---
title: "DORA Implementation Italy 2025 | Aegister"
description: Complete guide to DORA implementation in Italy for 2025. Learn about compliance deadlines, requirements, and how to build financial cyber resilience.
canonical: https://www.aegister.com/en/cms/insights/dora-implementation-italy-2025/
url: /en/cms/insights/dora-implementation-italy-2025/
lang: en
---


# DORA Implementation in Italy: A New Era for Financial Cyber Resilience

---

![DORA Implementation in Italy: A New Era for Financial Cyber Resilience](/static/images/cms/dora-implementation-italy-2025.webp)


June 03, 2025


The **Digital Operational Resilience Act (DORA)**, EU Regulation 2022/2554, officially came into force on **January 17, 2025**. The regulation establishes a harmonized framework for **digital resilience** in the European financial sector, imposing stringent requirements on banks, insurance companies, payment institutions, asset managers, and other regulated entities.

## What the DORA Regulation entails

DORA introduces **five main areas of obligation** for financial operators:

- **ICT Risk Management:** implementation of structured frameworks and continuous governance for technological and IT risks.
- **Incident Reporting and Response:** obligation to notify significant incidents within defined timelines.
- **Resilience Testing:** regular and advanced simulations (e.g., intelligence-based penetration testing) of critical systems.
- **ICT Third-Party Risk Management:** obligation for assessment, monitoring, and contractual clauses with relevant external providers (e.g., cloud providers).
- **Information Sharing:** promotion of voluntary threat intelligence sharing mechanisms among financial operators.

## Implementation in Italy: Legislative Decree No. 23/2025

To make DORA effective at the national level, the **Council of Ministers** approved **Legislative Decree 23/2025**, published in the *Official Gazette* on **March 11, 2025**. The decree establishes the competent authorities for implementation and supervision:

- **Bank of Italy** for banks and financial intermediaries
- **Consob** for markets and listed companies
- **IVASS** for insurance companies
- **COVIP** for pension funds

Furthermore, the **obligation to notify significant cyber incidents to CSIRT Italy** has been formalized, making it a central hub in the national response to cyber attacks in the financial sector.

## Supervision and next steps

The **Bank of Italy** has activated a joint *Supervisory Forum* with other authorities to monitor the effective application of the regulation and promote uniform interpretation. Consultations with the sector are underway for the publication of **operational guidelines** to facilitate compliance and minimize cyber gaps.

Other initiatives include the integration of DORA controls into ordinary inspection processes, and the adaptation of business continuity plans and critical third-party registers.

## Implications for financial companies

The regulators' message is clear: **digital operational resilience is now a primary regulatory requirement**, on par with prudential and capital constraints. Deficiencies in IT security, ICT governance, or digital supplier management may result in **sanctions, warnings, and operational restrictions**.

To prepare, it is essential to immediately activate a structured [DORA compliance](/en/solutions/compliance/) process, relying on experienced professionals in [cyber governance and resilience](/en/solutions/virtual-ciso/).

## Further reading and resources

- [Full text of DORA Regulation (EU 2022/2554)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554)
- [Legislative Decree No. 23/2025 – Official Gazette (Italian)](https://www.gazzettaufficiale.it/eli/id/2025/03/11/25G00032/sg)
- [CSIRT Italy – Incident Management Coordination Center](https://www.csirt.gov.it/)

Contact Aegister for compliance support and to build a robust and evolving cyber framework: [discover our Virtual CISO services](/en/solutions/virtual-ciso/).

## FAQ

### What is the main objective of this project?

The project focuses on developing and operationalizing cybersecurity capabilities for target organizations in scope.

### Which funding framework supports the initiative?

The article references PR FESR/Campania Startup funding context and related decree identifiers for the initiative.

### What timeline is stated for implementation?

The timeline is defined in the project timeline section of this article.


