The Bank of Italy has issued a market communication urging directly supervised intermediaries to promptly strengthen their digital operational resilience, risk management and security controls in response to cyber threats amplified by advanced artificial intelligence models. Framed in line with the European supervisory approach and the Digital Operational Resilience Act (DORA), the communication says newer AI tools can sharply shorten the time between discovery of software vulnerabilities and their exploitation, increasing the risk of effective cyberattacks against financial firms. The measures highlighted cover governance, cyber hygiene, IT asset management, vulnerability and patch management, monitoring and testing. Boards and senior management are expected to update the risk appetite framework to reflect frontier technology risks, strengthen accountability including for data security, oversee external IT providers through tighter contractual and selection standards, and ensure appropriate technology expertise and training. Intermediaries are also asked to adopt defense-in-depth controls, maintain reliable inventories of IT assets and internet-facing exposures, modernize legacy systems, accelerate remediation of critical and zero-day vulnerabilities, strengthen application, access and network traffic monitoring, and run more robust operational resilience, response, recovery and crisis tests. The communication also stresses that increasing reliance on external providers can widen vulnerabilities through concentrated and multilayer supply chains. Each firm is expected to have its board review the communication in a joint meeting with the board of statutory auditors and begin preparing a report for each risk area that assesses current exposure, the adequacy of existing controls, key gaps, intervention priorities and a proportionate work plan covering actions, timing, investment needs and board oversight. Firms must also designate and notify the supervisory authority of a specific internal point of responsibility. The report, together with the work plan, must be submitted to supervision by 31 December 2026.