EU & Italian Regulatory Framework • Case Law Analysis • 2026
The European and Italian legal landscape regarding cybercrime fraud has undergone a radical transformation between 2025 and early 2026. At the center of this revolution lies the balance between the technological security obligations of payment service providers (PSPs) and the duty to provide immediate reimbursement to account holders who fall victim to increasingly sophisticated techniques, such as spoofing and the use of artificial intelligence.
Although Directive PSD2 (implemented in Italy through Legislative Decree 11/2010) still constitutes the normative foundation, 2026 marks the turning point with the full operational implementation of EU Regulation PSR (Payment Services Regulation).
The PSR has introduced crucial innovations:

- When a fraudster manipulates the bank's identity (SMS messages appearing in official chat threads or calls from genuine bank telephone numbers), the bank is obligated to reimburse the customer, unless it proves the user's malicious intent.
- It is no longer sufficient to demonstrate merely the transmission of an OTP code; the institution must prove that its Strong Customer Authentication system was impenetrable and equipped with dynamic transaction monitoring.
A cornerstone of this new approach is constituted by the conclusions of Advocate General Athanasios Rantos, presented on March 5, 2025, in Case C-70/25.
The Advocate General established that Article 73 of PSD2 imposes upon the bank an obligation of immediate reimbursement (within the next business day following the report).
The bank cannot suspend compensation by invoking the customer's "gross negligence" to justify prolonged investigations; reimbursement may be denied only if there is a well-founded and communicated suspicion of fraud committed by the customer himself.
National jurisprudence has rapidly aligned with these principles, intensifying the burden of proof borne by banks and enhancing privacy protections.
Recent rulings have established that falling victim to particularly insidious phishing does not constitute gross negligence. A fundamental reference is Judgment No. 1137 of January 19, 2026, by the Court of Cassation (Civil Division), which reaffirms the rigorous criteria of professional diligence required of banks.
The Court of Rome (Judgment 1656/2025) confirmed that the bank is liable if its systems fail to block transactions that are patently inconsistent with the customer's spending profile.
The ECtHR (case Ferrieri and Bonassisa v. Italy, January 8, 2026) recalled that the security of banking data constitutes an integral component of the right to private life (Article 8 ECHR), thereby indirectly reinforcing the PSP's obligation to guarantee inviolable infrastructure.
| Aspect | Previous Rules | 2026 Orientation (PSR/CJEU) |
|---|---|---|
| Reimbursement | Often suspended pending technical expert evaluation | Immediate, subject to proof of customer fraud |
| Burden of Proof | OTP transmission log was sufficient | Evidence of anti-spoofing monitoring required |
| Customer Negligence | Readily invoked to deny compensation | Restrictively interpreted (effectively null in cases of spoofing) |
Avvocato Carlo Carta
Italian Attorney at Law | Banking Law & Financial Fraud Specialist
Expert Italian attorney specializing in banking disputes, corporate law, and financial fraud. Serving clients nationally across Italy and internationally with offices in Milan and Cagliari.
Sources:

- Regulation (EU) 2024/886 (Instant Payments/PSR), full text available on EUR-Lex.
- ECtHR Judgment Ferrieri and Bonassisa v. Italy (01/08/2026), PDF available from the Chamber of Deputies.
In 2026, the enterprise risk associated with digital fraud has been almost entirely transferred to banks. The protection of account holders is no longer an exception but the cardinal principle of the European legal order.
If you've been a victim of online banking fraud, contact us for expert legal counsel on your rights and remedies under the new 2026 regulatory framework.