
Italy: Cybersecurity


1. GOVERNING TEXTS

1.1. Legislation

General legislation

The following legislation is generally applicable in the field of cybersecurity:

  • Regulation (EU) 2019/881 of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on Information and Communications Technology Cybersecurity Certification and Repealing Regulation (EU) No.526/2013 ('the Cybersecurity Act');
  • Legislative Decree 18 May 2018, No. 65, Transposition of the Directive on Security of Network and Information Systems (Directive (EU) 2016/1148) (only available in Italian here) ('the NIS Decree');
  • Law 18 November 2019, No. 133 Converting Decree-Law 2019, No. 105 on Urgent Measures Regarding the Perimeter of National Cybersecurity and the Regulation of Golden Powers in Areas of Strategic Importance (only available in Italian here) ('the National Cybersecurity Law');
  • Decree of the President of Councils of Ministers No. 131 of 30 July 2020 on Regulations Regarding the National Cybersecurity Perimeter (only available in Italian here) ('the Cybersecurity Perimeter Decree');
  • Decree of the President of the Council of Ministers of 17 February 2017, Directive Setting Guidelines for Cyber Protection and National Computer Security (only available in Italian here) ('the Cyber Protection and National Computer Security Decree');
  • Decree of the President of the Republic, 5 February 2021, No. 54 on Regulations as per Article 1 of the National Cybersecurity Law (only available in Italian here) ('the Decree of the President of the Republic');
  • Decree of the President of Councils of Ministers No. 81 of 14 April 2021 on Regulations regarding notification of incidents having an impact on networks, information systems and services (only available in Italian here) ('the Notification of Cyber Incidents Decree');
  • Decree of the President of Councils of Ministers of 15 June 2021 on the identification of ICT goods, systems and services to be used in the National Cybersecurity Perimeter (only available in Italian here) ('the ICT Goods, Systems and Services Decree');
  • Law 4 August 2021, No. 109 converting Decree-Law 2021, No. 82 on urgent measures regarding cybersecurity, including with regard to national cybersecurity architecture and the creation of the Agency for National Cybersecurity (only available in Italian here) ('the Law on Cybersecurity Governance'); and
  • Personal Data Protection Code, Legislative Decree No. 196/2003 (as amended to implement the GDPR) (only available in Italian here) ('the Privacy Code').

The Cybersecurity Act

The Cybersecurity Act, which is directly applicable in all EU Member States, is complementary to the Directive on Security of Network and Information Systems (Directive (EU) 2016/1148) ('the NIS Directive'), and focuses mainly on two key areas. Firstly, it enhances the role and powers of the European Union Agency for Cybersecurity ('ENISA'), recognising ENISA's key role in ensuring a high level of network and information security and in assisting EU Member States in implementing an efficient national security policy. Secondly, it introduces provisions for the establishment and maintenance of a cybersecurity certification framework at the EU level in order to strengthen trust in the digital internal market by guaranteeing transparency of information system products, services, and processes.

The NIS Decree

The NIS Decree implemented the NIS Directive and came into force on 26 June 2018. The so-called essential facilities operators (i.e. companies operating in the energy, transport, banking, financial markets, health, supply and distribution of drinking water, digital infrastructure sectors) and digital services providers (i.e. search engines, cloud services, and e-commerce platforms) fall within the scope of the NIS Decree. Essential facilities operators have been identified by the competent authorities, however, their list is not publicly available. The NIS Decree establishes that the above-mentioned operators and digital service providers must adopt technical and organisational measures to prevent IT incidents and, more generally, manage the risks related to cybersecurity. In addition, such operators, as well as the digital service providers, must notify the competent authorities, without undue delay, of a relevant incident impacting on continuity and supply of the service. The Italian implementation substantially reflects the contents of the NIS Directive, without any particular derogation.

However, please note that the Directive on Measures for a High Common Level of Cybersecurity across the Union (Directive (EU) 2022/2555) ('NIS 2 Directive') was published in the Official Gazette of the European Union on 27 December 2022 and became effective as of 16 January 2023. Pursuant to Article 41 of the NIS 2 Directive, by 17 October 2024, Member States must transpose the NIS 2 Directive into their national legislation, and the transposition laws shall apply from 18 October 2024. On the same date, the NIS Directive will be repealed. For further information please see our Insight article on the NIS Directive here.

The National Cybersecurity Law

The National Cybersecurity Law is a further step in the implementation of an Italian cybersecurity legislative framework, introducing a 'perimeter for national cybersecurity' aimed at ensuring a high level of security for networks, information systems and IT services of public and private operators carrying out an essential function of the State, or ensuring an essential service for the maintenance of civil, social or economic activities that are deemed fundamental to the interests of the State.

Such entities are yet to be identified by secondary legislation within four months from the entry into force of the National Cybersecurity Law. Operators falling within the National Cybersecurity Law are likely to overlap with those already falling under the NIS Decree. Like the NIS Decree, the National Cybersecurity Law sets out provisions in terms of security measures to be implemented and incident notification duties. In addition, the National Cybersecurity Law imposes specific duties to:

  • map and communicate, on an annual basis, the list of all relevant infrastructures to the competent authorities; and
  • communicate any intention to outsource relevant ICT systems and services, in order to allow the competent authorities to carry out preliminary checks and audits and to impose certain conditions.

Additional operative details on such obligations have been identified through the Decree of the President of the Republic, the Notification of Cyber Incidents Decree, the ICT Goods, Systems and Services Decree as further described below.

Finally, the National Cybersecurity Law entitles the President of the Council of Ministers to order the total or partial deactivation of relevant systems and networks in the presence of a serious and imminent risk to national security.

The Cybersecurity Perimeter Decree

The goal of the Cybersecurity Perimeter Decree is for the government to impose a high standard of security for private and public network and information systems operating within the national territory, with particular attention to the companies that are essential for the State or on which the provision of essential services depends.

The Cyber Protection and National Computer Security Decree

The Cyber Protection and National Computer Security Decree is secondary legislation defining a public governance structure for cyber protection and general instructions and best practices, also to be followed by private entities, in particular by providers of public electronic communications networks, essential services operators and providers of critical infrastructures (Article 11 of the Decree). All these operators shall make their 'security operations centres' accessible to the competent authorities and must cooperate to remedy and resolve a 'cybernetic crisis'.

Decree of the President of the Republic

The Decree of the President of the Republic is secondary legislation defining the procedures, modalities and terms to be applied by the National Assessment and Certification Centre ('CVCN') within the National Cybersecurity Perimeter. At the same time, the Decree provides the technical criteria to be applied for the identification of ICT goods, systems and services which shall be subject to the evaluation of the CVCN where such goods, systems and services are used for strategic assets.

Notification of Cyber Incidents Decree

The goal of the Notification of Cyber Incidents Decree is to provide a regulation on the notification procedure in case of incidents affecting networks, information systems and IT services as well as provide additional measures to ensure a high level of security. In addition, the Notification of Cyber Incidents Decree:

  • identifies a taxonomy of incidents;
  • provides a definition of methods and timescales for reporting IT incidents; and
  • provides further security measures to be implemented by the companies falling within the National Cybersecurity Perimeter.

The ICT Goods, Systems and Services Decree

The ICT Goods, Systems and Services Decree stands as a further step in the development and subsequent implementation of the Italian cyber architecture. In fact, the Decree provides a list of categories of goods, systems and services that companies falling within the National Cybersecurity Perimeter will have to notify to the CVCN or to the Assessment Centres ('CVs') of the Ministry of the Interior and the Ministry of Defence, where they intend to purchase such goods, systems and services for the performance of essential activities. The relevant companies will therefore have to clarify to the CVCN or CVs the need for such purchases.

Law on Cybersecurity Governance

The Law on Cybersecurity Governance sets up the governance of the national cybersecurity system, which is headed by the President of the Council of Ministers, who holds overall direction of, and responsibility for, 'cybersecurity policies' and for the adoption of the relevant national strategy. One of the biggest innovations is the creation of a competent authority for cybersecurity issues, the new Agency for National Cybersecurity.

The Privacy Code

The Privacy Code requires data controllers and data processors to adopt appropriate security measures to ensure a level of security appropriate to the risk, in order to avoid the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. Pursuant to the Privacy Code, in the event of a personal data breach, the data controller should, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Italian data protection authority ('Garante'), unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (see further below).

Sectoral legislation

Public network providers

Legislative Decree 1 August 2003, No. 259, Electronic Communications Code (only available in Italian here) ('the Electronic Communications Code') applies to providers of public electronic communications networks. Articles 16-bis and 16-ter of the Electronic Communications Code require such providers to adopt technical and organisational security measures to ensure the safety and integrity of such networks, as well as to prevent and minimise risks for users of such networks.

Providers must notify the Ministry of Economic Development ('MISE') of any 'significant' security incident. MISE has the power to inform the public of such incidents or to compel the provider to do so. Where the relevant operators also fall within the NIS Decree, the provisions on security measures and incident notifications of the Electronic Communications Code will apply.

Public administration sector

The Agency for Digital Italy ('AgID') is in charge of adopting security standards in the public administration sector. Regulations issued by AgID require the adoption of specific security measures for cloud and SaaS providers that are engaged by the public administration (see Requirements on Qualification Procedures for Cloud Service Providers for the Public Administration (only available in Italian here) and Requirements for SaaS Providers of the Public Administration (only available in Italian here) (both issued on 9 April 2018)).

Energy and transport sectors

Legislative Decree 11 April 2011, No. 61, Transposition of Directive 2008/114/EC on the Identification and Designation of European Critical Infrastructures (only available in Italian here) establishes the procedures for the identification and designation of European critical infrastructures ('ICE') in the energy and transport sectors, as well as the procedures for the safety assessment and the minimum requirements for the protection of ICEs.

Cybercrime and terrorism obligations for critical infrastructure operators

Article 7 of Law 31 July 2005, No. 155, Converting into Law, with Amendments, Law-Decree 27 July 2005, No. 144, on Urgent Measures to Counteract International Terrorism (which contains provisions for critical infrastructure operators) (only available in Italian here) ('Law No. 155/2005') provides for cooperation between public entities in charge of national cybersecurity and providers of critical information infrastructure (as identified by the relevant authorities), through the adoption of agreements to this end.

Financial sector

  • Legislative Decree 15 December 2017, No. 218, Implementing Directive (EU) 2015/2366 on Payment Services in the Internal Market ('PSD2') (only available in Italian here) ('PSD2 Decree') requires payment service providers to establish adequate security measures to protect the confidentiality and integrity of users' credentials (in line with the Regulatory Technical Standards issued by the European Banking Authority ('EBA')).
  • Bulletin Circular No. 285/2013 (updated in 2019, only available in Italian here) ('the Banking Security Measures'), issued by the Bank of Italy, mandates security measures to be adopted in the banking sector and provides guidance in case of a security incident.
  • Regulation (EU) No. 910/2014 on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market ('eIDAS Regulation') was adopted on 23 July 2014 and is directly applicable in Italy. Article 19 of eIDAS Regulation provides for a series of security requirements applicable to trust service providers, including obligations to notify data breaches (see further below). In case the relevant providers also fall within the scope of the NIS Decree, the provisions on incident notifications of the eIDAS Regulations will apply.

Insurance Sector

Article 16 of Institute for the Supervision of Insurance ('IVASS') Regulation No. 38 of 3 July 2018 (only available in Italian here) ('the IVASS Regulation') provides for specific measures to be adopted by insurance companies in order to guarantee cybersecurity. In particular, the IVASS Regulation requires insurance companies to:

  • approve an ICT strategic plan, including corporate cyber security, aimed at ensuring the existence and maintenance of an overall system architecture that is integrated and secure from an infrastructural and application point of view, adequate to the needs of the company and based on international, national standards and guidelines defined in sector regulations;
  • implement procedures aimed at limiting access and intrusions to development and production environments;
  • implement procedures for approval and purchase of hardware and software; and
  • implement procedures to ensure business continuity through disaster recovery systems and business continuity plans.

In addition to the above, in the event of extraordinary transactions, the insurance company is required to prepare an IT systems integration plan which specifies:

  • areas, functions, procedures, applications and databases affected by the integration process;
  • the timing associated with each phase of the integration with particular regard to the migration of the databases and the dates from which the integration of the portfolios will be completed; and
  • the units and organisational structures entrusted with the controls and monitoring of the entire integration process.

Finally, insurance companies shall adopt a notification procedure in case of an event that represents a serious IT security incident.

1.2. Regulatory authority

Cybersecurity Act

Through the Cybersecurity Act, ENISA has a permanent mandate to support EU Member States in the identification of cybersecurity threats and attacks. More specifically, ENISA is tasked with:

  • providing consulting services with regard to the adoption of IT security policies;
  • preparing the technical grounds for specific certification schemes, as well as issuing certificates through a dedicated website (ENISA is currently working on a suitable certification scheme to be implemented); and
  • increasing operational cooperation at EU level and providing support for the management of cyberattacks as suffered by EU Member States.

NIS Decree

The NIS Decree establishes that five Ministers (i.e. the Ministers of Economic Development, Infrastructure and Transport, Economy, Health and Environment) act as the relevant NIS authorities for the industries falling within their areas of competence. The Department of Information Security ('DIS') acts as point of contact and coordination among these authorities and with authorities outside Italy.

These authorities have inspection powers and can issue monetary fines, as provided for by Article 21 of the NIS Decree. The NIS authorities also have corrective powers where failure to comply with the NIS Decree by the relevant operators is demonstrated.

National Cybersecurity Law

The competent authorities for ascertaining violations and issuing sanctions under the National Cybersecurity Law are:

  • the President of the Council of Ministers, for public entities and for the so-called 'trust service providers' identified by Article 29 of Legislative Decree 82/2005 (Code of Digital Administration) (only available in Italian here) falling within the national cybersecurity perimeter; and
  • the MISE, for private entities falling within the national cybersecurity perimeter.

Law on Cybersecurity Governance

The Agency for National Cybersecurity is delegated by the President of the Council of Ministers as the competent authority for cybersecurity issues. In fact, the Agency is responsible for:

  • the development of national capabilities in the prevention, monitoring, detection and mitigation of cyber incidents;
  • the enhancement of the security of ICT systems for the companies included in the Perimeter of National Cybersecurity, public administration, operators of essential services and digital service providers;
  • the promotion of industrial, technological and scientific development in the field of cybersecurity;
  • the coordination of public companies in order to carry out common actions in the field of cybersecurity at national level;
  • drafting the national strategy on cybersecurity; and
  • cybersecurity certifications.

Privacy Code

The Garante supervises security incidents involving personal data and has inspection and corrective powers, as well as the power to impose fines.

Electronic Communications Code

The MISE is in charge of security incidents involving electronic communications networks. The authority has full inspection and corrective powers, as well as the power to impose fines.

eIDAS Regulation

Trust service providers must notify the AgID in the event that they suffer a security incident.

1.3. Regulatory authority guidance

NIS Decree

The NIS authorities are in charge of adopting specific guidelines on further security measures to be implemented, as well as guidelines on when security incidents should be notified, taking into consideration the guidance of ENISA and other relevant EU authorities. In this regard, in July 2019, the NIS authorities issued and shared with the relevant operators a set of guidelines regarding risk management, prevention, mitigation, and notification of incidents (not publicly available).

National Cybersecurity Law and following implementation decrees

The National Cybersecurity Law requires the adoption of specific guidelines on:

  • security measures;
  • incident notification procedure;
  • technical criteria to map and communicate the list of relevant infrastructures to the competent authorities; and
  • technical criteria to identify the categories of ICT systems and services, the outsourcing of which needs to be communicated and is subject to verification by the competent authorities.

Additional operative details on such obligations have been identified through the Decree of the President of the Republic, the Notification of Cyber Incidents Decree, the ICT Goods, Systems and Services Decree as further described below.

Privacy Code

The Garante recently added a cybersecurity section to its website (only available in Italian here) providing guidance on how to identify and prevent the most frequent security incidents and cyber threats, such as phishing and ransomware, and suggesting how to create and store a secure password. Furthermore, the Garante provided its recommendations with regard to the security measures that entities processing personal data shall adopt.

Such recommendations confirm that the security measures must ensure a level of security appropriate to the risk, including the list of security measures as per Article 32(1) of the GDPR (e.g. pseudonymisation and encryption). In this respect, the Garante clarifies that the list referred to in Article 32(1) is an open and non-exhaustive list and, for the same reason, after 25 May 2018 there can be no generalised obligation to adopt minimum security measures, since a case-by-case adequacy assessment shall be performed by the data controller and processor in relation to the risks specifically identified.

However, the Garante will evaluate the issuance of guidelines or good practices based on the positive results achieved in the previous years. Moreover, for some types of personal data processing (e.g. the processing of sensitive data carried out by public entities for important reasons of public interest) the specific security measures currently envisaged through the applicable legal provisions and implementing regulations will also apply.

On 30 July 2019, the Garante also issued a decision on the notification of personal data breaches [9126951] (only available in Italian here). The decision provides for a procedure to notify data breaches through an online standard form, in line with the Article 29 Working Party Guidelines on personal data breach notification under Regulation 2016/679. The decision also clarifies that decisions on data breaches issued in the past concerning notifications for particular categories of processing activities (e.g. concerning biometrics, electronic health records, data exchanged between public administration and banks) are no longer applicable and the standard notification procedure should always apply.

Electronic Communications Code

The MISE adopted the implementing Decree of 12 December 2018, Security and Integrity Measures for Electronic Communications Networks and Notification of Significant Incidents (only available in Italian here) ('the MISE Decree'), pursuant to Articles 16-bis and 16-ter of the Electronic Communications Code (see below for further detail).

2. SCOPE OF APPLICATION

2.1. Network and Information Systems

Both the NIS Decree and National Cybersecurity Law aim at safeguarding networks and information systems.

The NIS Decree (as also reiterated by the Cybersecurity Act) defines 'network and information systems' as any:

  • electronic communication network pursuant to the Electronic Communication Code (i.e. a transmission system and, where appropriate, switching or routing equipment and other resources, including non-active network elements, which allow the transmission of signals via cable, via radio, by means of optical fibre or other electromagnetic means, including satellite networks, mobile and fixed terrestrial networks (circuit-switched and packet-switched, including the Internet), networks used for the broadcasting of sound and television programmes, systems for the transmission of electric current, to the extent that they are used to transmit signals, and cable television networks, regardless of the type of information carried);
  • device or group of interconnected or connected devices, one or more of which, based on a program, perform automatic processing of digital data; and
  • digital data stored, processed, extracted or transmitted by means of networks or devices as defined above, for their operation, use, protection and maintenance.

The National Cybersecurity Law requires secondary legislation to identify the relevant networks and information systems falling within its scope. In particular, the Decree of the President of the Republic has identified the technical criteria to be applied for the identification of ICT goods, systems and services which shall be subject to the evaluation of the CVCN where such goods, systems and services are used for strategic assets.

2.2. Critical Information Infrastructure Operators

Legislative Decree 61/2011 defines 'critical infrastructure operators' as the operators of an infrastructure which is essential for maintaining the vital functions of society, health, safety and the economic and social well-being of the population and whose damage or destruction would have a significant impact on the State, due to the impossibility of maintaining such functions. The critical information infrastructure operators are referred to by Law 155/2005 with respect to measures aimed at fighting cybercrime and terrorism and are specifically identified by the competent ministry among the providers of information networks.

2.3. Operator of Essential Services

Both the NIS Decree and the National Cybersecurity Law apply to operators of essential services.

The 'operators of essential services' falling within the scope of the NIS Decree are described in Annex 2 of the NIS Decree and include companies operating in the energy, transport, banking, financial markets, health, supply and distribution of drinking water, digital infrastructure sectors. Italian companies acting as essential service operators have been identified by the competent authorities. However, the list is not publicly available.

The 'operators of essential services or the maintenance of civil, social or economic activities fundamental to the interests of the State' falling within the scope of the National Cybersecurity Law are to be identified, within four months from the entry into force of the same law, by the President of the Council of Ministers among public and private entities whose services depend on networks, information systems and IT services, taking into account the extent of the prejudice to national security which, in relation to the specificities of the different sectors of activity, may derive from the malfunctioning, interruption (even partial) or improper use of the aforementioned networks, information systems and IT services.

Within this framework, the Cybersecurity Perimeter Decree also provides specific criteria and indications with regard to entities that, within the cybersecurity perimeter, perform essential functions and essential services for the Italian State. At the same time, the Cybersecurity Perimeter Decree identifies the areas of activity falling within the cybersecurity perimeter (specifically: internal security; aerospace; energy; telecommunications; economy and finance; transportation; digital services; critical technologies (such as AI and robotics); and social security and labour). It is important to point out, however, that the list of entities falling within the Italian cybersecurity perimeter is classified.

Finally, the above definitions as implemented as per the NIS Decree and the Cybersecurity Perimeter Decree are going to be expanded through the NIS 2 Directive. The EU has in fact declared the need to update the NIS Directive and its implementation at a national level through a new set of provisions which will aim at including more sectors and services as either essential or important entities.

2.4. Cloud Computing Services

The NIS Decree defines a 'cloud computing service' as a digital service that allows access to a scalable and elastic set of shareable IT resources.

2.5. Digital Service Providers

Digital service providers are identified by the NIS Decree as providers of the following 'information society services' (defined as the services normally provided for remuneration, at a distance, by electronic means and at the request of the recipient): search engines, cloud services, and e-commerce platforms.

2.6. Other

The Electronic Communication Code contains cybersecurity provisions applicable to operators of electronic communication networks, as defined above.

The provisions on cybersecurity contained in the eIDAS Regulation apply to the providers of a 'trust service' (such as the providers of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services).

The provisions on cybersecurity of the PSD2 Decree apply to payment service providers, such as providers of services that allow the deposit of cash, cash withdrawals, the operations required for the management of a payment account, the execution of payment transactions, direct debits, transfers, and the issuing of payment instruments.

The provisions on cybersecurity of the IVASS Regulation apply to insurance companies.

The provisions on data breach notification of the Privacy Code apply to all entities acting as data controllers or data processors.

3. REQUIREMENTS

3.1. Security measures

NIS Decree

Operators must take:

  • appropriate and proportionate technical and organisational measures for the management of risks to the security of network and information systems; and
  • adequate measures to prevent and minimise the impact of incidents on the security of the network and information systems used for the provision of essential services.

In particular, digital services providers, when implementing such measures, must take into account (Article 14 of the NIS Decree):

  • the security of systems and equipment;
  • the processing of security incidents;
  • continuity in the operations;
  • monitoring, auditing and testing; and
  • compliance with international standards.

The NIS authorities are in charge of adopting specific guidelines on further security measures to be implemented, taking into consideration the guidance of ENISA and other relevant EU authorities.

In addition, strengthened security requirements with a list of focused measures (including incident response and crisis management, vulnerability handling and disclosure, as well as the effective use of encryption) will be adopted through the NIS 2 Directive.

National Cybersecurity Law

The National Cybersecurity Law required that within 10 months of entry into force of the National Cybersecurity Law, the competent authorities shall issue a list of security measures, taking into account the standards defined at international and EU level.

Accordingly, the Cybersecurity Perimeter Decree was issued, establishing that each entity included in the cybersecurity perimeter shall draft and keep updated on an annual basis an inventory of ICT assets which includes information on networks, information systems and the relevant services (with particular attention to essential activities and functions). Each ICT asset shall also undergo a full risk assessment in order to determine potential cybersecurity threats.

The National Cybersecurity Law clarifies that operators that also fall within the scope of the NIS Decree or the Electronic Communications Code should adopt the security measures specified therein where their level is equivalent to that required by the National Cybersecurity Law. Where there is no such equivalence, the competent authorities will define any additional measures necessary to ensure the appropriate level of security.

Notification of Cyber Incidents Decree

In addition to the security measures under the National Cybersecurity Law, entities that are part of the national cybersecurity perimeter are required to adopt specific security measures for ICT goods. Depending on the type of security measure to be adopted (including minimum security measures), the relevant entity must implement the measures within either six or 30 months from the communication of the list of relevant ICT goods to the authorities.

If an ICT good is modified, an evaluation must be carried out to identify any changes to the applicable security measures. Once the relevant security measures have been adopted, the relevant entity must communicate their adoption to the DIS through a digital platform.

Privacy Code

With respect to activities involving personal data, the general security measures under Article 32 of the GDPR apply, including, among others, as appropriate:

  • pseudonymisation and encryption of personal data;
  • ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.

In addition, please refer to section 1.2 above.

Electronic Communications Code

Article 4 of the MISE Decree provides for the adoption of a long list of security measures, classified in the following areas:

  • security policy approved by the company management;
  • risk management;
  • definition of an organisational structure;
  • personnel training and management;
  • physical and logical security;
  • the integrity of the network and information systems;
  • operational management;
  • security incident management;
  • operational continuity; and
  • monitoring, testing and control.

eIDAS Regulation

Qualified and non-qualified trust service providers must take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide. Having regard to the latest technological developments, those measures must ensure that the level of security is commensurate to the degree of risk. In particular, measures must be taken to prevent and minimise the impact of security incidents and inform stakeholders of the adverse effects of any such incidents.

PSD2 Decree

Payment service providers must establish measures of adequate security to protect confidentiality and integrity of users' credentials (in line with the Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 with regard to Regulatory Technical Standards for Strong Customer Authentication and Common and Secure Open Standards of Communication ('Regulation 2018/389'), through which the EBA's regulatory technical standards on customer authentication and secure open standards of communication entered into force).

The Bank of Italy's Banking Security Measures (see section 1 above) defines the security measures to be adopted in the banking sector.

3.2. Notification of cybersecurity incidents

NIS Decree

Operators and providers subject to the NIS Decree must notify the Computer Security Incident Response Team ('CSIRT') and the competent NIS authority, without undue delay, of incidents having a major impact on the continuity of the essential services provided. The CSIRT must forward the notifications without undue delay to the bodies responsible for preventing and preparing for possible crisis situations and for activating alert procedures.

To this end, operators and providers shall provide:

  • the information necessary to assess the security of their networks and information systems, including documents relating to their security policies; and
  • evidence of the effective implementation of security policies, such as the results of a security audit carried out by the authorities.

The NIS Authorities are in charge of adopting specific guidelines on further security measures to be implemented, as well as guidelines on when security incidents must be notified, taking into consideration ENISA and other relevant EU authorities' guidance. In this regard, in July 2019 the NIS Authorities issued and shared with the relevant operators a set of guidelines on risk management, prevention, mitigation and notification of incidents (not publicly available).

In order to determine the significance of an incident's impact, the following parameters shall be taken into consideration:

  • the number of users affected by the service disruption;
  • the duration of the incident; and
  • the geographical spread of the area affected by the incident.

Entities not subject to the NIS Decree may voluntarily notify security incidents to CSIRT.

National Cybersecurity Law

The National Cybersecurity Law requires relevant entities to report incidents that have an impact on networks, information systems and IT services to the CSIRT (which is then responsible for notifying all relevant bodies in charge of national cybersecurity, such as the DIS).

The Cybersecurity Perimeter Decree requires the relevant operators to notify the CSIRT of a breach within 6 hours of the event (instead of 24 hours under the NIS Decree).

The National Cybersecurity Law clarifies that for operators that fall within the scope of NIS Decree and Electronic Communications Code, compliance with the notification obligations under the National Cybersecurity Law means compliance with the notification obligations under the NIS Decree or Electronic Communication Code (the CSIRT will be responsible for ensuring that the relevant authorities under the NIS Decree or the Electronic Communication Code are informed).

Notification of Cyber Incidents Decree

The Notification of Cyber Incidents Decree applies to the reporting of events affecting entities belonging to the Perimeter of National Cybersecurity and operators that fall within the scope of the NIS Decree.

In this regard, the Notification of Cyber Incidents Decree provides a taxonomy of cyber incidents, distinguishing between less severe and more severe incidents depending on their impact on ICT assets. The taxonomy determines the notification timescale: less severe incidents must be reported within six hours of the event, while more severe incidents must be reported within one hour. The taxonomy is also relevant to the type of information that needs to be reported.

Finally, the notification process is being implemented through a specific system which will be up and running from 1 January 2022, following an experimental period, active from the moment of communication of the list of ICT assets until 31 December 2021.

Privacy Code

Pursuant to the Privacy Code, where personal data is involved, the data controller should, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Garante, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to Garante is not made within 72 hours, it must be accompanied by reasons for the delay.

The notification to the Garante must at least describe:

  • the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records concerned, and the name of a point of contact (i.e. the representative);
  • the likely consequences of the personal data breach; and
  • the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons (e.g. users of a website or customers of a company), the data controller should also communicate the personal data breach to the data subjects involved in the breach without undue delay.

In any case, where the notification to the Garante or the communication to the data subjects is not deemed necessary, the Garante recommends documenting any personal data breaches, detailing the facts relating to the personal data breach, its effects and the remedial action taken.

In addition, please refer to section 1.3 above.

Electronic Communication Code

Pursuant to Article 5 of the MISE Decree, as well as to Articles 16-bis and 16-ter of the Electronic Communications Code, electronic communications service providers must provide notification of a security breach in the following cases:

  • duration exceeding one hour and more than 15% of the total national users of the service concerned affected;
  • duration exceeding two hours and more than 10% of the total national users of the service concerned affected;
  • duration exceeding four hours and more than 5% of the total national users of the service concerned affected;
  • duration exceeding six hours and more than 2% of the total national users of the service concerned affected; and
  • duration exceeding eight hours and more than 1% of the total national users of the service concerned affected.

In such cases, the service providers must promptly report the incident to the CSIRT (pursuant to Article 8 of the NIS Decree) and to the Higher Institute of Communications and Information Technologies ('ISCTI'). The communication must be made within 24 hours of the detection of the incident and must indicate at least the following information, if available:

  • the service concerned;
  • duration of the incident if concluded, or the estimate of the conclusion if still in progress; and
  • the estimated impact on the users of the service concerned, expressed as a percentage of the national user base for the same service.

Within five days of the notification, the provider must also send the CSIRT and ISCTI a report indicating:

  • a description of the incident;
  • the cause of the incident (by way of non-exhaustive example: human error, failure, natural phenomenon, malicious actions, failures caused by third parties);
  • the consequences for the service provided;
  • the infrastructure and systems affected;
  • the impact on interconnections at a national level;
  • the response actions taken to mitigate the impact of the incident; and
  • the actions taken to reduce the probability of the incident, or similar incidents, recurring.
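The thresholds, the 24-hour notice and the five-day report above form one decision-and-deadline procedure. The following Python is an added example, not part of the original article and not tooling from any of the authorities named: it encodes the five (duration, share of national users) pairs as a lookup, computes both deadlines from the detection time, and assembles the minimum content of the initial notice. Reading "exceeding" and "greater than" as strict comparisons, the incident record and its field names, and the sample incident are all assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Notification thresholds from Article 5 of the MISE Decree as summarised on
# this page: (duration in hours, share of the national user base affected).
# Both limits are applied as strict comparisons ("exceeding", "greater than");
# that reading is an assumption made for this example.
THRESHOLDS: Tuple[Tuple[float, float], ...] = (
    (1, 0.15),
    (2, 0.10),
    (4, 0.05),
    (6, 0.02),
    (8, 0.01),
)

INITIAL_NOTICE_WINDOW = timedelta(hours=24)  # notice to CSIRT and ISCTI, from detection
FULL_REPORT_WINDOW = timedelta(days=5)       # report to CSIRT and ISCTI, from the notice


@dataclass(frozen=True)
class Incident:
    """Minimal incident record; the layout and names are assumptions for this example."""
    service: str
    started_at: datetime
    detected_at: datetime
    affected_users: int
    national_users: int
    ended_at: Optional[datetime] = None          # None while still in progress
    estimated_end_at: Optional[datetime] = None  # estimate to be given if ongoing

    def duration_hours(self, now: datetime) -> float:
        end = self.ended_at or now
        return (end - self.started_at).total_seconds() / 3600

    def affected_share(self) -> float:
        return self.affected_users / self.national_users


def matched_threshold(duration_hours: float, affected_share: float):
    """Return the (hours, share) pair that triggers notification, or None."""
    for hours, share in THRESHOLDS:
        if duration_hours > hours and affected_share > share:
            return (hours, share)
    return None


def notification_required(incident: Incident, now: datetime) -> bool:
    return matched_threshold(incident.duration_hours(now),
                             incident.affected_share()) is not None


def deadlines(incident: Incident, notified_at: Optional[datetime] = None) -> dict:
    """The 24-hour notice runs from detection, the 5-day report from the notice.

    If the notice time is not given, the latest permissible notice time is
    assumed, which yields the latest permissible report deadline.
    """
    notice_by = incident.detected_at + INITIAL_NOTICE_WINDOW
    report_from = notified_at if notified_at is not None else notice_by
    return {
        "initial_notice_by": notice_by,
        "full_report_by": report_from + FULL_REPORT_WINDOW,
    }


def initial_notice(incident: Incident, now: datetime) -> dict:
    """Minimum content of the 24-hour notice, as listed on the page."""
    notice = {
        "service": incident.service,
        "estimated_impact_pct": round(100 * incident.affected_share(), 2),
    }
    if incident.ended_at is not None:
        notice["duration_hours"] = round(incident.duration_hours(now), 2)
    else:
        notice["estimated_conclusion"] = incident.estimated_end_at
    return notice


# Constructed sample incident (not a real event): three hours, 12% of users.
EXAMPLE_INCIDENT = Incident(
    service="fixed broadband access",
    started_at=datetime(2021, 10, 5, 8, 0, tzinfo=timezone.utc),
    detected_at=datetime(2021, 10, 5, 8, 10, tzinfo=timezone.utc),
    affected_users=1_200_000,
    national_users=10_000_000,
    ended_at=datetime(2021, 10, 5, 11, 0, tzinfo=timezone.utc),
)
EXAMPLE_NOW = datetime(2021, 10, 5, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("notification required:", notification_required(EXAMPLE_INCIDENT, EXAMPLE_NOW))
    print(initial_notice(EXAMPLE_INCIDENT, EXAMPLE_NOW))
    print(deadlines(EXAMPLE_INCIDENT))
```

A three-hour outage affecting 12% of users does not meet the first threshold (15%) but does meet the second (more than two hours, more than 10%), so the notice is due; an outage of exactly two hours at 12% does not, because the text requires the duration to exceed two hours.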

The PSD2 Decree and other provisions applicable to the banking sector

Article 96 of the PSD2 requires payment service providers to establish a framework to maintain effective incident management procedures, including for the detection and classification of major operational or security incidents. As part of this framework, and to ensure that damage to users, other payment service providers or payment systems is kept to a minimum, Article 96 of the PSD2 provides that payment service providers must report major operational or security incidents to the competent authority in their home Member State without undue delay. It is also expected that this competent authority, after assessing the relevance of the incident to other relevant domestic authorities, will notify them accordingly.

The EBA has issued guidance in this respect that has been implemented by the Bank of Italy. In particular, the Bank of Italy also makes reference to the guidelines already adopted with the Banking Security Measures defining information security incidents as any event that implies the violation or imminent threat of violation of company rules and practices regarding information security (e.g. computer fraud, internet attacks, malfunctions and disruptions).

Such incidents must be promptly communicated to the European Central Bank or to the Bank of Italy by sending a summary report containing a description of the incident and of the disruption caused to internal users and customers, as well as the following information, whether ascertained or alleged:

  • date and time of the event or incident;
  • resources and services involved;
  • causes, times and procedures envisaged for fully restoring the levels of availability and safety defined and for the complete assessment of the facts connected;
  • description of the actions taken and the results obtained; and
  • an assessment of the damage from economic losses or reputational damage.

eIDAS Regulation

Qualified and non-qualified trust service providers shall, without undue delay but in any event within 24 hours after having become aware of it, notify the supervisory body (AgID) and, where applicable, other relevant bodies, such as the competent national body for information security or the data protection authority, of any breach of security or loss of integrity that has a significant impact on the trust service provided or on the personal data maintained therein.

Where the breach of security or loss of integrity is likely to adversely affect a natural or legal person to whom the trust service has been provided, the trust service provider must also notify that natural or legal person of the breach of security or loss of integrity without undue delay.

The notified supervisory body must inform the public or require the trust service provider to do so, where it determines that disclosure of the breach of security or loss of integrity is in the public interest.

Insurance sector regulation

Insurance companies that have suffered a severe cyber incident must provide IVASS (the relevant authority) with a short document describing the incident and its consequences for clients, with details as to:

  • date and time of the incident;
  • resources and services involved in the incident (including information relating to economic losses and reputational damages);
  • causes of the incident as well as time and modalities for the restoration of the impacted services availability;
  • description of the actions taken by the company to resolve the issue with relevant results; and
  • impact of the incident on the clients and counterparties.

3.3. Registration with a regulatory authority

Not applicable.

3.4. Appointment of a 'security' officer

Legislative Decree No. 61/2011 requires European critical infrastructure operators to appoint a security liaison officer ('SLO'). The SLO, together with the competent authorities and the operators, is responsible for drawing up the security plan of the operator. The aim of the security plan is to identify the most important elements of the infrastructure by carrying out the analysis of the risks, vulnerabilities, threats and potential impact in the event of an incident. This plan must be updated every five years and must comply with the minimum requirements agreed at EU level.

3.5. Other requirements

National Cybersecurity Law

The National Cybersecurity Law and the ICT Goods, Systems and Services Decree impose on the relevant entities specific duties to annually map and communicate the list of all relevant IT infrastructures to the competent authorities, as well as to communicate any intention of outsourcing ICT services and systems to the National Evaluation and Certification Center ('CVCN'), established at the MISE, which will carry out preliminary checks, audits and verifications and may impose certain conditions and tests on the relevant hardware and software.

4. SECTOR-SPECIFIC REQUIREMENTS

Cybersecurity in the health sector

With specific reference to the health sector, the European Commission, through the EU Medical Device Coordination Group, issued specific Guidance on Cybersecurity for Medical Devices. The guidance aims to help manufacturers fulfil the relevant cybersecurity requirements for all medical devices that incorporate electronic programmable systems, as well as for software that is itself to be considered a medical device. In particular, the guidance emphasises the need for a risk assessment of the relevant products, so that the risk associated with their use is acceptable when weighed against the benefit for the patient, and requires manufacturers, on the basis of that assessment, to set out minimum IT security measures ensuring that medical devices are designed and manufactured so as to be suitable for their intended purpose as well as safe and effective.

The guidance also provides a helpful practical guide for cybersecurity in the health sector, making reference to the NIS Directive which is applicable to the case at hand.

Cybersecurity in the financial sector

With regard to entities operating in the financial sector, the Garante has adopted the Decision on Data Sharing and Tracking of Transactions in the Banking Sector, published in Italy's Official Journal No. 127 of 3 June 2011.

The Garante, in its decision, established several reinforced cybersecurity practices for banks, including detailed provisions on transaction logging, internal auditing, regular reporting and alerts to be implemented.

As an example, specific measures with regards to tracking of transactions have been introduced and suitable IT measures must be implemented to enable controls on the processing of individual information items as contained in the individual databases. The aforementioned solutions include a detailed log of the banking transactions performed, whenever such transactions consist in and/or result from the interactive use of information systems by the persons in charge of data processing – except for inquiries of aggregated data that cannot be traced back to individual customers.

In particular, the log files shall keep track at least of the following information for each access to bank data as performed by a person in charge of data processing:

  • the ID code of the person that accessed the data;
  • date and time of the access;
  • ID code of the relevant workstation;
  • ID code of the customer whose bank data were accessed by the person in charge; and
  • type of contractual relationship in place with the customer whose data were accessed (e.g. C/A no., loan/guarantee, securities deposit account, etc.).

In addition, the retention period for inquiry logs shall not be shorter than 24 months as from the respective log date.
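As an added illustration (not code from the article or from the Garante decision), the Python below sketches how a bank might enforce these logging requirements at the point of access: it refuses to write a transaction-log record that lacks any of the five listed items, skips logging for aggregated inquiries that cannot be traced back to a customer, and computes the earliest permissible deletion date as the log date plus 24 calendar months, clamping to month end where the target month is shorter. The field names, the record layout and the sample entries are constructed assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Any, Dict, List, Optional

RETENTION_MONTHS = 24  # minimum retention for inquiry logs stated on the page

# One key per information item the Garante decision requires in the log.
# The key names are assumptions for this example; the page lists items, not a schema.
REQUIRED_ITEMS = (
    "operator_id",        # ID code of the person in charge who accessed the data
    "accessed_at",        # date and time of the access
    "workstation_id",     # ID code of the workstation
    "customer_id",        # ID code of the customer whose data were accessed
    "relationship_type",  # e.g. "C/A", "loan/guarantee", "securities deposit"
)


@dataclass(frozen=True)
class AccessLogEntry:
    operator_id: str
    accessed_at: datetime
    workstation_id: str
    customer_id: str
    relationship_type: str


def missing_items(raw: Dict[str, Any]) -> List[str]:
    """Names of required items that are absent or empty in a candidate record."""
    return [k for k in REQUIRED_ITEMS if not raw.get(k)]


def record_access(raw: Dict[str, Any], aggregated: bool) -> Optional[AccessLogEntry]:
    """Build a log entry for one access to customer data.

    Aggregated inquiries that cannot be traced back to an individual customer
    are exempt and yield None. Any other record missing a required item is
    rejected with ValueError instead of being written incomplete.
    """
    if aggregated:
        return None
    missing = missing_items(raw)
    if missing:
        raise ValueError(f"incomplete access log record, missing: {missing}")
    return AccessLogEntry(
        operator_id=str(raw["operator_id"]),
        accessed_at=raw["accessed_at"],
        workstation_id=str(raw["workstation_id"]),
        customer_id=str(raw["customer_id"]),
        relationship_type=str(raw["relationship_type"]),
    )


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamped to the last day of the target month."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def retention_expires(log_date: date) -> date:
    """Earliest date on which an entry logged on log_date may be deleted."""
    return add_months(log_date, RETENTION_MONTHS)


def purgeable(entries: List[AccessLogEntry], today: date) -> List[AccessLogEntry]:
    """Entries whose minimum retention period has elapsed as of today."""
    return [e for e in entries if retention_expires(e.accessed_at.date()) <= today]


def purgeable_customers(entries: List[AccessLogEntry], today_iso: str) -> List[str]:
    """Customer IDs of the entries that may be purged on the given ISO date."""
    return [e.customer_id for e in purgeable(entries, date.fromisoformat(today_iso))]


# Constructed sample records (not real data). The first is logged on a leap day,
# so its 24-month retention ends on 28 February 2022.
SAMPLE_ENTRIES = [
    record_access({"operator_id": "OP-017",
                   "accessed_at": datetime(2020, 2, 29, 9, 30, tzinfo=timezone.utc),
                   "workstation_id": "WS-0042", "customer_id": "CUST-88213",
                   "relationship_type": "C/A"}, aggregated=False),
    record_access({"operator_id": "OP-017",
                   "accessed_at": datetime(2021, 6, 1, 14, 5, tzinfo=timezone.utc),
                   "workstation_id": "WS-0042", "customer_id": "CUST-10077",
                   "relationship_type": "loan/guarantee"}, aggregated=False),
]

if __name__ == "__main__":
    print("aggregated inquiry logged:", record_access({}, aggregated=True))
    print("purgeable on 2022-02-28:", purgeable_customers(SAMPLE_ENTRIES, "2022-02-28"))
    print("purgeable on 2022-02-27:", purgeable_customers(SAMPLE_ENTRIES, "2022-02-27"))
```

The retention check treats 24 months as a floor, as the text does: an entry becomes eligible for deletion on the day its retention period ends, and nothing here deletes anything earlier.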

Furthermore, the period of supervisory flexibility for the implementation of strong customer authentication ('SCA') requirements under the PSD2 ended on 31 December 2020.

The PSD2 introduced a number of cybersecurity requirements for entities operating in the financial sector in the Italian market, as described in the previous paragraphs.

In particular, companies must comply with the provisions established by Regulation 2018/389 and the Bulletin Circular on supervisory provisions for banks updated on 23 July 2019 by the Bank of Italy (only available in Italian here), which implements the EBA Guidelines on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366, Recommendations on Outsourcing to Cloud Service Providers (20 December 2017), and Guidelines on major incident reporting under Directive (EU) 2015/2366 (PSD2) (27 July 2017).

Cybersecurity practices for employees

Due to the massive adoption of smart working during the COVID-19 pandemic, AgID has published 11 recommendations to help public employees safely use personal PCs, tablets and smartphones when working from home (only available in Italian here). The recommendations were developed by AgID's CERT-PA, based on the minimum cybersecurity measures for public administrations set forth in Circular No. 1/2017 of 17 March 2017 (only available in Italian here).

AgID's 11 recommendations for a safe smart working environment are:

  • follow, as a priority, the policies and recommendations issued by your Administration;
  • use only operating systems for which support is currently guaranteed;
  • install security updates for your operating system regularly;
  • ensure that your operating system's protection software (firewall, antivirus, etc.) is enabled and kept up to date;
  • ensure that access to the operating system is protected by a secure password that complies with the password policy issued by your Administration;
  • do not install software from unofficial sources or repositories;
  • lock the system, and/or configure automatic locking, when you leave the workstation;
  • do not click on links or attachments in suspicious emails;
  • use only properly secured Wi-Fi connections;
  • connect only removable devices (pen drives, external HDDs, etc.) whose origin you know (new, already used, or provided by your Administration); and
  • always log out of the services and portals you use after completing your work session.

Cybersecurity in the education sector

No specific guidance has been provided with regard to the education sector at a national level.

5. PENALTIES

NIS Decree

The NIS Decree provides for the sanctions outlined below.

Unless the act constitutes a criminal offence, the service provider will be subject to an administrative fine ranging from €12,000 to €120,000 if it:

  • does not take appropriate and proportionate technical and organisational measures to manage the risks to the security of its network and information systems; or
  • does not take adequate measures to prevent and control the impact of incidents affecting the security of the network and information systems used for the provision of essential services.

The sanction is reduced by a third if the act is committed by a digital service provider.

Unless the act constitutes a criminal offence, a service provider that does not notify the CSIRT of incidents having a significant impact on the continuity of the essential services provided is subject to an administrative sanction from €25,000 to €125,000.

Unless the act constitutes a criminal offence, a service provider will be subject to a fine ranging from €12,000 to €120,000 if it does not provide the competent authority with:

  • the information necessary to assess the security of its networks and information systems, including documents relating to its security policies; or
  • evidence of the effective implementation of security policies, such as the results of a security audit carried out by the authority.

Unless the act constitutes a criminal offence, a service provider that does not comply with the binding instructions issued to operators of essential services to remedy the shortcomings identified is subject to an administrative fine ranging from €15,000 to €150,000.

Unless the act constitutes a criminal offence, a service provider that does not notify the Italian CSIRT of incidents with a significant impact is subject to an administrative sanction from €25,000 to €125,000.

Unless the act constitutes a criminal offence, a service provider that acts on behalf of a third party providing digital services for the provision of a service that is indispensable for the maintenance of fundamental economic and social activities, and which omits to notify the competent authorities about an incident, is subject to an administrative fine ranging from €12,000 to €120,000.

Furthermore, repeated infringements may lead to the penalty being increased up to threefold.

Privacy Code

Sanctions under the GDPR are up to €20,000,000, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

National Cybersecurity Law

The National Cybersecurity Law provides for the following administrative sanctions (unless the act constitutes a criminal offence):

  • failure to comply with the obligations to map and communicate to the competent authorities the list of relevant IT infrastructures – fines from €200,000 to €1,200,000;
  • failure to comply with the notification obligations – fines from €250,000 to €1,500,000;
  • failure to adopt the required security measures – fines from €250,000 to €1,500,000;
  • failure to communicate the outsourcing of relevant ICT systems and services within the prescribed time limits – fines from €300,000 to €1,800,000;
  • the use of products and services on networks, information systems and for the performance of IT services in violation of the conditions imposed by the CVCN, or without having passed the tests it requires – fines from €300,000 to €1,800,000;
  • failure to cooperate in carrying out the testing activities on the relevant outsourced ICT systems and services – fines from €250,000 to €1,500,000;
  • failure to comply with the requirements indicated by the competent authorities as a result of inspections and verifications carried out on outsourced ICT systems and services – fines from €250,000 to €1,500,000; and
  • failure to comply with the instructions and conditions imposed by the CVCN regarding outsourced ICT systems and services – fines from €250,000 to €1,500,000.

Violations under the fifth item above may also result in the individuals concerned being barred, for a period of three years from the date on which the infringement was established, from holding management and administration positions in other entities and control positions in legal persons and undertakings.

Finally, anyone who, in order to hinder or condition the completion of procedures or inspections regarding the obligations to map and communicate the list of all relevant IT infrastructures and the outsourcing of relevant ICT systems and services, provides information, data or factual elements that do not correspond to the truth, or fails to communicate the aforementioned information within the prescribed deadlines, is punished with imprisonment from one to three years.

Electronic Communications Code

Failure to comply with Articles 16-bis and 16-ter will lead to the sanctions provided for by Article 98(4)-(12) of the Electronic Communications Code. Among other fines, failure to provide the documents, data and information requested by the Ministry or the competent authorities, according to their respective competencies, entails an administrative pecuniary sanction from €15,000 to €1,150,000.

Lack of compliance with orders and warnings issued by the competent authorities may lead to a pecuniary administrative sanction from €240,000 to €5,000,000.

6. OTHER AREAS OF INTEREST

Not applicable.

Tommaso Ricci Lawyer [email protected] Giulio Coraggio Partner [email protected] Giulia Zappaterra Senior Lawyer [email protected] DLA Piper, Milan
