Every year, the CLUSIT report arrives with fresh data confirming what most practitioners already know. In 2025, Italy accounted for 9.6% of the significant cyberattacks recorded worldwide in the CLUSIT dataset, even though the country has roughly 0.75% of the world's population. In other words, it absorbed nearly one in ten significant incidents worldwide. The 2026 report, published in March, documents 5,265 cyber incidents in 2025, a 48.7% increase over 2024. The monthly average of attacks has gone from 171 in 2021 to 439 in 2025, roughly 2.6 times the 2021 figure in five years. And yet the dominant narrative in the Italian security community still circles back to the same question: why don't companies take security seriously?


The question is not wrong, but it is aimed at the wrong target. The people who take security seriously, including CISOs, incident responders, and blue team analysts working weekend shifts, are not the problem. The problem is the system in which they operate.

Three numbers that define the gap

If the structural problem has to be reduced to a few metrics, these are the ones worth remembering.

  1. 9.6% of global attacks hit Italy in 2025, from a country that represents under 1% of world population, making it the most disproportionately targeted nation in the CLUSIT dataset.
  2. 55 out of 100 is the average SME cyber maturity score, while risk identification stops at 47 out of 100, showing that many firms still struggle to map their own exposure.
  3. 38% of Italian incidents hit government and military entities, a concentration that says as much about institutional fragility as it does about attacker intent.

The industrial fabric problem

Italy’s economy is famously built on small and medium enterprises. This is not a recent development; it is a structural feature that has persisted through decades of industrial policy. The SME backbone generates employment, exports, and cultural identity. It also generates an attack surface that is, almost by definition, unmanageable at scale.

The Cyber Index PMI 2025, promoted by Confindustria and Generali with support from the Milan Polytechnic and the National Cybersecurity Agency, puts the average cybersecurity maturity score of Italian SMEs at 55 out of 100: three points up from 2024, yet still below the 60-point sufficiency threshold. The report, based on a sample of over 1,500 companies, documents sharp polarisation: a core of relatively prepared firms and a large mass without the tools to manage digital risk effectively. More telling still, the capacity to identify cyber risks stops at 47 out of 100, meaning that most Italian SMEs cannot even map their own exposure, let alone address it.

The deeper issue is structural. An SME with fifteen employees and a part-time IT generalist is not going to hire a dedicated security team. It is not going to run tabletop exercises or deploy an EDR platform with 24/7 monitoring. It is going to run whatever software it has been running for years, patched when someone remembers to do it, protected by whatever firewall came bundled with the router. This is not negligence but resource allocation under constraint. The Italian manufacturing sector, which represented 13% of Italian incidents in 2025 according to the Clusit 2026 analysis published by Axitea, is particularly exposed because of the convergence between IT and OT environments, where legacy industrial systems connect to modern networks without the architectural separation that sound design would require.

The CLUSIT data confirms what anyone who has walked a factory floor already suspects: the attack surface in Italian manufacturing is vast, poorly mapped, and defended by people who were hired to keep the machines running, not to think about lateral movement and persistence mechanisms.

The public sector paradox

The most striking number in the 2025 data is not the total attack count. It is the sector distribution. Government and military entities account for 38% of all Italian incidents, with a reported 600% growth in incidents compared to the previous year. This is less a cybersecurity failure in isolation than a symptom of decades of underinvestment in digital infrastructure, compounded by procurement cycles designed for a different era and governance structures that were never built for operational security.

The CNAIPIC (Centro Nazionale Anticrimine Informatico per la Protezione delle Infrastrutture Critiche) registered 9,250 cyberattacks against critical infrastructure in 2025, issuing more than 49,000 security alerts throughout the year, as documented in the Italy 2025 cybercrime report. These numbers suggest a defensive apparatus working at capacity. What they cannot capture is what happens downstream, in the thousands of municipal offices, regional health authorities, and national agencies that receive those alerts and have neither the budget nor the technical staff to act on them.

According to a Tallinn University case study on Italy’s public administration cyber resilience, only a fraction of Italian public administrations currently comply with the strict perimeter controls mandated by the National Cybersecurity Agency for essential service providers. Better awareness campaigns will not fix this. The roots are institutional, embedded in procurement law, administrative culture, and the chronic underfunding of technical roles in public employment. A public sector security officer earns, on average, significantly less than their private sector counterpart, with career progression structures designed in an era when “information systems” meant a server room and an Excel spreadsheet.

The Italy cyber perimeter and institutional breaches analysis published earlier this year documents the gap between declared compliance and operational reality in several critical sectors. The pattern is consistent: frameworks exist, agencies publish determinations, organizations register in portals, and then the actual security posture does not materially change because the resources to change it have not been allocated.

The compliance theatre trap

NIS2 was supposed to change things. Italy's national implementation, driven by the Agenzia per la Cybersicurezza Nazionale (ACN), has produced a cascade of determinations, registration portals, and compliance calendars. The ACN Determinations n. 127434/2026 and n. 127437/2026 of April 13, 2026 introduced binding deadlines, mandatory supplier mapping, and a structured timeline: organizations newly registered in the NIS2 perimeter in 2026 must designate a CSIRT referent by the end of 2026, begin mandatory incident notification from January 1, 2027, and adopt baseline security measures by July 2027. By October 31, 2026, the compliance machinery is supposed to be operational for the more than twenty thousand Italian organizations brought into the NIS2 scope, as outlined in the NIS2 deadline tracker published by fasolaw.it.

The risk, which practitioners can see clearly from where they sit, is that this becomes compliance theatre. Organizations check the boxes, complete the portal registrations, designate a CSIRT referent, and file the required documentation, without building the operational capability that the regulation was designed to mandate. This is pattern recognition, not cynicism. The same dynamic played out with GDPR: an initial scramble for compliance, a wave of consulting engagements, and then a slow regression toward business as usual once the initial audits were complete.

The audit-proofing NIS2 training plan analysis explored how organizations can build training programs that survive scrutiny. The harder question is whether organizations going through this process understand the difference between a training program that satisfies Article 21 and one that actually changes behavior under stress. Most of the time, they do not, and the reason is not that CISOs are incompetent. It is that the CISO was brought in after the compliance deadline was announced, given a budget insufficient for the scope of the work, and asked to produce documentation that the board can point to if an auditor asks.

The Cloudflare, AWS, and DORA analysis explored a related tension: major cloud providers positioning themselves as compliance infrastructure while regulators struggle to maintain meaningful oversight of concentrated technical dependencies. For Italian banks, insurers, and investment firms, this tension is compounded by the Digital Operational Resilience Act, which has applied directly since January 2025. DORA introduces obligations that overlap with but are distinct from NIS2: mandatory ICT risk management frameworks, granular incident classification, binding third-party provider oversight, and annual resilience testing. Italian financial institutions are now operating under dual compliance obligations, and the intersection between DORA’s prescriptive requirements on critical ICT providers and the broader market’s accelerating cloud adoption creates practical complexity that many institutions are still working through. For smaller banks and regional credit institutions, the resource demands are similar to those facing NIS2-scope SMEs: the obligations are real, the deadlines are fixed, and the internal capacity to meet them without shortcuts is frequently not there.

The investment gap and the skills shortage

Italy spends less on cybersecurity, per capita and as a percentage of GDP, than France, Germany, or the Netherlands. With a cybersecurity market of approximately USD 4.12 billion for a population of 60 million, Italy's per-capita spend sits at roughly USD 69 per person. French and German markets, proportionally larger and reflecting sustained public investment over the past decade, are estimated at two to three times that figure per capita. The Italian market is also heavily skewed toward large enterprise, with 68.65% of spend concentrated there, meaning the density of investment in the SME segment is even lower than the headline number suggests.

The skills gap compounds the investment problem. Cybersecurity roles in Italy, as across Europe, are chronically understaffed, but the Italian market has additional friction: the gap between private sector and public sector compensation is wider than in most northern European countries. Talent concentrates in a small number of large organizations and consultancies, while the vast majority of the economy operates with no meaningful security expertise in-house.

The Chambers Global Practice Guide on Cybersecurity 2026 for Italy documents the regulatory trajectory accurately but notes that implementation pace remains the central challenge. The Polizia Postale’s 2025 data tells the same story from a different angle: 51,560 cases handled and 293 arrests, a ratio that reflects not investigative failure but the structural mismatch between the speed and borderlessness of digital crime and the territorial constraints of law enforcement.

The Clusit 2026 data on attack techniques is instructive on where the exposure really sits. DDoS accounts for 54% of Italian incidents, versus 9% globally. The disproportion is striking, but it has a structural explanation. DDoS attacks are cheap, effective against underprotected infrastructure, and often tied to geopolitical signaling rather than financial crime. Italy’s specific vulnerability to volumetric attacks reflects a combination of factors: many government and institutional networks lack enterprise-grade upstream scrubbing capacity, ISP-level mitigation is uneven outside major providers, and a significant portion of public sector infrastructure runs on budget allocations that were not designed to accommodate always-on DDoS protection. A country where government and military entities have inadequate protection against volumetric attacks becomes a soft target for politically motivated actors looking for visible impact with minimal operational investment. The TIM Cyber Security Report 2025 reinforces this picture, documenting persistent exposure across critical national infrastructure sectors that cuts across multiple ministries and regulatory perimeters.

What would actually help

The honest answer is not a new framework. Italy has frameworks. More awareness campaigns will not move the needle either. Italian organizations are, at this point, quite aware that they are being attacked. What would help is a sustained, multi-year commitment to measures that are politically unglamorous and operationally difficult.

Permanent technical roles in public administration. The ACN has made genuine progress in building national-level capability, as reflected in its 2022–2026 National Cybersecurity Strategy. National-level capability does not automatically translate into security at the municipal hospital or the regional transportation authority, though. Closing that gap requires not just consulting contracts and compliance tooling, but permanent technical roles with market-aware compensation bands, faster hiring cycles, and promotion criteria tied to technical capability rather than administrative seniority alone.

Shared security services for SMEs. Most small firms will never sustain an internal SOC, dedicated detection engineering, or mature vulnerability management on their own. Sector-based shared services, tax incentives, and regional procurement frameworks would be more realistic than expecting each company to build full-stack capability independently. The Cyber Index PMI data consistently shows a large mass of firms below the sufficiency threshold; reaching them requires a model that does not assume resources they do not have.

Supply chain visibility in manufacturing and critical sectors. The manufacturing sector’s vulnerability is partly a legacy technology problem, but also a supply chain visibility problem. Most Italian manufacturers do not know what software is running in their OT environments, who supplied it, and what vulnerabilities it contains. The SBOM analysis published in April laid out why software transparency matters under the EU Cyber Resilience Act. For Italian manufacturing, the argument is not theoretical: it is the difference between knowing your exposure and discovering it during an incident, at 2 AM, with production lines down. Asset inventory, segmentation, and software transparency in OT environments should be treated as national resilience measures, not optional best practices.

Compliance tied to evidence of operational readiness. The vulnerability management failure analysis made the case that patching the wrong holes is often worse than patching nothing, because it creates a false sense of security. The same logic applies to NIS2 compliance: an organization that has met every ACN deadline and still has unpatched systems, no tested incident response capability, and no verified backup procedure is not secure. It is merely documented, and that difference matters most at the moment when everyone would rather it did not. NIS2 implementation should reward tested backups, exercised incident response, supplier visibility, and measurable remediation capacity, not just completed forms and designated contacts.

The CISOs working in Italian organizations understand this distinction instinctively. Their frustration is not with the regulation, which is at least directionally correct. It is with being asked to build a security program with a compliance budget, inside a market that does not produce enough qualified people, within organizations where security remains structurally subordinate to operational continuity. That is a system problem, not a failure of individual competence, and it requires a system-level answer.