28 April 2026
Legal and Regulatory updates
New IVASS Consultation Document on MTPL – 23 March 2026
On 23 March 2026 the Italian Insurance Regulatory Authority (IVASS) published consultation document 2/2026 (the Consultation Document). The Consultation Document concerns:
- a draft Regulation (the Regulation) concerning the template for the annual report on the prevention of fraud in the motor liability insurance sector;
- a revision of the regulations set out in ISVAP Regulation No 44 of 9 August 2012, introducing new data relating to the activities carried out by companies in the fight against fraud; and
- a technological upgrade in the stages of data transmission, reception, validation and recording through the use of the INFOSTAT platform.
Below is a brief summary of the contents of the Regulation.
Article 3 specifies the scope of application of the Regulation. It applies to insurance undertakings authorised in Italy and to undertakings with their registered office in an EU member state that are authorised to operate in Italy, under the freedom to provide services or under the right of establishment, and to provide compulsory motor vehicle liability insurance within the territory of the Italian Republic.
Articles 4 and 5 set out, respectively, the purpose and the content of the report described in the Regulation. With regard to the purpose, the text states that the report should provide the information necessary to assess the effectiveness of processes, systems and personnel, to ensure that the company’s organisational structure is adequate for the purpose of preventing and combating fraud.
As regards the content of the report, Article 5 stipulates that it consists of four numerical tables and a questionnaire. Each of the tables constitutes an annex to the Consultation Document:
- Table MANFR_S2P1 contains data broken down by province, by location of the loss, by type of management (whether in-house or as a designated firm) and by reference year, relating to the following types of claims:
  - claims reported in the reference year, expressed per risk unit;
  - claims exposed to the risk of fraud;
  - claims subject to specific investigation;
  - claims closed without further action following anti-fraud measures;
  - claims for which complaints or legal proceedings have been filed;
  - claims subject to disallowance.
- Table MANFR_S2P2 contains the above data relating to claims handled under the CARD scheme.
- Table MANFR_S3P1 contains aggregated data on claims or legal proceedings relating to accidents, the company’s subsequent involvement in such proceedings, and the relevant outcome.
- Table MANFR_S3P2 contains aggregated data on complaints or claims relating to contracts and contractual documentation, including those concerning contracts cancelled due to identity theft and fictitious ownership.
Finally, Annex 5 to the Consultation Paper contains a questionnaire setting out information on the company’s organisational structure and the procedures – including IT-related procedures – adopted by the company to prevent and combat the risk of fraud, both when taking out policies and when settling claims.
Regarding the deadlines for submitting the report, the Regulation states:
- Insurance undertakings authorised in Italy must submit the report, approved by the board of directors, within one month of the date of approval of the annual financial statements.
- Undertakings with their registered office in an EU member state, as referred to in Article 3, have to submit the report by 31 May each year.
The technical procedures for submitting the tables and questionnaire are set out in the document entitled “Instructions for the electronic submission of data relating to the regulation on the preparation of the anti-fraud activity report template,” with an Excel spreadsheet illustrating the data layout. Both are available on the IVASS website in the section dedicated to the Motor Liability Insurance and Anti-Fraud Databases.
The draft Regulation repeals ISVAP Regulation No. 44 of 9 August 2012 and IVASS Order No. 1 of 19 March 2013 and will enter into force on the day following its publication in the Official Gazette of the Italian Republic.
Any comments, observations or suggestions with regard to the Regulation should be sent to IVASS by 22 April 2026 to relazioneantifrode@ivass.it, using the file attached to the Consultation Document, available here.
The Consultation Document is available here.
Italy implements the ‘oncological right to be forgotten’: IVASS Order No. 169 and its impact on insurance – 10 February 2026
With Order No. 169 of 15 January 2026 (the Order), the Italian Insurance Supervisory Authority (IVASS) implemented Law No. 193 of 7 December 2023.
The law covers “Provisions for the prevention of discrimination and the protection of the rights of persons who have been affected by cancer.”
The law implements Articles 7, 8, 21, 35 and 38 of the EU Charter of Fundamental Rights. It introduces the “oncological right to be forgotten.” This is the right of people who’ve recovered from cancer not to provide information or undergo investigations regarding their previous medical condition. It applies to cases concerning banking, financial, investment and insurance services.
In implementing this principle, IVASS was the first supervisory authority in the sectors affected by the law to issue detailed provisions.
The Order introduces amendments to IVASS Regulations nos. 40 and 41. They concern, respectively, the distribution and disclosure of information, advertising and the creation of insurance products, replicating the provisions of the law.
The amendments establish that:
- requests for information on the policyholder’s past health status for the purposes of entering into or renewing an insurance contract (or other contract) aren’t permitted if more than ten years have elapsed since the last active treatment of the condition without any recurrence;
- at all stages of access to services (including insurance services), distributors must provide adequate information about the above right;
- no additional costs, limits or charges can be applied to people who’ve been in the circumstances described above compared to the general public of policyholders;
- companies are prohibited from requesting medical examinations for the purpose of entering into new contracts; and
- any information previously acquired on the policyholder’s state of health can’t be used to assess the policyholder’s solvency. The policyholder can take steps to request certification of their current state of health to ask for previous health data held by the distributor/insurance operator to be deleted.
With regard to the above and with reference to Regulation 40, the Order introduces a series of additional information/operational obligations for distributors, in addition to those already contained in the Regulation. The obligations include:
- The obligation to provide pre-contractual information when concluding or renewing an insurance contract on the existence of the oncological right to be forgotten. This article has resulted in the addition of a provision to the Single Pre-Contractual Form (MUP), delivered by distributors to potential policyholders, with the inclusion of wording indicated by the Supervisory Authority.
- The prohibition on acquiring, through health checks/use of information (including previously acquired information) on the state of health of the policyholder/insured person, if more than ten years have elapsed since the last active treatment of the disease.
- The prohibition on the application of limits, costs and additional charges compared to the general public of contractors.
- The prohibition on the use of information on previous oncological pathologies, if already acquired, for risk assessment.
With reference to Regulation 41, IVASS clarifies in the Order that introducing additional information requirements determines the natural derogation from the principle set out in the previous IVASS Order no. 147/2024. According to this previous order, the maximum length of the Additional DIPs couldn’t exceed three pages. IVASS has clarified in the results of the consultation on the Order that the information requirements apply to all insurance products, except those relating to motor vehicle liability insurance. Even with regard to the Additional DIPs, IVASS has indicated specific wording to be included in new sections of the document.
Neither the law nor the Order clarify the impact of the new regulatory provisions on existing contracts.
The law merely requires the (insurance) operator to delete data relating to the customer’s previous state of health at the customer’s request and not to take the data into account when assessing the customer’s solvency, without providing further guidance, which may be expected from the implementing measures.
The Order doesn’t clarify these aspects.
It’s clear that – once it enters into force on 10 February – the law will apply to insurance contracts entered into or renewed after that date. But there’s no guidance on how operators should act regarding existing contracts – outside of cases of new contracts or renewals – when they receive confirmation that the condition has been met.
One of the aims of the law is to avoid individuals who have recovered from an illness being treated differently compared to the general public. But the Order doesn’t provide any operational guidance on this point. For example, should a portion of the premium be refunded in the event of advance payment in a single instalment, once certification of recovery has been received?
The authorities whose areas are affected by the law should – in consultation with the Data Protection Authority – provide clear guidance to avoid any unequal treatment between users of banking, financial and insurance services covered by the law.
Oncological right to be forgotten and insurance pre-contractual documentation – 27 January 2026
IVASS Order no. 169/2026 concerning the oncological right to be forgotten and amending and supplementing IVASS Regulations no. 40/2018 and no. 41/2018 (the Order) was published on 26 January 2026 in the Official Gazette of the Italian Republic.
From 27 January 2026, the 15 days provided by IVASS will begin to run, allowing insurance undertakings to adapt to the changes introduced by the Order and, specifically, to modify the MUPs and Additional IPIDs.
Oncological right to be forgotten and precontractual documentation – 23 January 2026
On 15 January 2026, IVASS issued Order no. 169/2026 concerning the oncological right to be forgotten and amending and supplementing IVASS Regulations no. 40/2018 and no. 41/2018 (the Order).
Law no. 193/2023 introduces a ban on insurance companies and intermediaries requesting information on the health status of clients who have previously suffered from oncological pathologies. The ban applies when clients take out or renew insurance contracts, when a certain amount of time – which varies according to the pathology and the client's age – has passed without the illness returning.
The Law indicates that the oncological right to be forgotten needs to be expressly mentioned in the documentation to conclude or renew insurance contracts.
IVASS has also introduced new provisions in IVASS Regulations no. 40/2018 (Regulation 40) and no. 41/2018 (Regulation 41), modifying the insurance precontractual information documentation.
Amendments and additions to Regulation 40
The Order adds some new definitions in Regulation 40 on the oncological right to be forgotten and introduces the new articles 56-bis and 56-ter.
Art. 56-bis indicates that distributors, when concluding or renewing an insurance contract, have to provide the policyholder with the information on the oncological right to be forgotten. This information must be included in the single pre-contractual form (the so-called MUP).
The MUPs are amended with indications on the oncological right to be forgotten.
Art. 56-bis also provides that distributors cannot ask the client for, or otherwise obtain, any information about previous oncological conditions. If distributors have such information, it cannot be used either in the precontractual phase to determine the terms and conditions to be applied to the client (eg limitations, exclusions, premium amount) or during the execution of the contract itself for assessing the risk of the transaction or of the solvency (eg to establish the amount of the insurance benefit).
Article 56-ter states how the policyholder or the insured exercises their oncological right to be forgotten. The policyholder has to send certification to the distributor to certify the existence of the necessary requirements for the oncological right to be forgotten. Once the certification has been submitted, distributors have to delete the information held on the policyholder's or the insured person's past oncological condition in the next 30 days. The certification has to be retained for ten years.
Amendments and additions to Regulation 41
The Order adds some new definitions on the oncological right to be forgotten. It also introduces amendments to the Life, IBIPs, Multi-risk and non-life Additional IPIDs on this right.
The Order indicates that the printed version of the Additional IPIDs can have one page more than is required by Regulation 41 to add information on the oncological right to be forgotten (and to add information on the newly introduced Insurance Arbitrator).
The Order enters into force the day after its publication in the Italian Official Gazette.
Insurance undertakings and intermediaries have to comply with the Order (and modify MUPs and Additional IPIDs) within 15 days from its publication in the Italian Official Gazette.
The Order hasn't yet been published in the Italian Official Gazette. We'll keep you posted in this respect.
You can read the Order, and the modified MUPs and Additional IPIDs, in Italian, here.
EIOPA launches consultation on IRRD – 12 January 2026
On 9 December 2025, the European Insurance and Occupational Pensions Authority (EIOPA) published on its website a set of seven consultation papers to support the implementation of the Insurance Recovery and Resolution Directive (the IRRD or the Directive).
The Directive, which must be transposed into national law by 28 January 2027, aims to establish a harmonised framework for crisis management in the European insurance sector, enhancing financial stability and policyholder protection.
Scope of the consultation
The proposals cover:
- Pre-emptive recovery plans: insurers will have to prepare detailed plans outlining corrective measures and crisis scenarios.
- Criteria for simplified obligations: conditions under which smaller or less complex undertakings can apply reduced requirements.
- Qualitative and quantitative indicators: capital and liquidity metrics to monitor financial soundness and trigger timely recovery actions.
- Independence of valuers: rules to ensure autonomy and impartiality of entities assessing assets and liabilities during resolution.
- Contractual recognition of stay powers: mandatory clauses allowing authorities to temporarily suspend contractual rights in resolution scenarios.
- Valuation of derivative liabilities: technical standards for determining the value of derivative positions under stress conditions.
Deadlines
- Public consultation: open until 20 March 2026 via EIOPA’s online portal.
- National transposition: by 28 January 2027.
- Directive application: January 2027.
The IRRD is aiming to create a consistent European approach to managing insurance failures, preventing systemic contagion and safeguarding policyholder interests. Insurers should start reviewing their recovery planning processes and contractual frameworks to comply with the upcoming requirements.
IVASS publishes first update to national TIBER-IT cybersecurity framework – 17 December 2025
On 11 December 2025 IVASS published an update about the National TIBER-IT Guide for Advanced Cybersecurity Testing for the Italian Financial Sector (TIBER-IT Guide) made by Italy’s Central Bank, CONSOB and IVASS.
TIBER-IT stands for Threat Intelligence Based Ethical Red-Teaming – Italia, and it implements TIBER-EU at national level. The aim is to simulate potential cyber-attacks by reproducing the tactics, techniques and procedures of real threat actors. The European Central Bank introduced the TIBER-EU in 2018.
The DORA Regulation, which came into force in 2025, made these testing tools mandatory for financial entities of major importance. Known as Threat-Led Penetration Testing (TLPT), the tools help the financial system verify digital operational resilience.
The competent authorities of each member state are responsible for identifying which financial entities have to use these testing tools. They base their decision on qualitative and quantitative criteria defined in (EU) Delegated Regulation 2025/1190.
In the first update of the TIBER-IT Guide (TIBER-IT update), in line with the DORA Regulation, Italy's Central Bank, CONSOB and IVASS have identified which financial entities will have to conduct security tests at least every three years:
- financial entities defined in article 2, paragraph 2, of the DORA Regulation, including:
  - insurance and reinsurance undertakings
  - insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
  - institutions for occupational retirement provision
  - credit institutions
  - account information service providers
  - trading venues
  - management companies
  - credit rating agencies
  - crowdfunding service providers
- payment systems
- technological support or network infrastructures
- Poste Italiane S.p.A.
- financial intermediaries as defined in article 106 TUB (Consolidated Banking Law)
- service providers of the aforementioned entities
Other financial entities can carry out a voluntary test and can send questions regarding the operation of TIBER-IT to: tiber-it@bancaditalia.it.
The TIBER-IT Guide states that the competent authority will formally notify the financial entity required to perform the tests. Then the TIBER Authority (ie the competent authority that runs all the activities related to a TIBER-IT test) will notify the financial entity when the process starts.
While the TLPT is mandatory for entities identified by competent authorities, the voluntary TLPT test is used mainly as a prudential supervisory tool. The process is the same for both the mandatory and the voluntary test. The main purpose is to increase the cyber resilience of the entity being tested, including taking advantage of the learning opportunities experienced during the test.
In accordance with the TIBER-EU framework and the provisions in DORA, it’s also possible to carry out cross-border TLPTs or TLPTs involving multiple financial entities. Multiparty testing – which includes joint tests and pooled tests – is especially useful for entities that operate in multiple countries or share the same technological infrastructure or ICT providers.
Supervisory fee set by IVASS – 15 December 2025
On 12 December 2025 IVASS issued Order no. 166 on the determination of the percentage for calculating management charges to be deducted from the insurance premiums collected in 2026 to calculate the supervisory fee on insurance and reinsurance activity (the Order).
The Order establishes that, for the 2026 financial year, the rate for management fees to be deducted from premiums collected is set at 4.4% of the premiums.
TIBER-IT – 12 December 2025
On 11 December 2025 IVASS published news on its website regarding an update of the National TIBER-IT Guide for Advanced Cybersecurity Testing for the Italian Financial Sector (TIBER-IT Guide) made by Italy's Central Bank, CONSOB and IVASS.
As you might be aware, TIBER-IT stands for Threat Intelligence Based Ethical Red-Teaming – Italia and implements at national level TIBER-EU, a tool that simulates potential cyber-attacks by reproducing the tactics, techniques and procedures of real threat actors, first introduced by the European Central Bank in 2018.
The DORA Regulation, which came into force in 2025, made the use of such testing tools, known as Threat-Led Penetration Testing (TLPT), mandatory for financial entities of major importance to the financial system to verify their digital operational resilience.
The financial entities for which these testing tools are mandatory are identified by the competent authorities of each member state on the basis of qualitative and quantitative criteria defined in (EU) Delegated Regulation 2025/1190.
Italy's Central Bank, CONSOB and IVASS have published the first update of the TIBER-IT Guide (TIBER-IT update) in line with the provisions of the DORA Regulation. It identifies the financial entities for which the security tests are mandatory at least every three years:
- financial entities as defined in article 2, paragraph 2, of the DORA Regulation, including:
  - insurance and reinsurance undertakings
  - insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
  - institutions for occupational retirement provision
  - credit institutions
  - account information service providers
  - trading venues
  - management companies
  - credit rating agencies
  - crowdfunding service providers
- payment systems
- technological support or network infrastructures
- Poste Italiane S.p.A.
- financial intermediaries as defined in article 106 TUB (Consolidated Banking Law)
- the service providers of the aforementioned entities
Other financial entities wishing to carry out a voluntary test can also send questions regarding the operation of TIBER-IT to the following address: tiber-it@bancaditalia.it.
With regard to the operation of the TLPT, the TIBER-IT Guide provides that the competent authority identifies the financial entity required to perform the tests by means of formal notification. Subsequently, the TIBER Authority (ie the competent authority who runs all the activities related to a TIBER-IT test) will notify the financial entity of the start of the process.
The differences between a mandatory TLPT and a voluntary test lie essentially in the mandatory nature of the former and its use as a prudential supervisory tool for the latter. The process for performing the individual test is the same, and the main purpose is to increase the cyber resilience of the entity being tested, including by leveraging the learning opportunities experienced during the test.
Finally, in accordance with the TIBER-EU framework and the provisions contained in DORA, there is the possibility of carrying out cross-border TLPTs and/or TLPTs involving multiple financial entities, especially in the case of entities operating in multiple countries and/or sharing the same technological infrastructure or ICT providers: so-called multiparty testing, which includes joint tests and pooled tests.
IVASS Order amending IVASS Regulation no. 7/2014 on administrative proceedings – 5 December 2025
On 3 December 2025, IVASS published Order no. 164 amending IVASS Regulation no. 7/2014 on IVASS administrative proceedings and IVASS units responsible for them (respectively, the Order and the Regulation).
The amendments by the Order to the Regulation arise from the need to update Annex 1 of the Regulation, which lists the supervisory proceedings carried out by IVASS and the timing of each proceeding. The new requirements stem mainly from developments in European and national legislation.
Article 1 of the Order replaces Annex 1 of the Regulation and introduces new proceedings regarding:
- financial conglomerates with a predominant insurance business;
- the identification by IVASS of financial entities to be subjected to threat-led penetration test (TLPT) introduced by the DORA Act;
- the Insurance Arbitrator Board;
- the Guarantee Committee; and
- the payment in instalments of pecuniary sanctions imposed by IVASS.
Article 2 of the Order provides that it will enter into force the day after its publication in the Italian Official Gazette.
How the insurance arbitrator is affecting product documentation: News from IVASS – 4 December 2025
On 3 December 2025, IVASS published Order no. 163/2025. It introduces new information obligations for insurance companies and intermediaries regarding their precontractual documentation, websites and social network profiles. The changes reflect the upcoming entry into force of the insurance arbitrator.
The order contains amendments to the MUPs (Unique Precontractual Form) that insurance distributors have to provide to prospects. It introduces amendments to the additional IPIDs for the various classes of insurance business. All insurance companies and intermediaries (which joined the scheme of the insurance arbitrator) will have to implement these changes by 14 January 2026.
Impacts of the Insurance Arbitrator on Product Documentation: News from IVASS – 26 November 2025
IVASS has published Order no. 163/2025 (the Order) introducing new information obligations regarding the precontractual documentation, websites and social network profiles of insurance companies and intermediaries reflecting the upcoming entry into force of the insurance arbitrator.
The Order contains a number of amendments to the MUPs (Unique Precontractual Form) to be provided by insurance distributors to prospects, and to the additional IPIDs for the various classes of insurance business, which all the insurance companies and intermediaries (which joined the scheme of the insurance arbitrator) had to implement by 14 January 2026.