Exploratory survey of the Italian market for cybersecurity testing services

23 September 2025

Banca d'Italia today publishes 'Exploratory survey of the Italian market for cybersecurity testing services', the new issue of the series 'Markets, infrastructures, payment systems'.

Authorities and market participants have long been committed to strengthening the cybersecurity of the entire financial sector. The recent EU regulation on digital operational resilience (DORA) has introduced harmonized rules, including the requirement for certain financial institutions to conduct advanced cybersecurity tests - known as Threat-Led Penetration Testing (TLPT).

This paper analyses the supply of TLPT services in Italy, assessing the sector’s size and examining the structure of the market. Based on a voluntary-response questionnaire, we evaluate the key characteristics of the supply side, including service volumes, enabling factors, and barriers to the sector’s development.The findings point to a dynamic and growing market, with a predominance of domestic providers. TLPT service provision is concentrated in the hands of a small number of players, and there is significant variability in the resources allocated to individual services, indicating a market offering that is not yet fully standardized. Regulatory frameworks coexist with proprietary methodologies. Among the main obstacles to market development are a shortage of skilled professionals and persistently high costs.