Cybersecurity in Italy
Threats and actors in the field
Knowing the threats to cybersecurity. Preventing attacks and incidents. Taking action. A guide for businesses in five contributions on Italian cybersecurity legislation. This contribution covers the main threats to cybersecurity and the actors in the field.
The subject of cybersecurity, previously confined to sectoral regulations, has been the focus of European and Italian lawmakers since around 2018.
The exponential increase in cyber-attacks and the acquired awareness of the seriousness of their consequences to the detriment of the State, businesses and people have given a clear acceleration to the production of legislation.
From the GDPR to the European Electronic Communications Code, from the implementation of the NIS Directive to the perimeter of national cybersecurity, cybersecurity obligations now concern an increasingly wide range of subjects.
We will explore the contents and purposes of Italian cybersecurity legislation through five contributions, of which this is the first.
Let’s start then by looking at the data.
According to the ENISA (European Union Agency for Network and Information Security) Threat Landscape 2021 Report, published in October 2021, out of the nine cybersecurity threat categories, ransomware is the one that took the lead in 2021.
The ransomware scheme is that of extortion: hackers encrypt the data of an organisation and demand payment of a sum of money (usually in cryptocurrency) to restore access to it. In some instances, the attack is not limited to data encryption but also consists of data exfiltration, followed by the threat of disclosing the data to the public if the ransom is not paid.
Another category of cybersecurity threats that shows no sign of abating is the one linked to emails. Of these, phishing is the most notorious. In its simplest version, the hacker, pretending to be someone else, sends an email to the victim asking for information such as credit card numbers or passwords. The most sophisticated phishing technique, which is becoming increasingly popular, at least in Italy, is called BEC (Business Email Compromise). Typically, BEC is carried out in this way: the hacker steals the credentials to access the email account of an employee or a manager of an organisation through an ordinary phishing action; then, pretending to be a top manager, he/she asks an employee to make a payment to a certain bank account or, pretending to be a supplier, he/she asks the client to pay the amount due to bank details other than those originally communicated by the legitimate supplier.
On the other hand, the number of attacks due to malware is decreasing, compared to 2020.
If those mentioned above are the primary cybersecurity threats to businesses in general, for providers of public communications networks and publicly available electronic communications services, security incidents caused by intentional external actions represent only a small percentage.
The ENISA Telecom Security Incidents 2020 Annual Report, issued by ENISA in June 2021, shows that, out of the total security incidents experienced by telecom operators, 61% were caused by system failures (mostly hardware failures and software bugs), 26% by human errors, 9% by natural phenomena (such as fires, floods, etc.) and only 4% by cyber attacks.
When a security incident occurs, there is always a victim.
Potentially, anyone can be a victim of a security incident.
However, as we will see below, some players are more involved than others, either because they operate in industrial sectors that are more exposed to the risk of cyber attacks or because they provide essential services whose failure can even jeopardize national security. In this perspective, according to the ENISA Threat Landscape 2021, the most affected sectors were public administration, digital services and the pharmaceutical and medical sector.
Incidents are almost always caused by individuals.
Although – as we have seen – not all security incidents are the result of intentional external actions, hackers certainly represent – at least in the collective imagination – the main protagonists of this phenomenon.
They are individuals or, most of the time, organised groups acting in their own or third parties’ interest in order to obtain profits or other illegal advantages. In some cases, the activity of hackers is part of more complex geopolitical strategies of nation states, which tolerate or even support their criminal activities. Last year, the most active hacker groups, in terms of both the number of attacks and the size of ransom demands, were Conti and REvil.
On the opposite side, besides the police and judicial authorities, responsible for preventing and repressing cybercrime phenomena, there are several state authorities charged in various ways with handling security incidents.
The Italian Data Protection Authority (the “Authority”) is the authority responsible for receiving reports of personal data breaches. It has both sanctioning and inspective powers.
The National Cybersecurity Agency (the “Agency”), set up by Law Decree No. 82/2021, is the authority that, inter alia, helps and supports national public and private subjects providing essential services in preventing and mitigating incidents as well as in restoring systems. The Computer Security Incident Response Team (“CSIRT”), the National Evaluation and Certification Centre for technological scrutiny of national strategic digital assets and the National Coordination Centre for cybersecurity in turn operate within the Agency. Like the Authority, the Agency has inspection and sanctioning powers.
On a temporary basis and until the Agency becomes fully operational, the Ministry of Economic Development and, in particular, the Directorate General for Communications Technology and Information Security, which heads the Higher Institute for Communications and Information Technologies (Istituto Superiore delle Comunicazioni e delle Tecnologie dell’Informazione, “ISCTI”), retains its previous competences.
In addition to the Ministry of Economic Development, the following are likewise charged with handling security incidents: the Prime Minister’s Office and some of its internal bodies, such as the Interministerial Committee for Cybersecurity (Comitato Interministeriale per la Cybersicurezza, “CIC”) and the Interministerial Committee for the Security of the Republic (Comitato Interministeriale per la Sicurezza della Repubblica, “CISR”); the Department of Information for Security (Dipartimento delle Informazioni per la Sicurezza, “DIS”); and the other four Ministries acting as NIS authorities (i.e., besides the Ministry of Economic Development, the Ministries of Infrastructure and Sustainable Mobility, Economy, Health and Ecological Transition).
GDPR and data breaches
The second contribution on Italian legislation on cybersecurity. This contribution focuses on personal data breach and the obligations of data controllers and processors under the GDPR.
Article 4(12) of Regulation (EU) 2016/679 (hereinafter, the “GDPR”) defines “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
Personal data breaches can therefore be categorised into:
- confidentiality breach, where there is an unauthorised or accidental disclosure of, or access to, personal data;
- availability breach, where there is an accidental or unauthorised loss of access to, or destruction of, personal data; and
- integrity breach, where there is an unauthorised or accidental alteration of personal data.
There are two main obligations that the GDPR imposes on a data controller in the event of a personal data breach.
The first one, under Article 33(1) of the GDPR, is that of notifying the breach to the competent supervisory authority; the second one, under Article 34(1) of the GDPR, is that of communicating the breach to data subjects.
Data breach notification to supervisory authorities is always mandatory, unless the breach is “unlikely to result in a risk for the rights and freedoms of individuals”.
There is a risk for the rights and freedoms of individuals when the breach is even only potentially capable of causing material or immaterial damage to the data subject.
As concerns the notification timeframe, notification must be made “without undue delay and, where feasible, within 72 hours after [the controller] having become aware of it”, that is to say, from the time when it is reasonably certain that a security incident resulting in compromising the personal data has occurred. In case of notifications made after 72 hours, the controller shall be under an obligation to give reasons for the delay. A processor who becomes aware of a breach shall on the other hand notify the controller without undue delay and, therefore, as soon as possible.
As for the form, content and methods of transmission of the notification to the supervisory authority, it is the supervisory authority itself that establishes the relevant requirements, which may also go beyond the minimum requirements set out in the GDPR.
More specifically, from 1 July 2021, the notification to the Authority may be made exclusively via the online procedure available in the Authority’s online services portal and accessible at https://servizi.gpdp.it/databreach/s/.
Notification may be made directly by the controller, through a legal representative, or a proxy acting on the controller’s behalf, authorised by a power of attorney to act in the procedure in the name and on behalf of the controller.
The notifying person (whose identity is established at the time of accessing the service via SPID (Public Digital Identity System), CIE (Electronic Identity Card) or CNS (National Service Card), or at the time of signing the notification by digital signature) is required to provide a certain amount of information. The information requested can be classified as follows:
A) Data of the notifying person;
B) Type of notification;
C) Data controller;
D) Contact details for information relating to the breach;
E) Any further persons involved in the processing;
F) Information concerning the breach;
G) Likely consequences of the breach;
H) Measures taken to address the breach;
I) Assessment of risk to data subjects;
L) Communication of the breach to data subjects;
M) Other information;
N) Information on cross-border violations;
O) Information on breach concerning processing carried out by a controller established outside the European Economic Area.
Communication to data subjects is, on the other hand, mandatory “when the breach of personal data is likely to result in a high risk to the rights and freedoms of natural persons”. The risk threshold required for disclosure is therefore higher than that required for notification; not all breaches notified to the supervisory authority therefore need to be communicated to data subjects.
As concerns the timeframe for communication, communication must be made “without undue delay”, i.e. as soon as possible.
The main purpose of such requirement is to provide data subjects with detailed information as to the measures they can take to protect themselves against any detrimental consequence of a breach.
There are no specific procedures or formalities for making the communication.
Article 34(2) of the GDPR requires only that the communication, besides identifying the name and contact details of the Data Protection Officer (DPO) or other contact point, describe, in clear and simple terms, the nature of the personal data breach, the likely consequences of the breach and the measures taken or proposed to be taken to address the breach.
There is, however, no obligation to communicate when:
- the data controller has implemented, in relation to the data breach, appropriate technical and organisational measures, in particular those that render the data unintelligible to anyone who is not authorised to access it (such as encryption or tokenization);
- immediately after the breach, the data controller has taken steps that ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise (e.g., the data controller has taken prompt action against the individual who gained unauthorised access to the data before the latter was able to use it); or when
- contacting data subjects would involve a disproportionate effort (e.g., contact information was lost due to the breach); in such case, a public communication or similar measure may be taken.
In consideration of the above, it is clear that the assessment of the existence of a risk (or a high risk), as soon as one becomes aware of a breach, is essential to understand whether to make the notification to the competent supervisory authority and the communication to data subjects as well as, of course, to take effective measures to limit and resolve the breach.
In this regard, the WP29, in its “Guidelines on Personal data breach notification under Regulation 2016/679 (WP250)”, subsequently adopted by the European Data Protection Board, lists and describes seven risk factors to consider. It refers to ENISA’s document of December 2013, “Recommendations for a methodology of the assessment of severity of personal data breaches”, which contains a methodology for data breach severity assessment, as a useful tool allowing controllers to prepare an action plan. Such factors include:
- type of breach;
- nature, sensitivity and volume of personal data;
- ease of identification of individuals;
- severity of consequences for individuals;
- special characteristics of the individual;
- special characteristics of the data controller;
- the number of affected individuals.
By way of example, based on the aforementioned guidelines, a cyber-attack making a hospital’s medical records unavailable for a period of 30 hours should be notified to the Authority and communicated to the data subjects, involving a high risk for the patients’ health and privacy.
By contrast, a brief power outage lasting a few minutes at a controller’s call centre, preventing customers from calling the controller and accessing their records, would not amount to a breach subject to notification or communication.
There is, moreover, a further requirement placed on the data controller in case of breach, regardless of whether or not the breach is notified and communicated to the authority and to data subjects.
The data controller is indeed required to document any personal data breach, including the circumstances surrounding the breach, its consequences and any remedial action taken. Also in respect of such activity, there are no specific procedures or formalities; in practice, companies have set up a data breach register completed with the above information. This is obviously a tool that allows the controller to demonstrate for accountability purposes (and the authority to verify) compliance with the applicable legislation.
It should be noted that the rules described above, introduced and fully regulated by the GDPR, now also apply, pursuant to the Authority’s order of 30 July 2019, to the personal data breach notification obligations imposed on providers of electronic communication services under Directive 2002/58/EC (so-called “e-Privacy Directive”) and the relevant national implementing legislation (Legislative Decree 69/2012, which in turn amended, in that regard, Legislative Decree 196/2003), as well as to communication obligations regarding health records, biometrics, circulation of information in the banking sector and the exchange of personal data between public administrations.
Finally, a few pieces of statistical information.
In terms of breaches notified to the Authority, 1,443 cases were recorded in 2019 and 1,387 cases in 2020; by contrast, in 2018 there were 650 cases only (see 2020 and 2021 annual reports, respectively).
Out of the approximately 60 measures published by the Authority on the matter in the last year (April 2021-January 2022), almost all of them targeted actions connected with internal incidents (e.g., incidents of erroneous transmission/sharing of data with unauthorised parties), while in the other cases said measures addressed external intentional actions associated with ransomware attacks.
With regard to the type of sanctions applied, the Authority issued warnings or administrative fines to the persons involved.
Among the highest sanctions, the Authority sanctioned a credit institution for EUR 1,650,000, not for a specific breach under Articles 33 and 34 of the GDPR, but for its failure to adopt technical and organisational measures capable of ensuring a level of security adequate to the risk, a circumstance that in fact emerged in the course of the Authority’s investigation.
The next contribution will focus on the Electronic Communications Code and the obligations of providers of public communications networks and publicly available electronic communications services.
The electronic communications code and the obligations imposed on providers of public communications networks and publicly available electronic communications services
The third contribution on Italian legislation on cybersecurity. This contribution focuses on the obligations laid down in the Electronic Communications Code for providers of public communications networks and publicly available electronic communications services in relation to security measures to be adopted and reporting of major incidents.
Certain companies have IT security obligations beyond those imposed on them under the GDPR.
This is the case, for example, of companies providing public communications networks or publicly accessible electronic communications services. These include telecommunications operators, providers of Internet messaging services and of VoIP services and providers of other Internet communications services.
There are two obligations for providers of public communications networks or publicly available electronic communications services.
The first obligation is to take the (technical and organisational) measures identified by the Agency to manage the risks posed to the security of publicly accessible electronic communications networks and services (e.g. the use of encryption technologies).
Furthermore, the Agency may issue binding instructions to providers of public communications networks or publicly available electronic communications services to remedy a security incident or prevent one from occurring when a significant threat has been identified.
To date, the Agency has not yet established such measures. Therefore, reference must still be made to the measures set out in Article 4 of the Ministry of Economic Development’s Decree of 12 December 2018 in relation to critical assets.
The measures identified by the Decree include, in particular:
- definition and updating over time of security policies, approved by the company Management;
- identification of the main risks to the security and integrity of networks and services and definition of the methods for managing them;
- definition of roles and assignment of responsibilities to employees, whose availability in the event of security incidents must be ensured;
- definition (and verification of compliance) of the requirements to be met by services and products provided by third parties and definition of the methods for managing security incidents relating to or caused by third parties and affecting the network or the service provided;
- provision of training courses to staff, rotation of staff with positions of responsibility and definition of intervention procedures in case of breach of security policies;
- adoption of physical and logical security measures (e.g. procedures for assigning and revoking access rights; authentication mechanisms gauged on the basis of the type of access; protection mechanisms against unauthorised physical access or unexpected events; monitoring and recording of accesses, etc.);
- implementation of protection systems and malware detection systems and adoption of measures to prevent the tampering or alteration of software used in the network and in information systems, as well as the disclosure of critical security data, such as passwords and private keys;
- adoption (and verification of compliance) of operating procedures relating to the operation of critical systems and preparation and updating over time of a database of system configurations to enable their possible recovery, as well as an inventory of critical assets;
- assignment of a technical structure with adequate competence and availability to manage security incidents, as well as adoption of procedures for the detection, management and resolution of incidents;
- development of a contingency plan and adoption of disaster recovery procedures;
- periodic performance of tests, checks and other monitoring activities.
The second obligation is to notify the Agency and the CSIRT of security incidents that are considered significant for the proper functioning of networks and services.
The identification of significant security incidents is the responsibility of the Agency, the law only indicating the parameters that the Agency must consider in order to identify them, namely:
a) the number of users affected by the security incident;
b) the duration of the security incident;
c) the geographical spread of the area affected by the security incident;
d) the extent of the impact on the operation of the network or service;
e) the extent of the impact on economic and social activities.
While waiting for the Agency to identify significant security incidents, the criteria set out in Article 5 of the Ministry of Economic Development’s Decree of 12 December 2018 shall apply, whereby a security incident – meaning “a breach of security or loss of integrity that results in a malfunction of electronic communications networks and services” – is significant when:
a) its duration exceeds one hour and the percentage of users affected is higher than fifteen percent of the total number of domestic users of the service concerned;
b) its duration exceeds two hours and the percentage of users affected is higher than ten percent of the total number of domestic users of the service concerned;
c) its duration exceeds four hours and the percentage of users affected is higher than five percent of the total number of domestic users of the service concerned;
d) its duration exceeds six hours and the percentage of users affected is higher than two percent of the total number of domestic users of the service concerned;
e) its duration exceeds eight hours and the percentage of users affected is higher than one per cent of the total number of domestic users of the service concerned.
Pending the transfer of cybersecurity functions from the Ministry of Economic Development to the Agency, the relevant notification must be made to the CSIRT and ISCTI (Istituto Superiore delle Comunicazioni e delle Tecnologie dell’Informazione – Higher Institute for Communications and Information Technologies).
The deadline for notification is 24 hours from the detection of the incident. The notification made within 24 hours must include at least information about:
a) the service concerned;
b) the duration of the incident, if concluded, or the estimated conclusion if still ongoing;
c) the estimated impact on the users of the service concerned expressed as a percentage of the national user base for said service.
In addition, within 5 days of notification, a report must be submitted which contains:
a) a description of the incident;
b) the cause of the incident such as, by way of example only and without limitation, human error, failure, natural phenomenon, malicious action, failure caused by a third party;
c) the consequences on the service provided;
d) the infrastructures and systems affected;
e) the impact on interconnections at national level;
f) the response actions to mitigate the impact of the incident;
g) the actions to reduce the risk of recurrence of the incident or similar incidents.
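To make the Article 5 thresholds and the 24-hour notification concrete for an incident-triage tool, here is an added Python example (not from the Decree, the Agency or the page) that classifies an incident against the five duration/percentage tiers, flags open incidents that must be re-assessed, and derives the minimum notification content (items a to c) with the notification and report deadlines; the Incident fields, the sample figures and the function names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Significance tiers of Article 5 of the MISE Decree of 12 December 2018 as set
# out on the page: (tier, hours that must be exceeded, percentage of the
# national users of the service that must be exceeded). Both are strict.
SIGNIFICANCE_TIERS = [
    ("a", 1.0, 15.0),
    ("b", 2.0, 10.0),
    ("c", 4.0, 5.0),
    ("d", 6.0, 2.0),
    ("e", 8.0, 1.0),
]

NOTIFICATION_DEADLINE = timedelta(hours=24)  # from detection of the incident
REPORT_DEADLINE = timedelta(days=5)          # from the notification itself

@dataclass
class Incident:
    """Constructed incident record; the field names are assumptions."""
    service: str
    started_at: datetime
    detected_at: datetime
    ended_at: Optional[datetime]  # None while the incident is still ongoing
    affected_users: int
    national_user_base: int       # domestic users of the service concerned

def duration_hours(inc: Incident, now: datetime) -> float:
    """Duration up to ended_at if concluded, otherwise up to 'now'."""
    end = inc.ended_at if inc.ended_at is not None else now
    if end < inc.started_at:
        raise ValueError("incident ends before it starts")
    return (end - inc.started_at).total_seconds() / 3600.0

def affected_percentage(inc: Incident) -> float:
    """Affected users as a percentage of the national user base."""
    if inc.national_user_base <= 0:
        raise ValueError("national user base must be positive")
    return 100.0 * inc.affected_users / inc.national_user_base

def matched_tiers(duration_h: float, pct: float) -> List[str]:
    """Every tier whose duration and percentage are both strictly exceeded."""
    return [t for t, h, p in SIGNIFICANCE_TIERS if duration_h > h and pct > p]

def is_significant(duration_h: float, pct: float) -> bool:
    return bool(matched_tiers(duration_h, pct))

def assess(inc: Incident, now: datetime,
           notified_at: Optional[datetime] = None) -> Dict[str, object]:
    """Classify the incident; if significant, build the minimum content of the
    24-hour notification (items a-c) and the deadlines for it and the report."""
    hours = duration_hours(inc, now)
    pct = affected_percentage(inc)
    tiers = matched_tiers(hours, pct)
    result: Dict[str, object] = {
        "significant": bool(tiers),
        "tiers": tiers,
        "duration_hours": round(hours, 2),
        "affected_pct": round(pct, 2),
        # An open incident below threshold can cross one as it continues.
        "reassess": inc.ended_at is None and not tiers,
    }
    if tiers:
        notify_by = inc.detected_at + NOTIFICATION_DEADLINE
        # The 5 days run from the actual notification; assume it is sent at
        # the deadline when no notification time is known yet.
        result["notify_by"] = notify_by
        result["report_by"] = (notified_at or notify_by) + REPORT_DEADLINE
        result["notification"] = {
            "a_service": inc.service,
            "b_duration": (f"{hours:.1f} h, concluded" if inc.ended_at
                           else f"{hours:.1f} h so far, still ongoing"),
            "c_estimated_impact_pct": round(pct, 2),
        }
    return result

def sample_assessments() -> Dict[str, Dict[str, object]]:
    """Constructed sample incidents (not real data) run through assess()."""
    t0 = datetime(2022, 3, 1, 9, 0)
    base = 2_000_000
    cases = {
        # 90 minutes at 16%: tier a (more than 1 h and more than 15%).
        "short_wide": Incident("VoIP", t0, t0 + timedelta(minutes=20),
                               t0 + timedelta(minutes=90), 320_000, base),
        # exactly 1 h at 20%: "exceeds one hour" is not met, not significant.
        "boundary": Incident("VoIP", t0, t0, t0 + timedelta(hours=1),
                             400_000, base),
        # still open after 3 h at 12%: tier b, notifiable while ongoing.
        "ongoing": Incident("mobile data", t0, t0 + timedelta(minutes=10),
                            None, 240_000, base),
        # 9 h at 1.5%: long but narrow, caught only by tier e.
        "long_narrow": Incident("SMS", t0, t0, t0 + timedelta(hours=9),
                                30_000, base),
    }
    now = t0 + timedelta(hours=3)
    return {name: assess(inc, now) for name, inc in cases.items()}
```

Because the tiers are strict ("exceeds", "higher than"), an incident sitting exactly on a boundary is not significant, and an ongoing incident that is not yet significant has to be re-evaluated as its duration grows.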
In order to verify compliance with the obligations described above, the Agency may request from network and service providers any and all information necessary for assessing the security of networks and services (in particular, documents relating to security policies), as well as carry out audits and inspections, either directly or through an appointed third party.
Sanctions in case of breach of the obligations described above are quite high.
Failure to comply with security measures shall be punished with an administrative fine between Euro 250,000 and Euro 1,500,000 and failure to report significant security incidents with an administrative fine between Euro 300,000 and Euro 1,800,000. Finally, failure to provide the information necessary to assess security shall be punished with an administrative fine between Euro 200,000 and Euro 1,000,000.
However, sanctions may be reduced by up to one-third, taking into account the minor nature of the breach, any efforts made by the party in question to eliminate or mitigate the consequences of the breach, and the economic importance of the operator.
The next contribution will focus on the NIS Directive and the obligations of operators of essential services and of suppliers of digital services.
The NIS Directive and the obligations of essential services operators and digital services providers
This fourth contribution on Italian cybersecurity legislation deals with the obligations imposed by the NIS Directive on security of network and information systems upon essential services operators and digital services providers.
Directive (EU) 2016/1148 on security of network and information systems (the “NIS Directive”), transposed in Italy by Legislative Decree No. 65/2018, provides for measures for a high common level of security of network and information systems used by essential services operators (“ESOs”) and digital services providers (“DSPs”).
ESOs are those operators that provide a service essential to the maintenance of key social and/or economic activities in the areas of energy, transport, banking, financial market infrastructure, health, drinking water supply and distribution as well as digital infrastructure. They are identified by the NIS authorities by means of their own measures. The list with the names of ESOs is kept at the Ministry of Economic Development and is updated every two years.
DSPs include entities providing digital e-commerce, cloud computing and search engine services, having their principal place of business, registered office or appointed representative in the national territory.
Pursuant to Article 12 of Legislative Decree No. 65/2018, ESOs are required to:
a) take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations;
b) take appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of such essential services, with a view to ensuring the continuity of such services;
c) notify the CSIRT (Computer Security Incident Response Team) of any incidents having a significant impact on the continuity of the essential services they provide.
Similar obligations are provided for by Article 14 of Legislative Decree No. 65/2018 on the part of DSPs, which are required to:
a) identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in the context of offering services within the Union;
b) take measures to prevent and minimise the impact of incidents affecting the security of their network and information systems on the services offered within the Union, with a view to ensuring the continuity of such services;
c) notify the CSIRT of any incident having a substantial impact on the provision of a service offered by them within the Union.
Notifications of the relevant incidents must be made “without undue delay”, according to the terms set out by the CSIRT and, where appropriate, by each sectoral NIS authority by its own guidelines.
Furthermore, any entities that cannot be classified as ESOs or DSPs are entitled to make notifications on a voluntary basis according to the terms of Article 17 of Legislative Decree No. 65/2018.
Finally, both ESOs and DSPs are required to provide the information necessary to assess the security of their network and information systems and to remedy any failure or deficiency identified.
The Agency (in whose structure the CSIRT is included, as mentioned above) is the authority responsible for monitoring the application of the NIS Directive, designated by Article 7 of Legislative Decree No. 65/2018 as the national competent NIS authority and single point of contact for network and information systems security. The following authorities (cooperating with the national competent NIS authority) are on the other hand designated as sectoral authorities:
a) the Ministry of Economic Development for the digital infrastructure sector, IXP, DNS, TLD sub-sectors, and for digital services;
b) the Ministry of Infrastructure and Sustainable Mobility, for the transport sector, air, rail and road sub-sectors;
c) the Ministry of Economy and Finance, for the banking and financial market infrastructure sectors;
d) the Ministry of Health, for health assistance activities provided by the operators employed, appointed or entrusted by, or having an agreement with, the same, and the Regions and the Autonomous Provinces of Trento and Bolzano, either directly or through the competent local health authorities, for health assistance activities provided by operators authorised and accredited by the Regions or Autonomous Provinces in the respective local areas of competence;
e) the Ministry of Ecological Transition for the energy sector, electricity, gas and oil subsectors; and
f) the Ministry of Ecological Transition and the Regions and the Autonomous Provinces of Trento and Bolzano, either directly or through the competent local authorities, for the drinking water supply and distribution sector.
In case of non-compliance with the obligations under the NIS Directive, administrative sanctions of up to EUR 150,000 shall apply, to be imposed by the competent national NIS authority.
Remarkably, in response to certain issues of concern that have emerged in these first years of implementation of the NIS Directive, the European Commission submitted a proposal for its revision (commonly referred to as the “NIS2 Directive”), which provides, inter alia, for: notification of major incidents within 24 hours; the broadening of the scope of the Directive to cover medical device manufacturers, waste management operators and postal and courier services operators; identification of ESOs directly by the Directive and not by Member States; an obligation on Member States to impose administrative fines, in any event increased up to €10 million or 2% of the total worldwide annual turnover of the undertaking concerned.
The national cyber security perimeter
Fifth and last contribution on Italian cybersecurity legislation. This contribution focuses on the national cyber security perimeter and the obligations imposed on those included in the perimeter with regard to notification of incidents and to the award of contracts for the supply of ICT goods, systems and services.
The national cyber security perimeter was established by Article 1 (1) of Decree Law No. 105/2019 “in order to ensure a high level of security of the networks, information systems and IT services of public administrations, public and private bodies and operators headquartered in the national territory, that are instrumental to the exercise of essential functions of the State, or the provision of a service essential for the maintenance of civil, social or economic activities that are fundamental to the interests of the State, and whose malfunctioning, interruption, whether partial or not, or improper use, could be prejudicial to national security”.
The Decree Law in question delegates to subsequent Decrees of the President of the Council of Ministers the function of defining:
a) the criteria and methods for identifying the entities included in the national cyber security perimeter and the rules governing the obligations resulting from inclusion in the perimeter;
b) the procedures for reporting incidents occurring on networks, information systems and IT services included in the perimeter, and the relevant security measures;
c) the procedures, methods and deadlines to be complied with by public administrations, national bodies and operators, both public and private, included in the national cyber security perimeter, planning to award contracts for the supply of ICT goods, systems and services to be used on the networks, information systems and for the performance of the IT services identified in the list sent to the Presidency of the Council of Ministers and the Ministry of Economic Development.
Moreover, the Decree Law identifies the tasks of the National Assessment and Certification Centre (Centro di Valutazione e Certificazione Nazionale, “CVCN”), with reference to the procurement of ICT products, processes, services and associated infrastructures – if intended for networks, information systems, IT systems included in the national cyber security perimeter. The CVCN is entrusted with the task of ensuring security (and the absence of vulnerabilities) of products, hardware and software intended to be used in networks, information systems and IT services of the entities included in the perimeter.
Moving on to the analysis of the implementing decrees, Decree of the President of the Council of Ministers No. 131 of 30 July 2020 (the so-called “DPCM 1”) laid down the criteria and procedural methods for the identification of the entities included in the national cyber security perimeter and defined the criteria for the preparation and updating of the list of the networks, information systems and IT services relevant to them.
The entities included in the perimeter are identified in Article 2 of DPCM 1, which distinguishes between entities exercising “essential functions” of the State and entities exercising “essential services” for the maintenance of civil, social or economic activities fundamental to the interests of the State.
The first category includes all those entities entrusted by law with tasks aimed at ensuring continuity of government action and of constitutional bodies, internal and external security and defence of the State, international relations, security and public order, administration of justice and functionality of economic, financial and transport systems.
The second category includes those (public or private) entities carrying out: activities instrumental to the exercise of essential State functions; activities necessary for the exercise and enjoyment of fundamental rights; activities necessary for the continuity of supplies and the efficiency of infrastructures and logistics; research activities and activities relating to production environments in the field of high technology and in any other sector, where they are of economic and social importance, also for the purposes of ensuring national strategic autonomy, competitiveness and development of the national economic system.
Article 3 defines the sectors of activity included in the perimeter: priority is given to entities operating in the government sector, which concerns the activities of the CISR (Interministerial Committee for the Security of the Republic) administrations; it also includes other entities engaged in activities related to the interior, defence, space and aerospace, energy, telecommunications, economy and finance, transport, digital services, critical technologies, and social security/labour institutions.
The list of entities included in the perimeter is contained in an administrative act, adopted at the proposal of the CISR by the President of the Council of Ministers.
In turn, Decree of the President of the Council of Ministers No. 81 of 14 April 2021 (the so-called “DPCM 2”) defines the modalities for the notification of incidents affecting networks, information systems and IT services related to the national cyber security perimeter.
In particular, Article 2 of DPCM 2 provides for the obligation, for entities included in the perimeter, to notify security incidents affecting their ICT goods.
The taxonomy of incidents is provided by Tables 1 and 2 of Annex “A” to DPCM 2, which classify events on the basis of their severity. Less serious incidents are listed in Table 1 and fall into the following categories: i) infection; ii) failure; iii) installation; iv) lateral movement; v) actions on targets, including cases of unauthorised exfiltration of data. The most serious cases are instead identified by Table 2, which identifies the following categories: (i) “actions on targets”, which include cases of inhibition of response functions, impairment of control processes and intentional disservice; (ii) “disservice”, which includes cases of breach of the expected service level, defined by the entity included in the cyber security perimeter pursuant to the security measures contained in Annex B, especially in terms of availability of ICT goods, as well as cases of processing of corrupted data or execution of corrupted operations through the ICT good and unauthorised disclosure of digital data related to ICT goods.
Said distinction is functional to the different timing established by DPCM 2 for fulfilling the notification obligation: incidents indicated in Table 1 must be notified to the CSIRT within six hours, whereas the most serious incidents, indicated in Table 2, must be notified within one hour. In both cases the deadline runs from the moment in which the entity included in the perimeter becomes aware of the incident, including by means of monitoring, testing and control activities; the clock therefore starts at detection, not at the time the incident actually began.
Notification to the CSIRT shall be made through appropriate communication channels, in the ways published on the CSIRT website. At the specific request of the CSIRT, the entity included in the perimeter shall update the notification within six hours of such request.
Once the plans for the implementation of the activities to restore ICT goods affected by the notified incident have been defined, the entity included in the perimeter that made the notification shall promptly notify the CSIRT and shall submit, at CSIRT’s request and within 30 days, a technical report illustrating the significant elements of the incident, including the consequences of the impact of the incident on ICT goods and the remedial actions taken, unless the relevant judicial authority has previously communicated the existence of specific investigation secrecy requirements.
Entities included in the perimeter may also notify, on a voluntary basis, incidents relating to ICT goods not included in the tables under Annex A or incidents included in said tables but relating to non-ICT networks and systems.
The body in charge of managing notifications received by the CSIRT is the Security Intelligence Department (Dipartimento delle informazioni per la sicurezza – DIS), which forwards them to the competent authorities (to the office of the Ministry of the Interior in charge of security and regularity of telecommunication services; to the department of the Presidency of the Council of Ministers in charge of technological innovation and digitalization, if notifications come from a public entity; to the Ministry of Economic Development, if notifications come from a private entity; to the competent NIS Authority if the notification is made by entities falling within the scope of the NIS legislation).
DPCM 2 also identifies the security measures that entities included in the perimeter are required to adopt with respect to the relevant ICT goods and services.
Said measures are listed in Annex B to DPCM 2, with respect to the categories identified by Decree Law No. 105/2019, and must be implemented according to a specific timeline. At each update of the list of ICT goods, entities included in the perimeter shall adjust the security measures, with the same timing provided for the first adoption.
Finally, the third decree implementing the Decree Law establishing the security perimeter is the DPCM of 15 June 2021 (in Official Gazette No. 198 of 19 August 2021) – the so-called “DPCM 3” – which, together with Presidential Decree No. 54 of 5 February 2021, identifies the categories of ICT goods, systems and services to be used in the national cyber security perimeter and the methods and procedures relating to the functioning of the CVCN.
In particular, DPCM 3 defines the procedures, methods and deadlines to be complied with by public administrations, national bodies and operators, both public and private, included in the perimeter of national cyber security, planning to award contracts for the supply of ICT goods, systems and services, intended to be used on networks, information systems and for the performance of IT services identified in the list sent to the Presidency of the Council of Ministers and the Ministry of Economic Development.
Of significant importance is the obligation for entities included in the cyber security perimeter to notify the CVCN of their intention to initiate procurement procedures in relation to such ICT goods, systems and services.
DPCM 3 identifies, on the basis of the technical criteria set out in Article 13 of Presidential Decree 54/2021, four categories of ICT goods, systems and services subject to prior assessment by the CVCN, namely (i) hardware and software components providing telecommunications network functionalities and services (access, transport, switching); (ii) hardware and software components providing functionalities for the security of telecommunications networks and the data processed by them; (iii) hardware and software components for the acquisition of data, monitoring, supervision, control, actuation and automation of telecommunications networks and industrial and infrastructure systems; (iv) software applications for the implementation of security mechanisms.
The same DPCM provides that the categories identified be updated at least once a year by decree of the President of the Council of Ministers, taking into account technological innovation and changes in technical criteria.
This article is for information purposes only and is not, and cannot be intended as, a professional opinion on the topics dealt with. For further information please contact Paolo Gallarati, Giulio Uras, Virginia Paparozzi, Marco Cappa and Cecilia Moioli.