The Bill That Draws a Line
On March 20, 2025, Democratic Party deputy Matteo Mauri introduced PDL 2318 in Italy's Chamber of Deputies — a delegation law that, if enacted, would instruct the government to produce comprehensive anti-ransomware decrees within six months. The core provision is blunt: entities within Italy's National Cybersecurity Perimeter would be prohibited from paying ransoms. Only the Prime Minister could authorise an exception, and only under circumstances amounting to a severe national security threat.
Italy would become one of the first EU member states to codify a statutory ransom payment ban. That ambition deserves serious analysis, because the proposal gets the incentive logic right — while carrying implementation risks that could flip its most important provisions from deterrent to trap.
Why Italy Needed to Act
The ACN (Agenzia per la Cybersicurezza Nazionale) is unambiguous about Italy's threat exposure: the country is the third most ransomware-targeted nation in the EU, after Germany and France, and sixth globally. In 2024, the agency recorded 198 ransomware incidents — a 20 percent year-on-year increase — and noted that figure almost certainly understates the true toll because many attacks go unreported. The ransomware.live threat intelligence database documents over 617 Italian victims in its tracking period, with manufacturing the hardest-hit sector at 80-plus documented incidents. SMEs account for approximately 75 percent of private-sector victims — companies with limited security teams, ageing infrastructure, and no 24/7 security operations centre.
The policy response was overdue. Italy's existing framework — Law 90/2024 (enacted June 2024 to strengthen national cybersecurity and expand cybercrime offences) and Legislative Decree 138/2024 (the NIS2 transposition, in force from October 2024) — imposes incident notification and risk management obligations but does not prohibit ransom payments. The criminal code's Article 629 can reach extortionists, but it has not historically been applied to suppress the payment side of the market.
What PDL 2318 Actually Proposes
The bill's delegation framework spans five interconnected pillars:
- Ransom payment prohibition for entities in the National Cybersecurity Perimeter — critical infrastructure operators, public administration bodies, and entities covered under Law 90/2024 — with a narrow Prime Ministerial override.
- Six-hour notification to CSIRT Italy upon discovering a ransomware attack, with administrative penalties for non-compliance.
- National Fund for Response to Ransomware Attacks — partial financial restitution for victims who notified properly and followed ACN operational guidelines.
- Anti-ransomware task force within CSIRT Italy, providing operational response, containment assistance, and alternatives to payment.
- Criminal exposure for cyber-negotiators who facilitate ransom payments, potentially prosecutable under the existing extortion framework.
The Case for the Regulation
Proponents have a structurally sound argument. Ransomware is an economic enterprise: criminal groups operate ransomware-as-a-service platforms with affiliate networks, customer support desks, and service-level commitments. Every ransom paid recapitalises the next attack, funds infrastructure, and signals that Italy is a high-yield target. Postal Police Director Ivano Gabrielli has stated explicitly that companies hiring specialist brokers to pay ransoms are creating commercial intermediaries that sustain the criminal ecosystem. Cutting payment flows reduces the return on investment for attackers.
There is also a public administration dimension. Italian local government agencies have suffered repeated ransomware incidents with minimal cybersecurity maturity and a documented tendency to pay quietly and not disclose. A legal prohibition removes that escape valve and compels investment in resilience. From a sovereignty standpoint, intelligence officials have also flagged that ransomware operations increasingly serve dual purposes — criminal profit and state-sponsored espionage or infrastructure sabotage — giving the framing as a national security issue additional credibility.
The Implementation Risks
Three specific features of PDL 2318 could undermine its goals.
The six-hour notification window is narrower than the existing NIS2 standard, and that standard is set where it is for good reason. Legislative Decree 138/2024 already requires an initial incident alert to CSIRT Italy within 24 hours, a 72-hour detailed report, and a final report within one month — and that framework is considered ambitious by European peers. The proposed six-hour threshold may be achievable for large critical infrastructure operators with mature security teams, but the average Italian SME facing a ransomware event at midnight does not have staff on hand to triage, contain, and formally notify within six hours. If the risk of missing that window creates administrative liability on top of an active crisis, rational actors may delay disclosure to manage the penalty risk — the precise opposite of the policy's intent.
The national fund is conditioned on prior compliance, not on need. Organisations most likely to require financial support after a ransomware event are also those most likely to be under-resourced and therefore most likely to miss notification deadlines. Conditioning access to the recovery fund on compliance history effectively excludes the most vulnerable segment from the safety net designed for them.
Negotiator liability creates a chilling effect on legitimate incident response. There is an important distinction between a broker who passively arranges a payment and an incident response specialist who buys time through communication with attackers, collects intelligence, and works to limit damage. Extending criminal exposure broadly to cyber-negotiators risks deterring the legitimate security industry from providing services that reduce harm — and may push corporate incident response underground rather than into the open channels the legislation is trying to mandate.
Refinements Before Enactment
The ACN's national action plan and task force provisions reflect genuine operational thinking. The government has identified the right instruments. Three calibrations would strengthen the package:
- Tiered notification timelines: six hours for critical infrastructure already subject to NIS2's strictest obligations; 24–48 hours for SMEs and local public administration.
- Decoupled fund access: emergency financial support should be assessed on impact and victim status, with notification failures addressed via a separate administrative process — not by barring the worst-hit organisations from recovery assistance.
- Explicit carve-out for incident response specialists: draw a statutory line between ransom facilitation and active incident management. The former should be penalised; the latter should be protected.
The Stakes
Italy's ransomware exposure is structural, not incidental. Manufacturing — the backbone of Italy's export economy, dominated by family-owned SMEs — accounts for the largest share of documented victims. A two-week production halt from encryption can trigger layoffs, supply chain disruptions, and in some cases permanent closure. The bill's drafters understand this; the fund and task force provisions exist precisely because the prohibition without support would be unjust. But if the six-hour clock and negotiator criminalisation land as written, the policy could produce the worst outcome: victims who neither pay nor disclose, suffering in silence while the extortion market continues uninterrupted.