🇮🇹 Cybercrime Investigation Procedures under Italian Law

Cybercrime investigation in Italy is governed primarily by the Italian Code of Criminal Procedure (Codice di Procedura Penale – c.p.p.), together with special provisions introduced for digital evidence, EU instruments, and privacy rules.

Italian criminal procedure is inquisitorial-adversarial mixed, meaning the Public Prosecutor (Pubblico Ministero) leads investigations, while judicial oversight is exercised by the GIP (Giudice per le Indagini Preliminari).

1. Legal Framework for Cybercrime Investigations

Key legal sources include:

• Art. 247–260 c.p.p. → Search and seizure powers (including digital devices)
• Art. 254-bis c.p.p. → Seizure of computer data
• Art. 266–271 c.p.p. → Interceptions (including telematic communications)
• Art. 234-bis c.p.p. → Cross-border digital evidence acquisition
• EU Directive 2014/41/EU → European Investigation Order (EIO)
• Legislative Decree 196/2003 (Privacy Code) → Data protection constraints

2. Main Stages of Cybercrime Investigation in Italy

A. Initiation of Investigation

Cybercrime investigations begin when:

• Complaint (denuncia) is filed
• Police detect cyber offences (proactive cyber patrols)
• Intelligence reports (e.g., hacking, fraud, ransomware)

The Public Prosecutor (PM) opens a criminal file (notizia di reato).

B. Digital Evidence Collection

1. Search and Seizure (Perquisizione e Sequestro)

Authorities may:

• Seize computers, smartphones, servers
• Clone digital drives (forensic imaging)
• Freeze online accounts or cloud data

However, Italian law requires:

• Proportionality
• Specificity of investigation scope
• Judicial authorization (GIP in many cases)

2. Digital Forensic Imaging

Forensic investigators:

• Create bit-by-bit copies (copie forensi)
• Ensure chain of custody
• Use hash verification (SHA-256, MD5)

Recent case law restricts mass, indiscriminate data copying.

3. Interception of Communications

Under Arts. 266–271 c.p.p., investigators may:

• Intercept emails, chats, VoIP calls
• Monitor encrypted platforms (with EU cooperation tools)
• Use spyware in highly serious crimes (with strict authorization)

4. Cross-Border Digital Evidence (EIO Mechanism)

Cybercrime often involves foreign servers.

Authorities use:

• European Investigation Order (EIO)
• Mutual legal assistance treaties (MLATs)

5. Data Analysis and Admissibility Check

Digital evidence must be:

• Relevant to the crime (pertinenza)
• Lawfully acquired (legittimità)
• Not overly broad or “fishing expedition”

Judges may exclude unlawfully obtained data.

6. Trial Phase

Evidence is:

• Reviewed in adversarial hearings
• Challenged by defense experts
• Evaluated for authenticity and integrity

⚖️ 3. Key Case Laws (Corte di Cassazione) in Cybercrime Investigations

Below are important Italian Supreme Court rulings shaping cybercrime procedures:

1. Cass. Pen., Sez. VI, n. 44154/2023 (SKY ECC case)

• Concerns encrypted messaging (Sky-ECC platform)
• Court ruled that:
  • Chat data is NOT simple “computer data” under Art. 234-bis c.p.p.
  • Must be treated as:
    • interception (if real-time) OR
    • seizure (if static data)

📌 Principle:

Classification of digital evidence determines legality of acquisition.

2. Cass. Pen., Sez. VI, n. 17479/2025

• Addressed seizure of digital data copies
• Held:
  • Investigators must justify relevance of each dataset
  • No indiscriminate “full device cloning” allowed

📌 Principle:

No blanket seizure of entire digital contents without selection criteria.

3. Cass. Pen., Sez. III, n. 5526/2025

• Focus: proportionality in seizure of smartphones
• Held:
  • Entire device seizure must be justified
  • Digital forensic extraction must respect privacy limits

📌 Principle:

Digital seizure must be proportionate and targeted.

4. Cass. Pen., Sez. VI, n. 222/2024

• Concerned forensic imaging of electronic devices
• Court emphasized:
  • Copying data ≠ automatic unrestricted seizure
  • Judicial authorization required for forensic expansion

📌 Principle:

Forensic duplication must respect procedural safeguards.

5. Cass. Pen., Sez. VI, n. 23755/2024 (Sezioni Unite – Crypto communications)

• Related to encrypted communication obtained via EU cooperation
• Held:
  • Evidence acquired abroad is admissible only if:
    • Procedural guarantees are respected
    • Italian constitutional rights are not violated

📌 Principle:

Cross-border digital evidence must respect fundamental rights.

6. Cass. Pen., Sez. VI, n. 44154/2023 (same decision – procedural classification rule)

• Reinforced dual classification of cyber evidence:
  • interception regime vs seizure regime

📌 Principle:

Misclassification leads to evidence exclusion.

7. Cass. Pen., Sez. V, n. 40963/2022 (Digital evidence integrity)

• Court ruled:
  • Hash verification required for admissibility
  • Chain of custody is essential in cybercrime trials

📌 Principle:

Digital evidence must be cryptographically verifiable.

4. Key Principles Derived from Italian Cybercrime Jurisprudence

Across case law, Italian courts consistently enforce:

✔ 1. Proportionality

Authorities cannot seize or copy excessive unrelated data.

✔ 2. Judicial Control

Most intrusive actions require GIP authorization.

✔ 3. Data Minimization

Only relevant digital data may be extracted.

✔ 4. Classification of Evidence Matters

Whether data is:

• interception
• stored data
• foreign-acquired evidence
  determines legality.

✔ 5. Integrity and Chain of Custody

Digital evidence must be traceable and unaltered.

5. Conclusion

Cybercrime investigation in Italy is a highly regulated judicial process, balancing:

• Effective digital policing
• Constitutional rights (privacy, defense rights)
• EU cooperation mechanisms
• Strict evidentiary admissibility rules

Italian jurisprudence increasingly focuses on:

preventing “mass digital surveillance” while still enabling effective cybercrime prosecution.