Communications policy
Regulatory and institutional structure
Summarise the regulatory framework for the communications sector. Do any foreign ownership restrictions apply to communications services?
The primary legislation governing the communication sector in Italy is Legislative Decree No. 259/2003 (the Electronic Communications Code), which implemented the EU regulatory framework and regulates the electronic communications networks and services, the authorisation of electronic communications networks and services, the interconnection of electronic networks and user rights, and aims at:
- updating and harmonising the regulation of electronic communications networks and services;
- promoting the efficient, effective and coordinated use of spectrum and the development of very high-capacity networks;
- creating a favourable environment for investment and co-investment in very high-capacity networks;
- facilitating the access of operators into electronic communications markets and promoting competition;
- facilitating the access of users to electronic communications services and strengthening the protections provided for them; and
- defining the competencies of the regulatory and administrative authorities of the sector, and in particular of the Italian Communications Authority, the Ministry of Enterprises and Made in Italy (formerly the Ministry of Economic Development) and the newly established National Cybersecurity Agency.
More recently, Law Decree No. 48/2025 introduced new provisions regarding methods for user identification and established penalties for non-compliance.
Law No. 193/2024 introduces amendments to the rules on mobile number portability.
Legislative Decree No. 138 of 2024, in article 41, regulates the transitional regime and makes the necessary repeals for the implementation of the NIS 2 Directive on cybersecurity, establishing the legal framework to ensure an orderly transition to the new provisions. In particular, article 2, paragraph 1, h), article 30, paragraph 26, and articles 40 and 41 of the Electronic Communications Code were repealed.
Legislative Decree No. 48/2024 contains corrective provisions to the 2003 Electronic Communication Code, aiming to simplify the implementation of electronic communication infrastructures and the adaptation to technological innovation.
The main amendments concern:
- the introduction of the definitions of ‘Access Point’ and ‘MAC Address’ (media access control address);
- the introduction of the concept of Certified Start of Activity Report (SCIA), to allow a homogeneous recognition of the legal authorisation schemes;
- the introduction of textual amendments to the original provisions regarding the market entry and distribution;
- the introduction of some changes in the area of access to local radio-frequency networks; and
- the introduction of some new rules for the activation of SIM cards (including references to numbering resources, blocking of foreign numbers, identification of mobile phone users).
Legislative Decree No. 70/2003 (the E-commerce Decree) provides for the rules governing liability of internet service providers (namely, access, caching and hosting providers).
Legislative Decree No. 196/2003 (the Data Protection Code) provides specific rules concerning the protection of personal data processed by operators in the context of provision of electronic communications services, in addition to the provisions laid down in Regulation (EU) 2016/679 (the General Data Protection Regulation) (GDPR).
Moreover, the Italian Communications Authority (AGCOM) issues resolutions as secondary legislation containing detailed rules in the offering of electronic communication services and networks. Indeed, AGCOM, established by Law No. 249/1997, is a regulatory agency designed to actively promote the integration between the telecommunication and media markets and to supervise and monitor the markets.
The Data Protection Authority issues resolutions containing specific obligations for operators in the storage, processing and use of personal data information.
The Ministry of Enterprises and Made in Italy (the Ministry) is in charge, inter alia, of issuing authorisations and allocating the spectrum.
A general authorisation is required to offer electronic communications services in Italy. Such authorisation can be issued only to:
- entities with a permanent establishment in Italy or a country within the European Economic Area;
- member states of the World Trade Organization; and
- countries granting Italian citizens reciprocal rights of access to the relevant telecoms activity (article 11 of the Electronic Communications Amending Law).
Such general authorisation must be obtained for every single service offered, by submitting an application drawn up in accordance with Annex 14 to the Electronic Communications Amending Law, exclusively through the website of the Ministry’s SIDFORS platform.
Requests for general authorisations to operate phone centres, internet points, fax and data-processing centre services do not have to be submitted through the SIDFORS portal but directly to the competent territorial inspectorate.
Authorisation/licensing regime
Describe the authorisation or licensing regime.
Under article 11 of the Electronic Communications Amending Law, an operator that intends to provide electronic communications networks and services or to establish and operate network equipment at a point of presence in Italy shall apply with the Ministry for the issuance of a general authorisation that is required to offer electronic communications services in Italy.
The request must describe the services to be rendered and identification data about the applicant.
Starting from the filing of the relevant request, the operator is immediately entitled to run the activity. However, the Ministry has a 60-day term (from filing) to deny the authorisation. If the Ministry does not respond within this deadline, the authorisation is definitively issued.
General authorisations have a maximum validity of 20 years and may be renewed.
All operators holding a general authorisation are obliged to register with the Register for Communications Operators kept by AGCOM.
General authorisations are subject to payment of an annual contribution to the Ministry, whose amount is indicated in the Electronic Communication Code based on the service currently provided by the operator and the relevant extension thereof.
Flexibility in spectrum use
Do spectrum licences generally specify the permitted use or is permitted use (fully or partly) unrestricted? Is licensed spectrum tradable or assignable?
The spectrum licences specify the permitted spectrum use. Under article 14 of the 2003 Electronic Communications Code, the Ministry prepares the master plan for the use of spectrum licences, while AGCOM is in charge of the allocation plan.
The most up-to-date master plan is Ordinary Supplement No. 35, adopted by Ministerial Decree dated 31 August 2022 and published in Italian Official Gazette No. 214 on 13 September 2022. It provides the principles for the allocation of the frequencies between zero GHz and 3,000 GHz to each type of service (eg, fixed, mobile, satellite or radio navigation), the authorities to which the frequencies shall be required (eg, the Ministry and the Ministry of Defence) and the frequency bands and (if any) the international provision applicable.
Individual rights of spectrum use are granted within the limits set out in the master plan, and any holders of such rights shall be compliant with the spectrum use allocated.
Ex-ante regulatory obligations
Which communications markets and segments are subject to ex-ante regulation? What remedies may be imposed?
According to EU Recommendation No. 879 of 17 December 2007, the electronic communications sector that is subject to ex-ante regulation can be divided into two groups:
- markets for fixed networks (eg, services for access to new generation networks); and
- markets for interconnection services on fixed and mobile networks (eg, interconnection services on fixed networks).
EU Recommendation No. 710 of 9 October 2014 modified the number and list of markets that are subject to ex-ante regulation. In particular, the latest Recommendation included fixed and mobile call-termination markets in the list, as well as wholesale broadband access markets.
The European Commission, under article 64 of Directive (EU) 2018/1972, which establishes the European Electronic Communications Code (EECC), periodically reviews electronic communications markets that may be subject to ex-ante regulation, updating the 'Recommendation' on relevant markets. National Regulatory Authorities (NRAs) are required to analyse these markets and, in some cases, can identify additional markets for regulation. NRAs must also review markets not included in the Recommendation if they are already regulated based on previous market analyses.
AGCOM, under Legislative Decree No. 207 of 8 November 2021, which transposes the EECC, conducts periodic market analyses to identify relevant markets at the national level, check for the presence of companies with significant market power, and determine if ex-ante regulatory obligations should be imposed.
On 1 November 2022, the EU Digital Markets Act (the DMA) came into force. It regulates the activities of major digital platforms in the EU market and it applies to gatekeepers, namely, companies offering online intermediation services (including search engines, social networks, messaging and video sharing).
The DMA introduces an ex-ante approach whereby specific and circumscribed obligations are imposed on the operators of platforms qualified as gatekeepers.
Structural or functional separation
Is there a legal basis for requiring structural or functional separation between an operator’s network and service activities? Has structural or functional separation been introduced or is it being contemplated?
Under article 17 of the Electronic Communications Amending Law, companies with exclusive or special rights for public communication network installation or communication services provision – in Italy or even abroad – shall provide networks or electronic communication services accessible to the public only through their subsidiaries or affiliated companies (eg, structural separation). This limitation does not apply to companies that generate an annual turnover of less than €50 million with the provision of electronic communication networks or services in the European Union.
Functional separation is instead provided by article 88 of the Electronic Communications Amending Law as an exceptional measure to be implemented if AGCOM assesses that other available remedies have failed to achieve effective competition. If AGCOM intends to impose a functional separation, it shall notify its proposal to the European Commission, explaining the grounds of such proposal.
Universal service obligations and financing
Outline any universal service obligations. How is provision of these services financed?
The services that must be made available to end users and must be provided by all operators as universal service obligations are:
- access to end users from a fixed workstation (article 96 of the Electronic Communications Amending Law); and
- special measures for disabled and low-income users (article 95 of the Electronic Communications Amending Law).
AGCOM identifies one or more undertakings in charge of providing the universal service at an accessible price.
If, upon the undertaking’s request, AGCOM finds that the provision of the universal services by the identified undertaking results in an unfair burden on that undertaking, it will share the net costs deriving from the provision of the universal services among providers of electronic communications networks and services using the ad hoc fund established by the Ministry (article 98-ter of the Electronic Communications Amending Law).
Number allocation and portability
Describe the number allocation scheme and number portability regime in your jurisdiction.
With Resolution No. 274/07/CONS (article 6 et seq), AGCOM has set the standards for activation and migration of fixed number procedures and pure number portability (ie, portability that takes place without being accompanied by the transfer of physical access resources).
Under article 98-octies decies of the Electronic Communications Amending Law, users have the right to change operator for mobile phone, voice and data services, while keeping their own mobile number (mobile number portability). The relevant inter-operator procedures are regulated by Resolution No. 339/18/CONS. The user is not actively involved in the transfer procedure. The user is simply required to subscribe to an offer with a new operator and communicate the transfer code to that operator. Thus, the user need not even communicate the withdrawal to the former operator, as the new operator is in charge of dealing with the transfer procedure, including liaising with the former operator to terminate the user’s contractual relationship.
With Resolution No. 86/21/CIR, AGCOM introduced new verification obligations for the operator involved in the portability procedure to avoid the risk of fraud with SIM card replacement (called SIM Swap) against consumers. Such obligations came into force on 14 November 2022.
Customer terms and conditions
Are customer terms and conditions in the communications sector subject to specific rules?
Consumers are generally protected by Italian Legislative Decree No. 206/2005 (the Consumer Code) both from a contractual point of view (including off-premises agreements) and against unfair business-to-consumer commercial practices (including teleselling practices).
Specific rules are further provided by the E-commerce Decree (implementing EU Directive 2000/31/EC) on information society services and electronic commerce, which, among others, includes specific provisions on the information to be provided to consumers when dealing with electronic agreements.
Also, the Electronic Communications Code provides for specific terms and conditions to be included in communications contracts, such as the services provided, the minimum service level, and the procedures used by the company for measuring network traffic.
EU Directive 2019/2161 (Omnibus Directive) was implemented in Italy on 18 March 2023 with Legislative Decree No. 26/2023, which entered into force on 2 April 2023, introducing new consumer protection measures in the Consumer Code including, inter alia, higher penalties for companies and widening the cases of unfair commercial practices. In particular, with specific reference to e-commerce, the legislation introduced by Legislative Decree No. 26/2023 imposes the obligation to:
- clearly indicate, in marketplaces, the entity – professional or private – that offers products for sale, bearing in mind that, in the case of private individuals, consumer protection rules will not apply;
- inform about the main parameters governing the classification of products, whenever the possibility of searching for products offered by different professionals is offered (this obligation, however, does not apply to providers of online search engines); and
- ensure the reliability of product reviews.
Are there limits on an internet service provider’s freedom to control or prioritise the type or source of data that it delivers? Are there any other specific regulations or guidelines on net neutrality?
Net neutrality is regarded as a fundamental principle recognised by AGCOM to ensure democratic internet service provision. Net neutrality is regulated by Regulation (EU) 2015/2120, and in Italy, the competent Authority issued specific Resolution No. 348/18/CONS concerning the net-neutrality regulation. Several legislative discussions have resulted in the Declaration of Internet Rights of 14 July 2015 approved by the Italian parliament, a document consisting of 14 sections and conceived as a guideline to drive an evolutionary interpretation of the existing provisions and to serve for any legislative developments.
Article 4 of Law No. 167/2017 raised the maximum penalty that can be imposed by AGCOM, in the case of a violation of net neutrality, to a limit of €2.5 million.
In compliance with the Body of European Regulators for Electronic Communications’ guidelines, AGCOM published the 2024 report including the activities carried out concerning net neutrality. The report highlights AGCOM's commitment to ensuring open and non-discriminatory Internet access, in line with Regulation (EU) 2015/2120.
The document outlines AGCOM's monitoring and regulatory activities, including oversight of internet service provider practices, transparency in traffic management, and protection of user rights. It also describes international cooperation with BEREC (Body of European Regulators for Electronic Communications), an organisation that brings together national regulatory authorities from across Europe to promote consistent regulation of electronic communications. The report emphasises the importance of regulation in fostering a fair and innovative digital environment.
The resolution concerning the abolition of net neutrality in the United States, taken by the Federal Communications Commission on 14 December 2017, does not seem to have influenced the activity of the Italian legislator yet. On the other hand, the advent of 5G connectivity may be a game-changer as it will be necessary to understand if the innovative capacity of the network is inextricably linked to its free accessibility or not.
Platform regulation
Is there specific legislation or regulation in place, and have there been any enforcement initiatives relating to digital platforms?
No specific legislation or regulations have yet been enacted in Italy concerning digital platforms.
In any case, the following legislation may apply to various aspects of the digital platforms:
- the e-commerce regulation provided by the E-commerce Decree;
- the Consumer Code and the data protection rules provided by the GDPR; and
- the Data Protection Code.
Moreover, the Italian Competition Law (Law No. 118/2022) introduced a provision specifically concerning digital platforms, consisting of a relative presumption of economic dependence where an enterprise uses the intermediation services provided by a digital platform that plays a decisive role in reaching end users or suppliers, including in terms of network effects or data availability.
In addition, Regulation (EU) 2019/1150, in force in EU member states since July 2020, outlines the relationship between business users of online intermediation services (marketplaces) and search engines.
The purpose of this Regulation is to guarantee greater transparency in the contractual terms applied to business users by, among others, the big players of the network. The target of the Regulation is the relationship of dependence that business users have on these large online players to offer their goods and services to consumers, which indirectly affects consumers who may not be able to enjoy balanced offers. The Regulation is directly applicable in EU member states and, so far, Italy has issued no specific rules regarding its implementation. By 13 January 2022, and subsequently every three years thereafter, the European Commission shall evaluate this Regulation and report to the European Parliament, the European Council and the European Economic and Social Committee.
On 27 October 2022, the DMA was published in the EU’s Official Journal. The DMA regulates the activities of major digital platforms in the EU market, and it applies to gatekeepers, namely, companies offering online intermediation services (including search engines, social networks, messaging and video sharing). Eligible gatekeepers are suppliers that:
- have a size that has an impact on the internal market (assessed on the basis of turnover and capitalisation thresholds);
- are in control of important access for business users to end consumers; and
- have an established and durable position.
The designation as gatekeepers is made by the EU Commission, following a notification from the companies concerned, or acting ex officio. Under the DMA, specific and circumscribed obligations are imposed on the operators of platforms qualified as gatekeepers.
Regulation (EU) 2022/2065 (Digital Services Act – the DSA) governs digital platforms, imposing specific obligations to ensure online safety, user protection, and transparency in practices. Platforms must remove illegal content, provide clear information about moderation and advertising policies, and ensure reporting mechanisms for users. In Italy, AGCOM is responsible for implementing the DSA, which also covers digital intermediary platforms (such as social media and search engines). The DSA requires platforms to protect minors, prevent the spread of harmful content, and provide quick remedies in case of user rights violations. The Act applies to all providers of intermediary services, as of 17 February 2024.
A key provision of this framework is the creation of so-called 'trusted flaggers', as outlined in article 22 of the DSA. These are organisations recognised for their specialised knowledge in identifying illegal online content. Due to their reliability, the DSA grants preferential treatment to notifications they send to online platforms under article 16.
Recently, on 22 January 2025, AGCOM appointed the first trusted flagger in Italy, the company Argo Business Solutions Srl. The qualification was granted in relation to issues concerning the violation of intellectual property rights and other commercial rights, as well as combating online scams and fraud. As a trusted flagger, Argo Business Solutions will be responsible for reporting illegal content to online platforms, which will be required to assess such reports promptly and effectively.
Next-Generation-Access (NGA) networks
Are there specific regulatory obligations applicable to NGA networks? Is there a government financial scheme to promote basic broadband or NGA broadband penetration?
Since 2015, Italy has been executing the ultra-broadband strategic plan (UBP) to develop an ultra-broadband network across all Italian territory and create a public telecommunications infrastructure in coherence with the purposes of the European Digital Agenda. The Ministry acts through its in-house company (Infratel Italia Spa) whose mission is to implement the infrastructure development schemes throughout the country, with a particular focus on the development of an ultra-broadband network and Wi-Fi public-services connection.
The UBP is part of the wider Italian Ultra-Broadband Strategy – approved by the government in March 2015 – which intends to reduce the existing market and infrastructure gap through the creation of conditions that are more favourable to the integrated development of fixed and mobile telecommunications infrastructure. Such strategy represents the reference national framework for any public initiative supporting the development of ultra-broadband networks in Italy.
The strategy is implemented through state aid (national and EU funds alike), approved by the European Commission. Moreover, on 11 February 2016, the Council of Ministers and the Conference of the Regions approved the ‘Framework agreement on the developing of the NGA as European target 2020’, allocating €3 billion to the project, subdividing the funds to the regions, according to their population, and strengthening the management of the project.
The intervention is intended to build a publicly owned network that will be made available to all operators willing to provide services in favour of the population and undertakings.
On 6 July 2023, the Interministerial Committee for Digital Transition approved the Ultra Broadband (BUL) Strategy 2023–2026. This strategy aims to address critical gaps in the BUL value chain, identified through a detailed analysis of the current state of ultra-high capacity network creation and dissemination in Italy. The primary goal of the BUL Strategy is to bridge these gaps, ensuring seamless integration and enhancement of digital infrastructure across the country. By doing so, the strategy seeks to significantly strengthen the Italian telecommunications sector, providing a robust foundation for sustained economic growth. The anticipated economic benefits are substantial, with an estimated increase in GDP of €96.5 billion between 2020 and 2025, and €180.5 billion between 2020 and 2030. The strategy outlines several key interventions:
- enhancing public administration skills and sector research and development;
- strengthening monitoring, programming, and planning activities;
- building and enhancing network infrastructures;
- increasing network efficiency and resilience; and
- supporting demand and increasing take-up.
Is there a specific data protection regime applicable to the communications sector?
The provisions applicable to the communications sector are contained in the Data Protection Code and the resolutions of the Data Protection Authority. In particular, articles 121 to 132, a quarter of the Data Protection Code, apply to the processing of personal data connected to the provision of electronic communication services accessible to the public on public communications networks.
The retention of data in the terminal equipment of a user or the access to information already stored is permitted only on the condition that the user has given his or her consent after being informed in a simplified manner. This does not prohibit any technical archiving or access to information that has already been archived if it is solely aimed at transmitting a communication over an electronic communication network, or as strictly necessary for the provider of an information society service explicitly requested by the user to provide this service. Traffic data concerning users processed by the provider of a public communications network or an electronic communication service accessible to the public are erased or anonymised when they are no longer necessary for the transmission of electronic communications.
The provider of an electronic communications service accessible to the public may process user data to the extent and for the duration necessary for the marketing of electronic communication services or the provision of value-added services, only if the user to whom the data relates has previously expressed their consent, which is, however, revocable at any time.
The processing of personal data relating to traffic is only allowed for subjects authorised to process and operate under the direct authority of the provider of the electronic communication service accessible to the public or, as the case may be, of the provider of the public communications network that deals with billing or traffic management, analysis on behalf of customers, fraud detection or the marketing of electronic communication services.
If calling line identification is available, the service provider of electronic communication accessible to the public assures the calling user the possibility of preventing, free of charge and through a simple function, the presentation of the calling line identification, call by call.
Location data other than traffic data referring to users can be processed only if anonymised or if the user has previously expressed his or her consent, which is revocable at any time.
Without prejudice to the provisions of articles 8 and 21 of the E-commerce Decree, the use of automated call or call communication systems without the intervention of an operator for sending advertising material or direct sales or for carrying out market research or commercial communication is permitted only with the user’s consent.
Furthermore, the provisions of the GDPR (articles 15 et seq) shall be integrated into the processing of data, including a data-protection impact assessment (article 35).
Concerning the security of the processing, article 32 of the GDPR shall apply, and therefore, providers of a publicly available electronic communications service shall, also through other entities entrusted with the provision of the service, implement technical and organisational measures appropriate to the risk involved.
The latter measures shall ensure that traffic and location data and other personal data stored or otherwise transmitted are protected against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure, and shall ensure the implementation of a security policy. Where the security of the service or personal data also requires the adoption of security measures to be taken concerning the network, the provider of the publicly available electronic communications service shall take such measures jointly with the provider of the network. In the event of failure to reach an agreement, at the request of one of the providers, the dispute shall be settled by the Communications Authority.
Furthermore, the provider of a publicly available electronic communications service shall inform the subscribers and, where possible, users, using clear, appropriate and adequate language concerning the category and age group of the subscriber, with particular attention in the case of minors, if there is a particular risk of a breach of network security, indicating, when the risk is outside the scope of the measures to be taken by the provider described above, all possible remedies and the relative presumable costs. Similar information shall be provided to the Data Protection Authority and the Communications Authority.
At the end of March 2022, Italian Presidential Decree No. 26/2022 on the public register of oppositions (RPO) was published and repealed the Italian Presidential Decree No. 178/2010.
The RPO is a public registry where the contracting parties (those with a contract with a telco operator) are entitled to register their numbers to avoid being contacted for marketing purposes.
Pursuant to the Italian Presidential Decree No. 26/2022, it is possible to also include in the RPO the mobile phone numbers of the contracting parties or data subjects.
Therefore, the entity that is willing to run telemarketing activities shall consult the RPO before starting such activities and shall provide the list of the telephone numbers that it intends to contact.
Once registered with the RPO, the entity shall consult the RPO itself by accessing the relevant website.
Within the following 24 hours, the RPO shall return to the relevant entity an updated and cleared list of telephone numbers that shall not be contactable.
The list is valid for 15 days only, to enable a continuous update of the RPO.
It is noteworthy that, with the registration with the RPO, the consent of the contracting party shall be deemed withdrawn.
In any case, the contracting party can withdraw the right to object only against one or certain operators or companies.
The Data Protection Authority approved the Code of Conduct for telemarketing and teleselling activities with resolution no. 70 dated 9 March 2023, and accredited the Monitoring Body (MoB) of the Code with resolution no. 148 dated 7 March 2024 (Official Gazette no. 73 dated 27 March 2024). MoB is an independent body charged with verifying adherents’ compliance with the Code of Conduct and with handling the resolution of complaints.
The companies that adhere to the Code will undertake to adopt specific measures to guarantee the correctness and legitimacy of data processing carried out throughout the telemarketing chain, such as the collection of specific consents for individual purposes (marketing, profiling, etc), giving specific and precise information to the persons contacted on the purposes for which their data are used, and ensuring the full exercise of the rights provided for by the privacy legislation.
Cybersecurity
Is there specific legislation or regulation in place concerning cybersecurity or network security in your jurisdiction?
From a local standpoint, two main pieces of legislation on cybersecurity are to be noted:
- NIS2 framework; and
- Cybersecurity Perimeter.
On 27 December 2022, the NIS2 Directive, which updates and succeeds Directive (EU) 2016/114 on the security of network and information systems (the NIS Directive), was published in the EU’s Official Journal; it was transposed in Italy by virtue of Legislative Decree No. 138/2024.
The main innovation of the NIS2 Directive is its wide area of application, which is extended to medium and large companies operating in further sectors such as, inter alia:
- cloud computing;
- data centres;
- content delivery network providers;
- electronic communication services; and
- electronic communication networks.
The scope of the Directive is extended to the entire information and communications technology (ICT) infrastructure of entities, categorised as essential and important based on the criticality of their activities and the sector in which they operate.
The companies concerned shall implement an appropriate risk assessment process for the management of potentially malicious cyber events.
The NIS2 Directive also envisages new stringent reporting requirements in the event of a cyber incident to be fulfilled by notifying the CSIRT (cyber security incident response team) of all incidents likely to cause impacts of a ‘significant’ nature.
Unlike in the past, when reporting had to be done ‘without undue delay’ (see the NIS Directive), the NIS2 Directive provides for a more circumscribed, comprehensive and timely reporting process. In this sense, it provides for:
- an ‘early warning’ to be sent within 24 hours of becoming aware of the incident;
- a notification within 72 hours of knowledge of the incident, updating – if necessary – the information in the early warning; and
- a final report within one month from the transmission of the notification, completing the reporting process.
The NIS2 Directive was implemented in Italy by virtue of Legislative Decree No. 138/2024 (NIS2 Decree), which, by repealing Legislative Decree No. 65/2018 (NIS Decree), establishes measures aimed at ensuring a high level of cybersecurity at the national level. An interim period is foreseen between the implementation of the NIS2 Decree and the NIS Decree, which safeguards the partial application of the latter until the NIS2 Decree requirements become fully enforceable.
With reference to the Cybersecurity Perimeter, five implementing decrees are provided to fully implement the architecture of the Perimeter. The first implementing decree was fully effective from 5 November 2020 (Presidential Decree No. 131/2020) and defines the criteria for identifying the entities included in the Perimeter and the obligations imposed on them to safeguard national security. The list of entities included in the Perimeter has already been drawn up, with about 100 entities involved, but was not published for national security reasons.
Nonetheless, the sectors in which public and private entities carrying out functions with a significant impact on national security are to be identified, as a matter of priority, include, among others, telecommunications, digital services and critical technologies.
Furthermore, Presidential Decree No. 131/2020 imposes several obligations on the entities within the Perimeter to ensure a high level of security.
First, entities must prepare, and annually update, the list of their ICT assets and must then identify the ICT assets needed to perform the essential function or service, to:
- assess the impact of an incident on the ICT asset, in terms of its operability and the compromise of data availability, integrity or confidentiality; and
- assess dependencies with other networks, information systems, IT services or physical infrastructures belonging to other subjects.
Finally, entities must identify the ICT assets that, in the event of an incident, would cause the total interruption of the essential function or service.
The second implementing Decree on notifications of incidents affecting networks, information systems and information services, as well as security measures, is Presidential Decree No. 54/2021. This Decree identifies the procedures, modalities and terms by which the National Assessment and Certification Centre (CVCN) and the Assessment Centres of the Ministries of Interior and Defence (CV) carry out assessments on the acquisition, by the entities included in the Perimeter, of ICT technologies and software – including 5G technology – that could present vulnerabilities and therefore expose them to cyber risks.
The latter Decree provides that, before the launch of award procedures or the conclusion of supply contracts, entities included in the Perimeter must notify the CVCN or the CV. Subsequently, the procedure is divided into three phases:
- preliminary assessments;
- preparation for the execution of tests; and
- execution of hardware and software tests.
The third implementing Decree, fully effective from 8 May 2021 (Presidential Decree No. 54/2021 of 5 February 2021), focuses on the procedures and terms for assessments by the CVCN and the CVs on products being acquired by entities included in the Perimeter.
The latter Decree also establishes the criteria for identifying the supply objects falling within the categories to which the assessment procedure applies.
Indeed, the categories of ICT goods, systems and services subject to the assessment by the CVCN or the CVs are identified based on the execution or performance of the following functions:
- switching or protection against intrusion and detection of cyber threats in a network, including the application of security policies;
- command, control and implementation in an industrial control network;
- monitoring and configuration control of an electronic communication network;
- network security concerning the availability, authenticity, integrity or confidentiality of services offered or data stored, transmitted or processed;
- authentication and allocation of the resources of an electronic communication network; and
- implementation of an IT service through the configuration of an existing software program or the development, in part or in full, of a new software program, constituting the application part relevant to the provision of the IT service itself.
The Decree of the President of the Council of Ministers of 15 June 2021, the fourth implementing the Perimeter, identified the categories of networks, information systems and IT services for which it will be necessary to notify the CVCN.
The entities included in the Perimeter will notify the commencement of a technology acquisition procedure together with a risk assessment.
The fifth implementing Decree, Decree of the President of the Council of Ministers No. 92 of 18 May 2022, defined the criteria for the accreditation of laboratories responsible for verifying the security conditions in the procurement of products, processes and services for networks, information systems and IT services.
Big data
Is there specific legislation or regulation in place, and have there been any enforcement initiatives in your jurisdiction, addressing the legal challenges raised by big data?
On 7 October 2024, Legislative Decree No. 144 was published in the Official Gazette, aligning national regulations with the provisions of the Data Governance Act (Regulation (EU) 2022/868). The Decree came into effect on 25 October 2024.
The Agency for Digital Italy (AgID) has been designated as the competent authority for managing the notification procedure for data intermediation services and for registering data altruism organisations. Additionally, AgID is expected to work in close and loyal cooperation with the following authorities: the National Cybersecurity Agency (ACN), the Competition and Market Authority (AGCM), and the Data Protection Authority (Garante). To facilitate this, AgID can enter into specific, non-onerous collaboration agreements with these authorities.
Regarding sanctions, AgID is authorised to impose administrative fines ranging from a minimum of €10,000 to a maximum of €100,000, or, for companies, up to 6 per cent of the total worldwide annual turnover of the previous financial year.
Big data often includes personal data and, in many cases, it is not possible to separate these data from non-personal data; therefore, as highlighted by the Data Protection Authority in the fact-finding survey on Big Data of February 2020, the privacy risks derived from the use of big data are varied:
- the processing of personal data outside the purposes for which it was collected;
- the use of incorrect or outdated information;
- discrimination or prejudice against certain individuals or groups resulting from the application of certain profiling algorithms; and
- the processing of personal data beyond what is necessary.
Are there any laws or regulations that require data to be stored locally in the jurisdiction?
Some localisation requirements are provided by:
- the Regulation for Digital Infrastructures and Cloud Services for Public Administration issued by the ACN, which provides that in some cases the data must be stored within the European territory;
- the Cybersecurity Perimeter;
- article 6(2) of the recent draft Law No. 1146/2024 on artificial intelligence (AI), which provides that AI systems intended for use in the public domain, with the exception of those deployed abroad in the context of military operations, must be installed on servers located on national territory, in order to guarantee the sovereignty and security of citizens' sensitive data; and
- the Digital Operational Resilience Act (Regulation (EU) 2022/2554) (DORA), as applicable to financial entities and their supply chain.
Certain limitations may apply concerning specific types of data.
By way of example, under article 39 of Presidential Decree No. 633/1972 (relating to the value added tax applicable to the sale of goods and services), any accounting document shall be retained through electronic archives and stored in a foreign country only to the extent that there are reciprocal assistance rights.
Key trends and expected changes
Summarise the key emerging trends and hot topics in communications regulation in your jurisdiction.
The Metaverse represents a new dimension of our era that is not yet entirely regulated. However, the regulation of a system in which physical, augmented and virtual reality converge, allowing users to interact with a computer-generated environment, is not easy to manage. With the implementation of Directive (EU) 2019/770, which refers to contracts for the supply of digital content and services, digital content is subject to stricter regulation to ensure the conformity of the digital content with the contract and the supplier’s public statements. Furthermore, the metaverse represents a marketplace, as various types of trade take place within it, which is the reason Regulation (EU) 2019/1150 was issued to promote fairness and transparency for commercial users of online intermediary services. This Regulation governs the relationship between the owners of platforms and business users who provide consumers with goods and services. In addition to these rules, the Omnibus Directive was implemented in Italy by virtue of Legislative Decree No. 26/2023, which entered into force on 2 April 2023 and provides for certain relevant amendments and additions to the Italian Consumer Code, in particular providing, among other changes, for new information requirements on distance contracts, new conduct that could amount to a misleading omission or practice, a new sanction regime and specific additional information requirements for contracts concluded on online marketplaces.
Last year, within the context of AI, AGCOM took measures against ChatGPT (the AI platform developed by OpenAI). Specifically, on 30 March 2023, AGCOM ordered, with immediate effect, the temporary limitation on the processing of Italian users’ data. AGCOM highlighted the lack of:
- information to users and data subjects;
- legal basis for the mass collection and processing of personal data to train the algorithms of ChatGPT; and
- age verification that exposes children to receiving inappropriate answers (even if the service is aimed at users above 13 years of age).
AGCOM also flagged that the information made available by ChatGPT was sometimes inaccurate. AGCOM required OpenAI to provide within 20 days the evidence of the measures taken to implement what is requested and to provide any information deemed useful to justify the above violations, failing which OpenAI might be fined up to €20 million or up to 4 per cent of its annual global turnover.
Thereafter, on 13 April 2023, the European Data Protection Board (EDPB) launched a dedicated task force on ChatGPT ‘to foster cooperation and to exchange information on possible enforcement actions conducted by data protection authorities’.
On 28 April 2023, AGCOM announced in a formal press release that OpenAI had sent it a letter describing the measures implemented to comply with the order issued by AGCOM on 11 April 2023. In particular, OpenAI expanded the information provided to European users and non-users, amended and clarified several mechanisms and deployed amenable solutions to enable users and non-users to exercise their rights. Based on these improvements, OpenAI reinstated access to ChatGPT for Italian users. AGCOM acknowledges the improvements made by OpenAI to reconcile technological advancements with respect for the rights of individuals, and hopes that OpenAI will continue its efforts to comply with GDPR provisions. In any case, AGCOM confirms that its investigation continues, also with the task force set up by the EDPB.
On 29 January 2024, the Italian Data Protection Authority (Garante) notified breaches of data protection law to OpenAI. Following the temporary ban on processing imposed on OpenAI by the Garante on 30 March 2023, and based on the outcome of its fact-finding activity, the Italian DPA concluded that the available evidence pointed to the existence of breaches of the provisions contained in the EU GDPR. The Italian Garante will take account of the work in progress within the ad-hoc task force set up by the EDPB in its final determination on the case.
Moreover, on 8 March 2024, the Garante opened an investigation into the US company that recently announced the launch of a new AI model, which, according to the announcement, is able to create dynamic, realistic and imaginative scenes from short text instructions.
The Garante recently concluded the public consultation on data scraping. It focused specifically on the use of this technique by companies developing generative artificial intelligence systems for purposes of training related algorithms. As of today, the Garante has not published, even informally, any paper or guidelines on the topic.
Another relevant topic in communications regulation is one related to the development of ultra-broadband, which is also an essential prerequisite for the development of 5G. Decree-Law No. 22 of 1 March 2021 established the Inter-Ministerial Committee for Digital Transition chaired by the Minister for Technological Innovation and Digital Transition, which coordinates the governance of Italy’s ultra-broadband strategy Towards the Gigabit Society, approved on 25 May 2021. The strategy consists of various interventions, including the Italian 5G plan (for which €2,020 million of National Recovery and Resilience Plan resources have been allocated). Furthermore, with Resolution No. 67/22/CONS of 3 March 2022, the Communications Regulator adopted the ‘Guidelines to identify the conditions of wholesale access to ultra-broadband networks receiving public contribution – integration for 5G networks’, which are regulated by:
- general conditions;
- the minimum set of wholesale services to be provided by the beneficiary of the financed network;
- the pricing of those services; and
- the approval procedure of prices.
On 20 March 2025, the Italian Senate approved draft Law No. 1146/2024, a concrete step towards aligning national regulations with Regulation (EU) 2024/1689 (AI Act). The text, divided into six chapters, establishes that the research, development, adoption, and use of AI must respect the fundamental rights and freedoms guaranteed by the Constitution and EU law. General principles such as transparency, proportionality, security, data protection, privacy, accuracy, non-discrimination, gender equality, and environmental sustainability are indicated.
The text provides for the creation of a national governance system for AI, as well as a fund of €1 billion for investments in AI, cybersecurity, quantum technologies, and 5G telecommunications.
Specific areas of AI application are regulated, such as the labour market, data protection, minors' access to intelligent systems, and cybersecurity, imposing measures to ensure inclusion and accessibility for people with disabilities.
Coordinated by the Presidency of the Council of Ministers, the National AI Strategy guides public choices in technological, industrial, and educational fields, with periodic updates and involvement of businesses, universities, and research centres. AgID and the ACN collaborate on support tools like regulatory sandboxes and initiatives to promote innovation and competitiveness.

