Digital operational resilience in the financial sector: analysis of Legislative Decree 23/2025 and the DORA sanctions framework.

The article provides an in-depth analysis of Legislative Decree No. 23 of March 10, 2025, which aligns Italian legislation with Regulation (EU) 2022/2554 DORA (Digital Operational Resilience Act), aimed at enhancing the digital operational resilience of the financial sector.

Key topics include:

• the designation of national competent authorities (Bank of Italy, Consob, IVASS, COVIP) and the allocation of supervisory responsibilities.
• the National Cybersecurity Agency (ACN)'s role in managing ICT incidents and supporting the financial regulators.
• the establishment of coordination protocols for technical support and incident response between authorities.

A central focus is the sanctions framework, divided into:

• severe violations (e.g., failure to implement risk management frameworks, insufficient backups, non-reporting of major incidents).
• lesser violations, concerning organizational and procedural obligations.

Sanctions are calibrated based on:

•  
• the type of financial entity (banks, insurers, investment firms, crypto providers, etc.),
• the severity of the breach,
• the annual turnover of the legal entity involved.

The decree also includes fines for individuals, non-pecuniary measures (e.g., suspension of unlawful practices), and mandatory publication of enforcement decisions by the supervising authority.
This article serves as a comprehensive legal and regulatory guide to understand the impact of Legislative Decree No. 23/2025 on digital governance, technical obligations, and regulatory risks within the banking, financial, and insurance sectors.