Cybersecurity Monthly Report – January 2025 (Italy, EU, Global)


January 31, 2025

January 2025 reinforces three key directions for cybersecurity in Italy and across Europe: (1) a major regulatory step, with DORA becoming applicable; (2) sustained pressure on the perimeter, with VPNs and exposed edge appliances as a primary initial-access vector; (3) the persistence of ransomware as a systemic risk, with operational and policy implications. This monthly report summarizes the most relevant evidence and translates it into practical actions for newsletters, blogs, and Virtual CISO work.

1) Italy: ACN/CSIRT operational signals and implications

Throughout the month, ACN/CSIRT Italy communications continue to highlight two recurring operational drivers: high-priority vulnerability handling (with attention to real-world exploitation) and readiness for disruption and nuisance attacks (including publicly claimed DDoS campaigns). The core message remains: protect the perimeter, accelerate patching and mitigation, improve incident response quality, and build continuous threat awareness.

  • Perimeter and exposed services: inventory and harden VPNs, portals, DNS, and internet-facing gateways, with continuous monitoring and configuration checks.
  • Risk-based vulnerability management: prioritize using evidence of active exploitation and context (internet exposure, asset criticality, IT/OT where applicable), not CVSS alone.
  • DDoS readiness: playbooks, escalation contacts, scrubbing procedures, and recovery metrics must be tested, not just documented.

2) EU: DORA applicable (17 January 2025) and what truly changes

The Digital Operational Resilience Act (DORA) is applicable from 17 January 2025, introducing consistent operational resilience requirements for banks, insurers, intermediaries, payment institutions, and other regulated entities. DORA is not a paperwork exercise: it requires verifiable processes, credible testing, and effective control over ICT dependencies.

For financial organizations, DORA impacts:

  • ICT risk management: governance, policies, controls, and operational metrics;
  • Incident reporting: notification and handling flows with evidence and timelines;
  • Testing and resilience: periodic testing programs, tracked remediation, exercises;
  • ICT third parties: inventory, criticality, contracts, ongoing monitoring, exit strategies (including cloud and managed services).

For a structured program approach, refer to DORA compliance and Virtual CISO support.

3) NIS2: operational milestones and 2025 readiness

Within the NIS2 perimeter, January 2025 sits in a practical phase focused on registration and scope definition, pushing organizations to formalize contacts, roles, domains/IPs, and internal processes. At the same time, there is growing pressure to align governance and supply chain controls with the directive's expectations, especially for essential entities and sectors of high criticality.

If you are building or updating your roadmap, consult NIS2 and consider integrating Threat Intelligence to anticipate campaigns targeting exposed assets.

4) Vulnerabilities and global threats that matter for Italy

International attention in January 2025 concentrates heavily on vulnerabilities affecting VPNs and exposed gateways, including cases of active exploitation (e.g., Ivanti). This is highly relevant for Italy because many organizations, SMEs and supply chains included, still run edge appliances whose patch cycles are not consistently timely.

  • VPN/edge appliances: preferred targets for initial access and persistence; they require rapid patching, hardening, and IoC-based hunting in authentication and access logs.
  • Ransomware: persistent pressure and operational impact, with policy signals (reporting and payment restrictions) affecting governance, insurance, and incident response.
  • Essential services impact: increasing focus on continuity and safety outcomes (healthcare, infrastructure) beyond IT-only effects.
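The IoC-based hunting recommended above, as an added example that is not part of the original report: the script parses syslog-style VPN authentication records, matches source addresses against an IoC list (CIDR-aware), flags successful logins from IoC sources, and counts repeated failures per source. The log format, the IoC networks (documentation ranges) and all log lines are constructed for illustration; adapt the regular expression to the real format of your appliance.

```python
"""Hunt VPN authentication logs against an IoC list.

Added example, not code from the original report. Log lines, IoC
addresses and the log format are constructed for illustration; the
regex must be adapted to the appliance's real syslog format.
"""
import ipaddress
import re
from collections import Counter

# Constructed IoC list (documentation ranges, so nothing here is a real attacker).
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]

# Constructed syslog-like VPN auth records.
SAMPLE_LOG = """\
2025-01-12T08:01:10Z vpn-edge-01 auth: user=alice src=10.20.0.5 result=success
2025-01-12T08:02:44Z vpn-edge-01 auth: user=admin src=198.51.100.23 result=failure
2025-01-12T08:02:45Z vpn-edge-01 auth: user=admin src=198.51.100.23 result=failure
2025-01-12T08:02:47Z vpn-edge-01 auth: user=admin src=198.51.100.23 result=failure
2025-01-12T08:03:01Z vpn-edge-01 auth: user=svc-backup src=203.0.113.7 result=success
2025-01-12T08:05:30Z vpn-edge-01 auth: user=bob src=192.0.2.9 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)


def parse(log_text):
    """Yield one dict per line matching the constructed format; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def ioc_match(src):
    """True if the source address falls inside any IoC network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in IOC_NETWORKS)


def hunt(log_text, failure_threshold=3):
    """Return IoC-sourced events, IoC-sourced successes, and brute-force sources.

    A successful login from an IoC source is the finding that matters most:
    it means credentials or the appliance itself may already be compromised.
    """
    events = list(parse(log_text))
    ioc_hits = [e for e in events if ioc_match(e["src"])]
    ioc_successes = [e for e in ioc_hits if e["result"] == "success"]
    failures = Counter(e["src"] for e in events if e["result"] == "failure")
    brute_force = {src: n for src, n in failures.items() if n >= failure_threshold}
    return {"ioc_hits": ioc_hits, "ioc_successes": ioc_successes, "brute_force": brute_force}


if __name__ == "__main__":
    report = hunt(SAMPLE_LOG)
    for e in report["ioc_successes"]:
        print("CONFIRMED-ACCESS", e["ts"], e["user"], e["src"])
    for src, n in report["brute_force"].items():
        print("BRUTE-FORCE", src, n)
```

On the constructed sample the script reports one confirmed access (the svc-backup login from an IoC address) and one brute-force source; the single failure from 192.0.2.9 stays below the threshold and is not an IoC, so it is not raised. In practice the IoC list is refreshed from the vendor advisory and the CSIRT bulletin, and the hunt is run over the full retention window, not just the day the patch was applied.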

5) Recommended actions for January (operational checklist)

  • Internet-facing inventory: maintain an authoritative inventory of VPNs, DNS, portals, and public assets (including subdomains and shadow IT).
  • Patch & mitigation sprint: a monthly fast-track window for edge devices and appliances with evidence of exploitation or scanning.
  • Tested incident reporting: periodic drills for notification and handling (especially for finance/DORA and NIS2 scope).
  • Third-party ICT governance: supplier inventory, criticality, minimum clauses, exit strategy, continuous monitoring.
  • DDoS readiness: validate scrubbing, WAF, rate limiting, escalation procedures, and MTTD/MTTR metrics.
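The risk-based prioritization called for in the ACN/CSIRT section and the patch sprint in the checklist above, as an added example that is not part of the original report: a small scoring model that ranks findings by exploitation evidence, internet exposure and asset criticality rather than by CVSS alone, and selects the findings that belong in the fast-track window. The assets, the finding identifiers (EX-xxxx, not real CVEs) and the weights are all constructed assumptions chosen to show the ordering logic, not a published standard.

```python
"""Risk-based remediation queue for an internet-facing inventory.

Added example, not code from the original report. The asset and finding
records below are constructed for illustration; the scoring weights are
an assumption chosen to demonstrate the ordering, not a published standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                # e.g. "vpn", "dns", "portal", "workstation"
    internet_facing: bool
    criticality: int         # 1 (low) .. 3 (high), from the business inventory


@dataclass(frozen=True)
class Finding:
    asset: Asset
    vuln_id: str             # constructed identifier, not a real CVE
    cvss: float
    exploited_in_wild: bool  # e.g. listed in a known-exploited catalogue
    scanning_observed: bool  # our own sensors see probes for this issue


EDGE_KINDS = {"vpn", "gateway", "dns", "portal"}


def risk_score(f: Finding) -> float:
    """Combine exploitation evidence with exposure and asset context.

    CVSS contributes at most 10 points; exploitation evidence and exposure
    together can add more than that, so an exploited medium-severity bug on
    an internet-facing VPN outranks an unexploited critical on an internal host.
    """
    score = f.cvss
    if f.exploited_in_wild:
        score += 10.0
    elif f.scanning_observed:
        score += 4.0
    if f.asset.internet_facing:
        score += 5.0
    if f.asset.kind in EDGE_KINDS:
        score += 3.0
    score += 2.0 * f.asset.criticality
    return score


def fast_track(f: Finding) -> bool:
    """Findings that belong in the monthly edge/appliance patch sprint."""
    return f.asset.internet_facing and (f.exploited_in_wild or f.scanning_observed)


def remediation_queue(findings):
    """Findings ordered highest risk first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample inventory (hypothetical hosts and vuln IDs).
VPN = Asset("vpn-edge-01", "vpn", True, 3)
DNS = Asset("ns1", "dns", True, 2)
HR = Asset("hr-app-int", "portal", False, 2)
WS = Asset("ws-finance-17", "workstation", False, 1)

SAMPLE_FINDINGS = [
    Finding(VPN, "EX-0001", 7.2, True, True),
    Finding(HR, "EX-0002", 9.8, False, False),
    Finding(DNS, "EX-0003", 7.5, False, True),
    Finding(WS, "EX-0004", 9.8, False, False),
]

if __name__ == "__main__":
    for f in remediation_queue(SAMPLE_FINDINGS):
        flag = "SPRINT" if fast_track(f) else "      "
        print(f"{flag} {risk_score(f):5.1f} {f.asset.name:15} {f.vuln_id} cvss={f.cvss}")
```

The two CVSS 9.8 findings on internal hosts land at the bottom of the queue, while the exploited 7.2 on the VPN and the scanned 7.5 on the DNS server are the only two marked for the sprint. The weights are deliberately coarse; what matters for the checklist is that the inputs (exploitation evidence, exposure, criticality) come from maintained sources, namely the vulnerability feed, the internet-facing inventory and the business asset register, so the queue can be regenerated every month without manual re-triage.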

Sources and official references

If you want to translate this report into a 2025 audit-ready roadmap, we can connect it to a Virtual CISO program and continuous Threat Intelligence monitoring.
