- adopt specific measures aimed at guaranteeing high standard of security of the Critical Systems.
In addition to the above, the Perimeter Decree affects also suppliers of goods, ICT systems and services to be used on Critical Systems so that Operators which are planning to purchase such goods and services must notify the National Office for Assessment and Certification (Centro di valutazione e certificazione nazionale – CVCN), for detailed evaluation on security implications.
Furthermore, the Perimeter Decree introduces a duty of collaboration of such suppliers with the CVCN, which may impose specific conditions on them and, on the basis of a risk assessment, require hardware and software testing at the suppliers' own cost; in such cases, the relevant contracts with the suppliers must include a condition precedent or a termination clause linked to the outcome of the assessment carried out by the CVCN.
In case of a serious and imminent risk to national security, or in cyber-crisis events, the Perimeter Decree empowers the President of the Council of Ministers to order the immediate, temporary, partial or total deactivation of one or more devices or products employed in Critical Systems.
6. Sanctions & non-compliance
Under the NIS 2 Decree, non-compliance with cybersecurity risk management and incident reporting obligations is punishable by significant administrative fines:
- Essential Entities: up to €10 million or 2% of the total worldwide annual turnover (whichever is higher).
- Important Entities: up to €7 million or 1.4% of the total worldwide annual turnover (whichever is higher).
Failure to comply with the requirements provided for by the Perimeter Decree is punishable by a fine ranging from 250,000 euros to 1,800,000 euros, namely:
- Failure to comply with the notification obligation is punishable by a fine ranging from 250,000 euros to 1,500,000 euros.
- Failure to comply with security measures is punishable by a pecuniary administrative sanction from 250,000 euros to 1,500,000 euros.
- The use of products and services on the networks, information systems and for the performance of IT services in violation of the conditions or in the absence of passing the tests imposed by the CVCN is punished with a pecuniary administrative sanction from 300,000 euros to 1,800,000 euros.
7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
Italy has a Computer Security Incident Response Team (CSIRT Italia), which operates within the National Cybersecurity Agency (ACN).
8. National cybersecurity incident management structure
The management of cybersecurity incidents is coordinated by the ACN – Agenzia per la Cybersicurezza Nazionale, through CSIRT Italia. ACN acts as the national NIS authority, the single point of contact (SPOC), and the coordinator of national response measures, in cooperation with sectoral ministries and the national intelligence system where relevant.
9. Other cybersecurity initiatives
N/A
10. Useful links
- Italy’s Intelligence System for the Security of the Republic (www.sicurezzanazionale.gov.it)
- Italian CSIRT (https://csirt.gov.it)
- National Cybersecurity Agency (ACN) (https://www.acn.gov.it) and FAQ (https://www.acn.gov.it/portale/faq/nis/ambito-e-registrazione)