Compliance & Risk Management – Cyber risk & businesses

In this sixth edition of the Compliance & Risk Management Newsletter, professionals from Andersen’s 231/Privacy Service Line explore the topic of cyber risk, highlighting the growing importance for companies to adopt appropriate technical and organizational measures to mitigate this risk, thereby improving their governance and resilience.

Cybercrimes and corporate liability

Italian legislation has recently strengthened the framework of predicate offenses by including new scenarios related to artificial intelligence. In particular, Law 132/2025 introduced offenses and aggravating circumstances related to the use of AI systems, such as the unlawful dissemination of content generated or altered by AI and the aggravation of existing offenses (e.g., market manipulation if committed with AI).

Although not all of the new offenses are formally included in the catalog of predicate offenses under Legislative Decree 231/2001, the unlawful use of AI systems increases an entity's risk exposure and may result in fines and disqualification measures if the entity cannot prove that it has adopted and effectively implemented suitable prevention measures. Managing these risks therefore requires updating processes and controls: digital risk analysis, specific protocols, dedicated training and continuous monitoring become essential tools. A proactive approach to cybersecurity and to the responsible use of AI not only protects regulatory compliance but also protects the reputation and value of the organization over the long term.

NIS2: requirements and deadlines for 2026

2026 marks the beginning of a crucial phase for companies falling within the scope of the NIS2 Directive. Italian companies are now required to implement the measures provided for by the legislation in order to be compliant and avoid penalties. From January 2026, the obligations to report significant incidents become fully effective. This means that companies must be able to recognize and manage a security incident, preferably according to a clear procedure that defines roles, responsibilities and the steps for responding to an incident. By October 2026, the basic security measures must be effectively implemented, meaning they must be embedded in business processes rather than existing only on paper.

That being said, simply adopting policies is not enough to comply with NIS2. Cyber risk has to be managed with a risk-based approach, built on resilience and on the ability to respond to emergencies. This is the effort required of companies to ensure that their data (the new oil) is genuinely protected.

The importance of cyber risk insurance

Cyber insecurity is a real and widely perceived risk, driven both by the rapid development of new technologies and by the increasing frequency and sophistication of cyberattacks.

The state of an organization's IT and cybersecurity posture is what makes the difference when facing cyberattacks, which can generate losses and damages (including reputational harm and penalties) far exceeding the annual insurance premium. Every business owner should therefore identify their level of exposure to digital risk and then assess whether cyber-risk insurance is a suitable strategic tool for ensuring business continuity.