This fourth contribution on Italian cybersecurity legislation deals with the obligations imposed by the NIS Directive on security of network and information systems upon essential services operators and digital services providers.
Directive (EU) 2016/1148 on security of network and information systems (the “NIS Directive”), transposed in Italy by Legislative Decree No. 65/2018, provides for measures for a high common level of security of network and information systems used by essential services operators (“ESOs”) and digital services providers (“DSPs”).
ESOs are operators that provide a service essential to the maintenance of key societal and/or economic activities in the energy, transport, banking, financial market infrastructure, health, drinking water supply and distribution, and digital infrastructure sectors. They are identified by the competent NIS authorities by means of their own measures. The list of ESOs is kept by the Ministry of Economic Development and is updated every two years.
DSPs are entities providing e-commerce (online marketplace), cloud computing and search engine services that have their principal place of business, registered office or appointed representative in Italy.
Pursuant to Article 12 of Legislative Decree No. 65/2018, ESOs are required to:
a) take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations;
b) take appropriate measures to prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of such essential services, with a view to ensuring the continuity of such services;
c) notify the CSIRT (Computer Security Incident Response Team) of any incidents having a significant impact on the continuity of the essential services they provide.
Similar obligations are provided for by Article 14 of Legislative Decree No. 65/2018 on the part of DSPs, which are required to:
a) identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of network and information systems which they use in the context of offering services within the Union;
b) take measures to prevent and minimise the impact of incidents affecting the security of their network and information systems on the services offered within the Union, with a view to ensuring the continuity of such services;
c) notify the CSIRT of any incident having a substantial impact on the provision of a service offered by them within the Union.
Notifications of the relevant incidents must be made “without undue delay”, according to the terms set out by the CSIRT and, where appropriate, by each sectoral NIS authority by its own guidelines.
Furthermore, entities that do not qualify as ESOs or DSPs may notify incidents on a voluntary basis under Article 17 of Legislative Decree No. 65/2018.
Finally, both ESOs and DSPs are required to provide the information necessary to assess the security of their network and information systems and to remedy any failure or deficiency identified.
The Agency (within which the CSIRT sits, as noted in the previous contributions in this series) is the authority responsible for monitoring the application of the NIS Directive, being designated by Article 7 of Legislative Decree No. 65/2018 as the national competent NIS authority and single point of contact for the security of network and information systems. The following authorities, which cooperate with the national competent NIS authority, are designated as sectoral authorities:
a) the Ministry of Economic Development for the digital infrastructure sector (IXP, DNS and TLD sub-sectors) and for digital services;
b) the Ministry of Infrastructure and Sustainable Mobility, for the transport sector, air, rail and road sub-sectors;
c) the Ministry of Economy and Finance, for the banking and financial market infrastructure sectors;
d) the Ministry of Health, for health assistance activities provided by the operators employed, appointed or entrusted by, or having an agreement with, the same, and the Regions and the Autonomous Provinces of Trento and Bolzano, either directly or through the competent local health authorities, for health assistance activities provided by operators authorised and accredited by the Regions or Autonomous Provinces in the respective local areas of competence;
e) the Ministry of Ecological Transition for the energy sector, electricity, gas and oil subsectors; and
f) the Ministry of Ecological Transition and the Regions and the Autonomous Provinces of Trento and Bolzano, either directly or through the competent local authorities, for the drinking water supply and distribution sector.
In case of non-compliance with the obligations under the NIS Directive, administrative fines of up to EUR 150,000 apply, imposed by the competent national NIS authority.
Notably, in response to certain issues of concern that have emerged in these first years of implementation of the NIS Directive, the European Commission has submitted a proposal for its revision (commonly referred to as the “NIS2 Directive”), which provides, inter alia, for: notification of significant incidents within 24 hours; the broadening of the scope of the Directive to cover, among others, medical device manufacturers, waste management operators and postal and courier service providers; identification of the entities in scope directly by the Directive rather than by the Member States; and an obligation on Member States to provide for administrative fines with a maximum of at least EUR 10 million or 2% of the total worldwide annual turnover of the undertaking concerned.
This article is for information purposes only and is not, and cannot be intended as, a professional opinion on the topics dealt with. For further information please contact Paolo Gallarati, Giulio Uras and Marco Cappa.