“News of the DORA Decree: Reform of Operational Resilience in the Italian Financial Sector”

### DORA: The News of the Implementing Decree

The implementing decree, identified as Government Act number 242, introduces important changes for the Italian financial sector and is structured into six sections. These sections address general provisions, competent authorities regarding the Digital Operational Resilience Act (DORA), cooperation principles, the extension of the scope to financial intermediaries, supervisory powers and sanctions, as well as amendments to sector regulations and final provisions.

The scope of DORA extends to entities operating as financial intermediaries, including those established under current legislation, with particular attention to the Bank of Italy, which has the power to identify categories of “significant” intermediaries that must adhere to a comprehensive ICT risk management framework rather than a simplified one.

Regarding supervision, the Bank of Italy assumes a central role, alongside other authorities such as Consob, IVASS, COVIP, and the National Cybersecurity Agency. These entities will collaborate to coordinate the management of ICT incidents, which must be reported to the national CSIRT to ensure a quick and efficient response.

The decree imposes a series of stringent obligations to ensure operational resilience. Among the most significant are periodic resilience tests, with some simplifications reserved for micro-enterprises. Additionally, specific obligations are established for ICT service providers, who must maintain a high level of security throughout the supply chain and contribute to creating a robust digital ecosystem against potential attacks and disruptions caused by various malicious actors.

The sanctions for violations of DORA regulations are detailed. The dedicated article establishes that administrative sanctions can include prohibition measures lasting from six months to three years for key figures involved in the management of the entity. Sanctions are graded by the severity of the conduct, with amounts ranging from €5,000 to €5 million, depending on the type of violation and the entity involved.

Supervisory authorities, when applying sanctions, must adhere to proportionality criteria, considering various factors such as the relevance and duration of the violation, the degree of responsibility of the offender, and the economic conditions of the legal entity. It is important to note that sanctions vary depending on the type of entity involved: for banks and financial intermediaries, they can reach up to 10% of revenue, while for insurance companies and pension funds, they are similar but with limits above €3.5 million.

Finally, DORA establishes specific dates for the implementation of the new rules. The regulation takes effect on January 17, 2025, while some specific provisions will come into force starting January 2027.

A crucial point of the decree is the absence of additional burdens on public finances, a principle clearly established in the text. The competent administrations are called to implement the regulatory requirements using only the resources already available, without requiring additional funding. This implies that each entity must carefully plan its investments in cybersecurity, integrating the expenses for operational resilience into existing budgets rather than viewing them as additional costs.

This new approach marks an important transition in how Italian financial organizations must consider cybersecurity and operational resilience. Instead of perceiving these requirements as an economic burden, they should be seen as opportunities to reorganize and improve resource allocation. Investing in cybersecurity is not simply a response to a regulatory obligation but a step towards creating a more robust business capable of facing the challenges posed by an ever-evolving threat landscape.
