Italy's Ransom-Payment Ban Targets the Right Problem With the Wrong Default

DDL 1441 would bar Perimeter entities from paying ransoms after Check Point ranked Italy April 2026's 4th most-targeted nation. The deterrence logic is sound; the rigidity is not.

[Infographic, People of Internet Research (peopleofinternet.com): "Italy's Ransomware Squeeze and the Law That Answers …" — 707 global ransomware attacks reported worldwide in April 2026; Italy's share 4.0%, the 4th most-targeted nation; 6-hour CSIRT notification window for ransomware; €125k maximum administrative fine under Law 90/2024.]

Key Takeaways

Check Point's April 2026 Global Threat Index put Italy fourth on the list of the world's most ransomware-targeted nations, absorbing 4.0% of reported attacks behind the United States (41.6%), Germany (5.0%) and Canada (4.8%). It was a busy month for extortion crews: 707 attacks were logged globally, a 5% rise month-on-month and 12% year-on-year, concentrated in business services (33.8% of victims), consumer goods and industrial manufacturing. Italy's persistence near the top is not a one-month artefact — Check Point's Q1 2026 ransomware report, which counted 2,122 victims on data-leak sites (the second-highest first quarter on record), again placed Italy among the ten most-hit countries.

That backdrop has given fresh urgency to a bill already moving through Parliament. DDL S. 1441, presented to the Senate on 3 April 2025 and assigned to the Constitutional Affairs Commission on 23 April (with a companion text filed in the Chamber by Deputy Matteo Mauri on 20 March), would prohibit entities inside Italy's National Cyber Security Perimeter — energy, transport, banking, telecoms and critical public administrations — from paying ransoms after a ransomware attack. It pairs the ban with a six-hour duty to notify CSIRT Italia, a national anti-ransomware task force, and a National Fund for Response to Ransomware Attacks offering partial compensation to victims who follow official security guidance.

The case for a ban is genuinely strong

It is worth stating the regulators' argument at full strength, because it is not frivolous. Ransomware is a business, and its revenue line is the ransom. Every payment funds the next campaign, sharpens affiliate recruitment, and signals that a given sector pays. A credible, sector-wide ban on payments by the most systemically important organisations attacks the criminal model at its economics rather than chasing individual infections. It also removes a corrosive collective-action problem: today each firm rationally pays to restore operations, while the aggregate effect of all those payments is a larger, better-capitalised criminal ecosystem that comes back for everyone. Concentrating the ban on Perimeter entities — the organisations whose downtime is a national-security matter, not merely a balance-sheet one — is a defensible way to target the firms most able to absorb the cost of resilience.

The accompanying carrots matter too. A compensation fund and a state task force acknowledge that you cannot ban payment without giving victims a credible path to recovery. That is more honest than jurisdictions that moralise about payments while leaving breached hospitals to fend for themselves.

Where the design tips from deterrence into rigidity

The problem is not the goal but the default. As drafted, DDL 1441 is essentially a single delegating article that hands the government nine guidelines and six months to write implementing decrees — so the operational detail that will decide whether this works does not yet exist. Two design choices deserve scrutiny before those decrees are written.

First, the exception is too narrow and too slow. The only escape valve is authorisation by the Prime Minister in cases of serious national-security risk. That is the right instrument for a gas grid, but ransomware decisions are made in hours, not in the time it takes to reach a head of government. A water utility facing irreversible data destruction, or a hospital where downtime is measured in lives rather than euros, needs a fast, accountable derogation pathway — ideally adjudicated by CSIRT Italia or ACN against published criteria — not a single political bottleneck. A ban with no realistic emergency valve does not eliminate payments; it pushes them into opacity, routed through intermediaries and foreign subsidiaries, which is precisely the behaviour the law should be surfacing.

Second, the bill's implicit threat to ransom negotiators risks destroying capacity Italy actually needs. Coverage in Il Sole 24 Ore notes that brokers who negotiate with attackers could face exposure for complicity in extortion, with the head of the Postal Police observing that their role "can be assessed in terms of liability." Legitimate incident-response negotiators do more than haggle over price — they buy time, gather attribution intelligence, and verify whether decryption is even possible. Criminalising the function rather than the payment throws out forensic value alongside the abuse.

Build on Law 90/2024, don't bolt on to it

Italy is not starting from zero. Law 90/2024, in force since 17 July 2024, already imposes a 24-hour early-warning and 72-hour full-report regime on public operators, with a tighter six-hour duty for ransomware specifically and administrative fines from €25,000 to €125,000 for repeat non-reporting. The new six-hour notification duty in DDL 1441 largely duplicates this; legislators should harmonise the two rather than stack overlapping clocks that compliance teams must reconcile under attack conditions. The same applies at EU level, where the NIS2 Directive already sets incident-reporting baselines for essential entities — divergent national timelines raise cost without raising security.

The most effective parts of the bill are the ones that build capacity: the response fund, the task force, and the SME-support measures in the national action plan. Italy's exposure is driven less by under-regulation than by a long tail of municipalities and mid-sized firms that lack basic backup and segmentation. Money spent making those organisations un-extortable in the first place will do more to move Italy off Check Point's leaderboard than a payment ban whose main effect, absent a workable exception, may be to drive the same payments underground.

The instinct behind DDL 1441 is correct: you cannot defund a criminal industry while quietly financing it. But a ban is a blunt instrument, and bluntness in a six-hour crisis is its own kind of risk. Pass the fund and the task force now; write the exception and the negotiator carve-out carefully; and measure success by resilience built, not payments formally prohibited.

Sources & Citations

  1. Check Point — April 2026 Global Threat Index
  2. Check Point Research — State of Ransomware Q1 2026
  3. DLA Piper Privacy Matters — Italy ransomware proposal
  4. Cyber Guru — A new bill to attack ransomware
  5. Il Sole 24 Ore — Ban on ransom payments, risk for negotiators
  6. Cleary Cybersecurity Watch — Italy's Law 90/2024 enters into force