Investing in Cybersecurity: What are the Trends of a Strategic Pillar in the Transition Plan 5.0
It is predicted that by 2025, 41 billion devices worldwide will be connected to the Internet of Things, making cybersecurity a top priority. Cybersecurity becomes a critical element for the survival and competitiveness of businesses. In a scenario where malware designed to steal banking credentials, software allowing remote control of devices, or tools to download additional malware are becoming increasingly widespread, the Transition Plan 5.0 represents a significant opportunity for Italian companies to invest in cybersecurity.
The Transition Plan 5.0
The Transition Plan 5.0 aims to support and accelerate the digital and energy transformation of national businesses, making them more competitive and sustainable on an international level. It includes specific tax incentives for investments in technologies and solutions that improve cybersecurity, facilitating the purchase of security-related software and hardware, offering support for investments in consulting and training services on cybersecurity risks, and providing incentives for solutions that protect data and applications in the cloud, as well as measures to ensure the security of connected devices. The primary tool proposed by the Transition Plan 5.0 is the tax credit for cybersecurity investments, which covers, among other eligible expenses, not only IT systems, software, cloud solutions, and consulting services but also the 4.0 Training Tax Credit, which covers expenses related to cybersecurity training for staff. Thanks to these incentives, businesses can reduce the risks of cyberattacks and their subsequent economic losses, increase the trust of clients and partners, comply with data protection regulations, and optimize internal processes, all while improving operational efficiency.
Italian Excellence According to the Global Cybersecurity Index 2024 Report Thanks to CSIRT
According to the Global Cybersecurity Index 2024 Report by the International Telecommunication Union (ITU), a United Nations agency specializing in ICT, Italy is a model country in how it manages cybersecurity issues and cybercrime. This is demonstrated not only by the presence of a National Authority, the Agency for National Cybersecurity (ACN), tasked with ensuring security and resilience in the cyber domain, but also by the Operational Summary of the Computer Security Incident Response Team (CSIRT) Italy, which plays an active role in improving skills and raising awareness about these risks. CSIRT is the national hub that receives incident notifications, which can be reported online by affected parties, and uses these to create a useful tool for assessing trends and the state of cybercrime in the country: the Operational Summary. This is a document published monthly, providing useful information to characterize the state of the cyber threat in Italy, the most active groups, and data that helps to understand the phenomena and their evolution over time, all with the aim of strengthening prevention levels based on the knowledge of past incidents.
Public Incentives for Cybersecurity
In an ever-evolving context where investments in cybersecurity are necessary but challenging, Italian companies can also count on the support of national bodies to achieve their cybersecurity goals. The Agency for National Cybersecurity and the government have set up a coordination structure to promote investments and allocated 90 million euros for 2024 to fund projects in cybersecurity, AI, and quantum computing. Another organization promoting cybersecurity investments is Invitalia, with its Digital Transformation incentives. This measure supports the technological and digital transformation of the production processes of micro and small-medium enterprises (SMEs) by applying advanced 4.0 technologies. It also funds projects using digital supply chain solutions, including those related to software. CDP Venture Capital has also established the Digital Transition Fund to support the digital transformation of supply chains and SMEs through financial support for innovative projects in cybersecurity, AI, fintech, blockchain, and cloud, with at least 250 companies involved by mid-2025.
Cybersecurity in Europe and Italy with the NIS 2 Directive
The NIS 2 Directive, which follows the previous NIS Directive of 2016, is one of the EU’s latest responses to cybersecurity threats. It updates the list of sectors and activities subject to cybersecurity obligations and promotes greater cooperation among member states. The directive introduces criteria to make it easier and more consistent to identify operators, dividing them into two new categories: “essential entities” and “important entities,” further categorized according to company size. The NIS 2 excludes organizations with fewer than 50 employees or an annual turnover below 10 million euros, unless deemed critical. Critical entities will be defined by the CER Directive – Critical Entities Resilience – which focuses on the resilience of critical or extremely critical entities, strengthening their preparedness for various threats, including terrorism, natural risks, and health emergencies. In addition to digital service providers, the NIS 2 applies to other types of entities, such as providers of communication networks or electronic communication services accessible to the public, domain name registration services, and some public administration entities. The deadline for each member state to define the list of essential or important entities and provide information on their level of regulatory compliance is set for April 17, 2025.
The Data Act and Commercial Use of Data
The increasing spread of connected devices, cloud adoption, and IoT systems exposes companies to a growing number of potential cybersecurity vulnerabilities. Managing ever-growing amounts of sensitive data requires adequate security measures to prevent breaches and information loss. However, the commercialization of this data also needs clear rules, as cyberattacks increasingly disrupt production processes, causing severe economic damage. In the complex regulatory landscape that concerns data protection, governance, and usage, the Data Act, the regulation by the European Parliament and Council, complements other sector-specific regulations such as GDPR. It governs the commercial use of data to ensure its proper utilization without limiting market opportunities. The competent authority for its implementation in Italy will be the Agency for Digital Italy (AgID), which will regulate data intermediation services under this regulation. Thus, the Data Act is part of a series of regulations that demonstrate how investing in cybersecurity is not just a cost but a strategic investment for business growth and development.