Cybersecurity regulation in San Marino (2026)

Law No. 114 of 23 August 2016 amended the Penal Code to criminalise offences aligned with the Budapest Convention on Cybercrime, covering unlawful system access, data interference, and related acts. San Marino is a Party to the Budapest Convention with declarations on articles 24, 27, and 35.

Law No. 171 of 21 December 2018 imposes security obligations on data controllers and processors and requires notification of personal-data breaches. The independent Garante Privacy enforces the law; penalties reach €10 million or 4 % of global annual turnover.

Delegated Decree No. 204 of 20 November 2020 empowered the Autorità ICT to regulate, control, and supervise public-interest telecommunications and IT services, including accreditation of fiduciary service providers and digital-infrastructure security within public administration.

The e-Governance Academy's National Cyber Security Index records that San Marino maintains a government unit specialised in national-level cyber incident detection and response, a designated single point of contact for international coordination, and a crisis management plan for large-scale cyber incidents.

The NCSI further records that digital service providers and operators of essential services in San Marino have a legal obligation to notify appointed government authorities of cybersecurity incidents, indicating a formal incident-reporting regime beyond mere data-breach notification.

San Marino is not an EU member state and therefore has no obligation to transpose NIS2 (EU Directive 2022/2555), which mandates harmonised cybersecurity risk-management and 24-hour incident-reporting duties across 18 critical sectors in EU Member States.