Table of contents
- The new cyber DPCM: legal context and scope
- Cyber security requirements: high standards, lower risks
- Vulnerability management: continuous monitoring and transparency
- Digital supply chain: traceability and security
- Which ICT goods and services are affected?
- Safe countries and strategic technologies
- A new era for Italy’s digital security
The new cyber DPCM: legal context and scope
The DPCM of April 30, 2025, published in the Official Gazette on May 5, will enter into force on May 21, 2025. It marks a turning point in how public administrations acquire ICT goods and services.
This is a major step in Italy’s national cyber security strategy, aiming to protect strategic interests and strengthen digital sovereignty.
In compliance with Article 14 of Law No. 90 of June 28, 2024, the decree introduces uniform cyber security requirements for all ICT procurement processes in sensitive sectors, with preference given to technologies from the EU or safe countries.
Cyber security requirements: high standards, lower risks
The DPCM defines a clear set of mandatory cyber security requirements. Every ICT component — from VPNs to software — must be secure by design and by default, protect sensitive data, and prevent unauthorized access.
Security updates, vulnerability management, and resilience against cyberattacks become essential. Critical systems must remain functional even under denial-of-service (DoS) attacks. Only products that meet these standards will be considered for public tenders.
Vulnerability management: continuous monitoring and transparency
Vulnerability management becomes a strategic obligation. Public bodies must continuously monitor their systems, while providers are required to offer prompt, well-documented updates.
Each patch must include clear explanations: what’s fixed, why it matters, and what users must do.
Suppliers must also set up vulnerability disclosure channels and guarantee free, accessible updates — even for third-party components.
Digital supply chain: traceability and security
The DPCM introduces strict evaluation of the ICT supply chain. Public administrations must map all suppliers and assess their cyber risk exposure.
Reliability and transparency will be decisive.
The evaluation aims to prevent backdoors or malware from being introduced through insecure components, and it promotes collaboration only with trusted tech partners.
Which ICT goods and services are affected?
Annex 2 of the decree lists all covered technologies, including:
- Identity management systems
- Anti-malware software
- VPNs, firewalls, SIEM, PKI
- Encryption, monitoring, and secure logging solutions
Only solutions meeting the updated standards will be eligible for public contracts.
Safe countries and strategic technologies
Annex 3 defines a list of “safe countries”, including Australia, South Korea, Japan, Israel, Switzerland, and New Zealand — all bound to Italy through cyber security cooperation agreements.
ICT solutions from these countries will be awarded bonus points in public tenders, encouraging partnerships with internationally trusted tech providers.
A new era for Italy’s digital security
This decree marks a major shift in Italy’s approach to digital defense. Not only does it raise the bar for public sector procurement, but it also challenges ICT providers to upgrade their products and practices.
Those who adapt will not only gain access to public contracts, but also position themselves as strategic cyber security allies for the Italian State.
The message is clear: cyber security is no longer a constraint, but a strategic growth opportunity for innovation and digital trust.