Italy’s cybersecurity framework has undergone a profound transformation in recent years. Long characterized by a fragmented regulatory and institutional landscape, Italy has moved decisively toward centralized cyber governance, positioning cybersecurity as a pillar of national resilience and strategic autonomy.
At the heart of this shift is the creation of the Agenzia per la Cybersicurezza Nazionale (ACN), which now serves as Italy’s primary authority for cybersecurity policy, coordination, and enforcement. Combined with the transposition of EU directives and a growing emphasis on critical infrastructure protection, Italy’s approach reflects both European harmonization and strong domestic reorganization.
From fragmentation to a central authority
For many years, Italy’s cybersecurity responsibilities were distributed across multiple ministries, intelligence bodies, and sector regulators. While functional, this structure often resulted in overlapping mandates and limited enforcement clarity.
This changed significantly with Decree-Law No. 82/2021, which established the Agenzia per la Cybersicurezza Nazionale (ACN).
ACN is Italy’s primary cybersecurity authority and national CSIRT coordinator. ACN reports directly to the Prime Minister, underscoring its strategic importance.
The creation of ACN marked a decisive move toward centralized cyber governance, aligning Italy more closely with models seen in France and Germany.
Cybersecurity in Italy is now framed as a matter of national interest, directly linked to economic stability, public service continuity, and geopolitical resilience.
The National Cybersecurity Perimeter
Italy’s cybersecurity obligations are anchored in the National Cybersecurity Perimeter, introduced by Decree-Law No. 105/2019.
This framework identifies public and private entities whose digital assets are deemed essential to national security. Entities falling within the perimeter must:
- Implement specific cybersecurity measures defined by national authorities.
- Notify incidents affecting ICT assets critical to national functions.
- Submit to inspections, audits, and technical controls.
The Perimeter applies across sectors including energy, telecommunications, finance, transport, health, and public administration.
What does the ACN do?
Decree-Law No. 82/2021 formally created the ACN, transferring responsibilities from the Prime Minister’s Office and intelligence structures into a dedicated civilian agency.
ACN is responsible for:
- National cybersecurity strategy and policy implementation.
- Oversight of the National Cybersecurity Perimeter.
- Coordination of incident response and crisis management.
- Supervision of NIS and NIS2 obligations.
- Certification and security evaluation of ICT products and services.
This reform significantly strengthened Italy’s enforcement capacity and reduced institutional ambiguity.
NIS Directive and NIS2 Transposition
Italy transposed the original NIS Directive through Legislative Decree No. 65/2018, imposing security and incident reporting obligations on operators of essential services and digital service providers.
With NIS2, Italy is expanding both scope and enforcement authority. The updated framework is expected to substantially increase the number of regulated entities, introduce stricter incident reporting timelines, grant ACN enhanced supervisory and sanctioning powers, and align penalties more closely with GDPR-style turnover-based fines.
Italy’s NIS2 transposition further reinforces ACN’s role as the central compliance authority.
GDPR and data protection laws
The General Data Protection Regulation (GDPR) is enforced in Italy alongside the Italian Data Protection Code (Legislative Decree No. 196/2003, as amended).
The Garante per la protezione dei dati personali oversees data protection enforcement and frequently addresses cybersecurity failures linked to personal data breaches, weak access controls, or insufficient technical safeguards.
Cyber incidents in Italy often trigger parallel oversight by both the ACN and the Data Protection Authority, depending on the scope of impact.
Obligations
Sector regulators (energy, finance, telecommunications) and law enforcement agencies support enforcement through inspections, investigations, and criminal prosecutions in cases involving sabotage, espionage, or fraud.
Cybersecurity obligations in Italy vary based on sector and classification. Organizations designated as part of the Perimeter must register ICT assets deemed critical, apply the prescribed cybersecurity controls, and notify incidents affecting asset availability or integrity. They must also allow technical inspections and audits by ACN.
Suppliers to public administrations and critical operators face heightened scrutiny, particularly for cloud services, managed IT, and telecommunications infrastructure.
Enforcement
Italy has steadily increased enforcement visibility since the creation of ACN.
- Incident reporting: CSIRT Italia published alerts and guidance following national campaigns and major vulnerabilities.
- Public sector incidents: local administrations and health institutions have been targeted by ransomware, prompting stricter compliance enforcement.
- Supply-chain oversight: Italy actively monitors ICT vendors and foreign technology dependencies under the Cybersecurity Perimeter framework.
While enforcement traditionally emphasized remediation, sanctions are becoming more common as supervisory maturity increases.
A vision for the future
Organizations operating in Italy must now pay close attention to asset classification, incident reporting, and supply-chain risk management.
As NIS2 becomes fully operational, Italy is set to emerge as one of Europe’s more assertive cybersecurity regulators.