Key Takeaways
- Cybersecurity in Italy in 2026 is a resilience, governance and continuity issue, not a purely technical function.
- ACN reported 1,979 cyber events and 573 confirmed-impact incidents handled by CSIRT Italia in 2024; in 2025 the flow remained high, with 1,549 events in the first semester and 1,253 events in the second semester.
- NIS 2, DORA, the national cyber perimeter, Law 90/2024, GDPR, the Cyber Resilience Act and the AI Act create a dense but complementary rule set for Italian organizations.
- The Italian cybersecurity market reached EUR 2.78 billion in 2025, up 12% year on year, according to Politecnico di Milano's Osservatorio Cybersecurity & Data Protection.
- The most practical 2026 priority for SMEs is not buying more tools. It is building a measurable operating posture: scope, assets, identities, suppliers, logs, backups, incident response and evidence.
- Funding can help, but public measures must be read carefully. The MIMIT Cloud & Cybersecurity measure is in a supplier-list registration phase extended to 27 May 2026; beneficiary access must be checked against the official procedure when available.
Scope of This Article
This article gives a 2026 snapshot of cybersecurity in Italy for CEOs, CISOs, CTOs, CFOs and compliance teams. It covers the threat landscape, regulation, market direction, technology trends, funding signals and a practical posture roadmap for Italian SMEs and mid-market organizations.
It does not replace a legal assessment of whether a specific organization falls under NIS 2, DORA, the national cyber perimeter or other sector rules. For that, the starting point is a documented scoping exercise based on official sources and the organization's actual activities.
The 2026 Snapshot: Resilience, Regulation and Market Pressure
Cybersecurity in Italy in 2026 is shaped by three forces moving in the same direction. Threat activity remains continuous, regulation is becoming operational, and investment is increasing because cyber risk now affects production, service continuity, insurance, procurement and board accountability.
The practical consequence is simple: Italian organizations need evidence that cybersecurity is managed as a repeatable process. A policy is not enough. A tool is not enough. A one-off assessment is not enough. Mature posture means being able to show what is in scope, which assets and suppliers matter, which controls are active, which logs are collected, how incidents are escalated and when the board receives risk information.
The Italian Threat Landscape: What ACN and CSIRT Data Show
The most useful source for the Italian picture is ACN and CSIRT Italia reporting. In the 2024 annual report to Parliament, ACN stated that CSIRT Italia handled 1,979 cyber events, about 165 per month, including 573 incidents with confirmed impact. ACN also reported that events increased by 40% and confirmed-impact incidents by almost 90% compared with 2023.
The 2025 data shows that this is not a one-year anomaly. In the Operational Summary for the first semester of 2025, ACN reported 1,549 cyber events, up 53% compared with the first semester of 2024, and 346 confirmed-impact incidents. In the second semester 2025 update, ACN reported 1,253 events and 304 confirmed-impact incidents, with more than 5,205 preventive alert communications sent by CSIRT Italia to Italian subjects with exposed or risky systems.
These figures need careful reading. Event counts rise partly because detection, reporting and monitoring improve, while confirmed-impact incidents fall when prevention and response improve, so neither number on its own describes an organization's exposure. The lesson for organizations is to measure posture by capability: visibility, triage, containment, evidence, recovery and notification readiness.
European and Industry Context
Italy's threat picture sits inside a wider European pattern. ENISA Threat Landscape 2025 analyzes 4,875 incidents from 1 July 2024 to 30 June 2025 and describes an environment where ransomware, data theft, DDoS, exploitation of known vulnerabilities, identity compromise, supply-chain attacks and cloud exposure remain central.
The Rapporto Clusit 2026 adds an Italian industry lens: significant incidents, sector trends and data from Italian security operations sources. It is useful for trend interpretation; this article cites no CLUSIT figures beyond those visible in the published report or its public communications. The operational point is consistent with ACN and ENISA: attacks are increasingly business-impacting, not just technically disruptive.
The Italian Regulatory Landscape in 2026
The central regulatory shift is NIS 2. Italy transposed Directive (EU) 2022/2555 through Legislative Decree no. 138 of 4 September 2024, published in the Official Gazette on 1 October 2024 and in force from 16 October 2024. ACN is the national NIS competent authority and single point of contact; its NIS obligations page also records the initial registration window, 1 December 2024 to 28 February 2025.
NIS 2 should not be treated as a one-time registration task. It is a continuing governance regime covering risk management measures, incident notification, supply-chain security, accountability and evidence. For a practical overview, see Aegister's guide to NIS 2 impact on Italian organizations.
The national cyber perimeter remains relevant for subjects that support essential state functions or strategic services. It comes from Decree-Law 105/2019 and should be read as a national security layer, not as a synonym for NIS 2. The distinction is covered in our explainer on the Italian National Cyber Security Perimeter.
Law 90/2024 strengthens incident-notification duties for specific public and private subjects. The incident taxonomy ACN adopted under that law is a step toward more structured classification, escalation and notification channels.
For financial entities, DORA is the main reference. The Bank of Italy presents Regulation (EU) 2022/2554 as a harmonized operational digital resilience framework for the financial sector. It covers ICT risk management, incident reporting, resilience testing and third-party ICT risk. For implementation context, see our DORA implementation article.
GDPR remains important because many cyber incidents involve personal data. It is not a cybersecurity regulation in the narrow sense, but it affects technical and organizational measures, breach assessment and notification to the data protection authority. The boundary between the regimes is discussed in NIS 2 vs GDPR for Italian organizations.
The Cyber Resilience Act, Regulation (EU) 2024/2847, shifts product cybersecurity into the market-access conversation for products with digital elements. Manufacturers, software vendors, importers, distributors, IoT suppliers and industrial technology providers should follow the transition calendar and vulnerability-management obligations. See also our CRA guide for manufacturers and software vendors.
The AI Act, Regulation (EU) 2024/1689, is not a cybersecurity regulation, but it affects digital risk governance. AI is now both a defensive aid for triage and correlation, and an offensive amplifier for phishing, fraud, impersonation and social engineering. We cover this overlap in our article on AI Act cybersecurity implications.
Main Institutional Actors
ACN is the central Italian cybersecurity authority. It coordinates national strategy, NIS implementation, prevention, public-private cooperation and institutional reporting. CSIRT Italia is the operational component for alerts, incident handling and technical coordination.
The Italian Data Protection Authority remains relevant when an incident affects personal data. Bank of Italy, IVASS, Consob and COVIP are relevant for financial-sector supervision, especially under DORA. ENISA provides the European threat, capability and policy context that Italian organizations should use when benchmarking maturity.
Priority Threat Scenarios for Italian Organizations
- Ransomware and extortion: encryption is only one part of the model. Data theft, operational interruption and reputational pressure are often the real leverage.
- Credential compromise: stolen or reused credentials remain one of the easiest ways to bypass perimeter controls. MFA, conditional access and privileged access management are baseline controls.
- Phishing and business email compromise: ACN's 2025 reporting highlights phishing growth, including campaigns against sensitive sectors. The risk is financial fraud, account takeover and malware delivery.
- Known vulnerabilities and exposed services: many attacks exploit systems that are reachable, unpatched or poorly configured. Vulnerability management must be operational, not just a quarterly scan.
- Supplier compromise: ACN's 2025 update mentions cascading effects from compromised local web-service suppliers. This is critical for SMEs because outsourced IT and SaaS often become the real attack surface.
- DDoS and availability attacks: public-sector and high-visibility services remain exposed to disruption attempts, even when the direct technical impact is temporary.
- Cloud and SaaS misconfiguration: identity, permissions, storage, logging and backup configuration errors can create data exposure without malware.
- AI-assisted social engineering: attackers can produce more credible messages, fake identities and multilingual lures at lower cost.
Most Exposed Sectors and Why
Public administration is exposed because it provides essential services, holds citizen data and often operates heterogeneous systems. Health care combines sensitive data, operational urgency, legacy systems and high disruption cost. Manufacturing is central in Italy because of the SME-heavy industrial fabric, dependence on suppliers and immediate production impact from ransomware.
Finance is more mature but highly regulated and high-value. Transport and logistics are exposed because of continuity requirements and supply-chain dependencies. Energy and utilities combine criticality, operational technology, geopolitical exposure and public-service obligations. Digital infrastructure and managed service providers matter because their compromise can cascade to many customers.
Cybersecurity Spending in Italy
The market is growing, but the relevant question is how spending is translated into capability. According to Politecnico di Milano's Osservatorio Cybersecurity & Data Protection, the Italian cybersecurity market reached EUR 2.78 billion in 2025, up 12% from the previous year. The same communication reports that 57% of large companies introduced a structural review of incident response plans and that seven out of ten large companies expected budget growth in 2026.
This does not mean every organization should build a bank-grade security operation. For SMEs, the right objective is a sustainable control model: external specialist support where needed, clear ownership, measurable controls, useful logs, tested recovery, supplier evidence and a security roadmap tied to actual risk.
Technology Trends for 2026
AI will be visible on both sides of the conflict. Defenders will use it for alert enrichment, triage, summarization, anomaly detection and analyst support. Attackers will use it for phishing, fraud, language localization and scalable social engineering. Governance should cover both use cases: approved tools, data classification, access control, logging and accountability.
MDR and XDR will continue to grow because many organizations cannot operate 24/7 monitoring internally. Identity-first security will become a practical baseline: MFA, conditional access, least privilege, privileged access management and lifecycle review. Supply-chain assurance will require more contractual clauses, questionnaires, evidence, notification duties and escalation paths.
Log management and SIEM remain foundational. Without logs, an organization cannot understand what happened, prove containment or support notification decisions. For a practical entry point, see what a SIEM is and our guide to Wazuh as an open-source SIEM option for NIS 2 evidence.
Funding Sources and Public Support
The most visible current measure is the MIMIT support for cloud computing and cybersecurity services. The official MIMIT page states that, by decree of 22 April 2026, the deadline for supplier-list registration was extended to 12:00 on 27 May 2026. The measure has a EUR 150 million envelope and is aimed at supporting demand for cloud and cybersecurity services, but SMEs should verify beneficiary windows, supplier eligibility and operational rules in the official procedure before planning purchases. We track the practical implications in the MIMIT Cloud & Cybersecurity voucher article.
PNRR and local calls can also support digital resilience, but they change frequently. Treat funding as an accelerator, not as the governance model. The security roadmap should be valid even if the timing or eligibility of a public measure changes.
What an Italian SME Should Do in 2026
- Confirm regulatory exposure: check direct obligations under NIS 2, DORA, the national cyber perimeter, Law 90/2024 and sector rules. Also check indirect exposure as a supplier to regulated customers.
- Map assets and services: identify critical processes, systems, cloud services, identities, data categories, suppliers and externally exposed services.
- Define the baseline: MFA, backup testing, patching, endpoint protection, vulnerability management, email security, access review, secure configuration and logging.
- Centralize evidence: policies, procedures, asset inventories, supplier records, risk decisions, training evidence, incident records and management approvals must be retrievable.
- Prepare incident response: assign roles, escalation paths, legal and privacy contacts, technical responders, backup procedures, communication steps and notification decision rules.
- Monitor what matters: start with identity, endpoint, firewall, server, cloud and administrative activity logs. The goal is explainability during an incident.
- Review suppliers: prioritize suppliers with access to data, credentials, production systems, managed services or critical SaaS platforms.
- Use external support where it is rational: a virtual CISO, a documentation audit or managed monitoring can be more realistic than hiring a full internal team immediately.
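The monitoring step above, and the earlier point that logs are what lets an organization explain an incident and support a notification decision, are easier to see on data. The following Python script is an added example written for this article, not Aegister's, ACN's or any vendor's code: it reads constructed sign-in events (the JSON field names are assumptions for the example, not any identity provider's schema) and extracts two facts a responder would want to cite: a failed-login burst from one source followed by a successful login, and privileged sign-ins that completed without MFA.

```python
"""Triage of identity logs: an added example for the 'monitor what matters' step.

Input: sign-in events as newline-delimited JSON (a constructed format, not a
specific product's schema). Output: findings an incident responder can act on
and attach to the incident record as evidence.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field names are assumptions for this example,
# not the schema of any real identity provider or SIEM.
SAMPLE_LOG = """
{"ts":"2026-03-02T08:01:10Z","user":"m.rossi","src":"203.0.113.7","result":"failure","mfa":false,"privileged":false}
{"ts":"2026-03-02T08:01:14Z","user":"m.rossi","src":"203.0.113.7","result":"failure","mfa":false,"privileged":false}
{"ts":"2026-03-02T08:01:19Z","user":"m.rossi","src":"203.0.113.7","result":"failure","mfa":false,"privileged":false}
{"ts":"2026-03-02T08:01:22Z","user":"m.rossi","src":"203.0.113.7","result":"failure","mfa":false,"privileged":false}
{"ts":"2026-03-02T08:01:27Z","user":"m.rossi","src":"203.0.113.7","result":"failure","mfa":false,"privileged":false}
{"ts":"2026-03-02T08:02:40Z","user":"m.rossi","src":"203.0.113.7","result":"success","mfa":false,"privileged":false}
{"ts":"2026-03-02T08:05:03Z","user":"admin.backup","src":"198.51.100.20","result":"success","mfa":false,"privileged":true}
{"ts":"2026-03-02T08:06:11Z","user":"g.bianchi","src":"192.0.2.44","result":"success","mfa":true,"privileged":true}
{"ts":"2026-03-02T09:15:00Z","user":"l.verdi","src":"192.0.2.9","result":"failure","mfa":false,"privileged":false}
{"ts":"2026-03-02T09:15:30Z","user":"l.verdi","src":"192.0.2.9","result":"success","mfa":true,"privileged":false}
"""

FAILURE_THRESHOLD = 5           # failures from one source within the window
WINDOW = timedelta(minutes=10)  # window for the burst and the follow-on success


def parse_events(text):
    """Parse NDJSON sign-in events and return them sorted by timestamp (UTC)."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_burst_then_success(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return (source, user, success_ts) whenever a source accumulates at least
    `threshold` failures inside `window` and then signs in successfully.
    A burst alone is noise; a burst followed by success is a likely compromise."""
    failures = defaultdict(list)  # src -> timestamps of failures still in window
    findings = []
    for ev in events:
        src, ts = ev["src"], ev["ts"]
        # Drop failures that have aged out of the sliding window.
        failures[src] = [t for t in failures[src] if ts - t <= window]
        if ev["result"] == "failure":
            failures[src].append(ts)
        elif ev["result"] == "success" and len(failures[src]) >= threshold:
            findings.append((src, ev["user"], ts.isoformat()))
            failures[src].clear()  # one finding per burst
    return findings


def find_privileged_without_mfa(events):
    """Every successful privileged sign-in without MFA is an evidence item:
    either a documented exception or a control gap to remediate."""
    return [
        (ev["user"], ev["src"], ev["ts"].isoformat())
        for ev in events
        if ev["privileged"] and ev["result"] == "success" and not ev["mfa"]
    ]


def triage(text):
    """Run both checks and return a dict that can be attached to the incident record."""
    events = parse_events(text)
    return {
        "events": len(events),
        "burst_then_success": find_burst_then_success(events),
        "privileged_no_mfa": find_privileged_without_mfa(events),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run as-is, it prints the two findings as JSON: the burst against m.rossi from 203.0.113.7 that ended in a successful login, and the admin.backup sign-in without MFA. The threshold and window are deliberately explicit so they can be written into the runbook; the point is less the rule itself than that the result is reproducible from retained logs, which is exactly what an evidence pack and a notification decision need.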
The Evidence Pack Italian Companies Should Build
Regulation and incident response both depend on evidence. A useful evidence pack contains the asset inventory, supplier inventory, risk register, policies, incident response plan, backup test records, access review records, vulnerability remediation evidence, security training evidence, logs and board-level decisions. Our article on cybersecurity audit preparation explains how to make this documentation reviewable instead of decorative.
Organizations that already use frameworks should map them cleanly. NIS 2, ISO 27001, NIST CSF and ACN basic measures are compatible, but they are not identical. The practical comparison is in our frameworks comparison guide.
Mistakes to Avoid
- Treating NIS 2 as only a registration deadline.
- Buying tools before assigning ownership and process.
- Equating GDPR compliance with cybersecurity posture.
- Keeping backups without testing restore procedures.
- Ignoring suppliers, SaaS administrators and outsourced IT providers.
- Collecting no logs until the day of the incident.
- Leaving privileged accounts without MFA, review or segregation.
- Using AI tools without policy, data rules and access governance.
- Preparing notification procedures only after an incident has already happened.
What Good Looks Like by the End of 2026
A realistic target for an Italian SME is not perfect security. It is a proportionate and demonstrable posture. By the end of 2026, a well-run organization should know its critical services, have assigned security ownership, maintain an asset and supplier inventory, enforce MFA on critical access, test backups, patch high-risk vulnerabilities, centralize core logs, rehearse incident escalation and maintain evidence for management review.
The important shift is from reactive cybersecurity to managed cybersecurity. Aegister's Cyber Console and advisory workflows are designed around this evidence-first model: less paperwork as theatre, more operational proof that governance, security and compliance are connected.
FAQ
What is cybersecurity in Italy in 2026?
It is the combined discipline of protecting systems, data, services, suppliers and continuity under a more demanding threat and regulatory environment. In Italy it is shaped by ACN, CSIRT Italia, NIS 2, DORA, GDPR, Law 90/2024, the Cyber Resilience Act, the AI Act and sector-specific supervision.
Who is ACN?
ACN is the Italian National Cybersecurity Agency. It coordinates national cybersecurity policy, acts as the NIS competent authority and single point of contact, and publishes operational information through CSIRT Italia and other institutional channels.
Which cybersecurity regulations apply in Italy?
The main regimes are NIS 2 for many essential and important entities, the national cyber perimeter for strategic functions, DORA for the financial sector, GDPR for personal data, Law 90/2024 for specific notification duties, the Cyber Resilience Act for products with digital elements, and the AI Act for AI governance.
Are Italian SMEs obliged to invest in cybersecurity?
Not every SME has the same direct legal obligations, but many are affected directly or indirectly through NIS 2 scope, sector rules, procurement requirements, insurance conditions or supply-chain expectations. Even without a direct obligation, cybersecurity is necessary for continuity, trust and customer access.
How can SMEs fund cybersecurity investments?
They can monitor national measures such as the MIMIT Cloud & Cybersecurity voucher, PNRR-related initiatives and local calls. Funding should be used to accelerate a validated security roadmap, not to buy disconnected tools without governance.
Official and Authoritative Sources
- ACN, Relazione annuale al Parlamento 2024
- ACN, Operational Summary, first semester 2025
- ACN, second semester 2025 update
- ACN, NIS obligations
- Gazzetta Ufficiale, D.Lgs. 138/2024
- ENISA Threat Landscape 2025
- Rapporto Clusit 2026
- Politecnico di Milano, Osservatorio Cybersecurity & Data Protection
- MIMIT, Cloud & Cybersecurity support measure
- Bank of Italy, DORA overview
- EUR-Lex, Cyber Resilience Act
- EUR-Lex, AI Act
