
How to Report a Data Breach in Italy (Information Technology), 72‑hour Rule and Garante Online Process

By Global Law Experts
– posted 1 hour ago

Understanding how to report a data breach in Italy online, in particular for information technology organisations, is now a front-line compliance priority for every organisation that collects or processes personal data in the country. Under GDPR Article 33, controllers must notify Italy’s data protection authority, the Garante per la protezione dei dati personali, within 72 hours of becoming aware of a qualifying breach. The 2025–2026 period has brought heightened enforcement scrutiny, with the Garante intensifying its focus on notification timeliness, while Italy’s transposition of the NIS2 Directive introduces parallel cybersecurity-reporting obligations for essential and digital service providers.

This guide provides the complete operational workflow: the threshold decision, the controller-versus-processor matrix, exact timing calculations, a step-by-step walkthrough of the Garante’s online databreach service, cross-reporting requirements, practical templates, and post-notification remediation steps.

1. The Primary Compliance Decision: Do You Need to Notify?

Not every security incident triggers a mandatory notification. Under GDPR Article 33(1), a controller must report a data breach to the Garante only where the breach “is likely to result in a risk to the rights and freedoms of natural persons.” If, after a documented risk assessment, the organisation concludes that the breach is unlikely to pose any risk (for example, encrypted data was exposed but the encryption key was not compromised), the notification obligation does not arise. The critical word is “likely”: the threshold is not certainty of harm but a reasonable probability of risk.

Even when notification is not required, GDPR Article 33(5) demands that every breach, regardless of severity, be logged in an internal breach register. The Garante may request access to this register at any time, and a failure to maintain it is itself an enforceable violation.

Quick Threshold Checklist

  • Identify the breach type. Was there unauthorised access, loss, alteration, or disclosure of personal data?
  • Assess risk to individuals. Could the breach lead to identity theft, financial loss, discrimination, reputational damage, or loss of confidentiality of data protected by professional secrecy?
  • Check data sensitivity. Does the breach involve special-category data (health, biometric, genetic), data of minors, or large-scale processing?
  • Evaluate mitigation already in place. Were technical measures such as encryption or pseudonymisation effective at the time of the breach?
  • Document the decision. Whether you notify or not, record the reasoning, the individuals involved in the assessment, and the timeline of your analysis.

If the answer to the risk assessment is affirmative, even marginally, proceed immediately to notification. Industry observers expect the Garante to continue treating late or absent notifications as an aggravating factor in penalty calculations, making a “when in doubt, notify” posture the safest operational default for organisations in Italy.

2. Who Notifies: Controller vs Processor When You Report a Data Breach in Italy

The obligation to report a data breach in Italy falls, in the first instance, on the data controller, the entity that determines the purposes and means of processing. Data processors have a different but equally time-critical duty: they must alert the controller “without undue delay” after becoming aware of a breach, as required by GDPR Article 33(2). Processors do not, under the standard GDPR framework, notify the Garante directly.

Controller Obligations

The controller must assess whether the breach meets the notification threshold, prepare and submit the notification to the Garante within 72 hours, and, where the breach is likely to result in a high risk, communicate it to affected data subjects under GDPR Article 34. The controller retains full accountability for the completeness and timeliness of every filing.

Processor Obligations and Necessary Coordination

Processors must provide the controller with all information necessary to fulfil the controller’s Article 33 obligations. This includes the nature of the breach, categories and approximate number of affected records, and any containment measures already taken. The processor’s notification to the controller should be in writing, typically by secure email or a pre-agreed incident-reporting channel, and must include enough detail for the controller to begin its own risk assessment immediately.

Contractual Steps to Trigger Notification

Data processing agreements (DPAs) governed by GDPR Article 28 should specify exact escalation timelines, a named contact point at the processor, the minimum data fields to be included in the initial alert, and any obligation for the processor to assist with the Garante submission. Organisations should audit these clauses annually to ensure they remain aligned with evolving Garante expectations.

| Entity Type | Primary Obligation (Who to Notify) | Typical Timing & Notes |
|---|---|---|
| Controller (data controller) | Notify the Garante if the breach is likely to result in a risk to data subjects; notify data subjects where a high risk exists | Within 72 hours of becoming aware (GDPR Article 33); include the risk assessment; provide updates if the initial report is incomplete |
| Processor (data processor) | Notify the controller without undue delay; assist the controller in preparing the notification to the Garante | Processors do not normally notify the Garante directly unless contractually required or the controller fails to act; they must provide the required details promptly |
| Cross‑border lead (multiple EU DPAs involved) | Notify the lead supervisory authority per EDPB cooperation rules; inform other concerned DPAs | Follow the EDPB cross‑border cooperation mechanism; the controller should coordinate lead‑DPA communications and manage the timeline |

3. Timing: The 72‑Hour Rule Explained for Italy (Practical Examples)

The 72-hour rule that GDPR compliance teams in Italy must follow is one of the most operationally demanding deadlines in European data protection law. Under GDPR Article 33(1), the clock begins to run the moment the controller “becomes aware” of the breach. The EDPB has clarified that “awareness” means the point at which the controller has a reasonable degree of certainty that a security incident has compromised personal data, not when a full forensic investigation has concluded.

Crucially, the 72 hours are counted in calendar hours, not business hours. Weekends, public holidays, and overnight hours all count. If an IT security team detects an intrusion at 22:00 on a Friday evening, the 72-hour deadline expires at 22:00 the following Monday, regardless of office operating hours.

Worked Examples

  • Example 1, weekday discovery. A controller’s security operations centre confirms a ransomware exfiltration at 09:00 on Tuesday. The notification must reach the Garante by 09:00 on Friday at the latest.
  • Example 2, weekend discovery. A processor alerts the controller at 17:30 on Saturday that a misconfigured cloud bucket exposed customer records. The controller verifies the breach by 20:00 on Saturday. The 72-hour deadline is 20:00 on Tuesday.

Where the full scope of the breach cannot be determined within 72 hours, a common scenario in complex IT environments, GDPR Article 33(4) permits a phased approach. The controller submits an initial notification containing all information available at that point and follows up with supplementary details “without undue delay.” The Garante expects clear reasons for the delay and a commitment to provide updates.

Exceptions and Practical Extension Considerations

There is no formal extension mechanism under the GDPR for the 72-hour window. However, if a notification is submitted after the deadline, the controller must accompany it with an explanation of the reasons for the delay (GDPR Article 33(1), second sentence). The likely practical effect is that a well-documented justification, for instance, genuinely complex technical forensics, can mitigate enforcement consequences, though it does not eliminate liability.

Record-Keeping Even When No Notification Is Made

Every breach must be recorded internally under GDPR Article 33(5), including breaches assessed as not reaching the notification threshold. The register should capture the facts of the breach, its effects, the remedial action taken, and the reasoning behind the decision not to notify. The Garante may audit these registers, and a gap between an incident and a corresponding record is itself a compliance failure.

4. The Garante Online Process: How to Submit Your Data Breach Notification in Italy

The Garante accepts breach notifications through its dedicated online databreach service. This is the primary method for organisations, including information technology providers, to report a data breach in Italy online, and it is the channel the Garante expects most controllers to use. The platform requires SPID (Sistema Pubblico di Identità Digitale), CIE (Carta d’Identità Elettronica), or CNS (Carta Nazionale dei Servizi) authentication for the submitting user.

Step-by-Step Submission Workflow

  1. Authenticate. Access the Garante databreach service portal and log in using SPID, CIE, or CNS credentials. Ensure the credentials belong to an individual authorised to submit on behalf of the controller.
  2. Select notification type. Choose whether this is an initial notification, a supplementary/follow-up notification, or a withdrawal of a previous notification.
  3. Identify the controller. Enter the legal name, registered address, fiscal code (codice fiscale) or VAT number, and DPO contact details (name, email, phone) of the data controller.
  4. Describe the breach. Complete the required fields:
    • Nature of the breach: confidentiality, integrity, availability, or a combination.
    • Date and time of discovery: the precise moment the controller became aware.
    • Date and time the breach occurred (if known or estimated).
    • Categories of data subjects affected: employees, customers, patients, minors, etc.
    • Approximate number of data subjects affected.
    • Categories of personal data records affected: identification data, financial data, health data, biometric data, etc.
    • Approximate number of personal data records affected.
  5. Assess and describe consequences. Outline the likely consequences of the breach for affected individuals (identity theft, financial loss, discrimination, etc.) and explain the measures taken or proposed to address the breach and mitigate adverse effects.
  6. Mark cross-border status. Indicate whether the breach involves processing in more than one EEA member state. If cross-border, identify the lead supervisory authority and list all concerned supervisory authorities.
  7. Upload supporting documents. Attach any relevant evidence, forensic reports, system logs, screenshots, risk assessment documents, or communications with affected parties.
  8. Review and submit. Verify all fields, confirm accuracy, and submit. The system will generate a confirmation receipt with a protocol number and timestamp. Retain this receipt as proof of timely filing.

What Supporting Documents to Upload

The Garante does not mandate a fixed set of attachments, but best practice includes: the internal incident report, a summary of the forensic analysis (even if preliminary), the risk assessment matrix used to evaluate likelihood of harm, evidence of containment measures deployed, and, if data subjects have been notified, a copy of the communication sent to them. All documents should be in PDF format and should not themselves contain unredacted personal data of affected individuals beyond what is necessary for the Garante’s assessment.

How to Mark Cross-Border Incidents

If the breach involves data subjects in multiple EEA states or processing operations in more than one member state, the form requires the controller to identify the lead supervisory authority. Where the Garante is the lead authority, it will coordinate with other concerned DPAs through the EDPB’s one-stop-shop mechanism. Where the Garante is not the lead authority, the controller should still submit a notification to the Garante as a concerned authority and separately notify the lead DPA in the relevant member state.

5. Cross-Reporting: GDPR, EDPB/EDPS, and National Cybersecurity Obligations (NIS2)

How do you report a data breach to the EU beyond the Garante? For organisations operating across borders or falling within critical infrastructure sectors, the answer involves multiple parallel reporting streams. GDPR cross-border breach reporting obligations interact with both the EDPB cooperation mechanism and, increasingly, with NIS2 national cybersecurity requirements.

EDPB and EDPS Reporting Routes

When a breach is cross-border, meaning it substantially affects data subjects in more than one EEA member state, the controller must notify its lead supervisory authority, which then coordinates with other concerned DPAs through the EDPB cooperation procedure. The EDPB itself does not receive individual breach notifications; rather, it facilitates the cooperation mechanism between national DPAs. EU institutions, bodies, offices, and agencies that are themselves controllers report directly to the European Data Protection Supervisor (EDPS) rather than a national DPA.

NIS2 Parallel Reporting: Who Leads

Italy’s transposition of the NIS2 Directive has introduced additional incident-reporting obligations for entities classified as essential or important under the directive, including many technology companies, cloud providers, managed service providers, and digital infrastructure operators. These entities must report significant incidents to the national CSIRT (Computer Security Incident Response Team) within tight timeframes that may differ from the GDPR’s 72-hour window. Under NIS2, an early warning must typically be issued within 24 hours of becoming aware of a significant incident, with a more detailed notification following within 72 hours.

The practical consequence is that an IT security team may need to file two separate reports for the same incident: one to the Garante under GDPR and one to the national CSIRT under NIS2. The content, format, and deadlines differ, and organisations subject to both regimes should maintain separate but coordinated reporting workflows. Industry observers expect the Garante and the national cybersecurity authority to increase their operational coordination, but for now, dual compliance remains the controller’s responsibility.

Parallel Reporting Workflow

  • Hour 0: Breach detected, initiate internal incident response.
  • By hour 24: If subject to NIS2, submit early warning to national CSIRT.
  • By hour 72: Submit GDPR notification to the Garante (and lead DPA if cross-border). Submit detailed NIS2 notification to CSIRT.
  • Ongoing: Provide supplementary updates to both authorities as forensic analysis progresses.
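
As an added example that is not part of the original article, the Python snippet below turns the timing rules above (72 calendar hours from awareness for the Garante filing, 24 and 72 hours for the NIS2 early warning and detailed notification to the CSIRT) into a single deadline schedule, and exposes the one timing trap the prose does not mention: adding 72 hours to a local wall-clock time drifts by an hour when a daylight-saving change falls inside the window. The dates are constructed, and whether the controller is in NIS2 scope is a flag you supply.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
from zoneinfo import ZoneInfo

# Italian local time. Portal timestamps are local; the law counts elapsed hours.
ROME = ZoneInfo("Europe/Rome")

GDPR_NOTIFICATION = timedelta(hours=72)   # GDPR Art. 33(1): notify the Garante
NIS2_EARLY_WARNING = timedelta(hours=24)  # NIS2: early warning to the national CSIRT
NIS2_DETAILED = timedelta(hours=72)       # NIS2: detailed notification to the CSIRT


@dataclass(frozen=True)
class ReportingSchedule:
    aware_at: datetime
    garante_by: datetime
    csirt_early_warning_by: Optional[datetime]   # None when not in NIS2 scope
    csirt_detailed_by: Optional[datetime]


def rome(year: int, month: int, day: int, hour: int, minute: int = 0) -> datetime:
    """Build a timezone-aware Italian local time (helper for the examples below)."""
    return datetime(year, month, day, hour, minute, tzinfo=ROME)


def add_elapsed(start: datetime, window: timedelta) -> datetime:
    """Add true elapsed time to an aware datetime.

    Python adds a timedelta to the wall-clock fields, so across a DST change
    `start + 72h` is 71 or 73 real hours. Doing the arithmetic in UTC keeps the
    window at exactly 72 elapsed hours, then converts back to local time.
    """
    if start.tzinfo is None:
        raise ValueError("awareness time must be timezone-aware")
    return (start.astimezone(timezone.utc) + window).astimezone(start.tzinfo)


def build_schedule(aware_at: datetime, subject_to_nis2: bool) -> ReportingSchedule:
    """Derive every filing deadline from the moment the controller became aware."""
    return ReportingSchedule(
        aware_at=aware_at,
        garante_by=add_elapsed(aware_at, GDPR_NOTIFICATION),
        csirt_early_warning_by=add_elapsed(aware_at, NIS2_EARLY_WARNING) if subject_to_nis2 else None,
        csirt_detailed_by=add_elapsed(aware_at, NIS2_DETAILED) if subject_to_nis2 else None,
    )


def hours_late(submitted_at: datetime, deadline: datetime) -> float:
    """Hours past the deadline, or 0.0 when on time. A positive value means the
    filing must carry the Art. 33(1) explanation for the delay."""
    overrun = submitted_at.astimezone(timezone.utc) - deadline.astimezone(timezone.utc)
    return max(0.0, overrun.total_seconds() / 3600)


def wall_clock_drift_hours(aware_at: datetime, window: timedelta = GDPR_NOTIFICATION) -> float:
    """How many hours a naive wall-clock deadline lands after the elapsed-hours
    deadline. Non-zero only when a DST transition falls inside the window."""
    wall_clock = aware_at + window                # same local time, N days later
    exact = add_elapsed(aware_at, window)         # exactly N*24 elapsed hours later
    diff = wall_clock.astimezone(timezone.utc) - exact.astimezone(timezone.utc)
    return diff.total_seconds() / 3600


if __name__ == "__main__":
    # Constructed scenario: awareness at 22:00 on Friday 24 Oct 2025, two days
    # before Italian clocks fall back (Sunday 26 Oct 2025); controller is in NIS2 scope.
    aware = rome(2025, 10, 24, 22)
    s = build_schedule(aware, subject_to_nis2=True)
    print("GDPR notification to the Garante by  :", s.garante_by)          # Mon 27 Oct 21:00 CET
    print("NIS2 early warning to the CSIRT by   :", s.csirt_early_warning_by)
    print("NIS2 detailed notification by        :", s.csirt_detailed_by)
    print("wall-clock deadline would be late by :", wall_clock_drift_hours(aware), "h")
```

The conservative operating rule that follows is to file by the earlier of the two readings whenever a clock change falls inside the window.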

6. Practical Templates and Sample Wording for Controller Notification in Italy

Having clear, pre-drafted templates accelerates notification and reduces the risk of omitting required information under pressure. The following templates are designed to be adapted to specific circumstances; they are not legal advice and should be reviewed by qualified counsel before use.

Template A, Controller to Garante (Initial Notification)

“[Controller legal name], fiscal code [XX], hereby notifies the Garante per la protezione dei dati personali of a personal data breach pursuant to Article 33 of Regulation (EU) 2016/679. The breach was discovered on [date] at [time]. It involved [unauthorised access to / loss of / alteration of] [categories of personal data] affecting approximately [number] data subjects in the categories of [employees / customers / patients / other]. The likely consequences include [identity theft risk / financial exposure / loss of confidentiality of health data / other]. Measures taken to contain the breach and mitigate its effects include [isolation of affected systems / forced password resets / engagement of forensic specialists / other]. DPO contact: [name, email, phone].

This is an [initial / supplementary] notification; further details will be provided as the investigation progresses.”

Template B, Processor to Controller (Escalation Alert)

“[Processor legal name] informs [Controller legal name] of a suspected personal data breach detected on [date] at [time] in connection with [description of processing activity covered by the DPA dated [date]]. Nature of the incident: [brief description]. Data categories potentially affected: [list]. Estimated number of records: [number or ‘under investigation’]. Containment measures already implemented: [list]. We are available for immediate coordination and will provide further technical details as requested. Contact: [name, email, phone].”

Template C, Controller to Affected Data Subjects

“Dear [Data Subject], we are writing to inform you that [Controller legal name] has experienced a personal data breach that may affect your personal information. The breach occurred on [date] and involved [brief, plain-language description]. The data potentially affected includes [categories in plain language]. We have taken the following steps to address the situation: [list of measures]. We recommend that you [change your password / monitor your financial accounts / remain alert to unsolicited communications / other specific advice]. For questions, please contact our Data Protection Officer at [email / phone]. You also have the right to lodge a complaint with the Garante per la protezione dei dati personali.”

7. Remediation, Evidence, and Post-Notification Steps

Submitting the notification is not the final step. The period following a breach report demands structured remediation, rigorous evidence preservation, and ongoing communication with both the Garante and affected individuals. What the DPO and IT team must do next falls into three operational phases.

Immediate Containment and Forensic Logging

  • Isolate affected systems. Disconnect compromised servers, revoke credentials, and block attack vectors while preserving forensic evidence.
  • Preserve logs. Create forensic images of affected storage and retain network logs, access records, and firewall data. Chain-of-custody documentation is essential if the matter may involve law enforcement.
  • Conduct root-cause analysis. Determine how the breach occurred, which vulnerabilities were exploited, and whether the attacker retains access.

Risk Assessment and Follow-Up Communications

  • Refine the risk assessment. As forensic findings emerge, update the initial risk evaluation. If the risk level escalates to “high,” trigger data-subject notification under GDPR Article 34 if not already initiated.
  • Submit supplementary notifications. Provide the Garante with updated details, revised data-subject counts, newly discovered data categories, or additional containment measures, without undue delay.
  • Update the internal breach register. Record every action taken, every communication sent, and every decision made, with timestamps and responsible individuals identified.

Evidence Preservation and Cooperation with Law Enforcement

Where the breach involves criminal activity (ransomware, hacking, insider theft), the controller should consider reporting the incident to the Polizia Postale (Italy’s postal and communications police, which handles cybercrime). Cooperation with law enforcement does not replace or delay the GDPR notification to the Garante; both obligations run in parallel. Forensic evidence should be preserved in a manner that is admissible in court, and external forensic consultants should follow recognised standards for digital evidence handling.

8. Practical Risk and Enforcement: Data Breach Fines in Italy (2024–2026)

The Garante has consistently demonstrated a willingness to sanction controllers for late, incomplete, or absent breach notifications. Enforcement actions in the 2024–2026 period reflect a clear institutional priority: organisations that fail to notify within 72 hours, or that submit notifications lacking essential details, face both financial penalties and reputational consequences. GDPR Article 83(4)(a) permits administrative fines of up to €10 million or 2% of global annual turnover for notification failures, a ceiling that underscores the seriousness with which the regulation treats timeliness.

Early indications suggest that the Garante’s enforcement posture will continue to intensify in line with Italy’s broader National Cybersecurity Strategy and NIS2 implementation. Practical mitigation strategies include maintaining an up-to-date incident response plan, conducting regular tabletop exercises that simulate the 72-hour workflow, pre-drafting notification templates (as provided above), and ensuring that the data processing agreements with all processors include enforceable escalation timelines. Organisations that can demonstrate a mature, documented response process are better positioned to argue for mitigating factors should an enforcement action arise.

The rising volume of phishing, ransomware, and state-sponsored cyber operations targeting Italian organisations, documented by industry security analysts, makes proactive compliance preparation not merely a legal formality but a business continuity imperative.

Conclusion

Knowing how to report a data breach in Italy online, from the initial threshold decision through the Garante’s electronic submission portal to cross-reporting under NIS2, is no longer optional knowledge for IT and compliance teams. The 72-hour window is unforgiving, the Garante’s enforcement posture is intensifying, and dual reporting obligations add operational complexity that demands advance preparation. Organisations operating in Italy should implement the workflows, templates, and checklists outlined in this guide, test them regularly, and ensure that every link in the controller-processor chain is contractually and operationally ready. For tailored guidance on breach notification strategy, explore the Italy lawyer directory or request a consultation through Global Law Experts.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Enrico Morello at Lexant SBtA a r.l., a member of the Global Law Experts network.

FAQs

Who must notify the Garante after a data breach?
The data controller must notify the Garante if a breach is likely to result in a risk to individuals’ rights and freedoms. Data processors do not notify the Garante directly; they must alert the controller without undue delay so the controller can fulfil its notification obligation.

What information must the notification include?
You must include the nature of the breach, categories and approximate number of affected data subjects and records, likely consequences, measures taken or proposed to address the breach, and DPO contact details. Use the Garante’s online databreach service form, which maps these requirements to specific fields.

When does the 72-hour clock start?
The 72-hour deadline begins when the controller “becomes aware” of the breach, the moment a person with responsibility to act has a reasonable degree of certainty that personal data has been compromised. The 72 hours are calendar hours, including weekends and public holidays.

When must affected data subjects be informed?
Only when the breach is likely to result in a high risk to their rights and freedoms. The communication must describe the breach in clear, plain language and include the DPO’s contact details, likely consequences, and measures taken. GDPR Article 34(3) provides limited exceptions where technical safeguards rendered the data unintelligible.

Does NIS2 add a separate reporting obligation?
If your organisation is classified as an essential or important entity under the NIS2 Directive, including many IT providers, cloud services, and digital infrastructure operators, you must report significant incidents to Italy’s national CSIRT in parallel with your GDPR notification to the Garante. NIS2 requires an early warning within 24 hours.

Can a processor notify the Garante directly?
Only if the controller has explicitly authorised or instructed the processor to do so. Otherwise, the processor’s obligation is to notify the controller and provide all necessary information and assistance for the controller to file its own notification.

What happens if the 72-hour deadline is missed?
The controller should still notify the Garante as soon as possible and include a documented explanation for the delay, as required by GDPR Article 33(1). Late notification is an aggravating factor in enforcement proceedings and may result in administrative fines, but failure to notify at all carries even greater risk.