1.1 Would any of the following activities constitute a criminal or administrative offence in your jurisdiction? If so, please provide details of the offence, the maximum penalties available, and any examples of prosecutions in your jurisdiction:
Hacking (i.e. unauthorised access)
Yes, article 615ter of the Italian Penal Code (IPC) provides for the punishment of unauthorised access to computers and IT systems. In fact, provided that such systems are protected by security measures, those who access the systems without authorisation or fail to leave the systems after being authorised to access them may be sentenced to up to three years in prison. In order for the access to be considered criminal under article 615ter of the IPC, the relevant computer or IT systems must be protected by way of adequate security measures.
If the unauthorised access is carried out in certain specific circumstances, the statutory punishment may be increased to up to five years. Such harsher punishment is applied if:
- the unauthorised access is carried out by a public servant or by a system administrator;
- the hacker acts violently to the detriment of assets or individuals or if he/she is armed; or
- as a result of the unlawful access, the computer or system is damaged or its functioning interrupted.
Punishments are also greater if computers or IT systems relevant or instrumental to public health or national security are targeted.
Also, corporates can be punished if the hacking is carried out in their interest or to their advantage. Indeed, pursuant to Legislative Decree no. 231 of 2001, legal persons are subject to “administrative liability” if their managers commit certain crimes, unless appropriate compliance programmes are adopted beforehand and appropriately implemented, and it can be proved that the relevant managers could only commit the crime(s) by eluding the programme. Hacking is among the crimes that may trigger a legal person’s liability and financial penalties between 100 and 500 units (each unit may be between 258 and 1,549 Euros, depending on a number of criteria, including the legal person’s financials, the seriousness of the offence, etc.)
Denial-of-Service (DoS) attacks are punishable under article 635quater of the IPC. Under this statutory provision, those who destroy, damage, make unusable by “introducing or transmitting” data, information or programmes or severely impair their working of other people’s computers or IT systems are subject to punishment of imprisonment from one to five years.
The punishment is increased if the relevant conduct is carried out by exploiting one’s role as system administrator.
Article 635quater of the IPC provides that if the DoS attack intends to destroy or damage computers or IT systems that are used by the Government, or instrumental to the public interest, the punishment is imprisonment of one to four years; however, if the DoS attack causes the destruction of data, information or programmes, the perpetrators are subject to imprisonment from three to eight years.
DoS attacks are among the crimes that may trigger a legal person’s liability and financial penalties between 100 and 500 units (each unit may be between 258 and 1,549 Euros, depending on the aforementioned criteria).
Phishing is regarded as a type of IT fraud and, therefore, punishable pursuant to article 640ter of the IPC, i.e. conduct by which an individual, by altering the normal working of a computer or IT system or tampering with data, information or programmes contained therein, reaps an unjust profit for himself/herself and causes damage to a third party. Article 640ter, paragraph 3, provides that if IT fraud is carried out by stealing or using without authorisation a third party’s digital identity, the perpetrator is subject to imprisonment for two to six years and a fine from 600 to 3,000 Euros.
If the phishing is carried out by its managers to the detriment of the Government, the relevant legal person’s administrative liability will be up to 500 units.
Infection of IT systems with malware (including ransomware, spyware, worms, trojans and viruses)
Pursuant to article 615quinquies IPC, those who receive, produce, copy, import or divulge equipment or malware are subject to up to two years’ imprisonment and a fine not exceeding 10,329 Euros.
If the phishing is carried out by its managers to the detriment of the Government, the relevant legal person’s administrative liability will be up to 300 units.
Distribution, sale or offering for sale of hardware, software or other tools used to commit cybercrime – Possession or use of hardware, software or other tools used to commit cybercrime
Article 615quater of the IPC punishes two types of conduct: conduct that makes keywords (passwords), access codes or other means (software or technical devices) available and conduct that involves making the same material objects available to third parties.
The crime is punished by imprisonment of up to one year and a fine of up to 5,164 Euros.
Article 24bis, paragraph 2 of Italian Legislative Decree no. 231 of 2001 provides for the application of a fine of up to 300 units.
Article 617quinquies of the IPC punishes the conduct of those who install equipment (including spyware-type computer programmes) designed to intercept, prevent or interrupt communications relating to a computer or telecommunications system with imprisonment from one to four years. Financial penalties for the relevant legal person’s administrative liability are between 100 and 500 units.
Identity theft or identity fraud (e.g. in connection with access devices)
Article 494 of the IPC punishes anyone who, in order to obtain an advantage for himself/herself or others, misleads someone by impersonating another, by imprisonment of up to one year.
Those who use phishing techniques to obtain the authentication credentials necessary to illegally access the owner’s exclusive computer spaces (for example relating to the management of online current accounts) and to carry out banking and financial transactions without authorisation, can be liable for the crime referred to in article 494 of the IPC and for unauthorised access of a computer system and fraud.
Electronic theft (e.g. breach of confidence by a current or former employee, or criminal copyright infringement)
The conduct is the disclosure of scientific or commercial secrets provided for by article 623 of the IPC, according to which anyone who becomes aware of trade secrets or information destined to remain secret for reasons of his/her profession and discloses or uses them for his/her own or someone else’s profit, is punished with imprisonment of up to two years.
The punishment is harsher if the crime is committed with the use of any computer tool.
Secondarily, article 624 of the IPC, which punishes theft, may be applied, with a penalty of imprisonment from six months to three years and a fine from 154 to 516 Euros.
Unsolicited penetration testing (i.e. the exploitation of an IT system without the permission of its owner to determine its vulnerabilities and weak points)
This conduct can be traced back to the crime of unauthorised access of a computer system provided for by article 615ter of the IPC.
Any other activity that adversely affects or threatens the security, confidentiality, integrity or availability of any IT system, infrastructure, communications network, device or data
Article 617quater of the IPC punishes the conduct of anyone who fraudulently intercepts communications relating to a computer or telecommunication system, or interrupts or prevents them, or discloses their content, by imprisonment from six months to four years; article 617quinquies of the IPC punishes the installation of equipment designed to intercept, prevent or interrupt communications relating to an IT or telematic system by imprisonment from one to four years; article 617sexies of the IPC punishes the conduct of anyone who, with a view to procuring an advantage or causing damage to others, falsifies or alters or suppresses the content of communications relating to an IT or telematic system, by imprisonment from one to four years.
1.2 Do any of the above-mentioned offences have extraterritorial application?
According to the Italian penal system, anyone who commits a crime in Italian territory is punished according to Italian law. The crime is considered committed in Italian territory when the action or omission, or event consequence have occurred or occur, even in part, on the territory of the State.
In the context of Cybercrime in general, in order for Italian law to apply, it is sufficient that only part of the harmful action or event occurs in Italy.
1.3 Are there any factors that might mitigate any penalty or otherwise constitute an exception to any of the above-mentioned offences (e.g. where the offence involves “ethical hacking”, with no intent to cause damage or make a financial gain)?
The Italian legislator has not provided for special mitigating circumstances or grounds for non-punishment for Cybercrime.
Therefore, the general principles must be applied whereby, for example, acting: in the exercise of a right or fulfilment of a duty; with the consent of the person entitled; or in a state of necessity, is grounds for justification.
On the other hand, cases that involve: acting out of regard for moral or ethical values; and committing a less severe offence, constitute mitigating circumstances that can reduce the punishment.
2. Cybersecurity Laws
2.1 Applicable Law: Please cite any Applicable Laws in your jurisdiction applicable to cybersecurity, including laws applicable to the monitoring, detection, prevention, mitigation and management of Incidents. This may include, for example, data protection and e-privacy laws, intellectual property laws, confidentiality laws, information security laws, and import/export controls, among others.
The sources of law on the subject are:
- Italian Legislative Decree no. 65/2018, adopted in the implementation of European Directive EU/2016/1148 (known as Network and Information Security (NIS) Directive), defines the object and scope of application, the obligations incumbent on operators of essential services (OESs) and digital service providers (DSPs) to guarantee the security of their networks and IT systems, as well as the rules regarding incidents and notification obligations.
- Italian Legislative Decree no. 105/2019, with which the national cybersecurity perimeter was defined. In the implementation of the same, the following have been adopted:
- Italian Ministerial Decree no. 131/2020, containing the regulation on the perimeter of national cybersecurity;
- Italian Presidential Decree no. 54/2021, containing the regulation that defines the procedures, methods and terms of evaluation of the acquisitions of goods, systems and services by the individuals included in the information and communication technology cybersecurity perimeter (ICT); and
- Italian Ministerial Decree no. 81/2021, containing the regulation governing the procedures for notifications in the event of incidents having an impact on networks, information systems and IT services, as well as measures aimed at guaranteeing high security models.
- Italian Legislative Decree no. 82/2021, containing urgent provisions on Cybersecurity, the definition of the national cybersecurity architecture and establishment of the National Cybersecurity Agency.
- As for the protection of personal data:
- EU Regulation 2016/679 of 27 April 2016, better known as the General Data Protection Regulation (GDPR); and
- Italian Legislative Decree no. 101/2018, containing provisions for the adaptation of national legislation to the provisions of EU Regulation 1016/679, which integrated the Italian Privacy Code.
2.2 Critical or essential infrastructure and services: Are there any cybersecurity requirements under Applicable Laws (in addition to those outlined above) applicable specifically to critical infrastructure, operators of essential services, or similar, in your jurisdiction?
Italian Legislative Decree no. 65/2018 identifies specific obligations regarding safety and notification of incidents, to be borne by:
- OESs, i.e. the individuals that provide a service essential for the maintenance of fundamental social and/or economic activities that is offered by the network and information systems on which an incident would have relevant negative effects. The sectors in which they operate are: energy, transport, banking, financial market infrastructures, healthcare and digital infrastructures; and
- DSPs, i.e. those active in the online market, online search engines and cloud computing services.
2.3 Security measures: Are organisations required under Applicable Laws to take measures to monitor, detect, prevent or mitigate Incidents? If so, please describe what measures are required to be taken.
According to the provisions of Italian Legislative Decree no. 65/2018, OESs and DSPs must adopt:
- adequate and proportionate technical and organisational measures for managing the risks posed to the security of the network and the information systems; and
- adequate measures to prevent and minimise the impact of incidents affecting the security of the network and systems used.
Italian Ministerial Decree no. 81/2021 identifies the specific security measures to be adopted by individuals falling within the national cybersecurity perimeter.
These are measures aimed at guaranteeing high levels of network, information systems’ and IT services’ security, considering the standards defined at international level.
These specific measures are set out in Annex B to the aforementioned regulation. Annex C identifies the minimum measures for the physical and logical protection of data, and integrity of networks and information systems.
The GDPR also makes it incumbent on the data controller and data processor to implement adequate technical and organisational measures that ensure a level of security appropriate to the corresponding risk, which include, for example: pseudonymisation and the encryption of personal data; the ability to ensure the confidentiality; the integrity and resilience of processing systems and services on a permanent basis; and a procedure for testing and evaluating the effectiveness of the measures.
2.4 Reporting to authorities: Are organisations required under Applicable Laws, or otherwise expected by a regulatory or other authority, to report information related to Incidents or potential Incidents (including cyber threat information, such as malware signatures, network vulnerabilities and other technical characteristics identifying a cyber-attack or attack methodology) to a regulatory or other authority in your jurisdiction? If so, please provide details of: (a) the circumstance in which this reporting obligation is triggered; (b) the regulatory or other authority to which the information is required to be reported; (c) the nature and scope of information that is required to be reported; and (d) whether any defences or exemptions exist by which the organisation might prevent publication of that information.
According to the provisions of Italian Legislative Decree no. 85/2018, both OESs and DSPs have specific obligations regarding the notification of incidents.
Both must notify the Computer Security Incident Response Team (CSIRT Italy), without delay, of any incidents having a significant impact on the continuity of the essential services provided, including information that makes it possible to identify any cross-border impact of the incident. CSIRT Italy provides the notifying operator with information that can facilitate effective treatment of the incident.
As regards DSPs, the notification obligation applies only when the provider has access to the information necessary to assess the impact of an incident (number of users affected, duration of the incident, geographical spread, extent of the disturbance on the functioning of the service).
Italian Ministerial Decree no. 81/2021 has adopted a taxonomy of incidents, understood as any event of an accidental or intentional nature that determines the malfunction, interruption (even partial) or improper use of networks, information systems or information services, divided into two categories depending on the severity.
The notification must be made within six hours or one hour depending on the severity of the incident.
Pursuant to article 32 of the GDPR, where personal data have been violated, the data controller is required to notify the competent supervisory authority (the Guarantor for the Protection of Personal Data (GPPD)) of the violation without undue delay and, if possible, within 72 hours of becoming aware of the event, except where it is unlikely that the data breach poses a risk to individuals’ rights.
2.5 Reporting to affected individuals or third parties: Are organisations required under Applicable Laws, or otherwise expected by a regulatory or other authority, to report information related to Incidents or potential Incidents to any affected individuals? If so, please provide details of: (a) the circumstance in which this reporting obligation is triggered; and (b) the nature and scope of information that is required to be reported.
Italian Legislative Decree no. 85/2018 provides that:
- CSIRT Italy shall inform any other Member States that may be affected by the effects of the incident;
- the NIS competent authority may inform the public of the individual incident where it deems it necessary, to raise management’s awareness of the incident;
- if the incident involves the violation of personal data, the NIS competent authority shall inform the GPPD; and
- if the OESs depend on a third party providing digital services for the provision of a service essential for the maintenance of fundamental economic and social activities, the operator shall also be informed of the incident.
Furthermore, the GDPR provides in article 34 that, in the event the violation of personal data is likely to present a high risk for the rights and freedoms of individuals, the data controller shall notify the injured party without delay. This notification is not required where the data controller has put in place adequate technical measures to protect the data subject to violation.
2.6 Responsible authority(ies): Please provide details of the regulator(s) or authority(ies) responsible for the above-mentioned requirements.
The national authority responsible for the security of networks and information systems (according to the NIS Directive) is the National Cybersecurity Agency, which was established by Italian Legislative Decree no. 82/2021. It ensures coordination between the public entities involved in cybersecurity at a national level, prepares the national cybersecurity strategy and is responsible for verifying violations and imposing administrative sanctions.
CSIRT Italy carries out the tasks and functions of the national Computer Emergency Response Team, defining the procedures for the prevention and management of IT incidents.
The GPPD is the designated authority for checking the processing of personal data, in accordance with the GDPR, and is tasked with receiving notifications of the violations involving the processing of personal data.
2.7 Penalties: What are the penalties for not complying with the above-mentioned requirements?
According to the provisions of article 21 of Italian Legislative Decree no. 65/2018, OESs who do not adopt adequate and proportionate technical and organisational measures to manage the risk for the security of the network and information systems are subject to a fine of between 12,000 and 120,000 Euros. The fine is reduced by one-third if the same act is committed by DSPs.
In the event of failure to notify an incident affecting the continuity of the service, unless the fact constitutes a crime, the operator is subject to a fine of between 25,000 and 125,000 Euros.
Italian Legislative Decree no. 105/2019 provides for further penatlties in the event of:
- failure to prepare, update and transmit the list of networks of information systems and IT services used (fine of between 200,000 and 1,200,000 Euros);
- failure to adopt security measures (fine of between 250,000 and 1,500,000 Euros); and
- failure to comply with notification obligations (fine of between 250,000 and 1,500,000 Euros).
Where the provisions relating to the obligations of the data controller have been violated, article 85 of the GDPR provides for the application of fines of up to 20,000,000 Euros or, for companies, up to 4% of the total annual worldwide turnover of the previous year. The amount of the fine is determined by considering the nature, seriousness and duration of the violation, the measures adopted, the degree of liability of the data controller, etc.
2.8 Enforcement: Please cite any specific examples of enforcement action taken in cases of non-compliance with the above-mentioned requirements.
The sanctioning framework introduced by the GDPR is characterised by a rigorous set of financial sanctions. In order to be correctly applied, the European Data Protection Committee, in accordance with article 70 letter k) of the GDPR, has adopted Guidelines concerning the application of the financial sanctions, as well as the exercise of other powers conferred with the supervisory authority, including corrective ones (sending warnings or admonitions to the data controller or data processor, requiring them to comply with the regulation or to notify the interested party of the violation, imposing a temporary or definitive limitation on the processing, and ordering the cancellation or rectification of personal data).
3. Preventing Attacks
3.1 Are organisations permitted to use any of the following measures to protect their IT systems in your jurisdiction (including to detect and deflect Incidents on their IT systems)?
Beacons (i.e. imperceptible, remotely hosted graphics inserted into content to trigger a contact with a remote server that will reveal the IP address of a computer that is viewing such content)
The annex to Italian Ministerial Decree no. 81/2021 indicates the characteristics of the measures aimed at guaranteeing high levels of safety. Although not mentioned, the “beacons” can be used to protect IT systems.
Honeypots (i.e. digital traps designed to trick cyber threat actors into taking action against a synthetic network, thereby allowing an organisation to detect and counteract attempts to attack its network without causing any damage to the organisation’s real network or data)
“Honeypots” can also be used to protect IT systems.
Sinkholes (i.e. measures to re-direct malicious traffic away from an organisation’s own IP addresses and servers, commonly used to prevent DDoS attacks)
“Sinkholes” can also be used to protect IT systems.
3.2 Are organisations permitted to monitor or intercept electronic communications on their networks (e.g. email and internet usage of employees) in order to prevent or mitigate the impact of cyber-attacks?
Annex B of Italian Ministerial Decree no. 81/2021 lists security measures that allow the continuous monitoring of information systems and assets of individuals involved in the identification of Cybersecurity events, and verifies the effectiveness of the measures themselves, as well as those that allow for the detection of unauthorised personnel, connections or devices.
The use of these tools is also permitted by article 4 paragraph 1 of the Workers’ Statute (Italian Law no. 300/1970), which authorises control over the worker in the context of carrying out the so-called “defensive controls”, e.g. for safety reasons.
3.3 Does your jurisdiction restrict the import or export of technology (e.g. encryption software and hardware) designed to prevent or mitigate the impact of cyber-attacks?
No, there are no restrictions on the use of technology to prevent or mitigate the impact of cyber-attacks.
4. Specific Sectors
4.1 Does market practice with respect to information security vary across different business sectors in your jurisdiction? Please include details of any common deviations from the strict legal requirements under Applicable Laws.
It has been said that the measures indicated in Legislative Decree no. 65/2018 apply to OESs and DSPs.
The sectors of activity in which, on the other hand, the individuals included in the national cybersecurity perimeter referred to in Italian Legislative Decree no. 105/2019 operate are those of the State administration, defence, aerospace, energy, telecommunications, economy and finance, transport, and digital services.
4.2 Excluding requirements outlined at 2.2 in relation to the operation of essential services and critical infrastructure, are there any specific legal requirements in relation to cybersecurity applicable to organisations in specific sectors (e.g. financial services or telecommunications)?
With regards to IT security in the financial sector, the Bank of Italy’s Circular no. 285 of 17 December 2013 imposes obligations of timely notification of a violation of the rules on information security directly to the Bank of Italy. The credit institution must send a summary report containing a description of the incident and the inefficiencies caused to customers, and technical information regarding the activities carried out by the bank, immediately after the incident.
Article 3 of Italian Legislative Decree no. 105/2019 extends the application of the decree’s provisions, which are aimed at ensuring a high level of security of: networks, information systems and IT services of public administrations; and public and private entities, to the operators who manage broadband electronic telecommunication networks with 5G technology.
5. Corporate Governance
5.1 In what circumstances, if any, might a failure by a company (whether listed or private) to prevent, mitigate, manage or respond to an Incident amount to a breach of directors’ or officers’ duties in your jurisdiction?
The sector regulations do not provide for specific obligations (and consequent liabilities) for the company’s directors; however, if they fail to adopt adequate security measures or comply with the obligations imposed by the aforementioned laws, they may be liable for the breach of duty of care set out in article 2392 of the Italian Civil Code (ICC).
Complementary to the duty of care is the obligation set out in article 2381 paragraph 6 of the ICC, which imposes on directors the duty to take informed action, as well as that provided for by article 2381 paragraph 5 of the ICC, which ensures that the organisational, administrative and accounting structure is adequate.
5.2 Are companies (whether listed or private) required under Applicable Laws to: (a) designate a CISO (or equivalent); (b) establish a written Incident response plan or policy; (c) conduct periodic cyber risk assessments, including for third party vendors; and (d) perform penetration tests or vulnerability assessments?
Neither European legislation nor the Italian legislation specifically impose the designation of a Chief Information Security Officer (CISO) for the Company; however, both EU Directive 2016/1148 and Italian Legislative Decree no. 65/2018 highlight the need (or at least the opportunity) to equip themselves with highly qualified specific figures.
The Ministerial Decree no. 81/2021 identifies the security measures that the subjects included in the national cybersecurity perimeter must adopt. The section called “protection” refers to the necessary training of personnel and third parties for the fulfilment of the tasks and roles assigned.
With reference to the regulations on the processing of personal data, the GDPR identifies the Data Protection Officer (DPO) in article 37 as a person nominated by the data controller or data processor to perform support, control, training and information functions.
5.3 Are companies (whether listed or private) subject to any specific disclosure requirements (other than those mentioned in section 2) in relation to cybersecurity risks or Incidents (e.g. to listing authorities, the market or otherwise in their annual reports)?
The implementation and control policy adopted by the Italian legislation provides that OESs are required to provide the NIS competent authority with: a) the information necessary to assess the security of their networks and information systems; b) evidence of effective implementation of security policies, such as the results of a security audit performed by the NIS competent authority or a licenced auditor.
DSPs are also required to provide the information necessary to the competent authorities for the aforementioned assessment, as required by Italian Legislative Decree no. 65/2018.
Italian Ministerial Decree no. 131/2021 provides for the individuals included in the national cybersecurity perimeter to prepare and update, at least annually, the list of relevant ICT assets.
6.1 Please provide details of any civil or other private actions that may be brought in relation to any Incident and the elements of that action that would need to be met.
Failure to comply with the legislation on IT security and the processing of personal data constitutes a source of civil liability, and those who have suffered financial and non-financial damage due to the harmful event have the right to compensation.
Article 82 of the GDPR provides that anyone who suffers damage due to a violation of the regulation has the right to obtain compensation from the data controller or data processor.
Article 140bis et seq. of the Italian Privacy Code regulates an alternative form of protection for the injured party from the unlawful processing of data.
6.2 Please cite any specific examples of published civil or other private actions that have been brought in your jurisdiction in relation to Incidents.
Please see the Order of the Court of Cassation no. 4475 of February 19, 2021; this considered that a damage claim brought by the injured parties for unlawful disclosure of their banking data was well-founded against the insurance company that had compensated them after an accident, because the insurance company had indicated such data at the bottom of the settlement deed sent to its policy holder, who had in turn disclosed the data during a condominium meeting.
6.3 Is there any potential liability in tort (or equivalent legal theory) in relation to failure to prevent an Incident (e.g. negligence)?
There is no statutory liability in tort for the failure to prevent an incident per se. However, if a third party’s data is unlawfully processed as a consequence of the failure to prevent an incident and provided that such third party can prove to have suffered an actual damage as a result, the data controller and/or data processor could be held liable and ordered to pay damages. Under article 82 of the GDPR, in order not to incur such liability, the data controller and/or data processor must prove that the incident could not be attributable to them, i.e. that it would have occurred regardless of the appropriateness of the security measures.
7.1 Are organisations permitted to take out insurance against Incidents in your jurisdiction?
Yes, they are. The use of insurance solutions has become more frequent, especially in the aftermath of the COVID-19 pandemic.
7.2 Are there any regulatory limitations to insurance coverage against specific types of loss, such as business interruption, system failures, cyber extortion or digital asset restoration? If so, are there any legal limits placed on what the insurance policy can cover?
No, there are no insurance coverage limits established by law.
8. Investigatory and Police Powers
8.1 Please provide details of any investigatory powers of law enforcement or other authorities under Applicable Laws in your jurisdiction (e.g. antiterrorism laws) that may be relied upon to investigate an Incident.
The investigative activity is entrusted to the Public Prosecutor, who makes use of judicial police officers specialising in computer crimes.
The inspection and verification activity in the field of cybersecurity is entrusted to the newly established National Cybersecurity Agency, which can acquire all the information useful from the affected parties for managing the incident.
Regarding the processing of personal data, the GPPD has extensive powers thanks to article 58 of the GDPR, such as ordering the data controller and the data processor to provide all useful information, conducting investigations, obtaining access to all personal data.
8.2 Are there any requirements under Applicable Laws for organisations to implement backdoors in their IT systems for law enforcement authorities or to provide law enforcement authorities with encryption keys?
There are no legal provisions requiring the adoption of backdoor systems in IT systems.
Regarding the investigative activity aimed at verifying crimes, remote control systems (RCS) must be mentioned. These include the so-called “computer detector”, consisting of malware that creates a backdoor, opening a hidden communication port between the monitored device and the remote listening centre, thus allowing remote control of the device. The problematic relationship between the IT sensor and the right to privacy was recently also addressed by the GPPD in the aftermath of the enormous concern aroused in public opinion by the Exodus case; malware acquired by the Ministry of the Interior to be used as a computer detector by the Italian Public Prosecution.