Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

Italy published an enhanced iteration of its National Framework for Cybersecurity and Data Protection that, while described as national, closely follows the U.S. National Institute of Standards and Technology's Cybersecurity Framework 2.0.

This both reflects and diverges from EU regulatory ambitions under the second Network and Information Systems Directive, NIS2. Data protection professionals must closely watch this emerging convergence of cybersecurity management and data protection obligations.

Italy's updated framework goes a step beyond the strategy plan initially outlined in 2015, followed by a 2019 adaptation to encompass obligations introduced by the EU General Data Protection Regulation. This new edition has been designed as an operational reference framework to help public and private organizations — regardless of size — organize and govern cybersecurity and data protection activities in a logical and scalable way.

It is well-timed. The NIS2 Directive is being transposed into Italian law through Legislative Decree 138/2024, expanding more rigorous cybersecurity to a wide range of organizations. The revamped framework is a useful tool to support organizations faced with elaborate compliance environments, helping bridge the gap between strategy and operational implementation.

A key change in the 2025 edition is its compatibility with the recently published NIST Cybersecurity Framework 2.0, an internationally accepted standard. This is a visible step toward embracing internationally validated best practices while adapting them to national, as well as EU, legislation.

The update is the result of a development process led by Sapienza University of Rome's Research Center of Cyber Intelligence and Information Security and the Cybersecurity National Lab of CINI with the guidance of Italy's National Cybersecurity Agency. The multistakeholder engagement reflects an overall attitude toward cybersecurity — one that spans academia, research institutions, government agencies and private industry — and aims to create an effective cybersecurity community that addresses the increasingly changing threat landscape.

In particular, the framework is neither binding nor an instrument of regulation. Rather, it is an adaptive, voluntary instrument organizations can apply to align internal procedures to regulatory requirements and best practices in cybersecurity. Far from replacing compliance with laws such as the GDPR or NIS2, it assists organizations in developing consistent internal procedures for risk management, continuity and resilience.

A major update in this version is the addition of nine controls directed specifically toward privacy, prefixed with the letters "DP." These controls address key data protection matters such as notice to data subjects, processing carried out to satisfy a legal requirement, and managing privacy risks within the broader universe of cybersecurity methodologies.

The controls were added because of growing recognition that data protection is no longer separate from cybersecurity — particularly where, as in the EU, data protection is statutory and constitutional.

Modified framework is practical, strategic guidance

As organizations doing business within Italy make their way toward NIS2 compliance and complete convergence with the GDPR, this framework is a natural, logical means of creating efficient controls over security and privacy.

It is particularly significant to recognize how the Italian system translates to the NIST CSF 2.0. That is because it lets privacy officers bridge the gap between cybersecurity practice at the technical level and the privacy requirements arising from compliance obligations. Specific privacy controls make it easier for data protection officers, as well as compliance teams, to integrate privacy into overall risk management designs.

Moreover, the new framework is an intriguing example of how international models are being balanced with domestic frameworks today. Although it draws heavily on an American model, its localization to the EU and Italian context — plus the added privacy controls — makes it an example of a hybrid approach. It is an attempt to bring operational guidance into concert with EU regulatory intent, an exercise more relevant than ever given the global reach of organizations in a digitized international economy.

For those who advise multinational or cross-border companies, such nuances matter. The ability to map home-country regimes onto broader international norms — and to see where they fall short — will improve their ability to give accurate, risk-driven advice tailored to clients' operational and legal realities.

The role of the National Cybersecurity Agency

At the heart of Italy's cybersecurity system is the National Cybersecurity Agency (ACN). In addition to assisting with the framework's development, the ACN is responsible for issuing detailed guidelines on NIS2 implementation, including criteria for determining when a security incident is "significant," technical risk mitigation measures, and incident reporting guidelines. These are issued as official determinations and form part of the broader set of regulatory tools at the disposal of NIS authorities.

For the privacy profession, this renewed framework cannot be looked at independently. Instead, it is at the nexus of an ecosystem of regulatory programs, industry-specific requirements, and technical ACN guidance. Knowledge of these documents — and where they overlap with the framework — is key to building an efficient compliance solution.

Conclusion

The 2025 Italian National Framework for Cybersecurity and Data Protection is an important step forward in building out the country's digital infrastructure. Taking inspiration from international best practices such as the NIST CSF 2.0 and building on them with controls specifically tailored to protecting privacy, it offers organizations an organized, comprehensive framework for cybersecurity and data protection.

The framework is an important tool for clients and organizations operating in Italy, offering guidance on addressing NIS2 compliance, maintaining GDPR compliance and integrating privacy into cybersecurity initiatives. It also raises questions about how international frameworks align with individual national systems, touching on fundamental issues of interoperability, sovereignty and digital regulatory positioning.

As requirements become increasingly sophisticated, models like this one will be crucial to help organizations translate high-level requirements into day-to-day practice. The Italian model is significant for its integration of global best practices with local specificity — making it particularly relevant for privacy and cybersecurity practitioners in this globalized, networked world.

Federico Pontani, CIPP/E, CIPT, FIP, is an information security consultant at EY.