Italy updates National Cybersecurity and Data Protection Framework

Italy published an enhanced iteration of its National Framework for Cybersecurity and Data Protection that, while described as national, closely follows the U.S. National Institute of Standards and Technology's Cybersecurity Framework 2.0.

This reflects and diverges from EU regulatory ambitions under the Network and Information Systems Directive 2. Data protection professionals must closely watch this emerging convergence of cybersecurity management and data protection obligations.

Italy's updated framework goes a step beyond the strategy plan initially outlined in 2015, followed by a 2019 adaptation to encompass obligations introduced by the EU General Data Protection Regulation. This new edition has been designed as an operational reference framework to help public and private organizations — regardless of size — organize and govern cybersecurity and data protection activities in a logical and scalable way.

It is well-timed. The NIS2 Directive is being transposed into Italian law through Legislative Decree 138/2024, expanding more rigorous cybersecurity to a wide range of organizations. The revamped framework is a useful tool to support organizations faced with elaborate compliance environments, helping bridge the gap between strategy and operational implementation.

A key change to the 2025 edition is its compatibility with the NIST Cybersecurity Framework, the newly published internationally accepted standard. This is an apparent step toward embracing internationally validated best practices with adaptation of national, as well as EU, legislation.