
Italy: The Italian National Cybersecurity Perimeter - New notification obligations

Following the establishment of the Italian National Cybersecurity Perimeter ('the Cybersecurity Perimeter') pursuant to Law Decree No. 105 of 21 September 2019, as amended by Law No. 133 of 18 November 2019 ('the Decree'), the Italian legislative framework on cybersecurity has recently been updated with a view to strengthening defence mechanisms against cyber attacks. Gianluigi Marino and Antonio Racano, from Osborne Clarke, discuss the new notification obligations.


Context

New notification obligations have recently been introduced in Italy by Article 37-quater of Law Decree No. 115 of 9 August 2022 (converted into law by Law No. 142 of 21 September 2022), which entered into force on 10 August 2022. That provision amended Article 1 of the Decree by adding a new Paragraph 3-bis, under which the public entities and private operators included in the Cybersecurity Perimeter ('the Entities') must notify incidents affecting their networks, information systems, and computing services other than those already included in the Cybersecurity Perimeter.

The list of Entities is contained in an administrative act adopted by the President of the Council of Ministers. The act is confidential: it is not published, and no right of access to it is granted. Each Entity is instead notified individually of its inclusion in the list.

Former notification obligations

Networks, information systems, and computing services included in the Cybersecurity Perimeter were already subject to a notification obligation under Article 1(3)(a) of the Decree, which delegated to the Government the adoption of the relevant notification procedure. Accordingly, in order to make the Cybersecurity Perimeter operational, the Government adopted several implementing measures, including Decree No. 81 of the President of the Council of Ministers of 14 April 2021, laying down the Regulation on the notification of incidents affecting networks, information systems, and computing services ('the DPCM').

Pursuant to Article 3 of the DPCM, the affected Entity must notify any relevant incident impacting the networks, information systems, and computing services entrusted with performing a function essential to the interests of the State or to the provision of an essential service. In order to map the assets covered by this provision, each Entity must draw up and keep updated an inventory of its ICT assets, pursuant to Decree No. 131 of the President of the Council of Ministers of 30 July 2020 ('the Inventory').

An 'incident' is any unintentional or intentional event resulting in the malfunctioning, interruption (even partial), or improper use of networks, information systems, or computing services (Article 1(h) of the DPCM). Annex A of the DPCM lists several categories of 'less serious' (Table 1) and 'very serious' (Table 2) incidents, each identified by a unique identifier. An Entity must notify the Italian Computer Security Incident Response Team ('CSIRT') within one hour of discovering a 'very serious' incident, or within six hours of discovering a 'less serious' one.

The CSIRT is part of the National Cybersecurity Agency ('the Cybersecurity Agency'), established by Law Decree No. 82 of 14 June 2021, as amended by Law No. 109 of 4 August 2021, which consolidated most cybersecurity-related competences previously distributed amongst several authorities.

New notification obligations

The new provision expands the material scope of the notification obligations, i.e. additional types of incidents must now be notified, while the personal scope, i.e. the Entities bound by the requirement, remains unchanged.

Specifically, under the new provision the concerned Entity must also notify any incident, within the meaning of Article 1(h) of the DPCM, affecting ICT assets other than those already included in the Inventory pursuant to Decree No. 131 of the President of the Council of Ministers of 30 July 2020.

While the procedure for this new notification is the same as the one already in place for the ICT assets included in the Inventory, the deadline differs: incidents affecting these 'other' ICT assets must be notified within 72 hours of discovery, rather than within the one-hour or six-hour windows that apply to Perimeter assets.

Incidents affecting the Ministry of Defence's networks, information systems, and computing services are not covered by the new notification obligation. These are separately governed by the principles and procedures set out in Article 528(1)(d) of Legislative Decree No. 66 of 15 March 2010 (the so-called Defence Organisation Code), which in turn refers to several other provisions (e.g. Legislative Decree No. 82 of 7 March 2005, the so-called Digital Administration Code).

Article 1, Paragraph 3-bis of the Decree delegates to the Director General of the Cybersecurity Agency the adoption of the technical specifications identifying the taxonomy of incidents covered by the new notification obligation, as well as the specific notification procedure for those incidents. Until those specifications are adopted, the only certain elements of the new obligation are the 72-hour deadline and the DPCM's general definition of 'incident'.

Final remarks

The lawmaker thus appears to be entrusting the Cybersecurity Agency with a comprehensive monitoring tool, covering not only incidents affecting the assets included in the Cybersecurity Perimeter but, in general, all incidents involving assets of the Entities. In other words, a subjective approach (based on who the Entity is) is preferred over an objective one (based on which asset is affected), on account of the strategic role these Entities play in terms of national security and interests.

This amendment is part of the roadmap outlined by the Director General of the Cybersecurity Agency, Roberto Baldoni, which aims at managing national cyber risks at a higher and more systemic level through three main areas of intervention: prevention, detection and alerting, and incident response.

Gianluigi Marino, Partner
Antonio Racano, Senior Lawyer
Osborne Clarke, Milan