Digital Operational Resilience Act (DORA)

🇮🇹Digital Operational Resilience Act in Italy

A comprehensive guide to Digital Operational Resilience Act compliance for organisations operating in Italy. Understand local enforcement, the national data protection authority, key focus areas, and notable enforcement actions.

About Digital Operational Resilience Act

The EU regulation establishing a comprehensive framework for digital operational resilience in the financial sector, covering ICT risk management, incident reporting, testing, and third-party risk.

Effective: 17 January 2025

Max penalty: €5,000,000 for entities; €500,000 for individuals; or 2% of total annual worldwide turnover for critical ICT third-party providers

Digital Operational Resilience Act Enforcement in Italy

Italy's Garante is one of the oldest data protection authorities in Europe and one of the most active in terms of enforcement volume and fine amounts. The Italian Privacy Code (Legislative Decree 196/2003) was substantially amended by Legislative Decree 101/2018 to align with the GDPR, maintaining sector-specific rules on health data, marketing, and journalistic processing. The Garante has been notably active in addressing telemarketing abuse, with TIM/Telecom Italia receiving one of Europe's largest fines. Italy was the first EU country to temporarily ban ChatGPT in March 2023, citing GDPR concerns, and the Garante has continued to lead EU-wide scrutiny of AI systems. The Garante has also issued comprehensive cookie guidelines and enforced strict rules on marketing consent chains.

Data Protection Authority

Garante per la protezione dei dati personali

Key Enforcement Focus Areas in Italy

  • Telemarketing and aggressive commercial practices
  • AI and emerging technology oversight (ChatGPT ban precedent)
  • Health and medical data processing
  • Cookie consent and web tracking
  • Employee and judicial data processing

Notable Enforcement Actions in Italy

TIM/Telecom Italia

€27,800,000 (2020)

Millions of unsolicited promotional calls and messages, including to users on the opt-out register

Enel Energia S.p.A.

€26,500,000 (2022)

Aggressive telemarketing through unauthorised contact lists and lack of consent verification

Clearview AI

€20,000,000 (2022)

Unlawful processing of biometric data through mass facial recognition scraping

OpenAI (ChatGPT)

€15,000,000 (2024)

Processing personal data without adequate legal basis, transparency failures, and age verification deficiencies

Disclaimer: The information on this page is for educational purposes and does not constitute legal advice. For specific compliance guidance, consult a qualified legal professional in your jurisdiction.