A Map Drawn from the Inside
A large client in a regulated sector asked us, a few months ago, to put the platform on a secure footing. The request came in the usual terms—information security and compliance audit. What they ended up taking home was a DPA Annex 2 articulated across nineteen sections, a technical gap analysis, a remediation roadmap, and a formalised sub-processor chain written to withstand a serious inspection. There wasn’t a single new line of code in what we delivered, nor a platform to license. Structured paperwork and contractual positioning, produced in such a way that they would hold up before anyone who came to ask. The interesting thing is that this wasn’t an exception. It’s the rule that has settled in over our last twelve months of work.
Someone might argue that the map of this market already exists, and that it’s enough to read Gartner’s Magic Quadrant for GRC tools, or to consult Forrester’s reports on privacy-management platforms. That would be a convenient and partly misleading shortcut. Those documents photograph the global platform market—ServiceNow, MetricStream, OneTrust, Drata, and Optro, which renamed AuditBoard just last March. The Italian compliance market has a structure of its own, shaped by the Agenzia per la Cybersicurezza Nazionale, by decreto legislativo 138/2024 (Italy’s NIS2 transposition), by the dominant weight of public administration in total spend, and by the irregular pace at which European directives are operationalised by end clients. To read it you need a map drawn from the inside.
At the Top: Specialist Advisory
It helps to picture the market as an hourglass. At the top, a thick layer of specialist advisory has formed. The Big Four—Deloitte, PwC, EY, KPMG—run GRC practices that by now look interchangeable on paper, and compete more on the names of their senior partners than on their methodologies. Alongside them, and in some cases at a qualitatively higher level, the structured Italian boutiques operate. P4I, part of the Digital360 group, lists more than one hundred and sixty professionals on its site and sells a methodological brand called Advisory Engine, with a catalogued product registered as Compliance360. ICTLC consolidated the legal-tech angle that’s fashionable today, but wasn’t when it started. Spike Reply operates inside the Reply group while keeping a recognisable identity, and covers the full spectrum of cybersecurity and data protection with significant weight on financial and manufacturing dossiers. Deda Tech took the multidisciplinary-team route, where lawyers and economists sit beside engineers, and in public interviews the firm openly says it doesn’t sell technical solutions but trust. The line sounds like marketing, and it matches the actual positioning.
What these firms sell is interpretation. Not a piece of software that does something, but a recognisable person, able to translate a regulation into the specific terms of your supply chain, and to hold the line at the negotiating table on a Data Processing Agreement with an American cloud provider without giving up what shouldn’t be given up. The margins are high and the scalability is low. Dependence on the single name with the grey beard or the academic CV is structural to the model. Growth happens by cooptation—hiring heavy names, acquiring smaller firms that bring consolidated client portfolios as dowry. It’s a mechanism that resembles the legal world more than the software world.
At the Bottom: The Platforms
At the bottom, the platform layer has formed. IntelMarket Research projections value the global GRC platform market at $16.7 billion in 2024, with a 2032 horizon at $32.8 billion and a compound annual rate of 9.9 percent. Other estimates give meaningfully different numbers depending on how the perimeter is drawn, but the direction is the same. ServiceNow GRC is the default for anyone already using ServiceNow for IT service management, and that covers a meaningful slice of the Italian enterprise. MetricStream covers the segment of multinationals with mature GRC programmes. OneTrust turned GDPR into a product and is now repositioning itself on AI governance. Drata and Vanta automate SOC2 and ISO 27001 for startups and scale-ups, with evidence collected continuously and SaaS pricing that fits a CTO’s budget without having to go through the CFO. The Italian portion of this layer is thin. The Italian market for compliance-dedicated software has not produced players of international scale, and local attempts remain confined to single verticals or single clients.
The Compressed Middle Layer
Between these two layers, where the hourglass narrows, sits the middle layer—and that’s where the interesting dynamic lives. It’s the layer of custom compliance software, of bespoke GDPR back-office tools, of vertical ISO 27001 platforms developed by mid-sized Italian software houses. For years it was a comfortable layer. The client didn’t trust American platforms for reasons of data sovereignty, the Big Four were too expensive for the mid-market, and a local software house delivering a branded GDPR portal was the natural answer. Today this layer is compressed from both sides at once. From below, because Drata delivers SOC2 at a fraction of the cost of a bespoke tool, and startups have no reason to commission anything proprietary for a commodity function. From above, because when the problem turns serious—a defensible DPIA, a contract negotiation with Microsoft that doesn’t leave gaps—the client realises software isn’t enough, and that what they need is a person who speaks their language and can sign documents that hold up.
ACN, and the Market Inside the Market
What makes the Italian map structurally different from the global one is ACN. The Regolamento unico per le infrastrutture digitali e i servizi cloud (Italy’s unified rulebook for digital infrastructure and cloud services), the decreto direttoriale 21007 of 27 June 2024, in full effect since 1 August of the same year, has built a market inside the market. Public administration can only buy cloud services if they are qualified QC1, QC2, QC3 or QC4, delivered on infrastructure rated AI1 through AI4, according to a matrix that ties data classification to the permitted service level. Aruba is qualified at the highest tiers, Polo Strategico Nazionale handles data classified as strategic, and a handful of other providers are filling in the remaining cells of the catalogue. For Italian system integrators working with the public sector, the concrete choice becomes binary. You either resell someone else’s qualified cloud, accepting thin margins and an implementer’s role, or you build an advisory that guides the public-sector client through architectural choices, capitalising knowledge of the qualified catalogue as a distinctive asset. When I prepared the proposal for Pescara Multiservice for ACN-qualified cloud hosting based on Aruba VPC at QC3 level—against the actual price-list entry ARB-11504-1 of €217.38/month—the part of the value the client was buying was my translation work between their application requirements and the catalogue’s requirements. Infrastructure was commodity. Interpretation wasn’t.
What System Integrators Are Doing
At this point you can see what’s happening to Italian system integrators, and why. The large ones—Reply, Engineering, Almaviva, NTT Data Italia, Accenture—already run internal GRC practices that compete directly with the Big Four, and in some cases have outperformed them on public contracts. Spike Reply is the canonical example of this movement, but not the only one. The mid-tier firms—Deda Tech, Var Group, Lutech—build multidisciplinary teams and resell their identity as trusted advisors in a new vocabulary. Implementation revenue is still significant, but the high margin lives where you sell days of interpretation, not sprints of development. The small ones face a tighter choice. They can become someone else’s reseller and lose their identity. They can stay specialist implementers in a vertical where domain depth offsets a lack of scale. There’s also a third path, riskier than the others—turning into an advisory boutique and selling knowledge first and implementation second, trading a portion of certain revenue for a positioning that’s still uncertain. Most aren’t choosing—they’re passively absorbing the drift of the market. At Oltrematica we made the choice vertically: private healthcare and local public administration, with serious investment in compliance documentation as a product. That DPA, the five-tier formalisation of a sub-processor chain crossing three companies inside the same industrial group, the analysis of the new DPIA template that the EDPB adopted on March 10 and published on April 14 for consultation through June 9—all of these are pieces of work that, five years ago, we would have done as an accessory to the main project. Today they are the main project, and software comes after, if it comes at all.
Where Value Migrates, and What I Don’t Know About 2027–28
There’s a consequence to all of this that’s worth making explicit. Value in the Italian compliance market is migrating to the two ends of the hourglass. International platforms keep pushing the cost of evidence down, and that pressure won’t stop, because their business model depends on progressive automation. The advisory boutiques and the GRC practices of the large system integrators keep pushing the price of interpretation up, and there’s no technological innovation on the horizon that reduces the cost of an opinion signed by a recognisable name. What’s left in the middle—custom compliance software—faces a fork. It can become specialist inside a vertical to the point of no longer being substitutable by generalist platforms, or it can be absorbed into an advisory offering as a capability rather than a standalone product. The Politecnico di Milano figure that estimates the Italian cyber and data-protection segment at €2.78 billion in 2025 with twelve percent growth doesn’t distinguish between these layers in its surveys, and that’s probably one of the reasons companies in the middle layer keep reading the numbers as good news when in fact they’re saying something subtler.
The most honest sentence I can write about how this market will look in 2027 and 2028, when the Cyber Resilience Act is operational and the AI Act in full enforcement, is that I don’t know. It seems plausible to me that a reconfigured middle layer will emerge, where tools like Claude Code, GitHub SpecKit and their derivatives will let software houses like ours produce compliance artefacts treated as code—versioned, tested, generated from traceable formal specifications. It’s a direction I’m investing in personally and that I’ve been writing about here for several months. But it’s also possible that the middle layer collapses entirely and that the Italian market polarises onto two sides, the way other mature markets did before ours. Twelve months from now this map will need to be redrawn. That will be one of the exercises I take on.
Key takeaways
The Italian compliance market is shaped like an hourglass: a thick layer of specialist advisory at the top (the Big Four plus boutiques like P4I, ICTLC, Spike Reply, Deda Tech), global platforms at the bottom (ServiceNow, OneTrust, Drata, Vanta), and a crushed middle layer of Italian custom GRC software.
What advisory boutiques sell is not software, it’s interpretation: a recognisable person able to translate a regulation into the specific terms of your supply chain, and to hold the line at the negotiating table on a Data Processing Agreement with an American cloud provider without giving up what shouldn’t be given up. High margins, low scalability, structural dependence on heavy names.
The middle layer of custom software is compressed from both sides. From below, because Drata delivers SOC2 at a fraction of the cost of a bespoke GRC tool. From above, because when the problem turns serious—a defensible DPIA, a contract negotiation with Microsoft that doesn’t leave gaps—software is not enough. You need a person who can sign documents that hold up before anyone who comes to ask.
ACN, with the Regolamento unico per le infrastrutture digitali (the decreto direttoriale 21007 of 27 June 2024) and the QC1–QC4 / AI1–AI4 matrix, has built a market inside the market. Public administration can only buy qualified cloud. For Italian system integrators the concrete choice becomes binary: reseller on thin margins, or advisory that capitalises knowledge of the catalogue as a distinctive asset.
Value is migrating to the two ends of the hourglass. Platforms push the cost of evidence down. Boutiques and the GRC practices of the large system integrators push the price of interpretation up. What’s left in the middle bifurcates: vertical specialisation to the point of being non-substitutable, or absorption into an advisory offering as a capability rather than a standalone product.
Questions & answers
Why isn't Gartner's Magic Quadrant enough to read the Italian compliance market?
Those documents photograph the global platform market: ServiceNow, MetricStream, OneTrust, Drata, Optro—which renamed AuditBoard just last March. The Italian market has a structure of its own, shaped by the Agenzia per la Cybersicurezza Nazionale, by decreto legislativo 138/2024 (Italy’s NIS2 transposition), by the dominant weight of public administration in total spend, and by the irregular pace at which European directives are operationalised by end clients. To read it you need a map drawn from the inside.
What is ACN, and why does it redraw the Italian cloud market?
ACN, Italy’s National Cybersecurity Agency, with the Regolamento unico per le infrastrutture digitali e i servizi cloud (the decreto direttoriale 21007 of 27 June 2024, in full effect since 1 August 2024), has built a market inside the market. Public administration can only buy cloud services if they are qualified QC1, QC2, QC3 or QC4, delivered on infrastructure rated AI1 through AI4, according to a matrix that ties data classification to the permitted service level. Aruba is qualified at the highest tiers, Polo Strategico Nazionale handles strategic data, a handful of other providers fill in the rest of the catalogue. For Italian system integrators the concrete choice becomes binary: resell someone else’s qualified cloud on thin margins, or build an advisory that guides the public-sector client through architectural choices, capitalising knowledge of the catalogue as a distinctive asset.
Why is the middle layer of custom software being squeezed?
For years it was a comfortable layer. The client didn’t trust American platforms for reasons of data sovereignty, the Big Four were too expensive for the mid-market, and a local software house delivering a branded GDPR portal was the natural answer. Today it’s squeezed from both sides. From below because Drata delivers SOC2 at a fraction of the cost of a bespoke tool, and startups have no reason to commission anything proprietary for a commodity function. From above because when the problem turns serious—a defensible DPIA, a contract negotiation with Microsoft that doesn’t leave gaps—the client realises software isn’t enough, and that what they need is a person who speaks their language and can sign documents that hold up.
What choices do small Italian system integrators face?
Three, with different costs. They can become someone else’s reseller and lose their identity. They can stay specialist implementers in a vertical where domain depth offsets a lack of scale. Or—the third path, riskier than the others—they can turn into advisory boutiques and sell knowledge first and implementation second, trading a portion of certain revenue for a positioning that’s still uncertain. Most aren’t choosing: they’re passively absorbing the drift of the market.
What might happen to the middle layer in 2027–28?
I don’t know. It seems plausible to me that a reconfigured middle layer will emerge, where tools like Claude Code, GitHub SpecKit and their derivatives will let software houses produce compliance artefacts treated as code—versioned, tested, generated from traceable formal specifications. It’s a direction I’m investing in personally and that I’ve been writing about here for several months. But it’s also possible that the middle layer collapses entirely and that the Italian market polarises onto two sides, the way other mature markets did before ours. Twelve months from now this map will need to be redrawn.