-
What are the national authorities for banking regulation, supervision and resolution in your jurisdiction?
The national authorities responsible for banking regulation, supervision and resolution in Italy are the European Central Bank (“ECB”), the Bank of Italy and the Interministerial Committee for the Credit and the Savings (“CICR”).
The ECB is responsible for banking supervision in the Euro area under the Single Supervisory Mechanism (“SSM”) and supervises significant entities.
The Bank of Italy seeks to ensure the sound and prudent management of intermediaries, the overall stability and efficiency of the financial system and compliance with the rules and regulations of supervised banking intermediaries. The Bank of Italy is the designated National Competent Authority (“NCA”) under the Single Supervisory Mechanism (“SSM”). The Bank of Italy is also the Italian Supervisory Authority in charge of resolution and crisis management for banks and non-bank intermediaries as well as extra-EU banks established in Italy, pursuant to Legislative Decrees N. 180 and 181 dated 16 November 2015, transposing Directive 2014/59/EU of 15 May 2014 establishing a framework for the recovery and resolution of credit institutions and investment firms. Within the Bank of Italy, this function is entrusted to the Resolution and Crisis Management Unit.
The CICR is responsible for the overall supervision of credit and the protection of savings. The CICR deliberates, on the proposal of the Bank of Italy, on the principles and criteria for the exercise of supervision.
-
Which type of activities trigger the requirement of a banking license?
Pursuant to Article 10 of the Legislative Decree No. 385 dated 3 September 1993 on Consolidated Banking Act (“CBA”), banking activities consist of taking deposits from the public as well as the granting of credit in any form.
The activity of taking deposits consists of the acquisition of funds with an obligation of repayment, both in the form of deposits and in other forms. Lending activities fall within the scope of the granting of credit. Pursuant to Article 2 of Ministerial Decree dated 2 April 2015 N. 53, the granting of financing in any form implies the granting of credit, including the issue of guarantees in lieu of credit and endorsement commitments as well as any other form of financing in the form of:
- Financial leases;
- Purchase of receivables;
- credit to consumers in the form of deferred payment, loans or other financial facilities;
- mortgage credit;
- loans secured by pledges;
- issuing guarantees, endorsements, opening documentary credit, acceptance, endorsement, commitment to grant credit, as well as any other form of issuing guarantees and signature commitments.
-
Does your regulatory regime know different licenses for different banking services?
Yes. Under the CBA, lending activities can also be provided by the following intermediaries:
- financial intermediaries carrying out financing activities, as defined by Article 2 of Ministerial Decree dated 2 April 2015 N. 53;
- “Confidi” are intermediaries that exclusively carry out collective credit guarantee activities and related or instrumental services;
- “Operatori del microcredito” (microcredit operators) exclusively grant loans to natural persons or companies.
The following intermediaries are exempt from banking authorization for lending activities:
- Management company and investment firms are allowed to carry out financing activities if connected to the provision of investment services, if the firm granting the credit or loan is involved in the transaction;
- Management company establishing loan-originating alternative investment funds;
- special purpose vehicles for securitization transactions in compliance with limits set forth by Article 1 (1-ter) of Law dated 30 April 1999 N. 130;
- insurance companies under the limits by the Italian insurance supervisory Authority (“IVASS”) Regulation No 24 dated 6 June 2016 pursuant to Article 38(1-bis) of Legislative Decree dated 7 September 2005, N. 209 on Private Insurance Code.
-
Does a banking license automatically permit certain other activities, e.g., broker dealer activities, payment services, issuance of e-money?
Yes. In addition to the activities and services outlined in response to question n. 2, an Italian banking license enables the provision of the following services, provided that the relevant bank submits the request to the Supervisory Authorities:
- Payment services;
- Issuing and administering other means of payment (e.g. travellers’ cheques and bankers’ drafts);
- Guarantees and commitments;
- Trading for own account or for account of clients in any of the following:
  - money market instruments (cheques, bills, certificates of deposit, etc.);
  - foreign exchange;
  - financial futures and options;
  - exchange and interest-rate instruments;
  - transferable securities.
- Participation in securities issues and the provision of services relating to such issues;
- Advice to undertakings on capital structure, industrial strategy and related questions and advice as well as services relating to mergers and the purchase of undertakings;
- Money broking;
- Portfolio management and advice;
- Safekeeping and administration of securities;
- Credit reference services;
- Safe custody services;
- Issuing electronic money including electronic-money tokens as defined in Article 3(1), point (7), of Regulation (EU) No 2023/1114;
- Issuance of asset-referenced tokens as defined in Article 3(1), point (6), of Regulation (EU) No 2023/1114;
- Crypto-asset services as defined in Article 3(1), point (16), of Regulation (EU) No 2023/1114;
- Credit servicer and credit purchaser services pursuant to Directive (EU) No 2021/2167 on credit servicers and credit purchasers.
Therefore, banks are allowed to provide:
- investment services subject to the authorization granted by the Bank of Italy, after having obtained the approval of CONSOB;
- depositary services for undertakings for collective investment (UCIs or AIFs) subject to the authorization granted by the Bank of Italy, after having obtained the approval of CONSOB;
- Crowdfunding services pursuant to Regulation (EU) No 2020/1503 subject to the authorization granted by the competent national supervisory authority (Bank of Italy);
- insurance distribution services requiring the enrollment in the single register of intermediaries (section D) granted by the competent national supervisory authority (IVASS).
-
Is there a "sandbox" or "license light" for specific activities?
Yes. A banking regulatory sandbox was introduced in Italy by Decree of the Ministry of Economics and Finance N. 100 dated 30 April 2021 (“Decree”), implementing Decree Law 34/2019, setting out the “FinTech Committee rules and experimentation”.
Application to sandbox can be filed for activities using innovative technology affecting the banking sector and which, alternatively, are:
- subject to prior authorization by the Bank of Italy (or fall within the cases of exclusion or exemption provided for by the applicable laws);
- carried out in favor of entities that are supervised or regulated by at least one supervisory authority (also operating in Italy pursuant to the freedom to provide services or the right of establishment through a branch);
- carried out by entities, which are supervised or regulated by at least one of the supervisory authorities or by a foreign entity operating in Italy pursuant to the freedom to provide services or the right of establishment through a branch.
The request for admission is free of charge and is available exclusively to operators who meet all the eligibility criteria set forth by Articles 7 and 8 of the Decree of the Ministry of Economics and Finance N. 100 dated 30 April 2021 (“Decree”). The application may be submitted during specific time-windows established by the Bank of Italy, by submitting the application form together with the documentation required by Article 10 of the Decree.
Admission to the sandbox allows applicants to benefit from specific derogations granted at the Bank of Italy’s discretion, which may concern the following areas:
- capital requirements;
- simplified requirements proportionate to the activities to be carried out;
- operating perimeters;
- reporting requirements;
- timeframes for the granting of authorization;
- professionalism requirements for corporate officers;
- corporate governance and risk management profiles;
- admissible corporate forms;
- possible financial guarantees.
On 1 April 2025, the Ministry of Economics and Finance launched a public consultation on a draft regulation replacing its Decree of the Ministry of Economics and Finance N. 100 dated 30 April 2021 in order to simplify the application process to the sandbox. The final version of the regulation has not been adopted yet.
-
What regulatory restrictions or authorisation requirements apply to banks engaging in the issuance, custody or provision of services relating to cryptoassets or other digital assets?
At a national level, Legislative Decree N. 129 dated 5 September 2024 has been adopted in order to adapt Italian legislation to Regulation (EU) No 2023/1114 on Markets in Crypto-assets (“MiCAR”). The Legislative Decree designates the Bank of Italy and Consob as the competent authorities for the supervision and regulation of the crypto-asset sector.
The activities of issuing, offering to the public and admission to trading of asset-referenced tokens (“ART”) or e-money tokens (“EMT”), as well as the provision of services for crypto-assets are therefore reserved for the categories of entities expressly identified by MiCAR.
In summary:
- the issuance, public offering and request for admission to trading of ART is reserved to specialized entities, based on a specific authorization and supervision regime as well as credit institutions and class 1 investment firm authorized;
- the issuance, public offering and request for admission to trading of EMT is reserved to banks and electronic money institutions (“IMEL”);
- the provision of services for crypto-assets is reserved, pursuant to Article 3(16) of MiCAR, to authorized crypto-asset service providers (“CASP”), as well as credit institutions, central securities depositories, investment firms, market operators authorised under Directive 2014/65/EU, electronic money institutions, UCITS management companies, or alternative investment fund managers that are allowed to provide crypto-asset services pursuant to Article 60 of MiCAR.
-
Can cryptoassets or digital assets constitute "deposits" or equivalent protected funds under applicable law, and are they capable of benefiting from depositor protection, client asset safeguarding or segregation regimes?
No. ART and EMT do not constitute deposits.
However, pursuant to Article 19 of the Legislative Decree N. 129 dated 5 September 2024, the reserve of assets of any ART or EMT deposited with a CASP is segregated from assets of CASP as well as assets belonging to other clients.
Each reserve of assets is intended to satisfy the redemption rights of ART or EMT holders for which it was established.
Actions by creditors of CASP in connection with or in the interest of the crypto-assets, as well as actions by creditors of or in the interest of the custodian or sub-custodian, if any, shall not be permitted in respect of such assets. Actions by creditors of individual clients are permitted to the extent of the reserve assets held by such clients. CASPs may not use for their own account clients’ funds held by them in any capacity whatsoever.
Statutory and judicial offsets do not apply and no contractual offsetting may be agreed with respect to claims of the depositary against the issuer of ART and EMT.
With regard to funds belonging to clients, banks, payment institutions and e-money institutions operating as CASP are subject to the provisions of the respective sectoral regulations.
-
If cryptoassets are held by the licensed entity, what are the related capital requirements (risk weights, etc.)?
As a preliminary remark, CASPs are required to have in place prudential safeguards equal to an amount of at least the higher of the following:
- the amount of the permanent minimum capital requirements indicated in Annex IV of MiCAR according to services provided by the CASP, depending on the type of the crypto-asset services provided; and
- one quarter of the fixed overheads of the preceding year, to be reviewed on annual basis.
Prudential requirements indicated above are satisfied in the following forms or a combination thereof:
- own funds, consisting of Common Equity Tier 1 items and instruments referred to in Articles 26 to 30 of Regulation (EU) No 575/2013 (“CRR”) after the deductions and without the exemptions provided by CRR;
- an insurance policy covering the territories of the European Union where crypto-asset services are provided or a comparable guarantee.
With respect to Italian banks and investment firms within the scope of Regulation (EU) No 575/2013 (“CRR”), Article 501d of CRR shall apply.
Article 501d mandates the EBA to specify the technical elements necessary for institutions to calculate their own funds requirements with respect to crypto-asset exposures and exposures to asset-referenced tokens.
On 8 August 2025, EBA published its Final Report on Draft Regulatory Technical Standards to specify the technical elements necessary for institutions to calculate and aggregate crypto-asset exposures in relation to the prudential treatment of such exposures.
Until the date of application of the abovementioned Regulatory Technical Standards, Article 501d provides for a transitional prudential framework requiring institutions to calculate their own funds requirements for crypto-asset exposures as follows:
a) crypto-asset exposures to tokenized traditional assets shall be treated as exposures to the traditional assets that they represent;
b) exposures to asset-referenced tokens whose issuers comply with Regulation (EU) No 2023/1114 and that reference one or more traditional assets shall be assigned a risk weight of 250 %;
c) crypto-asset exposures other than those referred to in points (a) and (b) shall be assigned a risk weight of 1 250 %. By way of derogation from the first subparagraph, point (a), crypto-asset exposures to tokenised traditional assets whose values depend on any other crypto-assets shall be assigned to this point (c);
d) the value of an institution’s total exposure to crypto-assets other than those referred to in points (a) and (b), shall not exceed 1 % of the institution’s Tier 1 capital;
e) for the calculation of their own funds requirements for crypto-asset exposures, deduction regarding intangible assets shall not apply.
-
What is the general application process for bank licenses and what is the average timing?
The European Central Bank (“ECB”) is the supervisory authority responsible for granting banking licences to credit institutions established in the Member States participating in the Single Supervisory Mechanism (“SSM”). In this respect, the Bank of Italy receives licensing applications and conducts preliminary assessments in cooperation with the ECB.
Pursuant to Article 14 of the CBA and Circular n. 285 of the Bank of Italy dated 17 December 2013 on supervisory provisions for banks, an entity applying for banking licences must meet the following requirements:
a. legal form of a joint-stock company or a cooperative company (“società cooperativa”);
b. registered office and headquarters in Italy;
c. initial share capital of at least:
- €10 million for banks in the form of public limited companies, “popolari” banks and mutual loan guarantee banks;
- €5 million for cooperative credit banks;
The application for banking license must be accompanied by a number of documents, including by way of example, the following:
d. programme for the initial activity, together with the articles of association, the bylaws, an indication, if applicable, of the composition of the group to which it belongs and a description of the provisions, processes and mechanisms relating to corporate governance, administrative and accounting organisation, internal controls and remuneration and incentive systems;
e. documents evidencing the regulatory requirements for qualified shareholders;
f. documents evidencing regulatory fit and proper requirements for members of the management body and key function holders;
g. documents evidencing that there are no close links between the bank or any entities within the group and other entities that could stand in the way of effective supervision.
The authorization procedure is usually completed within 7 to 8 months after receipt of the complete application. In any case, the decision is taken by the ECB within 12 months of receipt of a regular and complete application.
It is highly recommended to contact and discuss the project with the Bank of Italy before submitting the application in order to explain the business plan as well as to receive technical feedback on the application (so called “pre-filing”).
-
To what extent may foreign or overseas banks conduct cross-border banking activities into the jurisdiction without establishing a local presence or obtaining local authorisation, and what limitations or conditions apply?
With reference to banks authorized in other Member States, no authorization process is required to be applied for the provision of banking services in Italy on a cross-border basis under the freedom to provide services or the freedom of establishment.
According to Commission Delegated Regulation (EU) No 1151/2014 supplementing Articles 35 and 39 of Directive 2013/36/EU on access to the activity of credit institutions and the prudential supervision of credit institutions, EU banks are required to notify the competent authorities of their home Member State of specific contact information, the list of activities which they intend to carry out in Italy and the intended commencement date. In the case of a branch, EU banks are also required to communicate:
- a programme of operations detailing the business envisaged and structural organisation of branch;
- the address in the host Member State from which documents may be obtained;
- details of professional experience of the person responsible for the management of the branch;
- other information regarding, among other things, a three-year financial plan, name and contact details of the Union deposit guarantee and investor protection schemes and details of the branch’s IT arrangements.
Once the Bank of Italy has received the notification from the competent authorities of the host Member State, or if the three-month period has expired, EU banks will be able to start their activities in Italy.
With reference to non-EU banks, Legislative Decree No 208 of 31 December 2025 implemented Directive EU 2024/1619 amending Directive 2013/36/EU as regards supervisory powers, sanctions, third-country branches, and environmental, social and governance risks (“CRD VI”).
According to Legislative Decree No 208 of 31 December 2025, as of 11 January 2027, non-EU banks are required to establish a branch in Italy if they intend to carry out the following services:
- Taking deposits and other repayable funds;
- Lending;
- Guarantees and commitments.
The so-called branching obligation shall not apply to the provision of the following services:
(a) on a reverse solicitation basis to a retail client, an eligible counterparty, or a professional client within the meaning of Annex II, Sections I and II, to Directive 2014/65/EU;
(b) to a credit institution; or
(c) to an undertaking of the same group as that of the undertaking established in a third country.
The authorization for the establishment of a branch by a non-EU bank is granted by the Bank after consulting the Ministry of Foreign Affairs and International Cooperation and taking due account of the conditions of reciprocity between Italy and non-EU bank home country, taking into account the following elements:
- the activities that the head undertaking seeks authorization for in Italy are covered by the authorisation that such head undertaking holds in the third country where it is established and are subject to supervision in that third country;
- the information provided in the application, which includes a programme of operations setting out the envisaged business, the activities to be carried out and the organisational structure and risk management of the branch;
- the supervisory authority of the head undertaking in the third country has been notified of and provided with the application to establish a branch in Italy and the accompanying programme of operations;
- the supervisory authority of the head undertaking in the third country has certified that the third-country bank and its group meet the requirements applicable under the law of the third country with regard to capital adequacy, the adequacy of organizational, administrative, and accounting structures;
- compliance with prudential requirements by the branch;
- the absence of impediments to the effective exercise of supervisory functions;
- there are no reasonable grounds to suspect that the branch is being used to commit or facilitate money laundering or terrorist financing.
With reference to the cases indicated above in letters (b) and (c), non-EU banks may also be authorized to provide services in Italy by virtue of the freedom to provide services, in accordance with the regulatory requirements of the Bank of Italy, which have yet to be adopted.
In this regard, according to Legislative Decree No 208 of 31 December 2025 implementing Directive EU 2024/1619, please note that:
- until January 11, 2027, non-EU banks currently authorized in Italy will be able to continue operating in Italy under the current authorization regime, regardless of whether they are currently established in Italy or not;
- after January 11, 2027, third-country banks may continue to carry out, without establishing branches, activities strictly necessary for the management of contracts – relating to activities connected with the branch obligation – entered into before July 11, 2026, without the possibility of novation or renewal. In any case, permanent contracts must be terminated or transferred to other authorized intermediaries by January 10, 2028;
- non-EU banks currently established in Italy will be able to continue operating in Italy even after January 11, 2027, provided that they have previously submitted an application for authorization until such authorization is granted or denied;
- by January 10, 2028, banks from third countries that are not authorized to provide services in Italy will be required to terminate their relationships with their customers or transfer them to authorized intermediaries.
-
What legal forms are permitted to operate banks in the jurisdiction (e.g. public company, private company, subsidiary or branch), and what are the key regulatory considerations associated with each structure?
Pursuant to Article 14 of the CBA, Italian banks and non-Italian bank subsidiaries must be incorporated in the form of a joint-stock company or a cooperative company (“società cooperativa”).
Both legal forms provide for:
- limited liability for all shareholders, as company covers liabilities exclusively with its own assets;
- division of capital into shares.
However, cooperative banks are characterized by open-ended capital and pursue a mutualistic purpose. As a matter of fact, cooperative banks are not for profit, as they carry out activities designed to offer their members, through mutual collaboration, goods, services, or job opportunities on terms more advantageous than those available on the market.
Italian banks (including branches) are allowed to list financial instruments on trading venues (i.e., regulated markets, multilateral trading facilities, or organised trading facilities). The admission of financial instruments to trading venues triggers the application of sector regulations on issuers.
Non-Italian banks are allowed to offer their services and operate in Italy by establishing a branch or under the freedom to provide services (see Q&A n. 10).
Under the right to establish a branch, a bank is allowed to establish in Italy a place of business which forms a legally dependent part of the bank and which carries out directly all or some of the transactions inherent in the business of institutions. From the Italian regulatory perspective, the main organizational requirements relating to a banking branch are:
- appoint at least two (local) legal representatives effectively directing the business;
- set up local internal control functions;
- depending on their size, internal organisation and the nature, scope and complexity of their activities, the Bank of Italy may require branches to appoint an officer for each internal control function and establish a local management committee.
Under the freedom to provide services, non-Italian banks are allowed to provide banking services in Italy on a cross-border basis without a local presence acting on a permanent basis on behalf of the bank.
-
Does the jurisdiction impose any structural separation or ring-fencing requirements on banks or banking groups, and what practical challenges do these create for group structures and operations?
No. The Italian legal framework does not impose any structural separation or ring-fencing requirements on banks or banking groups with respect to the business model carried out by the relevant entity (e.g., separation of retail banking activities from investment banking activities).
However, it should be noted that the Bank of Italy requires careful consideration of organisational solutions based on forms of operational or corporate separation that would be particularly suitable for relatively large banks and banking groups with significant opportunities for developing participatory investment activities.
-
What governance, risk management and internal control requirements apply to banks, including expectations regarding board composition, management oversight, committee structures and organisational culture?
As a preliminary remark, Circular n. 285 of the Bank of Italy dated 17 December 2013 on supervisory provisions for banks (“Circular 285”) requires that banks’ organisational and corporate governance structures must ensure sound and prudent management, which is an essential objective of regulation and supervisory controls.
With reference to the governance, the administration and control system of the bank (traditional, monistic or dualistic system) should ensure efficient management and effective controls, taking into account the costs associated with the adoption and operation of the chosen system, the ownership structure and the relative degree of openness to the risk capital market, the size and complexity of operations, medium- and long-term strategic objectives, and the organisational structure of the group, if any.
In this respect, banks should ensure a clear distinction of roles and responsibilities, adequate balance of powers, balanced composition of bodies, effective controls, monitoring of all corporate risks and adequacy of information flows.
Circular 285 defines the duties of the main corporate bodies as follows:
- the management body entrusted with strategic supervision defines the overall governance structure and approves the organisational structure of the bank, verifies its proper implementation and promotes timely corrective measures in the event of deficiencies or inadequacies. Among its duties, the management body entrusted with strategic supervision elaborates and resolves the business model, strategic guidelines of the bank and provides for their periodic review, risk objectives, tolerance threshold (where identified) and risk governance policies and the guidelines of the internal control system.
- the management body in its management function is responsible for the implementation of the strategies, risk appetite framework and risk management policies set by the management body with strategic supervision and discusses regularly the implementation and appropriateness of those strategies with the latter. The content of the delegations of the management body in its management function must be determined analytically and characterized by clarity and precision, including in the indication of the quantitative or value limits and any manner of exercise. Among other things, the management body establishes operational limits to the assumption of the various types of risk as well as the responsibilities of the corporate structures and functions involved in the risk management process. Among its duties, the management body in its management function defines and supervises the implementation of the process (responsible persons, procedures, conditions) for the approval of investments in new products, the distribution of new products or services, or the launch of new activities or entry into new markets, the outsourcing policy, evaluation of company assets and the structure of information flow on risk, and it implements the initiatives and measures necessary to ensure the ongoing completeness, adequacy, functionality, and reliability of the internal control system.
- The board of statutory auditors is responsible for monitoring the completeness, adequacy, functionality, and reliability of the internal control system and the RAF. It is required to verify the adequacy of all functions involved in the control system, the correct performance of tasks, and the adequate coordination of these tasks, promoting corrective measures for any deficiencies and irregularities identified.
With respect to the composition of corporate bodies, Circular 285 requires that the number of members of corporate bodies be qualitatively and quantitatively adequate, taking into account the size and complexity of the bank’s organizational and operational structure.
From a qualitative composition perspective, the main requirements set out in Circular 285 require members of corporate bodies to:
- satisfy suitability requirements set forth by Article 26 of CBA and relevant implementing regulations, as well as EBA and ESMA joint guidelines on the assessment of suitability and ECB guidance on fit and proper assessment;
- possess skills that are widespread among all members and appropriately diversified;
- the presence of an adequate number of non-executive members;
- devote adequate time and resources to the complexity of their task;
- reflect an adequate degree of diversity in terms of, among other things, skills, experience, age, gender and international perspective. With regard to gender diversity, in bodies with strategic supervisory and control functions, the number of members of the less represented gender must be at least 33% of the members of the body;
- at least one member of the committees within the council should be from the less represented gender;
- the role of chair of the body with strategic oversight functions, chair of the body with control functions, chief executive officer and general manager are not held by members of the same gender;
- to appoint a specific member of the management body as responsible for the implementation of the laws, regulations and administrative provisions necessary to comply with AML legal framework.
Banks of greater size or operational complexity must establish within the body with strategic supervisory function three specialized committees: “nomination”, “risks” and “remuneration” (while so-called intermediate banks are required to establish at least the risk committee). In more complex banks, specific committees may be set up to manage the various risk profiles.
Circular 285 considers it good practice for committees to ensure that:
- at least one member is of the less represented gender;
- there is an adequate number of independent directors;
- each committee is composed of directors who are (in part) diversified and non-executive.
Banks must adopt a system of internal controls that ensures that the company’s activities are in line with corporate strategies and policies and are based on sound and prudent management principles.
Circular 285 identifies the following types and structures of internal controls:
- line controls (known as ‘first-level controls’), aimed at ensuring the correct performance of operations carried out by the same operational structures;
- risk and compliance controls (known as ‘second-level controls’), which aim to ensure, among other things:
i. the proper implementation of the risk management process;
ii. compliance with the operational limits assigned to the various functions;
iii. the compliance of business operations with regulations, including self-regulatory rules.
- internal audit (known as ‘third-level controls’), aimed at identifying violations of procedures and regulations, as well as periodically assessing the completeness, adequacy, functionality (in terms of efficiency and effectiveness) and reliability of the internal control system and information system (ICT audit), in relation to the nature and intensity of the risks.
Banks shall establish permanent and independent internal control functions of compliance, risk management, ICT risk, AML and internal audit.
For banking groups, the parent company is furthermore required to establish the group’s AML function and appoint an officer for this function.
However, taking into account the principle of proportionality, banks may, as long as controls over the various types of risk remain independent and effective:
- entrust a single internal control function with the task of compliance and risk management;
- entrust ICT risk with compliance and/or risk management function;
- entrust the anti-money laundering function to the compliance or risk management function;
- outsource internal control functions;
- assign the role of officer of the risk control and/or compliance function to a person who also performs other duties.
Banks must ensure that officers appointed for each internal control function are at all times of sufficiently good repute, act with honesty and integrity and possess sufficient knowledge, skills and experience necessary to perform their duties.
-
What operational resilience requirements apply to banks, including expectations relating to critical or important business services, impact tolerances, and the management of operational disruptions?
Regulation (EU) 2022/2554 (DORA) has been implemented in Italy by Legislative Decree No. 23 of 10 March 2025 (“Legislative Decree 23/2025”), which adapts the national legal framework to the EU Regulation.
Legislative Decree 23/2025 designates the Bank of Italy as the competent authority for banks, responsible for supervising compliance with DORA and for receiving notifications of major ICT-related incidents and voluntary notifications of significant cyber threats.
Legislative Decree 23/2025 also introduces an administrative sanctions regime for breaches of DORA obligations.
Furthermore, the Bank of Italy issued a Communication on the application of DORA (on 30 December 2024), providing supervisory guidance to ensure a uniform and consistent implementation of the Regulation by supervised intermediaries.
The Bank of Italy has provided its supervisory guidance on:
- ICT risk control function: banks must establish an independent ICT risk control function under Article 6 DORA. It may be integrated within risk management and/or compliance but cannot be assigned to internal audit.
- Notification of planned ICT contracts supporting critical or important functions: banks must inform the Bank of Italy of any planned ICT arrangements relating to essential or important functions.
- Reporting of major ICT incidents and significant cyber threats: from 17 January 2025, reporting follows the harmonized DORA regime. Major ICT incidents must be reported to the Bank of Italy; significant cyber threats may be notified on a voluntary basis.
- Threat-Led Penetration Testing (TLPT): banks identified under Article 26 DORA must perform advanced penetration tests at least every three years, with results feeding into supervisory assessment.
Furthermore, on 5 February 2026, the Bank of Italy updated Circular 285 in order to align its supervisory provisions on banks with the DORA framework and complete the integration of digital operational resilience into the Italian prudential regime.
The update has introduced the obligation for banks to identify and document their critical processes, namely those business processes whose disruption could materially affect operational continuity or compliance with supervisory requirements. For each critical process, responsibilities, supporting ICT systems and key interdependencies must be clearly mapped and governed.
The business continuity plan must also define, for each critical process, the recovery time objective and the recovery point objective, thereby determining the maximum acceptable duration of interruption and level of data loss.
In addition, Circular 285 requires a structured management framework for operational disruptions, including crisis escalation procedures, prioritized restoration of critical processes, periodic testing of continuity arrangements and appropriate communication with the supervisory authority following significant events.
-
What regulatory expectations apply to banks’ outsourcing arrangements, including the use of cloud service providers and reliance on critical third-party service providers?
As a preliminary remark, under Circular 285 banks are required to adopt, regularly review and update a written outsourcing policy covering the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to them.
As a general principle, through outsourcing agreements, a bank is not authorized to:
- delegate its own responsibilities or those of its corporate bodies;
- modify its relationship or obligations towards its clients;
- compromise its ability to comply with supervisory requirements or breach statutory activity restrictions;
- impair the quality of its internal control system;
- hinder the effective exercise of supervisory oversight;
- outsource operational tasks relating to control functions except on a proportionate basis and without prejudice to the continuing responsibility of the corporate bodies and of the head of the outsourced control function;
- fail to retain adequate internal expertise to monitor the service provider, assess the adequacy of the activities performed, and intervene where necessary.
In addition to these general principles, specific requirements apply according to the nature of the function: outsourcing of critical or important functions is subject to stricter regulatory requirements.
With reference to the outsourcing agreement, the main regulatory requirements are the following:
- clear description of activities;
- provisions regarding the accessibility, availability, integrity, privacy and safety of relevant data;
- service level agreement, key performance indicators and right of monitoring the outsourcer;
- reporting obligations;
- testing of business contingency plans, disaster recovery and back-up;
- the obligation of the service provider to cooperate with the bank’s supervisory authorities;
- whether the sub-outsourcing of a critical or important function, or material parts thereof, is permitted;
- termination rights.
Among other things, banks are required to ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial) and the organizational structure to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract.
In addition, banks appoint an internal employee with the duty to oversee outsourced activities on an ongoing basis and report regularly to the corporate bodies so that any necessary corrective measures are promptly adopted. With regard to the anti-money laundering (AML) function, banks are not allowed to outsource the function itself, but only the AML tasks it entails.
Circular No. 285 provides specific additional safeguards where banks outsource:
- cash handling activities;
- bank’s information system;
- cloud computing.
In addition to the general outsourcing requirements, according to Regulation (EU) 2022/2554 (DORA) and Legislative Decree No. 23 of 10 March 2025, ICT outsourcing contracts must clearly define:
- ICT risk mitigation measures consistent with the bank’s security framework;
- accountability and traceability of critical operations and access to sensitive data;
- secure deletion of data upon termination of the contract;
- allocation of information security responsibilities;
- minimum cybersecurity requirements, data lifecycle safeguards and incident management procedures.
Outsourcing agreements of a critical or important function are subject to regulatory requirements set forth by EBA Guidelines on outsourcing arrangements and must be notified to the Bank of Italy or European Central Bank according to the qualification of the relevant bank (less significant institute or systemic).
-
How do environmental, social and governance (ESG) and climate-related regulatory requirements affect banks, including governance, risk management, disclosures and prudential supervision?
On 22 April 2022, the Bank of Italy adopted its “Supervisory expectations for climate and environmental risks”, providing non-binding indications for banking and financial intermediaries on the integration of climate-related and environmental risks into their governance and control systems, business models and strategies, organizational systems and business processes, risk management systems as well as into market disclosure arrangements.
In particular, with reference to the governance system, supervisory guidance requires banks to:
- assess how to integrate climate and environmental risks into their corporate culture and strategy, as well as into their corporate risk appetite framework (where applicable) and into the risk limits of the portfolios they manage, consistently implementing key corporate policies and adapting their organizational and management system;
- provide the board of directors with expertise to understand and assess the implications of climate and environmental risks on the business model and strategy;
- assign roles and responsibilities for climate and environmental risks within the administrative body to its members and/or existing board committees; alternatively, intermediaries may consider establishing a dedicated committee;
- define a reporting system on climate and environmental risks with a focus on the medium-long term outlook, specifying the minimum content and frequency of information. The Board of Directors uses key performance indicators (KPIs) and key risk indicators (KRIs) to monitor and analyse the objectives defined.
Regarding the business model, banks should identify climate and environmental risks that could affect the business environment and be able to understand and measure their impact in order to ensure the resilience of the business model and guide its development prospects.
With respect to the organizational system and operational processes, supervisory guidance requires the administrative body to modulate the various interventions on the organization and operational processes in response to climate and environmental risks in a manner that is consistent and proportionate to the assessments made regarding their materiality.
Regarding the risk management system, supervisory guidance requires banks to:
- map events that could occur as a result of climate and environmental risks (physical and transition) and integrate them into the risk management system, as well as identifying the risks that could potentially be affected and the prudential implications;
- create a database on climate and environmental risk profiles, integrated into an information system capable of supporting the development of parameters for assessing climate and environmental risks;
- integrate climate and environmental risks into their internal capital adequacy and liquidity assessment processes as well as into their risk limit systems;
- define a program of periodic review and updating of the decisions taken in relation to methodologies and tools for their assessment, in order to continuously preserve their validity and significance;
- integrate climate and environmental risks into all phases of the credit process, adapting the related policies and procedures in line with the EBA Guidelines on the granting and monitoring of loans;
- evaluate the possible impact of climate and environmental risks on the pricing of investments in financial instruments in order to minimize the risk of losses;
- consider the possible impact of climate and environmental risks on business continuity as well as the level of reputational and legal risks;
- integrate climate and environmental risks into the measurement and management of liquidity risk by estimating potential deteriorations in the liquidity position due to cash outflows and/or decreases in the amount of reserves and/or changes in the liquidity of financial instruments held directly or by managed portfolios.
Lastly, the Bank of Italy supervisory indications required banks to have infrastructure, data, and processes in place to disclose how environmental risk drivers are integrated into business strategy, internal organization, and risk management mechanisms, including the metrics used to assess climate risks and sustainability objectives.
Please note that, following the publication of the guidelines, the Bank of Italy is periodically conducting thematic reviews, which are used to draw up and update a list of best practices applicable to banks in the following areas: 1) Governance and organizational systems; 2) Business model and strategy; 3) Risk management.
Furthermore, Circular 285 provides some specific requirements relating to environmental, social and governance (ESG) and climate-related factors. In particular, Circular 285 requires banks to:
- consider sustainable finance objectives and, in particular, the integration of environmental, social, and governance (ESG) factors into corporate decision-making processes;
- adopt a policy governing dialogue with shareholders, including issues relating to social and environmental impact (for banks of greater size or operational complexity only);
- include environmental, social, and governance (ESG) factors among the objectives used in the application of remuneration policies;
- include environmental, social, and governance risks within the risk management process.
Regarding the transposition of the provisions relating to environmental, social, and governance risks set out in Directive 2024/1619 (CRD VI), the Italian legislator has delegated their implementation to the Bank of Italy through the issuance of regulatory acts that have not yet been issued.
-
What regulatory restrictions or requirements apply to banks' remuneration policies, including bonus caps, deferral, malus and clawback, and how are these enforced in practice?
Banks are required to adopt and implement sound remuneration policies for all staff, together with specific requirements for the variable remuneration of staff whose professional activities have a material impact on the institution’s risk profile.
The remuneration policy must be designed consistently with the bank’s corporate objectives and values, including sustainable finance objectives (ESG), as well as the bank’s long-term strategies and prudent risk management policies, in line with the provisions on the supervisory review process.
The remuneration policy shall, inter alia, provide for:
- role and responsibilities of management body, shareholders and internal control functions;
- identification process of staff whose professional activities have or may have a material impact on the institution’s risk profile (i.e., identified staff);
- performance objectives;
- variable remuneration structure including the ratio between the variable and fixed components of total remuneration for identified staff;
- an effective framework for performance measurement, risk adjustment and the linkages of performance to reward.
The following main requirements apply to the variable remuneration:
- the maximum ratio between variable and fixed remuneration should be 100% (200% with shareholders’ approval);
- at least 50% of the variable remuneration of identified staff must be paid out in financial instruments (both for upfront and deferred) that are also subject to a retention period set forth by the remuneration policy;
- at least 40% (60% for significant amounts) of the variable component should be subject to deferred payment systems for a period of not less than 4-5 years, in order to take into account the evolution over time of the risks assumed by the bank (so-called malus mechanisms);
- variable remuneration should be linked to performance indicators and subject to a period of time for which the performance is assessed and measured for the purposes of determining the bonus pool;
- the deferred portion of variable remuneration should not be vested sooner than 12 months after the start of the deferral period;
- the retention period should be not less than 1 year as of the award of the financial instruments;
- the adjustment for risks before the award is made (‘ex ante risk adjustment’) should be based on risk indicators and ensure that the variable remuneration awarded is fully aligned with the risks taken;
- variable remuneration should be subject to ex post correction mechanisms (malus and clawback) aimed, among other things, at reflecting performance levels net of the risks actually assumed or achieved and capital levels, as well as taking individual behavior into account;
- malus or clawback arrangements should be able to affect up to 100% of the total variable remuneration;
- clawback arrangements should cover at least a period of five years from the first portion of variable remuneration vested.
-
Has your jurisdiction implemented the Basel III framework with respect to regulatory capital? Are there any major deviations, e.g., with respect to certain categories of banks?
Yes. Directive 2013/36/EU on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms (“CRD IV”) has been transposed into Italian legal framework by Legislative Decree dated 12 May 2015 n. 72 and Circular n. 285 of the Bank of Italy dated 17 December 2013 on supervisory provisions for banks (“Circular 285”).
Directive (EU) 2019/878 amending Directive 2013/36/EU (“CRD V”) and Regulation (EU) No 2019/876 amending Regulation (EU) No 575/2013 (“CRR 2”) have been transposed into Italian legal framework by Legislative Decree dated 8 November 2021, N. 182 and Circular 285.
Directive (EU) 2024/1619 amending Directive 2013/36/EU (“CRD VI”) and Regulation (EU) No 2024/1623 amending Regulation (EU) No 575/2013 (“CRR 3”) have been transposed into Italian legal framework by Legislative Decree dated 30 December 2025, N. 208 and Circular 285.
Options and discretions applied by Italian legislator under CRD and CRR are made available on the Bank of Italy website.
Without prejudice to the above, under Circular 285 minimum share capital requirements are:
- €10 million for banks in the form of joint-stock companies, “popolari” banks and mutual loan guarantee banks;
- €5 million for cooperative credit banks.
-
Are there any requirements with respect to the leverage ratio?
Yes. Pursuant to Article 92(1) of Regulation (EU) No 575/2013 (“CRR”) Italian banks are required to maintain a minimum leverage ratio of 3% as a Pillar 1 requirement. However, in the presence of excessive leverage risk, under normal or stressed conditions, the European Central Bank and the Bank of Italy may require additional capital (leverage ratio Pillar 2 requirement, P2R-LR) beyond the Pillar 1 Leverage Ratio metrics.
Furthermore, global systemically important institutions (“G-SII”) shall maintain a leverage ratio buffer equal to the G-SII’s total exposure measure multiplied by 50% of the G-SII buffer rate applicable to the G-SII. G-SIIs shall meet the leverage ratio buffer requirement with Tier 1 capital only.
G-SIIs are not allowed to make distributions in relation to Tier 1 capital that would result in a decrease in Tier 1 capital to a level that would no longer meet the leverage ratio buffer requirement.
Banks that do not meet the reserve requirement of the leverage ratio for G-SIIs are required to calculate the maximum distributable amount related to the leverage ratio (‘L-AMD’) and report it to the ECB or the Bank of Italy. So long as L-AMD is not reported to the ECB or the Bank of Italy, G-SIIs are not allowed to:
- make distributions in relation to primary tier 1 capital;
- undertake obligations to pay variable remuneration or discretionary pension benefits or to pay variable remuneration if the payment obligation was undertaken when the G-SII leverage ratio reserve requirement was not met;
- make payments on Additional Tier 1 capital instruments.
-
What liquidity requirements apply? Has your jurisdiction implemented the Basel III liquidity requirements, including regarding LCR and NSFR?
Italian banks are required to apply the liquidity requirement provided by Regulation (EU) No 575/2013 (“CRR”), which has transposed into the EU legal framework the Basel III contents. Considering the self-executing nature of the CRR, Italian banks are required to apply the liquidity requirement provided by Article 412 of the CRR, stating that credit institutions under stress must have enough funds to meet withdrawal demands over a 30-day period. Article 412 of the CRR is complemented by Delegated Regulation (EU) No 2015/61, which requires that the ratio between the liquidity buffer and the net liquidity outflows over 30 days (the so-called “Liquidity Coverage Ratio”, “LCR”) must be at least 100 per cent (please note that this requirement applies from 2019). The Delegated Regulation also specifies which assets are to be considered as liquid assets and sets out how expected cash outflows and inflows over a 30-day period are to be calculated. The Bank of Italy’s Supervisory Provisions allow banks that meet the conditions provided for under par. 1 of Article 8 of the CRR to apply for a total or partial derogation from the application of the liquidity coverage requirements on an individual basis.
Italian banks are also required to comply with the long-term liquidity requirement set out in Article 428c of the CRR, which requires institutions to maintain a net stable funding ratio (“NSFR”) of at least 100%, calculated in the reporting currency, for all their transactions, irrespective of their actual currency denomination. Please note that the NSFR is the ratio of the institution’s available stable funding (as defined in Chapter 3 of Part VI of the CRR) to the institution’s required stable funding (as defined in Chapter 4 of Part VI of the CRR).
-
Which different sources of funding exist in your jurisdiction for banks from the national bank or central bank?
Italian banks have access to various funding sources beyond the Banca d’Italia (Italy’s central bank). These sources can be broadly categorized into (1) open market operations and (2) standing facilities.
The open market operations are conducted on the initiative of the Bank of Italy, usually by means of a tender procedure, and they can be broken down into (a) main refinancing operations (MROs), with a weekly maturity and frequency and (b) longer-term refinancing operations (LTROs), with a maturity of three months and a monthly frequency. Please also note that in response to the financial and economic crises that have occurred since the global financial crisis of 2007-08, the Eurosystem has introduced several refinancing operations, in euros and in foreign currency, with longer maturities than standard operations and, in some cases, with the aim of directly supporting the provision of bank credit to the real economy (by way of example, longer-term refinancing operations (LTROs) with maturities of six months to one year, three-year LTROs, targeted longer-term refinancing operations (TLTROs), pandemic emergency longer-term refinancing operations (PELTROs) and foreign currency refinancing operations).
Standing facilities allow credit institutions to offset any liquidity imbalances at the end of the business day by making overnight deposits with the central bank (deposit facility – DF) or by borrowing funds from the central bank to obtain overnight liquidity (marginal lending facility – MLF). The interest rates applied to these facilities normally constitute the lower bound (deposit facility rate) and the higher bound (marginal lending facility rate) for the overnight interest rate at which banks exchange funds, creating what is known as the monetary policy «corridor». The operations are managed by the Bank of Italy in accordance with the harmonized terms and conditions for the entire euro area.
In addition, Italian credit institutions may participate in special programmes launched by the Eurosystem for the purchase of private sector securities. In order to be admitted to such a programme as “monetary policy counterparties”, banks must meet the general criteria laid down in the Eurosystem’s regulations and comply with administrative, technical and operational requirements. These criteria and requirements are assessed by the Bank of Italy. By way of example, under the third covered bond purchase programme (CBPP3, launched on 20 October 2014), the Bank of Italy purchased on the primary and secondary markets covered bonds issued by banks.
-
Do banks have to publish their financial statements? Is there interim reporting and, if so, in which intervals?
Italian banks, as well as other Italian joint-stock companies, are required by law to publish their financial statements in order to ensure transparency and provide stakeholders with accurate financial information. The primary legislation pertaining to this obligation is Article 2435 of the Italian civil code, which provides that Italian joint-stock companies shall file with the competent company register, within 30 days after the approval by the shareholders’ meeting, a copy of the financial statements (accompanied by the reports of the Board of Directors, the report of the board of statutory auditors, the report of the auditing firm and the minutes of the approval of the shareholders’ meeting). The financial statements are prepared in accordance with Bank of Italy’s Circular n. 262 of 22 December 2005 on “Banks’ financial statements: presentation and preparation”.
Italian listed banks are also required to publish, within three months of the end of the first half of the financial year, a half-yearly financial report, including (a) the consolidated half-yearly financial statements, (b) the interim management report (including, at least, an analysis of important events occurred during the first six months of the financial year and their impact on the consolidated interim financial statements, together with a description of the principal risks and uncertainties for the remaining six months of the financial year) and (c) the declaration provided for in Article 154-bis, paragraph 5 of the Legislative Decree dated 24 February 1998 No 58 (“Consolidated Law on Finance”) concerning (i) the adequacy and effectiveness of the administrative and accounting procedures used to prepare the financial statements; (ii) the correspondence of the supporting documents with the entries in the books and records of account; (iii) the suitability of the documents to give a true and fair view of the assets and liabilities, profit and loss and financial position of the issuer and the group of companies included in the consolidation; (iv) reliability of the analysis of the information provided by the interim management report.
In addition, Article 82-ter of the Consob Resolution n. 11971/1999 (“Issuers Regulation”) allows listed companies to choose whether or not to publish additional periodic financial information, specifying the criteria and principles to be adopted. Therefore, Italian banks listed on the stock exchange may decide to publish financial information on a quarterly basis, in addition to the annual and half-yearly reports, usually as at 31 March and 30 September of each financial year.
-
Does consolidated supervision of a bank exist in your jurisdiction? If so, what are the consequences?
Article 65 of the Legislative Decree No. 385 dated 3 September 1993 on Consolidated Banking Act (“CBA”) provides that the Bank of Italy exercises consolidated supervision over:
(a) companies belonging to a banking group, which is composed of the parent company (which may be a bank, financial company or mixed financial company) and the banking, financial and instrumental companies controlled by it;
(b) other legal entities, specifically listed under Article 65 of the CBA (by way of example, (i) banking and financial companies owned at least 20% by companies belonging to a banking group or by a single bank; (ii) banking and financial companies that do not belong to a banking group but are controlled by the natural or legal person that controls a banking group or an individual bank; (iii) undertakings controlling at least one bank, including financial holding companies or mixed financial holding companies excluded from the scope of prudential consolidation pursuant to Article 60-ter of CBA; (iv) undertakings other than banking and financial undertakings, when they are controlled by a single bank or when undertakings belonging to a banking group or the persons referred to in point (iii) above, even jointly, have a controlling interest; (v) financial holding companies or financial holding companies which, under certain conditions, are exempted by the Bank of Italy from the obligation to apply for authorization to assume the status of parent company, unless they are excluded from the scope of prudential consolidation pursuant to Article 60-ter of CBA; (vi) companies, other than those mentioned in the preceding points, included in the scope of prudential consolidation pursuant to Article 18 of Regulation (EU) No 575/2013 and its implementing provisions).
Entities under consolidated supervision are subject to reporting, inspection and regulatory supervision of the Bank of Italy. In particular, under the “reporting supervision” mandate (“vigilanza informativa”), the Bank of Italy is empowered to require periodic and on-demand reporting (i) by entities under consolidated supervision and (ii) by the parent company, also on behalf of the banking group’s companies.
On the other hand, the “prudential regulatory supervision” mandate (“vigilanza regolamentare”) pertains to the power granted to the Bank of Italy to issue mandatory rules concerning capital requirements, risk containment as well as any other area in which the Bank of Italy has been delegated to promulgate second-level regulatory provisions.
Finally, under the “inspection supervision” mandate (“vigilanza ispettiva”) the Bank of Italy is empowered to conduct investigations on entities subject to consolidated supervision. It is worth noting that the scope of the inspections on entities that do not fall within the definition of banking, financial and instrumental entities is limited to assessing the accuracy of the data and information provided for consolidation purposes.
-
What reporting and/or approval requirements apply to the acquisition of shareholdings in, or control of, banks?
Article 19 of the Legislative Decree No. 385 dated 3 September 1993 on Consolidated Banking Act (“CBA”) requires that any natural or legal person who intends to acquire or increase, directly or indirectly, a “qualified holding” in a bank must obtain a prior authorisation from the European Central Bank, upon proposal of the Bank of Italy. In particular, the prior authorisation is required in the following circumstances:
(a) the acquisition of holdings in a bank that may result in the ability to exercise control or significant influence over the institution, or that may confer a share of capital or voting rights amounting to a minimum of 10%, taking into account the shares already owned;
(b) any change in shareholdings where the proportion of capital or voting rights reaches or exceeds 20%, 30% or 50% and, in any event, where such changes result in the control of the Bank;
(c) the acquisition of the control, share of the capital or voting rights in a company, holding the shareholdings indicated above sub par.(a) and (b), as a result of the capital shares or voting rights held through companies, including non-subsidiaries, which in turn have voting rights or capital shares in the bank, taking account of the demultiplication produced by the shareholdings chain.
The prior authorization by the Bank of Italy is required for the acquisition for any reason whatsoever, also in the absence of the purchase of shares (including by means of a contract with the bank or a clause in its articles of association).
The authorization is released when the acquisition is suitable to ensure the sound and prudent management of the bank, having assessed the quality of the proposed acquirer and the financial soundness of the acquisition project. In this respect, the Bank of Italy takes into account the following criteria: (i) the reputation of the proposed acquirer; (ii) the integrity, fairness, professionalism and competence of those who, after the acquisition, will undertake administrative and managerial functions in the bank; (iii) the financial soundness of the potential acquirer; (iv) the ability of the bank to comply with the provisions governing its activities after the acquisition; (v) the suitability of the group structure of the potential acquirer to allow for the effective exercise of supervision; (vi) the absence of reasonable grounds to suspect that money laundering or terrorist financing is, or has been, taking place in relation to the proposed transaction, or that the proposed transaction could increase the risk thereof.
The Italian legal framework pertaining to the acquisition of qualified shareholdings in a bank is complemented by the Bank of Italy’s “Provisions on the Ownership Structures of Banks and Other Intermediaries” (issued on 27 July 2022) and “Provisions on the Information and Documents to be Transmitted to the Bank of Italy in the Request for Authorisation to Acquire a Qualified Shareholding” (issued on 27 October 2021).
-
Does your regulatory regime impose conditions for eligible owners of banks (e.g., with respect to major participations)?
Pursuant to Article 25 of the Legislative Decree No. 385 dated 3 September 1993 on Consolidated Banking Act (“CBA”), the holders of qualifying or controlling interests in banks shall meet the integrity requirements and satisfy criteria of competence and fairness, in order to ensure the sound and prudent management of the bank.
Article 25 of the CBA – as amended by the Legislative Decree No 72 of 12 May 2015 implementing Directive 2013/36/EU – delegates the Ministry of Economy and Finance to identify, by decree adopted after consultation with the Bank of Italy: (i) the integrity requirements; (ii) the competence criteria, graduated in relation to the influence on the management of the bank that the holder of the participation may exercise; and (iii) the criteria of fairness with regard to, inter alia, the business relations of the owner of the shareholding, conduct vis-à-vis supervisory authorities and sanctions or corrective measures imposed by them, restrictive measures relating to professional activities carried out, as well as any other element that may affect the fairness of the holder of the shareholding.
To date, the Ministry of Economy and Finance has not yet issued the delegated decree. Consequently, Decree No 144 of 18 March 1998 remains applicable in relation to the integrity requirements only. With regard to the competence and fairness criteria, the owners / proposed acquirers of qualifying or controlling participations in banks shall refer to the Bank of Italy’s “Provisions on the Ownership Structures of Banks and Other Intermediaries” and “Provisions on the Information and Documents to be Transmitted to the Bank of Italy in the Request for Authorisation to Acquire a Qualified Shareholding”, which provide the list of documents and information requested by the Bank of Italy for the purpose of assessing the eligibility of the candidate acquirers.
-
Are there specific restrictions on foreign shareholdings in banks?
Italian law does not impose any specific restrictions on the acquisition or holding of shares in Italian banks by foreign parties. However, it should be noted that the documentation and information required by the Bank of Italy from non-EU prospective acquirers differ in part from those required from Italian acquirers. By way of example, with regard to the assessment of the integrity requirements, non-EU acquirers are required to submit, in addition to criminal records, a legal opinion. This opinion must be issued by a qualified lawyer in the State of nationality of the prospective acquirer, and it must support the suitability of the criminal records to prove that the information contained therein is equivalent to that required by Italian law.
Without prejudice to the above, Decree-Law 15 March 2012, n. 21 introduced in the Italian legal framework the so-called “golden power” empowering the Italian government to limit or stop (i) foreign direct investments (“FDI”) and (ii) corporate transactions involving Italian strategic assets, including the credit sector. Golden power requires foreign purchasers to notify in advance the Presidency of the Council of Ministers with a full disclosure of the transaction (including relevant documents) in order to enable the timely exercise of special powers by the government.
-
Is there a special regime for domestic and/or globally systemically important banks?
Directive 2013/36/EU (“CRD”) and Regulation (EU) No 575/2013 (“CRR”) provide for a special and more prudential regulatory regime for the so-called “other systemically important institutions” (O-SIIs) and the “globally systemically important institutions” (G-SIIs). In particular, Article 131 of the CRD provides that Member States shall designate an authority to be responsible for identifying, on a consolidated basis, G-SIIs, and, on an individual, sub-consolidated or consolidated basis, as applicable, other systemically important institutions (O-SIIs), which have been authorised within their jurisdiction. The designated Italian authority is the Bank of Italy.
The Bank of Italy identifies and classifies the G-SIIs authorised in Italy, based on the methodology (basic and supplementary) identified by the European Commission regulation pursuant to Article 131, par. 18 CRD and the EBA “Guidelines on the specification and disclosure of systemic importance indicators”. The basic methodology assigns a score enabling the classification of G-SIIs into at least 5 sub-categories, each of which is associated with a level of primary tier 1 capital that G-SIIs must hold at a consolidated level. Each G-SII shall, on a consolidated basis, maintain a G-SII buffer which shall correspond to the sub-category to which the G-SII is allocated. That buffer shall consist of and shall be supplementary to Common Equity Tier 1 capital. For 2025 no Italian bank or banking group is identified as a G-SII.
The Bank of Italy identifies O-SIIs among banks and banking groups authorized in Italy and assesses their systemic importance on the basis of at least the following criteria: (a) size; (b) importance to the Union or Italian economy; (c) importance of cross-border activities; (d) interconnectedness of the bank or group with the financial system. The Bank of Italy may require each O-SII to hold a capital buffer for O-SIIs of up to 3 per cent of total risk exposure or, subject to approval by the European Commission, higher than 3 per cent. For 2025 the Bank of Italy has identified 7 banks as O-SIIs, requiring each of them to maintain from 1 January 2025 specific O-SII buffers of their total risk-weighted exposure (from 0.25% to 1.50%).
Furthermore, it is worth noting that, in light of Italy’s participation in the Single Supervisory Mechanism (SSM), the Italian banks falling within the definition of “significant” credit institutions, as set out by Article 6, par. 4 of the Regulation (EU) No 1024/2013, are subject to the prudential supervision of the European Central Bank (ECB). The Regulation (EU) No 1024/2013 and the Regulation of the ECB No 468/2014 set out the division of responsibilities between the ECB and the national supervisory authorities on significant credit institutions, granting, by way of example, the ECB the competence to authorize the conduct of banking business and the acquisition of participations in the capital of banks, the monitoring of compliance with prudential requirements regarding own funds, limits to large exposures, liquidity, leverage, reporting and disclosure, respect of governance requirements, remuneration policies etc. Conversely, the Bank of Italy retains the supervisory authority prerogatives over significant banks with regard to matters not encompassed within the ECB’s competencies. These include consumer protection, anti-money laundering, payment services, and the supervision of third-country banks operating in Italy under a permanent establishment or freedom of services regime.
-
What are the sanctions the regulator(s) can order in the case of a violation of banking regulations?
The Legislative Decree No. 385 dated 3 September 1993 on Consolidated Banking Act (“CBA”) provides for a complex system of sanctions for the violation of regulatory provisions applicable to banks. In particular, some violations are punished with criminal sanctions (such as, for example, the abusive exercise of collection and credit activities), others with administrative sanctions.
Administrative sanctions may be imposed on banks, as legal entities, as well as on natural persons who hold significant shareholdings in banks (without authorization) or who act on behalf of banks (such as, for example, members of management and supervisory bodies and key-functions managers). The CBA endows the Bank of Italy with the authority to impose administrative sanctions in the event of violation of regulatory provisions by the banks, as legal entities, and by natural persons acting on their behalf or subject to its supervision (including banking institutions, shareholders, members of the management and control bodies as well as key-role managers of banks).
Administrative sanctions are mainly monetary and vary according to whether they are imposed on natural persons (generally between €5,000 and €5 million) or legal persons (generally between €30,000 and 10% of turnover). In cases where the infraction is deemed sufficiently grave, the Bank of Italy may impose an additional administrative sanction, namely disqualification from participating in the administration, management and control functions in financial intermediaries for a duration of between 6 months and 3 years.
Furthermore, Legislative Decree No. 385/1993, which amends the CBA to implement Directive (EU) 2024/1619 (“CRDVI”), introduced Article 144-ter.1 concerning the concept of “periodic penalty payments”. In particular, pursuant to Article 144-ter.1 of the CBA (i) with regard to legal entities, a daily penalty ranging from €2,000 to €50,000 may be imposed, alternatively or in addition to administrative monetary sanctions, for non-compliance with specific provisions set out in the CBA. Where the daily turnover is available and can be determined, and where 5% of such daily turnover exceeds €50,000, the penalty may be set at 5% of the daily turnover instead of the fixed monetary range. Furthermore, (ii) with regard to natural persons, a daily penalty ranging from €1,000 to €50,000 may be imposed, alternatively or in addition to the administrative monetary sanctions and ancillary penalties, in the event of ongoing non-compliance with specific measures laid down in the CBA. Such periodic penalty payment may be applied until the non-compliance ceases, provided that the ongoing breach concerns their own duties or those of the body to which they belong.
As an alternative to the imposition of a monetary sanction, for certain offences characterized by minimal offensiveness or dangerousness, the Bank of Italy has the prerogative to impose a cease and desist order, whereby it may require the legal entity to remedy the infringements, also indicating the measures to be adopted and the deadline for compliance. Moreover, in consideration of Italy’s participation in the Single Supervisory Mechanism (SSM), it is noteworthy that, as outlined in Article 18 of the Regulation (EU) No 1024/2013 and Article 122 of the Regulation of the European Central Bank No 468/2014, the European Central Bank (ECB) retains the authority to impose administrative penalties on (i) significant supervised entities, or (ii) less significant supervised entities where the relevant ECB regulations or decisions impose obligations on less significant supervised entities vis-à-vis the ECB. These administrative penalties are of a pecuniary nature and may be imposed on legal entities only.
Finally, it should be noted that the Italian Securities and Exchange Commission (Consob) retains the authority to impose administrative penalties on banking institutions that infringe the conduct rules in the provision of investment services set out in the relevant Directive 2014/65/EU and related implementing Italian laws and regulations. In addition, CONSOB is competent to investigate and impose administrative sanctions for breaches of the Regulation (EU) No 596/2014 (Market Abuse Regulation, “MAR”), including insider dealing, unlawful disclosure of inside information and market manipulation.
-
How active are banking regulators in enforcement against banks and senior individuals, and what recent trends can be observed in supervisory or enforcement action?
Recent figures confirm a sustained level of enforcement intensity. According to the Bank of Italy’s Annual Management and Sustainability Report for 2024, the authority imposed sanctions on 63 subjects, comprising 19 legal entities (including one significant bank, six less significant banks and twelve non-bank intermediaries — five of which were subject to multiple sanctions) and 44 natural persons serving as corporate officers or heads of control functions. The total amount of pecuniary sanctions imposed in 2024 was approximately €1.7 million (compared with €1.5 million in 2023), indicating a year-on-year increase in overall sanctioning volume.
More recent data confirm a continued robust enforcement approach, with the Bank of Italy showing an increasing willingness to pursue action not only against institutions but also against corporate officers (e.g. members of management and control bodies). Based on the sanctioning measures published up to the first two months of 2026 (source Bank of Italy website), it emerges that in 2025, the Bank of Italy imposed sanctions on approximately 25 banking and financial institutions (including eleven banks, three financial intermediaries, five payment institutions, five asset management companies and one investment firm) for a total amount of approximately € 8,6 million, as well as on 43 natural persons serving as corporate officers of supervised entities (including representatives of three banks, one payment institution, three asset managers and one financial intermediary) for a total amount of approximately € 1,1 million.
While monetary penalties imposed on individuals generally remain moderate in amount (median approximately €12,500; maximum €110,000), their frequency and recurrence are consistent with a supervisory approach that emphasizes role-based accountability and individual responsibility within governance and control frameworks.
By contrast, the most significant financial exposure is concentrated on legal entities. Based on the same published measures, monetary sanctions imposed in 2025 on institutions remained substantially higher than those applied to individuals (median approximately €255,000; maximum €2,5 million). Enforcement patterns also display a differentiated distribution across supervisory areas. AML-related enforcement concerned 14 financial institutions, with total penalties of approximately €3,9 million (average about €283,000), confirming that anti-money laundering compliance remains a key supervisory priority. Governance-related breaches involved a larger number of entities — 18 financial institutions — but with a slightly lower average penalty (total approximately €4,175 million; average about €231,000), suggesting a broad supervisory focus on organisational and control-framework deficiencies. By contrast, enforcement in the transparency area was more limited in volume, with only two cases recorded, although the overall sanctions imposed (total approximately €540,000; average approximately €270,000) indicate that breaches in this field may still attract material penalties despite their lower frequency.
-
How are client’s assets and cash deposits protected?
In relation to the assets of the client (by way of example financial instruments), Article 22 of the Legislative Decree dated 24 February 1998 No 58 (“Consolidated Law on Finance”) establishes a general requirement for asset segregation. This provision states that the assets of clients who deposit them at a bank or other financial intermediary are to be regarded as assets separate from those of the intermediary and other clients for all purposes. It is worth noting that no actions by or on behalf of the bank or intermediary’s creditors, nor actions by or on behalf of the creditors of any custodian or sub-custodian, are permitted on such assets. However, actions by creditors of individual customers are permissible, provided that these actions do not exceed the limits of the assets owned by those customers. In the event of a bank being considered failed or likely to fail, the assets of its customers are not subject to bail-in measures.
Nonetheless, the regulations pertaining to segregation do not apply in the context of cash deposits with banking institutions. Article 1834 of the Civil Code stipulates that upon the deposit of a sum of money with a banking institution, the bank acquires ownership of the deposited sum and is obligated to return it in the same monetary denomination at the expiration of the mutually agreed term or at the request of the depositor, subject to the notice period established by the parties or by custom. Consequently, banking institutions are obligated to adhere to the most stringent capital requirements stipulated by the EU CRD and CRR, with the aim of ensuring the restitution of client cash deposits at any time.
Pursuant to Article 96 of the Legislative Decree No. 385 dated 3 September 1993 on Consolidated Banking Act (“CBA”), all Italian banking institutions are obligated to participate in one of the depositor guarantee schemes that have been established and recognised in Italy. Specifically, they must adhere to: (a) the Interbank Deposit Protection Fund (“Fondo Interbancario di Tutela dei Depositanti”) to which all Italian banks incorporated as joint-stock companies and cooperative banks are required to adhere, or (b) the Cooperative Credit Depositors’ Guarantee Fund (“Fondo di Garanzia dei Depositanti del Credito Cooperativo”), which covers depositors of banks incorporated as cooperative credit banks. Both of these depositor guarantee schemes are private consortia, financed by contributions from the respective banking institutions. The Italian depositors’ guarantee schemes provide reimbursements of up to EUR 100,000 per depositor in the event of crisis resolution and compulsory administrative liquidation of Italian banks and branches of non-European banks.
-
What recovery and/or resolution planning obligations apply to banks, and how are recovery and/or resolution plans reviewed and assessed by supervisory authorities?
Legislative Decree No. 180 of 16 November 2015 and Legislative Decree No. 181 of 16 November 2015 (“BRRD Decrees”) transposed in Italy the Directive No. 2014/59/EU (also known as the “Banking Recovery and Resolution Directive”, “BRRD”), thereby establishing a structured legal framework for the prevention and management of banking crises.
Within this regime, Italian law establishes a dual framework of recovery planning (institution-driven) and resolution planning (authority-driven). Credit institutions and banking groups are required, in the ordinary course of business, to draw up recovery plans setting out strategies and operational measures aimed at restoring their financial soundness in the event of significant deterioration, with the objective of preserving financial stability and avoiding reliance on extraordinary public financial support. In parallel, the Bank of Italy, acting as national resolution authority, is required to prepare, for each institution, a resolution plan identifying the resolution actions that may be adopted if the conditions for resolution are met.
The key distinction between the two instruments – the recovery plan and the resolution plan – lies in both their authorship and their function. Recovery plans are drawn up by the institutions themselves and constitute internal crisis-management tools designed to enable autonomous recovery. Resolution plans, by contrast, are prepared by the resolution authority and set out the strategy for managing a crisis where recovery measures prove inadequate or ineffective. Accordingly, recovery plans operate as preventive mechanisms, whereas resolution plans function as ex-ante public intervention instruments.
With respect to recovery plans, they must be approved by the Institution’s management body – or, in the case of a banking group, by the management body of the parent company – in accordance with the BRRD delegated acts and implementing technical standards — notably Commission Delegated Regulation (EU) 2016/1075 — as well as the EBA Guidelines on improving resolvability (EBA/GL/2022/01), as subsequently amended by the 2023 Guidelines introducing resolvability testing requirements.
The recovery plans must include the information required under Commission Delegated Regulation (EU) 2016/1075 and must neither assume nor rely on access to extraordinary public financial support. They must be reviewed and, where necessary, updated at least annually (or more frequently, if so required by the Bank of Italy) and in any event whenever there is a material change in circumstances affecting the Institution’s legal or organisational structure or financial position.
The recovery plans must be submitted to the Bank of Italy, which, within six months, reviews them to verify compliance with Delegated Regulation (EU) 2016/1075 and to assess whether: (a) the measures set out in the plan are reasonably likely to maintain or restore the bank’s (or group’s) viability and financial soundness, taking into account preparatory actions already taken or planned by the bank and (b) the plan and its options can be implemented swiftly and effectively in situations of financial stress, while minimizing adverse effects on the financial system, including where other institutions may activate recovery plans at the same time. In carrying out this assessment, the Bank of Italy must also evaluate whether the bank’s (or group’s) capital and funding structure is appropriate in light of the complexity of its organisation and its risk profile.
Where an Institution breaches or is likely to breach prudential or other regulatory requirements, including due to rapid financial deterioration, the Bank of Italy is empowered to require implementation of recovery measures, preparation of a debt restructuring plan, or changes to the Institution’s legal structure.
As for resolution plans, these are prepared by the Bank of Italy on the basis of information provided by Institutions, including recovery plans and supervisory reporting, and set out the arrangements for applying resolution tools and powers. Resolution plans must be reviewed and, if necessary, updated at least annually and whenever material changes occur in the Institution’s structure, activities or financial position.
In preparing and updating the resolution plan, the Bank of Italy, after consulting the competent authority, assesses whether the bank (or group) is “resolvable”, that is, whether — even in conditions of generalised financial instability or systemic stress — it can be subject either to compulsory administrative liquidation or to resolution, without causing significant adverse effects on the Italian, EU or other Member States’ financial systems and while ensuring the continuity of its critical functions, including, where appropriate, through their timely separation or other suitable measures. Where the Bank of Italy determines that an Institution is not resolvable, it must promptly notify the European Banking Authority. In such cases, the obligation to prepare or update the resolution plan is suspended until the measures necessary to remove material impediments to resolvability have been identified.
-
Does your jurisdiction know a bail-in tool in bank resolution and which liabilities are covered? Does it apply in situations of a mere liquidity crisis (breach of LCR etc.)?
The bail-in mechanism was implemented into the Italian legal framework by Legislative Decree 181/2015 in order to: (a) restore the capital of the bank under resolution procedure to the extent necessary to meet prudential requirements and appropriate to restore market confidence, if the application of the bail-in, even in combination with corporate reorganisation measures, is sufficient to provide a prospective recovery and (b) in the context of the transfer of assets and legal relationships, reduce the nominal value of the liabilities transferred, including debt securities, or to convert these liabilities into equity.
The bail-in mechanism allows for the absorption of losses and recapitalization of failing banks by writing down or converting into equity certain liabilities (rather than relying on taxpayer-funded bailouts). In particular, the bail-in applies in a hierarchical order, with losses imposed on creditors in the following sequence:
i) shareholders;
ii) holders of other capital instruments;
iii) other subordinated creditors;
iv) unsecured creditors;
v) individuals and small businesses for the part of their deposits above Euro 100,000; and
vi) the deposit guarantee fund, which contributes to the bail-in in the place of guaranteed depositors
The following elements are excluded from the scope of application of the bail-in measure and thus cannot be written down or converted into capital:
(i) deposits protected by the deposit guarantee scheme, i.e. those up to EUR 100,000;
(ii) secured liabilities, including covered bonds and other guaranteed instruments;
(iii) liabilities arising from the holding of customer assets or by virtue of a fiduciary relationship, such as the contents of safe deposit boxes or securities held in a special account;
(iv) interbank liabilities (excluding intragroup relationships) with an original maturity of less than seven days;
(v) liabilities arising from participation in payment systems with a residual maturity of less than seven days;
(vi) payables to employees, trade payables and tax payables provided they are privileged under bankruptcy law.
The bail-in tool does not automatically apply in the case of a mere liquidity crisis, such as a breach of the Liquidity Coverage Ratio (LCR) or Net Stable Funding Ratio (NSFR). The bail-in measure applies in instances where specific preconditions for the implementation of bank resolution measures are met. These preconditions include the following: (i) the bank is deemed to be failing or likely to fail; and (ii) no alternative measures can be identified to address the situation of failure (such as early intervention measures or extraordinary administration).
-
Is there a requirement for banks to hold gone concern capital ("TLAC")? Does the regime differentiate between different types of banks?
The “Total Loss-absorbing Capacity (TLAC) Term Sheet”, published by the Financial Stability Board on 9 November 2015 (the ‘TLAC standard’), was implemented into the EU banking regulatory framework through amendment of the Regulation (EU) No 575/2013 (“CRR”), Regulation (EU) No 806/2014 (“SMRM”) and Directive 2014/59/EU (“BRRD”) in order to better ensure that the loss absorption and recapitalisation of Global Systemically Important Institutions (G-SIIs) occurs through private means (bail-in) when those banks become financially unviable and are, subsequently, placed in resolution.
The above-mentioned rules have been implemented into the Italian legal framework by the Legislative Decree 180/2015 which requires: (i) all banks to hold a Minimum Capital Requirements of Eligible Liabilities (MREL); (ii) G-SII banks to hold Total Loss Absorbing Capacity (TLAC).
With regard to the TLAC, article 16 sexies of the Legislative Decree 180/2015 specifically provides that for institutions designated for resolution that are G-SIIs or are included in the scope of prudential consolidation of an entity that qualifies as a G-SII, the minimum requirement of own funds and eligible liabilities shall consist of the sum of the following:
a. the requirements set out in Articles 92a and 494 of the CRR; and
b. the additional requirement established by the Bank of Italy for cases in which the requirements set forth under point a) above are not sufficient to meet the minimum requirements of own funds and eligible liabilities provided for all banks (MREL). This measure is not expected to be adopted by the Bank of Italy, since no Italian banking institution is currently identified as G-SII.
Pursuant to Article 92a of the CRR, starting from 1 January 2022, G-SII entities must hold an amount of TLAC equal to:
a. 18% in terms of risk-weighted assets (representing the own funds and eligible liabilities of the institution expressed as a percentage of the total risk exposure amount); or
b. 6.75% of the leverage exposure measure (representing the own funds and eligible liabilities of the institution expressed as a percentage of the total exposure measure).
-
Is there a special liability or responsibility regime for managers of a bank (e.g. a "senior managers regime")?
Yes. Pursuant to Article 144-ter of the Legislative Decree No. 385 dated 3 September 1993 on Consolidated Banking Act (“CBA”), in the event of non-compliance with specific obligations under the legislation, a pecuniary administrative sanction ranging from EUR 5,000 to EUR 5 million shall be imposed on persons performing administrative or management functions, as well as on staff, when the non-compliance is a consequence of the breach of their duties or of those of the body to which they belong and one or more of the following conditions are met:
a) the conduct has significantly affected the overall organisation or risk profiles of the company;
b) the conduct has contributed to the failure of the company or entity to comply with specific measures adopted by supervisory authorities.
c) the violation regards regulatory obligations listed by CBA.
If the advantage obtained by the infringer exceeds the above-mentioned ceilings, the administrative pecuniary sanctions shall be increased up to twice the amount of the advantage obtained, provided that this amount can be determined. In addition, the Bank of Italy may apply the accessory administrative sanction of temporary ban, for a period of no less than six months and no more than three years, from carrying out administrative or management functions.
Furthermore, unless the act constitutes a criminal offence, Article 144-ter of the CBA, which was recently amended by Legislative Decree No. 208/2025 to implement Directive (EU) 2024/1619 (“CRD VI”), applies pecuniary administrative sanctions to natural persons in the event of non-compliance with certain provisions of Regulation (EU) 2022/2554 (“DORA”) and the related technical, regulatory and implementation rules.
If the advantage gained by the author of the violation exceeds the maximum limits of €5 million or €3.5 million, the administrative sanction is increased to up to twice the amount of the advantage gained, provided that this amount can be determined. In such cases, an accessory administrative sanction of a temporary ban for a period of not less than six months and not more than three years may also be imposed by the Bank of Italy.
Finally, it is worth mentioning that the Supreme Court of Cassation has developed a well-established line of case law on the liability of non-executive directors of a bank, holding that non-executive directors have a duty to act on an informed basis and to take the initiative to ask for information in the presence of so-called “danger signs” («segnali di allarme»). Accordingly, non-executive directors of a bank are liable when, in the presence of warning signs, they fail to take action to prevent the event or to eliminate or mitigate its harmful consequences.
-
What regulatory, supervisory or market developments are likely to have the most significant impact on the banking sector in the jurisdiction over the next 12 to 18 months?
Over the next 12–18 months, the Italian banking sector is expected to be shaped by a combination of EU-level regulatory reforms, intensified supervisory scrutiny and macro-financial pressures, with the following developments likely to be most impactful.
The implementation phase of the EU Banking Package (CRR III/CRD VI) will be pivotal for the Italian banking sector. Although CRD VI has started to apply in 2026, its operational impact will materialise progressively as secondary legislation and supervisory guidance are issued, particularly in the areas of governance, suitability, qualifying holdings, and supervisory approvals for significant transactions. While these developments will be significant and will require targeted organisational and compliance adjustments, they are not expected to be disruptive in structural terms.
In parallel, the new third-country branch (TCB) regime introduced by CRD VI – fully applicable from 2027 but already prompting preparatory action – is expected to have a particularly far-reaching impact on non-EU banks operating in, or targeting, Italy. In particular, the requirement to establish a local branch in order to provide core banking services such as deposit-taking, lending, and the issuance of guarantees will represent a structural shift for third-country institutions that have so far operated on a cross-border basis under the freedom to provide services. Unlike other elements of the reform, these provisions are likely to entail substantial operational, organizational, and strategic adjustments. Accordingly, affected groups are reassessing cross-border service models, booking arrangements, capital allocation strategies, and the governance frameworks of prospective Italian branches to ensure alignment with the forthcoming authorization, substance, and reporting requirements.
At EU level, ECB supervisory priorities for 2026–2028 signal continued focus on resilience to geopolitical and macro-financial shocks, alongside heightened scrutiny of operational resilience, ICT risk and digital transformation strategies. These priorities are expected to translate into more intrusive SREP assessments and remediation expectations. In particular, the operationalization of DORA is moving from implementation to enforcement. Supervisors are beginning to test institutions’ ICT risk governance, outsourcing frameworks and incident-reporting capabilities, making operational resilience a core prudential topic rather than a purely technical compliance exercise.
Another important regulatory development is expected with the forthcoming entry into force of the EU AML package, including the new AML Regulation and the gradual establishment of AMLA. These reforms are already triggering significant implementation programs across governance, group-wide internal controls, and customer due diligence frameworks, as institutions prepare for a more harmonized rulebook and an increasingly centralized supervisory model at EU level.
Further significant regulatory interventions may also stem from the forthcoming Retail Investment Package and the Savings and Investment Union strategy, both of which are expected to reshape elements of the EU financial services framework, particularly in relation to investor protection, distribution models, and capital markets integration. As regards the Retail Investment Package, however, the final legislative text is still pending, as the outcome of the ongoing interinstitutional negotiations has yet to be finalised.
Finally, market conditions – particularly funding costs, sovereign-spread volatility and credit-quality trends in interest-sensitive sectors – are likely to interact with regulatory expectations, keeping capital planning, liquidity management and risk appetite frameworks under close supervisory scrutiny.
Italy: Banking & Finance
This country-specific Q&A provides an overview of Banking & Finance laws and regulations applicable in Italy.