The Bill on Cyber Security and Computer Crimes was definitively approved
in the Senate on 19 June 2024. This bill proposes new measures to strengthen the resilience of the
IT infrastructures of Public Administrations and financial institutions, modifying the
regulations on computer crimes and the related sanctions provided for by the Criminal Code, and also
affecting the administrative liability of entities pursuant to Legislative Decree 231/01.
The final text maintains the same structure as the Cybersecurity Bill approved by the
Chamber of Deputies, and is divided into two chapters: the first identifies the conduct necessary
to develop national capacity for the prevention, monitoring, detection and analysis of
cyber security incidents and cyber attacks, as well as the ability to respond to them, while the
second is dedicated to the review of the sanctioning treatment of computer crimes, to procedural
amendments and to those on the administrative liability of entities.
It therefore becomes essential to understand, in the construction of the 231 Organizational Model and in the
development of an integrated compliance system, how to carry out the risk assessment and what
control measures to put in place in order to contain the increase in IT risks, as well as
what role the Supervisory Body appointed pursuant to Legislative Decree no. 231/2001
can play.
The most significant interventions on the Criminal Code – and consequently also on the
administrative liability of companies and entities – include the new
case added to paragraph 3 of art. 629 of the Criminal Code on the subject of extortion committed through the
perpetration or threat of perpetration of certain specific types of computer crimes, aimed at
countering the increasingly rampant phenomenon of hacker attacks against private companies and
Public Administrations aimed, most of the time, at obtaining the payment of large ransoms.
As regards the latter new case, it is not easy to identify the nature of the so-called “Criminal Attacks”
control measures that must be adopted for this purpose, i.e. the organisational and
procedural measures in addition to those that should already be provided for by the organisational model
to prevent the commission of crimes attributable by type to that of extortion through
instrumental conduct, i.e., specifically, through “the conduct referred to in articles 615-ter,
617-quater, 617-sexies, 635-bis, 635-quater, and 635-quinquies.”
Only the conduct contemplated in the crime of “Falsification, alteration or suppression of
computer or telematic communications”, which would seem to become part ex
novo, albeit indirectly, of the category of cases relevant for the purposes of prevention
of the predicate offences referred to in art. 24-bis of Legislative Decree no. 231/2001 (Computer crimes and unlawful processing
of data), may require additional measures.
As regards the activity that the Supervisory Body will be called upon to carry out,
the monitoring activity remains essential, as do the function of impetus towards the managing body
(the body competent for the approval of the Organisational Model and related updates) and the
supervisory function over the actions to adapt the system made necessary by the initiatives introduced
by the new legislation.