Codice Fiscale
Detects Codice Fiscale patterns. This pattern is based on a Microsoft Purview built-in sensitive information type. Users already running Purview may prefer to enable the built-in SIT directly, or use this version as a starting point for customisation.
- Type
- regex
- Engine
- universal
- Confidence
- medium
- Confidence justification
- Medium confidence: pattern has structural constraints but corroborative keywords are recommended to reduce false positive rates. Added context gating and exclusion rules improve precision and reduce incidental matches.
- Detection quality
- Verified
- Jurisdictions
- eu, it
- Regulations
- BDSG, CNIL / LIL, GDPR
- Frameworks
- ISO 27001, ISO 27701
- Data categories
- pii, government-id
- Scope
- narrow
- Risk rating
- 9
- Platform compatibility
- Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Compatible
Pattern
\b[A-Z]{6}\d{2}[A-Z]\d{2}[A-Z]\d{3}[A-Z]\bCorroborative evidence keywords
identifier, number, ID, ID number, identification, ID card, license, permit, registration, certificate, field, column, row, entry, record, value, form, register, database, extract (+16 more)
Proximity: 300 characters
Should match
RSSMRA85M01H501Z— Standard codice fiscaleABCDEF12A34B567C— Generic codice fiscale formatVRDLGU70D06H501S— Real format codice fiscale
Should not match
RSSMRA85M01H501— Only 15 characters instead of 16RSSMRA85M01H501ZZ— 17 characters instead of 16RSS1RA85M01H501Z— Digit in name section instead of lettertemplate example placeholder record identifier— Template/sample context should be excluded even when anchor words are present
Known false positives
- Common words and phrases related to codice fiscale appearing in policy documents, training materials, HR templates, or compliance guidelines without actual personal data. Mitigation: Require corroborative evidence keywords within the proximity window to confirm sensitive data context rather than general discussion.
- In multiple EU languages, similar terminology used in formal or administrative contexts (education, professional documentation) that does not constitute sensitive data collection. Mitigation: Layer with additional contextual signals such as structured identifiers, form fields, or database column headers to distinguish sensitive records from general references.