
DORA Implementation in Italy: A New Era for Financial Cyber Resilience
June 03, 2025
The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, entered into force in January 2023 and has applied to financial entities since January 17, 2025. The regulation establishes a harmonized framework for digital operational resilience across the European financial sector, imposing stringent requirements on banks, insurance companies, payment institutions, asset managers, and other regulated entities.
What the DORA Regulation entails
DORA introduces five main areas of obligation for financial entities:
- ICT Risk Management: a documented ICT risk management framework, with the management body accountable for its governance and continuous review.
- Incident Management and Reporting: classification of ICT-related incidents and mandatory reporting of major incidents to the competent authority, through an initial notification followed by intermediate and final reports within defined timelines.
- Digital Operational Resilience Testing: regular testing of critical systems and, for entities identified by the authorities, advanced threat-led penetration testing (TLPT).
- ICT Third-Party Risk Management: assessment and monitoring of ICT providers (e.g., cloud providers), mandatory contractual clauses, and a register of information on all contractual arrangements with ICT third-party providers.
- Information Sharing: voluntary exchange of cyber threat information and intelligence among financial entities.
Implementation in Italy: Legislative Decree No. 23/2025
Because DORA is an EU regulation it applies directly, but national law had to be adapted to it. To that end the Council of Ministers approved Legislative Decree 23/2025, published in the Official Gazette on March 11, 2025. The decree designates the competent authorities for implementation and supervision:
- Bank of Italy for banks and financial intermediaries
- Consob for financial markets and the intermediaries it supervises
- IVASS for insurance companies
- COVIP for pension funds
The decree also formalizes the notification of major cyber incidents to CSIRT Italia, the national CSIRT within the National Cybersecurity Agency (ACN), making it a central hub in the national response to cyber attacks on the financial sector.
Supervision and next steps
The Bank of Italy has set up a joint Supervisory Forum with the other authorities to monitor the effective application of the regulation and to promote a uniform interpretation. Consultations with the sector are underway on operational guidelines intended to facilitate compliance and close the remaining gaps.
Other initiatives include integrating DORA controls into ordinary inspection processes and updating business continuity plans and registers of critical third-party providers.
Implications for financial companies
The regulators' message is clear: digital operational resilience is now a primary regulatory requirement, on a par with prudential and capital constraints. Deficiencies in IT security, ICT governance, or the management of digital suppliers may result in sanctions, warnings, and operational restrictions.
To prepare, financial entities should start a structured DORA compliance programme without delay, relying on professionals experienced in cyber governance and resilience.
Further reading and resources
- Full text of DORA Regulation (EU 2022/2554)
- Legislative Decree No. 23/2025 – Official Gazette (Italian)
- CSIRT Italy – Incident Management Coordination Center
Contact Aegister for compliance support and to build a robust and evolving cyber framework: discover our Virtual CISO services.