Italy: New obligation to notify cyber incidents enters into force
Law No. 142 of 21 September 2022 ('Law No. 142'), which converted into law Decree Law No. 115 of 9 August 2022, Containing Urgent Measures Regarding Energy, Water Emergency, Social, and Industrial Policies ('Decree Law No. 115, as converted into law'), was published in the Official Gazette on 21 September 2022 and entered into force the following day. In particular, Article 37-quater of Decree Law No. 115, as converted into law, amends Article 1 of Decree Law No. 105 of 21 September 2019, Urgent Provisions on the Cybersecurity National Perimeter ('Decree Law No. 105, as amended'), by inserting a new paragraph 3-bis. More specifically, Article 1(3-bis) of Decree Law No. 105, as amended, imposes a new obligation to notify the Italian National Cybersecurity Agency ('ACN'), within 72 hours, of all incidents affecting entities within the existing National Cybersecurity Perimeter, even if the incidents do not directly affect assets specifically included in the Perimeter.
In addition, Article 1(3-bis) of Decree Law No. 105, as amended, specifies that the 72-hour timeframe for the incident notification shall be counted from the moment at which the entities included in the National Cybersecurity Perimeter become aware of the incident. Moreover, Article 1(3-bis) of Decree Law No. 105, as amended, provides that the taxonomy of incidents to be notified to the ACN and the specific notification modalities will be further defined by technical determinations to be adopted by the Director General of the ACN.