
Banca d'Italia is involved in major international forums and supports the competent bodies and national and European authorities in defining harmonized guidelines, standards and rules for the prevention and mitigation of cyber risks in the financial sector.
This page describes:
- objectives;
- international principles and guidelines;
- the European regulatory framework;
- the Italian regulatory framework;
- the secondary legislation issued by Banca d'Italia.
Objectives
To effectively counter cyber threats, operators must individually put into place numerous safeguards and defences, within their own organization and in managing third-party service relationships (such as ICT services). In both cases, it is the responsibility of individual operators - banks, market infrastructures and other financial institutions - to ensure the security of their systems and the continuity of the services they offer.
For operators to achieve adequate levels of preparation, it is important they have in place rules and guidelines on: governance policies and business strategies; definition of roles, responsibilities and control systems; implementation of effective risk and threat detection, prevention and response measures; provision of adequate business continuity measures; allocation of dedicated, specialized resources; initiatives to raise the level of awareness and training.
Rules are also important for the financial system to develop shared prevention and response measures to address systemic impacts across countries. These responses require harmonized and timely systems for reporting and detecting major incidents and attacks on operators, for information sharing, and the adoption of harmonized sets of metrics.
International principles and guidelines
Cybersecurity is the subject of numerous international cooperation forums (see 'Institutional cooperation and dialogue with the market').
At the FSB, the goal is to harmonize procedures for cyber risk management, detection and measurement (e.g. with the creation of cyber incident reporting schemes), and for third-party risk management. The G7 Cyber Expert Group (CEG) defines high-level cyber risk principles for authorities and financial operators in its 'G7 Fundamental Elements' series (see below); it also develops methodologies and protocols to facilitate coordination and communication between financial authorities and operators in the event of major incidents. Finally, the Committee on Payments and Market Infrastructures (CPMI), hosted by the Bank for International Settlements (BIS), and IOSCO have jointly issued the 'Guidance on cyber resilience for financial market infrastructures' as a means to strengthen the cyber resilience of financial market infrastructures.
New technological and cyber risk management tools are also necessary in light of recent developments in digital finance (e.g. in connection with crypto assets, central bank digital currencies and the digital euro) and new payment infrastructures (e.g. those based on DLT technologies), which are the object of growing interest in international forums.
Further information:
- FSB proposes a new integrated approach to foster greater convergence among cyber incident reporting schemes
- FSB publishes toolkit for enhancing third-party risk management and oversight (external link)
- CPMI-IOSCO - Guidance on cyber resilience for financial market infrastructures (external link)
The European regulatory framework
The European Union has adopted defensive instruments, including a specific cybersecurity strategy, to ensure that the digital development of the economy and of society is secure. In particular, the Digital Operational Resilience Act (DORA) lays down harmonized ICT risk management requirements for the financial sector, covering the various types of financial sector operators and introducing an oversight system of critical third-party ICT service providers. Further contributions to the resilience and continuity of service of the financial system are contained in the Network and Information System Security Directive (NIS2) and the Critical Entities Resilience Directive (CER), which apply to the chief European economic sectors, including credit and market infrastructure.
The European Systemic Risk Board (ESRB) has adopted a macro-prudential strategy to mitigate the impact of large-scale cyber incidents with the potential to produce systemic effects, and is developing dedicated tools (see 'Cybersecurity for financial stability').
The principles and policies to respond to cyber risk are also defined by the European Banking Authority (EBA), in which Banca d'Italia participates as the competent national authority. The orientations and guidelines it has issued, for example, on ICT risk management and outsourcing, are particularly important.
The Eurosystem has formulated its own cyber resilience strategy for payment systems and other financial market infrastructures. The Cyber Survey and the Cyber Resilience Oversight Expectations (CROE), which are models for assessing the cyber resilience of financial infrastructures and technological service providers, are particularly important oversight tools under this strategy. It also seeks to improve cyber resilience through TIBER-EU, the European framework for threat-led penetration testing (TLPT) by financial entities.
Banca d'Italia contributes to defining and updating the Eurosystem's supervision strategy and tools, and implements its methodologies and instruments in the domain of national payment systems and infrastructures, collaborating with Consob on matters within its remit.
User security and risk prevention, including cyber security and fraud prevention, are also essential elements of the EU Retail Payments Strategy for providing safe and innovative payment services, and are addressed in the ongoing revision of the Payment Services Directive and in the legislative proposal on instant payments.
Further information:
- Digital Operational Resilience Act (DORA) (external link)
- ESRB, Mitigating systemic cyber risk (external link)
- EBA: EBA Guidelines on ICT and security risk management (external link)
- ECB - Cyber resilience and financial market infrastructures (external link)
The national regulatory framework
National institutions and authorities are committed to ensuring that cyber resilience levels in Italy are high and that digital developments in the economy and in the services provided to businesses and the public are secure. The general framework of rules and strategies is defined at national and European level. In implementing these strategies, special attention is devoted to the financial sector and the key sectors of the economy.
These initiatives for Italy are in line with: i) the National Cybersecurity Strategy 2022-2026, which builds on the institutional architecture for cybersecurity and the role of the National Cybersecurity Agency (ACN); ii) the National Cybersecurity Perimeter, instituted by Legislative Decree 105/2019 (only in Italian) to ensure high levels of security for the networks, information systems and ICT services of public administrations and of all public and private entities and national operators that perform essential State functions (including in the economic and financial sector).
To this end, Banca d'Italia provides technical support to the Ministry of Economy and Finance (MEF) and engages with the ACN, national authorities and other institutions to define both European and national standards and rules. In this capacity, Banca d'Italia exercises its powers to regulate the financial system (see below 'The secondary legislation issued by Banca d'Italia').
The framework of competences in strengthening cyber resilience in Italy is defined by Legislative Decree 65/2018, which implements Directive (EU) 2016/1148 concerning the security of network and information systems (the 'NIS Directive'). The directive requires Member States to designate one or more competent national authorities. Pursuant to Legislative Decree 65/2018, the national competent authority for NIS is the ACN, while the competent authority for the banking sector and for the financial market infrastructure sector is the MEF, in collaboration with Banca d'Italia and Consob as supervisory authorities for their respective sectors. The regulatory framework under the NIS Directive was recently updated by the new NIS2 Directive (Directive (EU) 2022/2555).
Moreover, Legislative Decree 105/2019 (the 'Perimeter Decree') requires Banca d'Italia and other sector authorities to collaborate on matters of national security in strategically important sectors in order to facilitate the exercise of golden power functions (see 'Legal framework').
The secondary legislation issued by Banca d'Italia
By law, Banca d'Italia adopts provisions to strengthen cybersecurity and secure the business continuity of supervised and overseen entities. The main sets of regulations are:
- the Banking Supervision Regulation (Circular 285/2013), on corporate governance, internal controls and risk management (Title IV), which lays down provisions establishing the minimum requirements and measures for intermediaries in their management of information systems on which critical processes depend (Chapter 4), as well as business continuity measures for crisis management (Chapter 5);
- the Supervisory Regulation on Payment Institutions (PIs) and Electronic Money Institutions (EMIs), aimed at ensuring the reliability of information systems and the proper management of operational risks, including ICT and security risks;
- the rules for incident reporting, whereby banks, PIs and EMIs are required to promptly notify Banca d'Italia of serious operational or security incidents using a reporting scheme that complies with European legislation. This framework supports the prudential analysis of individual intermediaries, facilitating assistance and the coordination of remedial action, and the timely assessment of new common threats and vulnerabilities in the financial system.
Operators can also enhance their defence capabilities by conducting advanced cybersecurity tests. Banca d'Italia, Consob and IVASS have jointly adopted the TIBER IT National Guidance to help individual financial entities carry out these tests, based on a targeted threat scenario, on a voluntary basis.
As part of the payment systems oversight function that Banca d'Italia performs pursuant to Article 146 of the Consolidated Law on Banking (TUB), the Provisions of 2012 were revised by the Regulation of 9 November 2021, which extended the scope of application to wholesale payment systems and to technological and network infrastructure service providers. The new regulation is supplemented by a guide for controls and by measures on business continuity, which include addressing cyber risk.
Further information:
- Circular 285/2013, Title IV (only in Italian)
- Supervisory provisions for payment institutions and electronic money institutions (17 May 2016) (only in Italian)
- Banca d'Italia ‒ Reporting significant operational or security incidents
- TIBER-IT National Guidance
- Regulation concerning the oversight of payment systems and the supporting technological or network infrastructures
Links to documents on international principles and guidelines
- FSB consultation paper on a toolkit to improve third-party risk management and oversight (26 June 2023)
- A new FSB proposal to achieve greater convergence in cyber incident reporting (24 October 2022)
- G7 Fundamental Elements for Third Party Cyber Risk Management in the Financial Sector (pdf, 17 October 2022)
- G7 Fundamental Elements of Ransomware Resilience for the Financial Sector (pdf, 17 October 2022)
- G7 Fundamental Elements of Cyber Exercise Programmes (pdf, 25 November 2020)
- G7 Fundamental Elements for Threat Led Penetration Testing (pdf, 12 October 2018)
- G7 Fundamental Elements for Third Party Cyber Risk Management (pdf, 12 October 2018)
- CPMI-IOSCO Guidance on cyber resilience for financial market infrastructures (external link)
- Banks' cyber security - a second generation of regulatory approaches (external link)
- Basel Committee calls for improved cyber resilience, reviews climate-related financial risks and discusses impact of digitalisation (external link)
Links to documents on the European regulatory framework
- European Council, Cybersecurity: how the EU tackles cyber threats (external link)
- Digital finance package (external link)
- Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 (external link) on measures for a high common level of cybersecurity across the Union
- Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities (CER) (external link)
- Retail Payments Strategy for the EU (external link)
- European Commission, Payment services: revised rules to improve consumer protection and competition in electronic payments (external link)
- European Commission, Legislative proposal on instant payments (external link)
- EBA, EBA Guidelines on outsourcing arrangements (external link)
- Cyber resilience oversight expectations for financial market infrastructures (external link)
- TIBER-EU Framework (external link)
Links to documents on the National regulatory framework
Links to documents on the secondary legislation issued by Banca d'Italia
- Regulation of 9 November 2021 (pdf, published 28 December 2021)
- Guide for controls (only in Italian), annex to the Regulation of 9 November 2021 (pdf, published 01 March 2023)
- Measures on business continuity (only in Italian), annex to the Regulation of 9 November 2021 (pdf, published 01 March 2023)