Italy ransomware and cyber extortion policy

Italy's Ransom Payment Ban Is the Right Policy Bet — But the Six-Hour Clock Could Undermine It

PDL 2318 correctly targets ransomware's revenue model but risks pushing SME victims to go silent under an impossible notification deadline.

[Infographic: Italy's Ransomware Exposure (People of Internet Research, peopleofinternet.com). Panels: EU ranking, 3rd (third most ransomware-targeted EU country); 2024 ACN incidents, 198 ransomware incidents reported; manufacturing victims, 80+ documented; average breach cost, €3.55M per data breach.]

Key Takeaways

The Bill That Draws a Line

On March 20, 2025, Democratic Party deputy Matteo Mauri introduced PDL 2318 in Italy's Chamber of Deputies — a delegation law that, if enacted, would instruct the government to produce comprehensive anti-ransomware decrees within six months. The core provision is blunt: entities within Italy's National Cybersecurity Perimeter would be prohibited from paying ransoms. Only the Prime Minister could authorise an exception, and only under circumstances amounting to a severe national security threat.

Italy would become one of the first EU member states to codify a statutory ransom payment ban. That ambition deserves serious analysis, because the proposal gets the incentive logic right — while carrying implementation risks that could flip its most important provisions from deterrent to trap.

Why Italy Needed to Act

The ACN (Agenzia per la Cybersicurezza Nazionale) is unambiguous about Italy's threat exposure: the country is the third most ransomware-targeted nation in the EU, after Germany and France, and sixth globally. In 2024, the agency recorded 198 ransomware incidents — a 20 percent year-on-year increase — and noted that figure almost certainly understates the true toll because many attacks go unreported. The ransomware.live threat intelligence database documents over 617 Italian victims in its tracking period, with manufacturing the hardest-hit sector at 80-plus documented incidents. SMEs account for approximately 75 percent of private-sector victims — companies with limited security teams, ageing infrastructure, and no 24/7 security operations centre.

The policy response was overdue. Italy's existing framework — Law 90/2024 (enacted June 2024 to strengthen national cybersecurity and expand cybercrime offences) and Legislative Decree 138/2024 (the NIS2 transposition, in force from October 2024) — imposes incident notification and risk management obligations but does not prohibit ransom payments. The criminal code's Article 629 can reach extortionists, but it has not historically been applied to suppress the payment side of the market.

What PDL 2318 Actually Proposes

The bill's delegation framework spans five interconnected pillars:

The Case for the Regulation

Proponents have a structurally sound argument. Ransomware is an economic enterprise: criminal groups operate ransomware-as-a-service platforms with affiliate networks, customer support desks, and service-level commitments. Every ransom paid recapitalises the next attack, funds infrastructure, and signals that Italy is a high-yield target. Postal Police Director Ivano Gabrielli has stated explicitly that companies hiring specialist brokers to pay ransoms are creating commercial intermediaries that sustain the criminal ecosystem. Cutting payment flows reduces the return on investment for attackers.

There is also a public administration dimension. Italian local government agencies have suffered repeated ransomware incidents with minimal cybersecurity maturity and a documented tendency to pay quietly and not disclose. A legal prohibition removes that escape valve and compels investment in resilience. From a sovereignty standpoint, intelligence officials have also flagged that ransomware operations increasingly serve dual purposes — criminal profit and state-sponsored espionage or infrastructure sabotage — giving the framing as a national security issue additional credibility.

The Implementation Risks

Three specific features of PDL 2318 could undermine its goals.

The six-hour notification window is far narrower than the existing NIS2 standard, and that standard sits where it does for good reason. Legislative Decree 138/2024 already requires an initial incident alert to CSIRT Italy within 24 hours, a 72-hour detailed report, and a final report within one month — and that framework is considered ambitious by European peers. The proposed six-hour threshold may be achievable for large critical infrastructure operators with mature security teams, but the average Italian SME facing a ransomware event at midnight does not have staff on hand to triage, contain, and formally notify within six hours. If the risk of missing that window creates administrative liability on top of an active crisis, rational actors may delay disclosure to manage the penalty risk — the precise opposite of the policy's intent.

The national fund is conditioned on prior compliance, not on need. Organisations most likely to require financial support after a ransomware event are also those most likely to be under-resourced and therefore most likely to miss notification deadlines. Conditioning access to the recovery fund on compliance history effectively excludes the most vulnerable segment from the safety net designed for them.

Negotiator liability creates a chilling effect on legitimate incident response. There is an important distinction between a broker who passively arranges a payment and an incident response specialist who buys time through communication with attackers, collects intelligence, and works to limit damage. Extending criminal exposure broadly to cyber-negotiators risks deterring the legitimate security industry from providing services that reduce harm — and may push corporate incident response underground rather than into the open channels the legislation is trying to mandate.

Refinements Before Enactment

The ACN's national action plan and task force provisions reflect genuine operational thinking. The government has identified the right instruments. Three calibrations would strengthen the package:

The Stakes

Italy's ransomware exposure is structural, not incidental. Manufacturing — the backbone of Italy's export economy, dominated by family-owned SMEs — accounts for the largest share of documented victims. A two-week production halt from encryption can trigger layoffs, supply chain disruptions, and in some cases permanent closure. The bill's drafters understand this; the fund and task force provisions exist precisely because the prohibition without support would be unjust. But if the six-hour clock and negotiator criminalisation land as written, the policy could produce the worst outcome: victims who neither pay nor disclose, suffering in silence while the extortion market continues uninterrupted.

Sources & Citations

  1. Italian Parliament — PDL 2318 Bill Page
  2. EU Digital Strategy — NIS2 Italy Transposition
  3. Il Sole 24 Ore — Cyber Extortion Crackdown on Negotiators
  4. DLA Piper Privacy Matters — Italy Ransomware Bill Analysis
  5. OpenIMT — Italy Ransomware Epidemic Statistics
  6. Ransomware.live — Italy Victim Tracker
  7. ICLG — Italy Cybersecurity Laws and Regulations Guide
  8. Aegister — ACN April 2025 Cyber Threat Summary