# DORA Reporting in Italy: Banca d'Italia, CONSOB and IVASS Guide Source: https://www.cyadviso.com/dora-italy-banca-ditalia-consob-ivass Last reviewed: 2026-05-01 Country: Italy (IT) Tags: DORA, Italy Italy DORA supervision across Banca d'Italia, CONSOB and IVASS: scope by entity type, INFOSTAT reporting, ICT incident evidence and 2026 evidence checklist. --- ## Short answer In Italy, DORA competent authority routing depends on the entity type. Banca d'Italia publishes the reporting process for major ICT-related incidents and significant cyber threats for its supervised entities, while CONSOB and IVASS cover securities-market and insurance-sector entities under their respective mandates. ## Competent authorities - **Banca d'Italia** (Banca d'Italia) — https://www.bancaditalia.it/ - **Commissione Nazionale per le Società e la Borsa (CONSOB)** (CONSOB) — https://www.consob.it/web/consob-and-its-activities - **Istituto per la Vigilanza sulle Assicurazioni (IVASS)** (IVASS) — https://www.ivass.it/homepage/index.html?com.dotmarketing.htmlpage.language=1 ## Entities in scope - Credit institutions (banks) - Payment institutions and electronic money institutions (PIs / EMIs) - Investment firms - Crypto-asset service providers (CASPs) authorised under MiCA - Insurance and reinsurance undertakings, where supervised in this jurisdiction - Other financial entities listed in DORA Article 2 ## Jurisdictional nuances - Banca d'Italia states that major ICT-related incidents and voluntary significant cyber-threat notifications are reported through its INFOSTAT platform for the listed supervised entities. - For banks, payment institutions, AISPs and EMIs, Banca d'Italia also notes that reporting obligations extend to operational or security payment-related incidents affecting them. - CONSOB, Banca d'Italia and IVASS have coordinated on DORA-aligned cyber-resilience and TIBER-IT materials; entities should still route notifications to the authority that supervises their licence. - Insurance undertakings and insurance intermediaries should verify IVASS-specific DORA materials instead of assuming the banking-sector INFOSTAT route applies. ## Primary sources - Banca d'Italia — Reporting of major ICT-related incidents and cyber threats — https://www.bancaditalia.it/compiti/vigilanza/dora-incidenti/index.html?com.dotmarketing.htmlpage.language=1&dotcache=refresh - CONSOB — DORA — https://www.consob.it/web/area-pubblica/dora - IVASS — DORA information for operators — https://www.ivass.it/operatori/dora/index.html?com.dotmarketing.htmlpage.language=1 - Regulation (EU) 2022/2554 — DORA, EUR-Lex — https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554 - European Banking Authority — Digital Operational Resilience Act (DORA) — https://www.eba.europa.eu/activities/direct-supervision-and-oversight/digital-operational-resilience-act --- Canonical HTML: https://www.cyadviso.com/dora-italy-banca-ditalia-consob-ivass Authored by Andrey Gubarev — CISO for EU fintechs (CISM, CDPSE, SABSA). CyAdviso · DORA / ICT risk / vCISO programmes for EU-licensed fintechs.