Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
The Thin Red Line of Criminal Liability in Cybersecurity

23 January 2026 06:49

This article is the first in a series of three exploring the delicate relationship between cybersecurity professionals and the current regulatory framework. This first installment analyzes the criminal liability that the various cybersecurity roles may incur in light of recent legislative reforms in Italy.

The rapid and unstoppable evolution of information technology has profoundly transformed the paradigms for protecting legally protected interests. In a context where digital sovereignty and the systemic robustness of critical infrastructures have become national security priorities, the cybersecurity professional emerges as a key player, invested with responsibilities that go beyond the purely technical sphere and extend into the legal and criminal one. The Italian regulatory framework, recently strengthened by Law 90/2024 and by the implementation of the NIS 2 Directive through Legislative Decree 138/2024, outlines a complex system of sanctions in which IT operators are not only the defenders of the system but can also become legally liable for their actions or omissions.

The guarantor in the crosshairs: between the duty of protection and the risk of omission

The Italian National Cybersecurity Agency (ACN) has adopted the European Cybersecurity Skills Framework (ECSF) defined by ENISA to classify the professional roles in the sector. In legal proceedings this classification serves as a benchmark for identifying who holds a guarantor position (a legal duty to prevent harm) and what standard of due diligence that role requires.

The Chief Information Security Officer (CISO) represents the top management level and holds a guarantor position pursuant to Article 40, paragraph 2, of the Italian Criminal Code. That provision treats the failure to prevent an event one has a legal obligation to prevent as equivalent to causing it. A CISO who, despite being aware of an imminent risk, fails to report critical vulnerabilities or to request the necessary investments may therefore be held liable for the damage caused by a subsequent attack.

Similarly, the Cybersecurity Risk Manager is liable for negligently underestimating threats, which can ground a charge of professional negligence in the event of an incident. The same exposure extends to operational roles such as the Cyber Incident Responder and the Digital Forensics Investigator. The former must contain the attack without damaging data or breaching confidentiality; the latter must preserve the integrity of digital evidence, since a broken chain of custody can expose the investigator to charges of forgery or evidence tampering.

The Insider’s Labyrinth and the Betrayal of Legitimate Credentials

Article 615-ter of the Italian Criminal Code is the cornerstone of the criminal protection of information systems: it punishes anyone who enters or remains in a protected system against the express or implied will of its owner. For security professionals the issue is usually not the absence of credentials but the exceeding of internal authorization limits. The Court of Cassation, in ruling no. 41210 of 2017, established that access is unauthorized whenever the authorized party violates the owner's explicit instructions or acts for purposes that are ontologically unrelated to those for which the authorization was granted.

This principle has direct implications for system administrators. A technician who reads a colleague's browsing logs out of personal curiosity, or an administrator who exports company databases to benefit a competitor, commits the offence even though their credentials technically permit the access. Abuse of the status of system operator is also an aggravating circumstance: it increases the penalty and makes the offence prosecutable ex officio rather than only on complaint by the victim. Possession of dual-use or offensive tools also falls under Article 615-quater of the Criminal Code, and their lawfulness rests exclusively on a defensive purpose and on contractual authorization.

Ethical hacking on the razor's edge between consent and crime

Professional penetration testing is a simulated attack whose legality depends entirely on a legal framework built on consent and contract. Pursuant to Article 50 of the Italian Criminal Code, anyone who infringes a right with the consent of the person entitled to dispose of it is not punishable. That consent, however, must be prior, informed, and specific as to scope and techniques. A tester who unilaterally extends the test to network segments not covered by the contract commits the offence of unauthorized access, exactly as an outsider would.
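The practical consequence of the consent rule is that scope must be enforced before the first packet leaves the tester's machine, and every decision must be traceable afterwards (the accountability point made later in this article). The following is an added example, not code from the article or its author: a pre-engagement scope gate that checks each candidate target against a hypothetical, constructed Rules of Engagement (authorized and excluded networks, listed hostnames, test window) and writes one audit record per decision. The engagement identifier, addresses, hostnames and dates are all invented for illustration.

```python
"""Scope gate for a penetration test: refuse out-of-scope targets and log every decision.

Added example; the RoE below is constructed and hypothetical. In practice it is
transcribed from the signed contract, not edited by the tester.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed Rules of Engagement (hypothetical engagement "PT-2026-001").
ROE = {
    "engagement_id": "PT-2026-001",
    "authorized_networks": ["10.20.0.0/16", "192.0.2.0/24"],
    "authorized_hosts": ["portal.example.test"],
    # A segment the client carved out of the authorized range (e.g. production DB).
    "excluded_networks": ["10.20.99.0/24"],
    "window_utc": ("2026-02-02T08:00:00+00:00", "2026-02-06T18:00:00+00:00"),
}

# Fixed timestamps so the example is reproducible; a real run uses datetime.now(timezone.utc).
EXAMPLE_NOW = datetime(2026, 2, 3, 10, 0, tzinfo=timezone.utc)      # inside the window
OUT_OF_WINDOW = datetime(2026, 2, 10, 10, 0, tzinfo=timezone.utc)   # after the window closed


def in_scope(target, roe=ROE, now=None):
    """Return (allowed, reason) for one target given as an IP address or hostname."""
    now = now or datetime.now(timezone.utc)
    start, end = (datetime.fromisoformat(t) for t in roe["window_utc"])
    if not (start <= now <= end):
        return False, "outside the authorized test window"
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # Hostnames are matched literally. No DNS resolution here: a name that
        # resolves into an unauthorized segment would still be out of scope.
        if target.lower() in (h.lower() for h in roe["authorized_hosts"]):
            return True, "hostname listed in the RoE"
        return False, "hostname not listed in the RoE"
    # Exclusions win over authorizations, so a carve-out inside a /16 is honoured.
    for net in (ipaddress.ip_network(c) for c in roe["excluded_networks"]):
        if ip in net:
            return False, f"explicitly excluded by the RoE ({net})"
    for net in (ipaddress.ip_network(c) for c in roe["authorized_networks"]):
        if ip in net:
            return True, f"within authorized network {net}"
    return False, "address not within any authorized network"


def gate(targets, roe=ROE, now=None, audit=None):
    """Return only the in-scope targets; append one audit record per decision to `audit`."""
    now = now or datetime.now(timezone.utc)
    allowed = []
    for target in targets:
        ok, reason = in_scope(target, roe, now)
        if audit is not None:
            audit.append({
                "ts": now.isoformat(),
                "engagement": roe["engagement_id"],
                "target": target,
                "allowed": ok,
                "reason": reason,
            })
        if ok:
            allowed.append(target)
    return allowed


if __name__ == "__main__":
    candidates = ["10.20.5.7", "10.20.99.12", "203.0.113.9",
                  "portal.example.test", "intranet.example.test"]
    audit_log = []
    print("in scope:", gate(candidates, now=EXAMPLE_NOW, audit=audit_log))
    for record in audit_log:
        print(record)
```

The audit list is what a tester would persist (append-only, alongside the signed RoE) so that, if an access is later questioned, each action can be matched to a timestamp, an engagement identifier and the specific clause that authorized it. The hostname branch deliberately does not resolve names: a resolved address outside the authorized ranges would be exactly the unauthorized segment the contract never covered.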

A similar risk arises in SOC monitoring, which may conflict with the confidentiality of communications protected by Article 617-quater of the Criminal Code. Case law distinguishes between traffic data and content data: processing the former is generally permitted for security purposes, whereas intercepting content requires compliance with the guarantees of the Code of Criminal Procedure or, for employees, of the Workers' Statute.

During incident response, incidental access to sensitive data may rule out criminal intent, but retaining or disclosing that data is a separate offence. Active defence and hack-back are likewise controversial practices: in Italy the State holds a monopoly on the use of force, and self-defence as a justification is difficult for private parties to invoke in the cyber domain.

The new era of zero tolerance after the 2024 reform

Law 90/2024 introduced structural changes to the Criminal Code to combat organized cybercrime. Penalties for unauthorized access have been raised to up to ten years' imprisonment, and to twelve for systems of public interest. A specific aggravating circumstance has been introduced for cyber extortion linked to ransomware, which means CISOs must coordinate any ransom negotiation with the judicial authorities to avoid charges of aiding and abetting. The reform also strengthened the corporate liability regime established by Legislative Decree 231/2001.

If an analyst steals data from a competitor for the company's benefit, the organization faces fines that can exceed one million euros. Even handling vulnerabilities through bug bounties or coordinated disclosure now requires rigorous protocols to avoid accusations of computer damage. Finally, the advent of artificial intelligence has prompted the legislator to intervene pre-emptively by adding to the Criminal Code provisions on the misuse of algorithms, such as Article 612-quater against the unlawful dissemination of deepfakes. In this scenario technical expertise must always go hand in hand with legal compliance: documenting every decision under the principle of accountability and clearly defining the Rules of Engagement are the only tools that mitigate the risk of turning from defenders into defendants.

Writing the future of security within the confines of the law

Cybersecurity can no longer be regarded as a purely technical discipline, immune from legal consequences. The complexity of the current regulatory framework requires modern professionals to have a solid understanding of their duties and of the limits imposed by criminal law.

Excellence in executing technical interventions must always be accompanied by rigorous traceability of the actions performed: in legal proceedings, the ability to document that operations followed industry best practice will be the only real shield against accusations of negligence or professional misconduct. Only by combining secure operational protocols with transparent contractual management can the systems defender protect themselves, and prevent the fulfilment of a duty or the handling of an emergency from turning into a legal paradox.


Paolo Galdieri
A criminal lawyer admitted to practise before the Court of Cassation and a professor of Criminal IT Law, he has held key roles in academia, including coordinating a Level II Master's programme at La Sapienza University in Rome and teaching at various Italian universities. He is the author of over one hundred publications on criminal IT law and has taken part in major international conferences as a representative on the topic of cybercrime. He also collaborates with institutions and television programmes, contributing his expertise on cybercrime.
Areas of expertise: Computer Criminal Law, Cybercrime Law, Digital Forensics Law, Cybercrime Analysis, Legal Teaching, Scientific Publishing