A new Italian court ruling on the DPO liability regime under GDPR in the context of cyber fraud confirms that Data Protection Officers bear no responsibility for cybersecurity breaches caused by their clients' failure to act on documented recommendations.