Cybersecurity regulation approved in Italy
The Prime Minister’s Decree no. 131 of 30 July 2020 containing the “Regulations regarding the national cybersecurity perimeter” (hereinafter the “D.P.C.M.”) has been officially published in the Italian Official Gazette and came into force on 5 November 2020.
The D.P.C.M. is of crucial relevance, since it sets out the criteria under which the competent ministries will identify the companies to be included in the new Italian national cybersecurity perimeter established by Law Decree no. 105 of 21 September 2019 (hereinafter the “cybersecurity perimeter”).
With the creation of the cybersecurity perimeter, the Italian government intends to impose a high standard of security on the private and public networks and information systems operating within the national territory whose efficient functioning is essential for the State, or on which the provision of essential services depends, for the maintenance of civil, social or economic activities fundamental to the public interest.
According to the schedule set out by the law (which has been seriously delayed by the COVID-19 pandemic), this D.P.C.M. establishes the criteria for determining the public and private actors concerned and requires them to draw up an inventory of the ICT systems used for the activities included in the cybersecurity perimeter. This D.P.C.M. will be followed by three further Prime Minister’s Decrees that fully implement the cybersecurity perimeter, including by laying down specific security measures.
Criteria for the identification of entities included in the cybersecurity perimeter
Art. 2 sets out the criteria under which the ministries shall identify the entities that perform essential functions for the State (functions aimed at ensuring the continuity of the action of government and constitutional bodies, internal and external security, State defense, international relations, security and public order, the administration of justice, and the functioning of economic, financial and transport systems) and essential services (activities instrumental to the exercise of the essential functions of the State, necessary for the exercise and enjoyment of fundamental rights or for the continuity of logistic systems).
In addition, Art. 3 identifies the areas of activity in which the entities to be included within the cybersecurity perimeter operate: internal security; defense; aerospace; energy; telecommunications; economy and finance; transportation; digital services; critical technologies (such as AI and robotics); social security and labour.
The list of entities identified under Articles 2 and 3 may be classified by the Prime Minister’s Office, so that it is protected through suitable methods and appropriate organizational techniques.
Obligations for the entities included in the cybersecurity perimeter
The provisions implementing the cybersecurity perimeter have to be read in comparison with those of the Network and Information Security Directive (EU) 2016/1148 (hereinafter “NIS”), implemented in Italy by Legislative Decree no. 65/2018.
The first difference between NIS and the cybersecurity perimeter concerns the duty to notify any security breach to the Computer Security Incident Response Team Italia (CSIRT-Italia), within the Italian Department of Information Security of the Prime Minister’s Office (Dipartimento delle Informazioni per la Sicurezza or “DIS”), within six hours of the event (instead of 24 hours under NIS). Worthy of note is the strict definition of “breach” under Art. 1(h) of the D.P.C.M.: “every event of accidental or intentional nature that determines the malfunction, the interruption, even partial, or the improper use of networks, information systems or ICT services”, which requires a high level of control over every aspect of ICT systems.
Furthermore, in the event of a “serious breach”, the intervention of the Cybernetic Security Department (Nucleo per la Sicurezza Cibernetica or “NSC”) will be required.
Whenever an entity included in the cybersecurity perimeter intends to procure ICT goods, systems and services to be deployed on its networks and information systems or used for the performance of IT services, such entity shall submit the procurement to the National Evaluation and Certification Center (Centro di Valutazione e Certificazione Nazionale or “CVCN”).
Art. 7 of the D.P.C.M. establishes that each entity included in the cybersecurity perimeter shall draft and update on an annual basis an inventory of its ICT assets, which covers networks, information systems and IT services and identifies those intended to perform essential services and essential functions.
In addition to the inventory, a risk assessment must be carried out on such ICT assets.
The attention given by the legislator and the government to cybersecurity shows greater understanding of the virtual space and how criminal activities may seriously affect crucial aspects of everyday life and business.
The cybersecurity perimeter is an essential measure for national security towards the full digitalization of everyday life of public and private entities and for citizens at large.
Once the cybersecurity perimeter is fully operational, the high-level cybersecurity framework established by NIS and the European Cybersecurity Act (and also the GDPR) will be extended to entities that fall outside the scope of those acts. The result will be a more secure path of digital evolution, oriented towards international security standards (e.g. ISO/IEC 27001:2013).
The next steps fall to the ministries, which will identify the entities inside the cybersecurity perimeter, and to the Prime Minister’s Office, which will draft the next D.P.C.M. in order to fully implement the law.