
THE EU’S CYBER SHIELD: UNPACKING THE DIGITAL OPERATIONAL RESILIENCE ACT (DORA) – LESSONS FROM ITALY


Dr. Costantino Grasso and Members of the Thai Office of the National Anti-Corruption Commission (ONACC)
European Union's Cyber Shield

1.    Introduction: Cyber Attack Vulnerability in the Financial Sector: Prevention Strategies and the Quest for Unified European Regulation


This brief paper outlines the most interesting aspects that the new European Regulation No. 2022/2554, the Digital Operational Resilience Act (DORA), adopted by the European Parliament and the Council to prevent cyber-attacks in the European Union financial sector, presents to scholars and compliance practitioners.


DORA poses significant new challenges in the area of corporate compliance in cybersecurity and potentially opens up new forms of liability.


To understand the rationale and purpose of this Regulation, it is first necessary to investigate the reasons that led the European Commission and then the European Parliament to take action on cybersecurity specifically in the financial sector.


In recent years, there has been a significant increase in cyber-attacks against large companies, both in terms of frequency and variety, as well as in severity and intensity. This trend has particularly affected major corporations in the banking and financial sector, as seen in Italy with the cases of UniCredit (Biagio, 2019), Intesa Sanpaolo, and Monte dei Paschi di Siena (Romeo, 2023), as well as public administrations.


These cyber-attacks are often the cause of security incidents that result in damage not only to the targeted company but to a community, a territory or even an entire country (Naddeo, 2019).


The first effect of security breaches concerns the confidentiality, integrity or availability of data and the alteration of information, with immediate and deleterious repercussions for citizens, not only of an economic nature. At the same time, security breaches can also interfere with the exercise of constitutional rights (Longo, 2024) and freedoms, such as the right to privacy (Brkan, 2019) and health, the right to confidentiality of correspondence, the right to property or the protection of savings.


In Italy, the CLUSIT report on ICT security for the year 2023, published by the Italian Association for Information Security, highlighted how the country became a primary target of massive cyber-attacks, particularly in the months following Russia's invasion of Ukraine. These attacks compromised millions of data records, causing significant economic losses amounting to several million euros. In 2022, 13,099 attacks were detected (see page 88), compared to 7,590 in 2021 and 5,509 in 2020. The number of individuals investigated increased to 304 in 2022, up from 201 in 2021.


The more recent 2025 CLUSIT report highlights an increasing impact of cyber-attacks on the economy. Italy, despite accounting for only 0.7% of the global population and 1.8% of the world's GDP, suffered 10% of the recorded cyber-attacks worldwide in 2024 (see page 10). In particular, over the last year, cyber-attacks have focused on the strategic sectors of the domestic industry and economy, such as the manufacturing, education, transport, public, financial and technological sectors.


Similarly, the 2023 National Cybersecurity Agency’s Report to Parliament identified 1,411 cyber incidents affecting strategic industries (see page 12). In particular, due to the ongoing invasion of Ukraine and the war in the Middle East, the report highlighted the rise of a specific cyber phenomenon that had previously been relatively insignificant in terms of numbers: cyber activism (Ayers, 2003). This refers to groups that carry out malicious cyber actions in support of one of the parties in conflict, with clearly visible impacts, which are later claimed by the group itself. These attacks are primarily DDoS events targeting the websites of public administrations and companies (Candito, 2025).


These first indications, which offer only a brief reference useful for framing the topic, show how the current and, in perspective, future landscape will be constantly characterized by the cyber threat, and how that threat will become more serious and dangerous in step with technological development.


In the digital age, moreover, information and communication technologies (ICT) run the main sectors of our economies, including the financial sector, and are essential for the functioning of a globalized market. On the other hand, the increasing level of digitization and interconnectedness amplifies cyber risks, making society and the financial system vulnerable to cyber threats or ICT disruptions.


The widespread use of ICT systems and the high degree of digitization are now the key features of the activities of EU financial corporations and the European internal market. That is why the vulnerability of the system calls for a higher and broader level of protection, integrated at all levels of governance and business management.


Indeed, it was no longer possible to leave to the domestic legal systems of the European Union countries the duty to regulate such a phenomenon, capable of affecting individuals, companies and institutions across all geographical boundaries. Moreover, any legislative disparities and uneven regulatory or supervisory approaches that would be created at the national level would hamper the functioning of the EU internal market for financial services, hindering the smooth exercise of the freedom of establishment, and the freedom to provide services for financial entities operating on a cross-border basis. Consequently, competition between financial companies operating in different Member States could be distorted.


2.    The DORA Regulation: Corporate Compliance for European Digital Resilience


For those reasons, DORA was approved in November 2022 and came into force in January 2023, becoming binding in Italy in January 2025, with the aim of increasing security and digital resilience measures within the financial sector. It is aimed at fighting cyber-attacks and is strategic for the European Union in guaranteeing the free movement of capital and, consequently, of people, goods and services.


In this context, therefore, DORA proposes to safeguard the competitiveness and stability of the European Union, aiming, first and foremost, to harmonize the legislation of EU countries around a set of specific rules for the prevention and management of cyber-attacks against corporations in the financial sector.


Secondly, DORA attempts to remedy the regulatory differences existing among the EU countries by implementing the system outlined in the NIS 2 Directive and introducing very precise rules on the management of the risk of cyber-attack, including specific standards for operational resilience tests and for monitoring the adequacy of the internal compliance program in reporting ICT incidents to the competent authorities.


The main aim of DORA is to foster a business culture of cyber risk prevention, of rational and effective management of critical issues that may arise in the course of business life and, ultimately, of «digital resilience», that is, «the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions» (Art. 3, DORA).


The European Regulation therefore aims to increase security measures - through the adoption of mandatory rules - in favour of the financial sector's cyber security.


Turning to the substantive content of the new European Regulation: in order to achieve a high common level of digital operational resilience, under Article 1, companies operating in the financial sector, such as banks, insurance companies and financial intermediaries, investment funds, as well as providers and issuers of crypto assets, financial market participants and their suppliers, are required to fulfil specific obligations to ensure the security of the networks and information systems supporting business and trading processes.


These obligations can be classified into two categories: internal obligations (Art. 6, DORA), which relate to the governance, organization and management of cybersecurity risk (Michieli, 2024), and external obligations (Art. 7, DORA), which relate to the entities' duty to inform and notify the competent authorities about serious incidents or critical issues related to ICT.


Considering internal obligations, DORA requires the adoption of an «internal governance and control framework» (Art. 5, DORA) that operates as an instrument of corporate compliance, suitable to ensure an effective and prudent management of ICT risk as part of the overall risk management system (Art. 6, DORA). This framework establishes what is defined as «digital operational resilience» (Schneider, 2022) and the so-called "tolerance level" of the company's ICT-related risks, and consists of methods, objectives, strategies and policies, but above all procedures and protocols, aimed at preventing, managing, extinguishing and mitigating the company's ICT risks.


To be truly effective, the «internal governance and control framework» must be consistent with the company’s nature and the complexity of the business and must be structured in a way to ensure an efficacious and prudent management of all cyber risks.


Article 5(1) requires the company to establish an independent management and internal control body to carry out constant monitoring, control and application of the measures implemented, and to provide for the prevention of ICT risk and the successful management of cyber risks, in order to ensure both «business continuity» (Art. 9, DORA) and «disaster recovery» (Art. 10 and 11, DORA), that is, the capacity to repair the damage suffered.


The adoption of the control framework must be preceded by a risk management and cyber risk assessment activity to verify which areas and processes pose the greatest threat to the company's business. Secondly, the company proceeds with the implementation of the software and hardware technologies to be used for the administration, use and transfer of data and, consequently, with the adoption of the most appropriate protocols to prevent the detriment, loss, alteration, unauthorized access and leakage of information data. To be effective, the governance and internal control framework is subject to periodic checks by external auditors with specific and appropriate skills in the ICT sector.


The internal framework aims to make the company a dynamic entity, capable of constantly adapting to the type of ICT risk.


The second part of DORA, in particular Chapter III (Art. 17 to 23, DORA), is instead dedicated to the financial institution's obligations of external relevance, which can be summarized in the process of reporting to the National Supervisory Authorities designated to monitor and intervene in the event of cyber incidents or in the presence of significant ICT-related criticalities.


That reporting process provides that, first of all, corporations must implement plans for reporting the computer crises and incidents that have occurred and classify the losses according to the severity of what happened and the criticality of the services endangered. In particular, according to Art. 15, companies must adequately process, record and classify the criticalities or computer incidents, also based on the impact that may have on third parties, as provided specifically by Art. 16.


The communication of the incident to the ICT system must be made by a Lead Overseer (Art. 35, DORA), identified within each legal entity, to a Public Supervisory Authority that, again according to the Regulation, has to be identified autonomously by each member state.

In this sense, therefore, DORA does not identify the Public Supervisory Authority that must monitor the reporting process but leaves it up to each member country to designate it internally and autonomously, thus being able to attribute this task to an already existing body, or by setting up an ad hoc one. In Italy, the law identifies the Bank of Italy, Consob, IVASS and COVIP, according to their respective powers, as the competent national authorities in exercising supervisory, regulatory and administrative sanctioning powers (see Art. 3, Legislative Decree 10th March 2025, n. 23).


In accordance with the Regulation, the main tasks of the Public Supervisory Authorities include:


  1. assessing the operational resilience of financial institutions that fall within their jurisdiction, through reviewing resilience plans, mapping and auditing critical business services, ICT systems, processes and contracts with third-party entities and vendors involving ICT;

  2. conducting on-site inspections to confirm compliance with the requirements of the Regulation;

  3. providing guidance or best practices to help financial institutions comply with the requirements of the Regulation;

  4. promoting coordination between national and European authorities and law enforcement and judicial authorities;

  5. applying sanctions.


As regards the enforcement system, under DORA, authorities have the power to impose sanctions on institutions that fail to comply with its requirements. Specifically, it provides for administrative sanctions and remedial measures (Art. 50 and 51, DORA), such as fines of up to 10 million or 5% of annual turnover, corrective measures, public reprimands, revocation of authorizations, and compensation for damages, leaving at the same time the option to member states to act through criminal sanctions.


More specifically, Art. 52(1) provides that member states may also decide not to enact rules on administrative sanctions for violations that are already punishable within their jurisdictions by criminal sanctions. This is in order to avoid a double combination of sanctions that could result in a bis in idem and to ensure the exclusive prerogative of criminal policies in member states.


Art. 52(2) establishes that if member states have decided to impose criminal sanctions for violations of the Regulation, they must provide the Public Supervisory Authorities with all the necessary powers and attributions to act in cooperation with the competent judicial authorities.


3.    Challenges in Identifying Minimum Compliance Standards and Corporate Liability


Having outlined the general structure and content of the Regulation, it is possible to highlight, from a critical perspective, how the new legal provisions may have an impact on companies’ compliance systems.


Firstly, DORA leaves open the problem of identifying the standards of compliance with digital resilience obligations, since the Regulation does not set out specific minimum requirements and, consequently, opens up the major issue of management and company liability. The regulatory framework does not offer precise and objective indications about the level of control, administration and minimization of the risk of ICT attacks that companies must achieve, that can be considered “adequate” and that can, at the same time, represent an objective and effective parameter in terms of predictability of the risk of damage to ICT systems. In this sense, therefore, it is not easy to understand to what extent and under what conditions companies may be called to account, in terms of non-compliance, for their failure to fulfil their obligations.


Therefore, there is no certainty about the objective minimum level of digital financial resilience that companies must achieve and the 'level of tolerance' of the risk.


In a nutshell, the Regulation does not identify a specific benchmark for the level of compliance required and consequently raises once more some issues that have already been raised with respect to other segments of corporate compliance, such as the GDPR or the adequacy of compliance programmes to prevent the commission of offences within the company.[i]


Nevertheless, DORA (Art. 28(9)) establishes that the full and uniform implementation of the legislative framework will occur through subsequent, coordinated second-level technical-regulatory activity entrusted to the European Supervisory Authorities, namely the EBA (European Banking Authority), EIOPA (European Insurance and Occupational Pension Authority), and ESMA (European Securities and Markets Authority). These authorities are responsible for developing Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS), as well as guidelines and reports, with the aim of providing normative references suitable for ensuring consistent application and effective internal compliance.


For example, the European Authorities will be required to define Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) concerning the content, timing, and templates for reporting security incidents (see Commission Implementing Regulation (EU) 2024/2956).


Furthermore, they are expected to develop requirements for managing risks associated with the subcontracting of essential ICT services, as well as guidelines on supervisory cooperation between competent European and national authorities.


Despite the support that may derive from the guidelines, companies are required to implement DORA autonomously, in a manner consistent with their business operations, internal organization, as well as economic and legal relationships. Specifically, for instance, companies may assess whether to establish or maintain an independent ICT control function meeting the requirements of second-level corporate control functions or to assign the tasks of the ICT control function to the management or the compliance function. If the risk management and compliance functions are entrusted to a single structure, the ICT control function may also be assigned to that same structure.


In any case, the choice regarding the organizational placement of the ICT control function must not compromise the effective performance of all tasks assigned to it for the management and supervision of ICT risks as required by the DORA framework.


Since the DORA Regulation does not establish minimum standard levels by which a legal entity can be considered compliant in terms of preventing cyber-attack risks, it follows that events of civil, administrative or criminal liability cannot be excluded. This, therefore, appears to be the most critical and vulnerable aspect of the regulatory framework established by that Regulation. At the moment, this uncertainty is already taking the form of a race for consulting, which will not necessarily ensure uniformity of standards within the system, exonerating companies from liability for failure to provide digital resilience.


To avoid these harmful consequences, it is certainly desirable for European Public Supervisory authorities to progressively intervene with more detailed, clear, and unambiguous guidelines that can be followed by legal entities without undue effort. However, to ensure true enforceability of the law and prevent the Regulation from merely shifting the burden of protecting technological infrastructures from external attacks onto private entities, it is essential that the guidelines, reports, and, more generally, the standards issued by the Authorities serve as benchmarks for assessing compliance by domestic judges.


In this context, to avoid the imposition of strict liability on legal entities, it is essential that the judiciary, when evaluating incidents of ICT-related damages, focus primarily on determining whether the standards set forth by the relevant Authorities have been properly adhered to. Liability should be excluded where the entity can demonstrate adequate compliance with these guidelines, ensuring that no excessive burden is placed on the entity to achieve an unattainably high level of compliance or risk prevention, which would effectively impose a covert obligation to avert the damaging event entirely. In other words, the court’s role is to assess whether the entity has taken appropriate measures to mitigate digital vulnerability, rather than scrutinizing whether it could have definitively prevented the damage.


In short, if the domestic judge determines that the damages and data breach occurred despite the legal entity having implemented a consistent and adequate compliance program on digital resilience according to the requirements set forth by the Regulation and the guidelines issued by the Authorities, no liability should remain. Otherwise, the risk is precisely that of having merely established a regulatory system assigning legal entities the task of protecting consumers, citizens and other financial market operators from external attacks, a task that, first and foremost, should always fall under the responsibility of public institutions.


That is why guidelines should, at least, become a tool for validating corporate compliance in matters of digital resilience (De Santis, 2023). Otherwise, there is a risk of witnessing a fragmentation of the compliance system across the 27 EU Member States, with negative consequences both in terms of the enforceability of the European Regulation and with indirect repercussions on digital security and the safety of commercial exchanges within the European Single Market.


In this regard, protocols and procedures defined by the guidelines should establish the minimum level of compliance required from the entity, which, once fulfilled, would allow the presumption of compliance with the applicable regulations in favour of the company. Furthermore, the guidelines should aim to standardize key aspects related to the implementation of the Regulation. For example, it would be desirable to clarify which body should be responsible for overseeing ICT risk events, ideally assigning this role to an independent and third-party body, rather than to the management, whose business decisions may conflict with preventive measures that inevitably incur costs.


4.    Concluding Remarks: Towards a Compliance Integration Beyond Risk Privatization


Currently, while awaiting a better understanding of how the European legislation will be applied and how the judicial institutions of the member countries will assess and interpret the digital compliance capacity of financial sector companies, the only way to prevent these compliance obligations from turning into nothing more than a de facto cost for companies and a form of strict liability for ICT damages arising from cyber-attacks is to act on corporate compliance, which means working on effective prevention strategies.


That means, already at this stage, setting up an effective integration of the various compliance systems required of companies in preventing ICT damages, so as to endow the company itself with a homogeneous and single system of business risk controls that can be activated according to the specific critical event to respond effectively in a multi-level perspective.

Taking the Italian compliance system as an example, this means providing integration between the compliance program adopted for the prevention of computer crime risk under D.Lgs. n. 231/2001, the compliance model required by the GDPR for data protection, and the internal framework regulated by DORA for the prevention of ICT damages and cyber-attacks.


In this regard, it is sufficient to think of computer offences, which may transversally affect both the integrity of corporate ICT, that is, digital resilience, and data protection, while also giving rise to a form of administrative or criminal liability of the entity where the computer offence has been committed in its interest or to its advantage and due to insufficient internal management organization.


More specifically, this entails the implementation of standardized digital resilience protocols and procedures across these three distinct tiers of protection, along with an integrated information flow system that enables the governing or supervisory bodies responsible for risk mitigation to operate with increased agility and informed decision-making. While the responsibility frameworks within the compliance model for preventing cybercrime by the entity (pursuant to Legislative Decree no. 231/2001), the General Data Protection Regulation (GDPR), and the internal framework set forth by the Digital Operational Resilience Act (DORA) remain distinct, the adoption of an integrated compliance approach would facilitate enhanced resilience for entities within the financial sector against external cyber threats. Moreover, this would augment their capacity for a more robust and coordinated response, ultimately resulting in a more efficient and adaptable organizational structure.


In light of the above, DORA surely introduces important measures, essential for the proper functioning of the financial and technological sector and for the overall safety of citizens and businesses within the EU. At the same time, however, it is desirable that the European legislator stimulate a process of gradual integration among the European laws in the field of compliance, through additional clear, safe and specific regulations and guidelines that can facilitate the integration of corporate compliance systems and provide an objective benchmark for national authorities and courts to exclude residual liability where the legal entity has acted, by organizing its structure properly, in accordance with what is required by the legislation.


Otherwise, there is a concrete risk of pursuing a further "privatisation" of the mechanisms for managing the protection of the individual freedoms of citizens, of the fundamental values of the European single market and, especially in this critical political season, of the strategic security of financial assets, essential for the defence of the European economic area against external constraints. In short, the aim is to prevent a fragmented proliferation of corporate self-regulation tools, implementing a public regulation framework that is potentially more suitable for ensuring effective standard levels of security across Europe.

Endnotes

[i] On the effectiveness of the compliance program in preventing the risk of criminal offence commission in the Italian system, Antonio Gullo ‘I modelli organizzativi’ in Giorgio Lattanzi and Paola Severino (eds) Responsabilità da reato degli enti (Giappichelli 2021) 267; Stefano Manacorda ‘L’idoneità preventiva dei modelli di organizzazione nella responsabilità da reato degli enti: analisi critica e linee evolutive’ [2017] 1 Riv. Trim. Dir. Pen. econ. 49; Giuseppe Amato ‘Il modello di organizzazione nel sistema di esonero della responsabilità: le ragioni di una scelta prudenziale’ [2015] 2 Resp. Amm. soc. enti. 55; Maria Novella Masullo ‘Colpa penale e precauzione nel segno della complessità’ (ESI 2012) 230,285; Vincenzo Mongillo ‘Il giudizio di idoneità del Modello di Organizzazione ex d.lgs. 231/2001: incertezza dei parametri di riferimento e prospettive di soluzione’ [2011] 3 La resp. Amm. soc. ed enti 69; Giorgio Fidelbo ‘La valutazione del giudice penale sull'idoneità del modello organizzativo’, in D.lgs. 231: dieci anni di esperienze nella legislazione e nella prassi (Ipsoa 2011) 55; Carlo Enrico Paliero ‘Dieci anni di “corporate liability” nel sistema italiano: il paradigma imputativo dell’ente nell’evoluzione della legislazione e della prassi’, in cit., 5; Carlo Piergallini ‘Il modello organizzativo alla verifica della prassi’ in cit., 46.





References

  • Ayers Michael D., McCaughey Martha, Cyberactivism: Online Activism in Theory and Practice (1st edition, Routledge 2003);

  • Amato Giuseppe ‘Il modello di organizzazione nel sistema di esonero della responsabilità: le ragioni di una scelta prudenziale’ [2015] 2 Resp. Amm. soc. enti. 55;

  • Brkan Maja ‘The essence of the Fundamental Rights to Privacy and Data Protection: Finding Way Through the Maze of the CJEU’s Constitutional Reasoning’ [2019] German Law Journal 864;

  • Candito Alessia ‘Nuova ondata di attacchi hacker filorussi. Colpiti istituti finanziari e industria delle armi’ (Repubblica.it, 19 February 2025) <https://www.repubblica.it/cronaca/2025/02/19/news/attacchi_hacker_russi_italia_noname-424013494/> accessed 3 March 2025;

  • De Santis Vincenzo ‘Le linee guida nel “Sistema” delle fonti del diritto’ (ES 2023);

  • Fidelbo Giorgio ‘La valutazione del giudice penale sull'idoneità del modello organizzativo’, in D.l.gs. 231: dieci anni di esperienze nella legislazione e nella prassi (Ipsoa 2011) 55;

  • Flor Roberto ‘Cybersecurity ed il contrasto ai cyber-attaks a livello europeo: dalla CIA-Triad Protection ai più recenti sviluppi’ [2019] 3 Diritto di Internet 443;

  • Gullo Antonio ‘I modelli organizzativi’ in Giorgio Lattanzi and Paola Severino (eds) Responsabilità da reato degli enti (Giappichelli 2021) 267;

  • Longo Erik ‘Il diritto costituzionale e la cybersicurezza’ [2024] 2 Rassegna Parlamentare 313;

  • Manacorda Stefano ‘L’idoneità preventiva dei modelli di organizzazione nella responsabilità da reato degli enti: analisi critica e linee evolutive’ [2017] 1 Riv. Trim. Dir. Pen. econ. 49;

  • Masullo Maria Novella ‘Colpa penale e precauzione nel segno della complessità’ (ESI 2012) 230,285;

  • Michieli Nicoletta ‘Cybersecurity e gestione del rischio ICT: impatto sulla “corporate governance”’ [2024] 2 Banca, Impresa, Società 243;

  • Mongillo Vincenzo ‘Il giudizio di idoneità del Modello di Organizzazione ex d.lgs. 231/2001: incertezza dei parametri di riferimento e prospettive di soluzione’ [2011] 3 La resp. Amm. soc. ed enti 69;

  • Naddeo Giovanna ‘Il difficile bilanciamento tra sicurezza nazionale e tutela dei diritti fondamentali nella “data retention saga” dinanzi alla Corte di Giustizia’ [2022] Freedom, Security and Justice: European Legal Studies 188;

  • Paliero Carlo Enrico ‘Dieci anni di “corporate liability” nel sistema italiano: il paradigma imputativo dell’ente nell’evoluzione della legislazione e della prassi’, in D.l.gs. 231: dieci anni di esperienze nella legislazione e nella prassi (Ipsoa 2011) 5;

  • Piergallini Carlo ‘Il modello organizzativo alla verifica della prassi’, in D.l.gs. 231: dieci anni di esperienze nella legislazione e nella prassi (Ipsoa 2011) 46;

  • Romeo Marianna ‘Allarme su cinque banche italiane attaccate da hacker russi. Anche MpS e IntesaSanPaolo’ (TgLa7, 1st August 2023) <https://tg.la7.it/cronaca/allarme-su-5-banche-italiane-attaccate-da-hacker-russi-anche-mps-e-intesa-sanpaolo-01-08> accessed 1 March 2025;

  • Scaffardi Lucia ‘Data Retention e diritti della persona’ (2017) 2 Costituzionalimo.it <https://www.costituzionalismo.it/download/Costituzionalismo_201702_630.pdf> accessed 4th March 2025;

  • Schneider Giulia ‘La resilienza operative digitale come materia di “corporate governance”: prime riflessioni a partire dal DORA’ [2022] 4 Corporate Governance 553;

  • Simonetta Biagio ‘Unicredit: violate dati di 3 milioni di clienti. «Non erano sensibili»’ IlSole24Ore (Roma, 28 October 2019).


Suggested citation:

Bluebook: Pietro Maria Sabella, The EU’s Cyber Shield: Unpacking the Digital Operational Resilience Act (DORA) – Lessons from Italy, CORPORATE CRIME OBSERVATORY, (March 18, 2025), https://www.corporatecrime.co.uk/post/dora-cybercrime-italy

 

Harvard: Sabella, P. M. (2025) ‘The EU’s Cyber Shield: Unpacking the Digital Operational Resilience Act (DORA) – Lessons from Italy’. Corporate Crime Observatory. Available at: https://www.corporatecrime.co.uk/post/dora-cybercrime-italy

 

OSCOLA: Pietro Maria Sabella, ‘The EU’s Cyber Shield: Unpacking the Digital Operational Resilience Act (DORA) – Lessons from Italy,’ (Corporate Crime Observatory, 18 March 2025), https://www.corporatecrime.co.uk/post/dora-cybercrime-italy


Disclaimer

The views, opinions, and positions expressed within all posts are those of the author(s) alone and do not represent those of the Corporate Crime Observatory or its editors. The Corporate Crime Observatory makes no representations as to the accuracy, completeness, and validity of any statements made on this site and will not be liable for any errors, omissions, or representations. The copyright of this content belongs to the author(s) and any liability concerning the infringement of intellectual property rights remains with the author(s).


