Cybersecurity regulation in Italy (2026)

Following the Dec 2024–Feb 2025 registration window, Italy's National Cybersecurity Agency (ACN) compiled and notified the list of essential/important entities under the NIS2 decree and began defining baseline security obligations, with full compliance phased through October 2026. This operationalized Italy's largest-ever expansion of cybersecurity duties across the economy.

The Italian Data Protection Authority (Garante) ordered an immediate limitation on processing of Italian users' data by DeepSeek over transparency, legal-basis and cross-border (China) data-storage concerns, effectively blocking the service pending its inquiry. It underscored Italy's aggressive posture on data and AI-related security risks.

The Garante concluded its ChatGPT investigation, fining OpenAI €15 million for GDPR breaches including unlawful processing and inadequate transparency/age-verification. It is one of Europe's most significant enforcement actions against a generative-AI provider.

Italy's Legislative Decree No. 138 of 4 September 2024 (published 1 Oct, in force 16 Oct) transposed the EU NIS2 Directive, repealing the 2018 NIS framework and vastly expanding sectoral scope, governance duties, incident reporting and ACN supervision over 'essential' and 'important' entities. It is the cornerstone of Italy's current cybersecurity obligations.

Approved 28 June and in force 17 July 2024, Law No. 90 widened mandatory incident-notification duties (24-hour reporting for public administrations), mandated cybersecurity contact points and cryptographic standards in the public sector, and raised criminal penalties for unauthorized access and interception. It tightened the domestic regime ahead of NIS2.

ACN published Italy's first national cybersecurity strategy, setting 82 measures through 2026 around protection of strategic assets, threat/crisis response, and digital autonomy, backed by roughly €2.2 billion in funding. It established the strategic roadmap guiding all subsequent cyber policy.

Amid the Russia-Ukraine war, ACN issued guidance urging public administrations to diversify away from antivirus and software from Russia-linked vendors (notably Kaspersky), citing national-security risk from highly invasive software. The move signaled supply-chain/technological-sovereignty as a core security concern.

A RansomEXX attack on LazioCrea encrypted the region's datacenter and took down the COVID-19 vaccination booking portal for days, traced to compromised admin credentials. The high-profile incident exposed public-sector vulnerabilities and accelerated cyber-governance reforms.

Decree-Law No. 82 of 14 June 2021 created the Agenzia per la Cybersicurezza Nazionale, consolidating national cyber competencies, hosting the CSIRT Italia and serving as NIS authority; it began operations on 1 September 2021. ACN became the central pillar of Italy's cybersecurity architecture.

Decree-Law No. 105/2019 (converted by Law 133/2019) established the Perimetro di Sicurezza Nazionale Cibernetica, requiring designated public and private entities running critical functions to inventory strategic ICT assets, meet security measures, notify incidents and submit ICT procurement for vetting. It built Italy's regime for protecting the most critical systems.

Italy's first dedicated cybersecurity law implemented the EU NIS Directive, imposing security and incident-notification duties on operators of essential services and digital service providers, creating CSIRT Italia and mandating a national cyber strategy. It laid the foundation later superseded by NIS2.