
Diritto al Digitale
Diritto al Digitale is the must-listen podcast on innovation law, brought to you by Giulio Coraggio, data and technology lawyer at the global law firm DLA Piper. Each episode explores the cutting-edge legal challenges shaping our digital world—from data privacy and artificial intelligence to the Internet of Things, outsourcing, e-commerce, and intellectual property.
Join us as we illuminate the legal frameworks behind today’s breakthroughs and provide insider insights on how innovation is transforming the future of business and society.
You can contact us using the details available on dlapiper.com.
Ransomware and Crime - A Proposal to Tackle Cyber Extortion in Italy
In this episode of Diritto al Digitale, we explore Italy’s bold move to criminalize ransom payments in response to the growing threat of ransomware attacks. With Italy ranking among the top ransomware targets globally, a new legislative proposal aims to disrupt the business model of cybercriminals by banning ransom payments for critical infrastructure operators, mandating rapid breach notifications, and recognizing ransomware as a national security threat.
Giulio Coraggio, technology and data lawyer at the global law firm DLA Piper, breaks down the key elements of the proposal, the legal and strategic implications for companies of all sizes, and the controversial balance between resilience and compliance.
What is a ransomware attack, and why is banning ransom payments both a radical and risky move?
How can companies—especially small and medium enterprises—prepare for a future where paying a ransom is no longer an option?
We also discuss the role of education in strengthening cybersecurity culture, and Italy’s ambition to lead Europe in the fight against cybercrime.
What if paying ransom to cybercriminals became a crime?
Not just a shady shortcut to retrieve stolen data, but a punishable offense.
And what if, in the name of national security, a government told companies: “Do not give in to digital blackmail”?
It’s not a thought experiment.
It’s happening. In Italy.
A new bill could revolutionize the way we deal with ransomware attacks—turning victims… into criminals?
Welcome to Diritto al Digitale, the podcast where we explore the intersection of law and innovation.
I’m Giulio Coraggio, a technology and data lawyer at the global law firm DLA Piper.
Each week, I take you through the legal challenges, opportunities, and shifts that technology brings to our world and our work.
Today, we’re diving into a legislative proposal in Italy that aims to reshape how we respond to ransomware attacks.
Could it be the game-changer we need—or a well-intentioned overreach?
But first—let’s break it down.
What is a ransomware attack?
A ransomware attack is a form of cyber extortion.
Hackers infiltrate an organization’s IT systems, encrypt their data, and lock users out.
Then, they demand a ransom—often in cryptocurrency—to unlock the files and restore access.
It’s like a digital hostage situation.
And in many cases, the only way to resume operations is to pay the ransom… which is exactly what this proposed law seeks to prevent.
Italy is the third most targeted country in the EU for ransomware attacks—trailing only Germany and France—and the sixth globally.
That’s according to Italy’s National Cybersecurity Agency.
And no one is safe.
From vulnerable small businesses to multinational corporations, these attacks can mean halted operations, leaked personal data, millions in damages—and even layoffs.
The ransomware business model thrives on fear, urgency, and a lack of options.
Until now.
An Italian MP, with the backing of the National Cybersecurity Agency, has introduced a bold bill packed with never-before-seen measures:
- Ban on ransom payments by critical infrastructure operators—unless authorized directly by the Prime Minister in exceptional cases.
- Mandatory notification of ransomware incidents to Italy’s CSIRT within 6 hours.
- Recognition of ransomware as a national security threat, allowing intelligence services to intervene proactively.
- Cross-border undercover operations by Italian law enforcement targeting cybercrime networks.
- Operational support for victims, especially SMEs and local public administrations.
- A dedicated task force for incident coordination and threat intelligence sharing.
- A national fund to provide financial support to victims who meet cybersecurity best practices.
This proposal marks a major shift—from reactive to proactive cybersecurity policy.
The core idea? Cut off the criminals’ lifeline by banning ransom payments.
In theory, it makes sense:
No money, no incentive.
But in practice? Things get murky.
What happens when not paying means a business shuts down?
Or a hospital loses access to patient data?
Should desperate victims be criminalized for trying to survive?
And what about small businesses with no cyber insurance, no response plan, and no way out?
This proposal raises complex legal and ethical questions.
It’s not just about punishment—it’s about preparing businesses for resilience.
One of the most forward-thinking parts of the proposal is its emphasis on cybersecurity education in schools.
In partnership with the Ministry of Education, the government wants to teach kids how to recognize and avoid digital threats.
It’s a smart move.
Because the weakest link in cybersecurity is almost always human.
Investing in the next generation is not just a technical necessity—it’s a cultural obligation.
With this proposal, Italy is positioning itself at the forefront of Europe’s cybercrime response.
In a world where ransomware isn’t just about money—but also about espionage, sabotage, and geopolitical influence—Italy seems ready to lead.
But strong legislation isn’t enough.
We need a coordinated strategy, robust funding, and, above all, public awareness.
So, what do you think?
Is banning ransom payments a brave move—or a risky bet?
How do we balance business continuity with the need to shut down the ransomware economy?
And how can we protect the most vulnerable players—those small organizations who often don’t even know where to start?
I’d love to hear your thoughts.
Write to me at giulio.coraggio@dlapiper.com.
I always appreciate your comments and suggestions—and I often bring them into upcoming episodes.
And if you found this episode insightful, subscribe to Diritto al Digitale on Spotify or Apple Podcasts.
Tap the bell so you don’t miss future episodes, and if you enjoyed this one, leave us a five-star rating.
I’m Giulio Coraggio.
This is Diritto al Digitale.
Arrivederci!