On 22 March 2022, several Government-enacted emergency measures came into force in response to the dramatic humanitarian and far reaching economic effects of Russia’s invasion of Ukraine. These emergency measures are contained in Law Decree No. 21/2022 (“Decree 21/2022“) and they introduce, among others, significant changes to the Italian regulations around foreign investment review (FIR) as this had been set out already exactly ten years ago.


The Italian FIR regime applies to any transaction involving a change of control, ownership, availability or use (“CoC“) of “strategic” assets in certain industry sectors. Such CoC requires prior notification to, and approval by, the Italian Government.

The industry sectors relevant for Italian FIR purposes are in line with those covered under Regulation (EU) 452/2019 (“EU Regulation“) for the establishment of a framework for the screening of foreign direct investment into the European Union (“EU Regulated Sectors“). The EU Regulated Sectors are:

  • Defense and homeland security (which encompasses also 5G technology)
  • Communications, energy and transportation
  • Critical infrastructures, such as water, health, media, data processing or storage, electoral or financial infrastructure, and sensitive facilities
  • Critical technologies and dual use items, including artificial intelligence, robotics, semiconductors, cybersecurity, energy storage, quantum computing, supply of critical inputs and nuclear technologies as well as nanotechnologies and biotechnologies
  • Food security, sensitive information – including personal data – and media freedom and plurality

The Italian Government added the following industry sectors: finance, including credit and insurance, as well as manufacturing, import and distribution of medical and surgical devices and personal protective equipment (PPE).

The amendments approved by way of Decree 21/2022 not only affect the FIR process vis-à-vis the Italian Government, but also tighten the FIR requirements for certain industry sectors with increased strategic relevance as a result of the current international scenario.

FIR Notification and Clearance

Decree 21/2022 allows an investor that acquires control over any entity operating in a strategic sector (“Investor“) to make a joint notification with such strategic entity whose participations are acquired (“Target“). If the Investor does not make the notification jointly with the Target, then the Investor is required to inform the Target to allow the latter to join the FIR process.

The Government has 45 days to approve, impose prescriptions/conditions, or veto the transaction altogether, with such 45-day term being capable of being extended when the Government requires additional information from the players involved as well as when the EU coordination mechanism needs to be completed under the above-mentioned EU Regulation.

If the transaction involving a CoC is carried out before receiving governmental clearance, or in breach of the government-imposed prescriptions or conditions, then such transaction is null and void and the Government may also oblige the parties to reinstate, at their own expenses, the ex ante situation.

Also, without prejudice to the application of criminal sanctions (should the conduct constitute the perpetration of a crime), failure to notify a transaction involving a CoC in strategic sectors, or to carry it out before receiving governmental clearance or in breach of the government-imposed prescriptions or conditions, entails an administrative pecuniary sanction of up to twice as much as the value of the transaction and, in any event, no less than 1% of the aggregate turnover realized in the last fiscal year.

Interestingly, the above-mentioned sanctions apply not only to the Investor or the company distributing its strategic assets, but also to the Target.

The good news from the Investor’s perspective is that Decree 21/2022, in an effort to simplify the process and provide additional regulatory certainty, has introduced a so called ‘pre-notification’ phase during which the Investor may obtain from the Government a preliminary assessment on the possible application of the FIR rules and the qualification of the CoC transaction for clearance.

FIR Industry Sectors

In light of the current international crisis, the Italian Government saw the need to ensure further protection in the fields of national defence, electronic communications networks and procurement of raw materials. To this end, Decree 21/2022 identifies some of the strategic industry sectors that were already appearing on the radar screen of the Government for FIR purposes before the current reform and which are now subject to increased scrutiny.

Such strategic industry sectors are telecommunications, including 5G and cloud technologies, as well as energy, transportation, health, agri-food and finance, including credit and insurance (“Tightened Sectors“).

While 5G technology and cloud technologies are regulated by specific FIR rules and procedures (see below), the Tightened Sectors are part of the EU Regulated Sectors.

In particular, any CoC concerning telecommunications, energy, transportation, health, agri-food and finance, including credit and insurance, will require a prior notification to, and approval by, the Italian Government regardless of the nationality of the Investor, i.e., regardless of whether the Investor is a non-EU or a EU or even an Italian individual or entity. This essentially attracts the Tightened Sectors within a similar sphere of governmental scrutiny as that which 10 years ago had been envisaged for the defence and homeland security sector. Indeed, before Decree 21/2022 entered into force, any individual or entity that acquired control over assets or activities considered to be strategic for the Italian defence and homeland security was required to notify, and obtain clearance by, the Government, regardless of nationality/residency. On the contrary, acquisitions in strategic sectors other than defence and homeland security were relevant for FIR purposes only if the Investor was non-Italian.

5G Technologies and Cloud

Decree 21/2022 has significantly changed the legal framework concerning the Italian FIR scrutiny in the field of 5G technology and cybersecurity, though these have been confirmed to be strategic for national defence and homeland security, not only for the telecoms sector.

The assets and activities falling within the perimeter of the governmental FIR assessment are:

  • Broadband electronic communications services based on 5G technology
  • Additional assets, contracts, activities and technologies that are cybersecurity relevant, including those concerning cloud technologies, as these will be further outlined through implementing decrees to be issued by the Italian Prime Minister

In this context, while the previous FIR regime required a notification to the Government within 10 days from each and every purchase of 5G technology based networks or services (plus the governmental green light for such purchase), now Decree 21/2022 requires an advance notification of a broader set of information. In fact, those entities that intend to purchase, in any shape or form, assets or services for the design, construction, maintenance or management of 5G electronic communications networks and services as well as, possibly, cybersecurity or cloud technologies and related high technology-intensive components need to notify the Government with an annual plan before the purchase is made (“Annual Plan“). And this regardless of any CoC in the interested companies.

The Annual Plan needs to include certain information and data to allow the Government to assess threats (if any) to the national interests, such as, for example:

  • The notifying company’s purchase pipeline
  • Information on actual and potential suppliers
  • Detailed description of technical specifications concerning the assets, services and high technology-intensive components that are instrumental to the design, implementation, maintenance and management of 5G technology
  • Comprehensive picture of the development plans for the digitalization systems of the notifying company
  • Information around any notifications that may have been made by same company under the so-called Cybersecurity Decree (Law Decree No. 105/2019) so as to allow the National Assessment and Certification Center (Centro di Valutazione e di Certificazione Nazionale – CVCN) to carry out safety checks, including the outcome of such checks

The Annual Plan needs to be notified to the Government on a yearly basis, before proceeding with its implementation, but it can be updated during the year, on a quarterly basis.

The Government has 30 days from notification to approve, or approve with prescriptions/conditions, or else veto the Annual Plan, with such term being capable of being extended if, for example, the Government needs to carry out in-depth analyses around technical aspects or requires additional information from the notifying company or third-parties. The Annual Plan can be approved in whole or in part, or even just for a limited period of time.

The Government will monitor the implementation of the Annual Plan also through specific reports around the activities in progress which the notifying company needs to produce to the Government every six months.

Failure to notify the Annual Plan or to comply with the prescriptions and conditions contained in the governmental approval decree trigger a pecuniary administrative sanction of up to 3% of the company’s turnover, without prejudice to criminal penalties that might apply should the conduct consist in the perpetration of a crime.

Also, if the notifying company starts carrying out the relevant activities before the governmental approval of the Annual Plan or if it acted in breach of the veto or of the conditions contained in the governmental decree, the Government may order the notifying company to restore the ex ante situation. In addition, any contract entered into in breach of the veto or of the government-imposed prescriptions/conditions is null and void and the Government would apply a sanction of up to one twelfth (1/12) of the above-mentioned 3% sanction for each month of delay in the restoration of the ex ante situation.


Decree 21/2022 also introduces changes in the cybersecurity area. More specifically, public agencies and State bodies must promptly ‘diversify’ the cybersecurity products and services they are currently using in order to prevent harms that may be caused to the security of their networks, IT systems and services arising from the risk that Russia-related manufacturing companies might not be able to provide services and updates to the IT security related technology products and services which they had supplied to the above-mentioned public agencies and State bodies.

The products and services which need to be so diversified are set out by the National Cybersecurity Agency among those which are aimed at ensuring the following safety functions:

  1. Devices security (endpoint security), including anti-virus, anti-malware and endpoint-detection-and-response (EDR) applications
  2. Web application firewall (WAF)

Decree 21/2022 provides for detailed instructions on how public administrations and agencies have to purchase further IT security related technological products or services, together with the relevant support services. More in general, the Government may now order the total or partial disabling of one or more devices or products used in vulnerable networks, information systems and IT services, in the event of a serious and imminent risk for the national security and for as long as strictly necessary for the elimination of the specific risk factor or for its mitigation, even departing from any existing rule of law. As this can be a significantly disruptive event, the governmental order that might be issued in this case needs to comply with strict proportionality criteria.

Conclusion – What has changed?

Through Decree 21/2022, the Italian Government continues its path towards not only increased scrutiny of strategic sectors, but also heightened regulatory certainty. This is of the essence, particularly given the mandatory, pre-close nature of the Italian FIR regime.

However, while, on the one hand, Investors and 5G suppliers as well as cybersecurity and cloud players will be able to rely on a more specific set of FIR rules to assess whether a CoC or certain high tech-intensive supply contracts require a FIR filing in Italy, on the other hand, stakeholders might face additional challenges and obligations before getting to completion of the deal.

For these reasons, the new obligations introduced with immediate effect by Decree 21/2022 will need to be carefully assessed on a timely basis at the outset of any acquisition project, when looking at investments in strategic sectors or procurement of 5G or cybersecurity and cloud related technologies. This also with a view at optimizing FIR activities and streamlining decision making processes within companies’ management bodies and governance structures.