In Italy, there are several laws and regulations that set out the fundamental cybersecurity and data protection requirements.
Italian Data Protection Code
The Italian Data Protection Code (Legislative Decree 196/2003) regulates the processing of personal data and establishes the obligations of data controllers and data processors.
The General Data Protection Regulation (GDPR) is the European Regulation that establishes a single set of rules for the protection of personal data. The Regulation was transposed in Italy through Legislative Decree 101/2018, which amends the Italian Data Protection Code.
National Cybersecurity Perimeter
Decree-Law No 105 of 2019 (converted and amended by Law No 133 of 18 November 2019) formally established a National Cybersecurity Perimeter (PSNC). Its provisions aim to ensure a high level of security for networks, information systems and IT services of both the public administration and national, public, and private services, entities, and operators.
The Italian Cybersecurity Framework
The framework was introduced by the DPCM on 8 July 2020 and requires operators of essential services and digital service providers to take appropriate measures to manage cyber risks and report cybersecurity incidents. In terms of incident response and notification requirements, the framework requires operators of essential services and digital service providers to report cybersecurity incidents to the Computer Emergency Response Team and the competent authority within 72 hours of becoming aware of them.
Decree-Law No 82 of 14 June 2021
Decree-Law No 82 of 14 June 2021 called “Urgent provisions on cybersecurity, definition of the national cybersecurity architecture and establishment of the National Cybersecurity Agency”, redefined national cybersecurity governance and established a specialised national agency.
Transposition of Specific European Regulations
In terms of the transposition of EU regulations and directives, the following should be noted.
Regarding differences between data breach incidents and cybersecurity incidents that may not involve personal information, it is important to note that while data breaches typically involve the unauthorised access to or disclosure of personal information, cybersecurity incidents can involve a range of activities that threaten the confidentiality, integrity, or availability of information systems or data, regardless of whether personal information is involved.
In terms of enforcement and fines, the General Data Protection Regulation establishes fines of up to EUR20 million or 4% of an organisation’s global annual revenue. In addition, operators of essential services and digital service providers who fail to comply with the requirements of the Italian Cybersecurity Framework may face fines and sanctions from the relevant authorities.
In Italy, there are several regulators and government authorities responsible for cybersecurity and personal data protection.
The Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) is responsible for monitoring the compliance to GDPR and Italian Data Protection Code.
The Italian Communications Regulatory Authority (AGCOM) is responsible for regulating the communications sector in Italy. The Italian Computer Security Incident Response Team (CSIRT) is responsible for managing and responding to cybersecurity incidents affecting government entities and critical infrastructure. The National Anti-Corruption Authority (ANAC) is responsible for ensuring the integrity and transparency of public procurement processes, including in the procurement of IT systems and services. The National Cybersecurity Agency (ACN) was established through Decree-Law No 82 of 14 June 2021 to protect national interests in the field of cybersecurity and to provide a path to transfer the Computer Security Incident Response Team responsibilities to the ACN.
As far as the implementation and supervision of the Network and Information Security (NIS) Directive legislation is concerned, the institutional model is highly decentralised. In fact, five ministries are designated as competent NIS authorities.
In terms of audits and investigations, the Italian Data Protection Authority and other regulators have the power to conduct inspections and audits to ensure compliance with data protection and cybersecurity laws. Investigations may also be initiated as a result of complaints or incidents reported by affected individuals, companies, or government entities.
In addition to these regulatory bodies, there are also various non-regulatory government authorities that play a direct role in cybersecurity. These include incident response entities, critical infrastructure agencies such as the National Centre for Cybersecurity, and secure software review entities such as the National Centre for Software Technologies (CNTS). Law enforcement agencies such as Polizia Postale are also directly relevant to cybersecurity, as they are responsible for investigating cybercrime and prosecuting cybercriminals.
In Italy, the administrative process that cybersecurity regulators or data protection authorities must follow to investigate and impose fines depends on the specific laws and regulations that are being enforced. However, in general, the process typically involves the following steps.
Respondents have the right to due process, which includes the right to be informed of the charges against them, to respond to the charges, and to appeal any fines imposed. The specific legal standards or criteria that are used to determine whether a violation has occurred can vary depending on the nature of the incident and the laws and regulations being enforced.
The main difference between data breach incidents and other cybersecurity events is that data breaches typically involve the unauthorised access to or disclosure of personal information, while cybersecurity incidents can involve a range of activities that threaten the confidentiality, integrity, or availability of information systems or data, regardless of whether personal information is involved.
In the case of supply chain and software vulnerabilities, the DPA may investigate to determine whether any personal data has been compromised or whether any violation of the Data Protection Regulation has occurred. If a violation is found, the DPA may impose fines under the GDPR. However, if no personal data is involved, other regulatory or legal frameworks may apply.
Legislative Decree No 101 of 2018 established the national transposition of the provisions of the General Data Protection Regulation (GDPR). The Decree harmonised the provisions of the Italian Privacy Code with the ones set out in European Regulation 2016/679.
Directive (EU) 2016/680
Legislative Decree 51/2018, dated 18 May 2018, transposed Directive (EU) 2016/680 in Italy. This legislative decree contains a series of requirements to regulate the adoption of security measures regarding the protection of personal data processed by law enforcement agencies in the context of judicial police activities.
Legislative Decree 65/2018 transposes EU Directive No 2016/1148 on the security of networks and information systems within the Union (the so-called NIS Directive). It is necessary to mention that, following the proposed update in December 2020, the NIS2 Directive was approved on 14 December 2022 by the European Parliament and the Council. Currently, from a regulatory point of view, the NIS Directive is still in force; however, the operational implementation of NIS2 is in progress and its transposition is expected no later than 17 December 2024.
Digital Operational Resilience Act
The Digital Operational Resilience Act (DORA) came into force across the European Union on 17 January 2023. The DORA Regulation addresses the need to establish a new regulatory framework to ensure adequate operational resilience standards for entities belonging to the financial sector.
Cyber Resilience Act
The European Commission has published two proposals for a Regulation known as the Cyber Resilience Act (CRA). The CRA is aimed at ensuring that all products with digital elements that are placed on the European market present sufficient guarantees in terms of cybersecurity, thus revealing an adequate level of accountability of the manufacturers.
It has to be noted that data protection and cybersecurity are regulated in a centralised manner and there are no subnational obligations.
In recent years, there has been an exponential increase in the attention and valorisation of the interaction between private companies and major governmental and non-governmental organisations for the purposes of sharing cybersecurity information.
In this context, it is worth mentioning the role of the National Cybersecurity Agency (ACN), which, in defining and implementing the national security strategy, has called on organisations to get involved in strengthening the country’s security. The ACN has initiated several collaborations with private companies aimed at sharing information relevant to cybersecurity. The most recent include:
Italy’s data protection and cybersecurity regime is broadly aligned with the European Union’s (EU) regulatory framework, and it goes far beyond it.
In Italy, the protection of critical infrastructures is a priority for the government, and cybersecurity plays a crucial role in ensuring the resilience and security of these systems. To this end, Italy has established a set of regulations and requirements for the cybersecurity of critical infrastructures. These requirements apply to organisations that operate critical infrastructures, including those in the energy, transportation, and telecommunications sectors.
In the legislative and regulatory framework of the European Union, there have been several developments during the last 12 months. Specifically, it is worth mentioning:
At the national level, Italy has further implemented its regulatory framework through the establishment of the National Cyber Security Perimeter.
In addition, it is worth mentioning that, in the context of Decree-Law No 105 of 21 September 2019, also known as “Decreto Crescita 2.0” or “Growth Decree 2.0”, the Italian government established the Cybersecurity Fund (Fondo per la Cybersecurity).
More specifically, the Decree-Law includes a range of provisions related to economic growth, including tax incentives for businesses and measures to support small and medium-sized enterprises.
In this context, the Cybersecurity Fund is intended to encourage Italian businesses to invest in cybersecurity and to promote the development of a robust cybersecurity industry in Italy.
While other countries may have similar requirements related to cybersecurity in their laws, the specific provisions of the “Decreto Crescita 2.0” are unique to Italy. The law reflects the Italian government’s recognition of the importance of cybersecurity and its efforts to promote the development of a secure digital economy in Italy.
There are several issues and aspects that impact the current cyber landscape, and, to date, emerging threats and the geo-political context are particularly relevant.
It has been observed that cyber-attacks on companies worldwide increased by 42% in the first six months of 2022. Particular attention was drawn to the increase in state-sponsored hacker groups and the massive use of ransomware as the main weapon of attack.
In this scenario, the National Agency for Cybersecurity, which can act as a regulator of the supply chain of public administrations, has recently issued an important measure (Directorial Decree 307/2022) regulating the requirements for cloud service providers and, in general, for providers of cloud-based solutions (IaaS, PaaS, SaaS).
These requirements are based on two parallel tracks and a distinction between categories of data processed by providers.
In this sense, the requirements identified concern the possession of specific certifications such as ISO/IEC 27001, ISO 9001, ISO 20000-1, ISO 22301, and the compliance with the provisions of DPCM 81/2021, ie, with the set of technical and organisational security measures derived from the American NIST framework and readapted for Italy by the National Interuniversity Consortium for Informatics (CINI), thus de facto equating the position of the providers with that of the subjects included in the National Cybersecurity Perimeter.
In conclusion, in the course of 2023, vendors of cloud, IaaS, PaaS and SaaS solutions for the Italian public administration will have to align themselves with the main international standards in terms of cybersecurity and with the regulations affecting companies whose compromise could harm national security.
The GDPR regulates the processing of personal data by private individuals and public entities to ensure that said processing is carried out respecting the rights and freedoms of the data subjects.
The provisions of the National Cyber Security Perimeter apply to the networks, information systems and IT services of public administrations and national, public and private entities and operators. Specifically, the Perimeter includes entities that perform:
As far as legislation at the European level is concerned, it should be noted that the NIS Directive and the subsequent NIS2 Directive apply to operators of essential services and digital service providers.
As far as the implementation of the NIS Directive is concerned, the Italian government has adopted a decentralised model that provides for the designation of five ministries (Economic Development, Infrastructure and Transport, Economy and Finance, Health and Environment, and Land and Sea Protection) as “competent NIS authorities”.
In addition, the Italian Computer Security Incident Response Team (CSIRT) was established by Legislative Decree 65/2018.
The National Cybersecurity Agency (ACN) was established by Decree-Law No 82 of 14 June 2021 to protect national interests in the field of cybersecurity.
The National Assessment and Certification Centre (CVCN) is one of the reference bodies for the monitoring of the subjects included in the National Cybersecurity Perimeter. Specifically, for such entities, there is an obligation to notify the CVCN to procure the supply of ICT assets, systems and services for use on networks, information systems and for the performance of IT services.
The European Union Agency for Cyber Security (ENISA) is a European Union agency established in 2004 with the aim of improving the level of cybersecurity in Europe. ENISA supports member states in developing and implementing cybersecurity policies and strategies. The agency aims to promote co-operation and information sharing between member states, institutions, and the private sector.
In Italy, ENISA provides technical assistance and advice to the Italian government and other stakeholders. The agency supports the development of cybersecurity capacity in Italy through training and capacity building initiatives. ENISA promotes information sharing between Italian stakeholders and other EU member states, improving co-ordination and co-operation on cybersecurity.
In Italy, the Data Protection Authority is the Garante per la Protezione dei Dati Personali, also known as the “Garante Privacy”.
The Garante Privacy is an independent administrative authority responsible for assuring the protection of personal data and privacy rights. It is responsible for ensuring compliance with the EU General Data Protection Regulation (GDPR) and the Italian Data Protection Code and works closely with other regulatory bodies and law enforcement agencies to investigate and prosecute violations of the data protection legislative framework.
The Garante Privacy has a range of powers and responsibilities, including the following.
In Italy, financial sector regulators play an important role in ensuring the cybersecurity of financial institutions and protecting the integrity and stability of the financial system.
The primary financial sector regulator in Italy is the Bank of Italy (Banca d’Italia), which oversees banks, financial institutions, and payment service providers.
The Bank of Italy has implemented several measures to promote cybersecurity in the financial sector, including:
Other sectoral regulators in Italy also have a role to play in promoting cybersecurity in their respective industries.
For example, the Italian Communications Authority (Autorità per le Garanzie nelle Comunicazioni) regulates the telecommunications sector and promotes cybersecurity in areas such as network security and data protection.
In addition, the Italian Energy Authority (Autorità per l’Energia Elettrica il Gas e il Sistema Idrico) oversees the energy sector and promotes cybersecurity in areas such as critical infrastructure protection and incident response.
Overall, sectoral regulators in Italy work to promote cybersecurity within their industries, develop and enforce regulations, and collaborate with other regulatory bodies and law enforcement agencies to protect against cyber threats and respond to incidents.
In addition to the Data Protection Authority and financial sector regulators, there are several other key regulators and agencies in Italy that have a role to play in promoting cybersecurity.
The Italian Postal and Communications Police (Polizia Postale e delle Comunicazioni) is a specialised law enforcement agency that focuses on investigating cybercrimes and enforcing laws related to cybersecurity and data protection.
The Italian National Anti-Corruption Authority (Autorità Nazionale Anticorruzione) is responsible for promoting transparency and preventing corruption in the public sector. It works to ensure that government agencies and public institutions adopt appropriate cybersecurity measures to protect sensitive information and prevent data breaches.
The National Centre for Cybersecurity (Centro Nazionale per la Cybersecurity) is a government agency that is responsible for developing and implementing national cybersecurity strategies and co-ordinating cybersecurity efforts across government agencies and industry sectors.
The Italian Digital Transformation Team (Equipe di Trasformazione Digitale) is a government agency that is responsible for driving digital transformation across government agencies and promoting the adoption of new technologies.
The Italian Competition Authority (Autorità Garante della Concorrenza e del Mercato) is responsible for enforcing competition laws and preventing anti-competitive practices in the marketplace. It works to ensure that businesses adopt appropriate cybersecurity measures to protect sensitive information and prevent data breaches.
It is advisable for organisations to put in place a comprehensive cybersecurity framework to address any specific risks and have a global approach to possible threats. This should at least include policies and procedures on information security, access control, asset management, encryption, network management, third-party management and business continuity.
The National Institute of Standards and Technology (NIST) Framework and the CINI (Comitato Interministeriale per la Sicurezza della Repubblica Italiana) Framework are both IT security management tools.
The NIST Framework was developed in the United States by the National Institute of Standards and Technology and provides a set of guidelines and best practices for IT security management. It consists of three main parts:
The CINI Framework was developed in Italy and is based on the NIST Framework but adapted to the specific needs of Italy. It was introduced by DPCM 81/2021 and it consists of four main parts:
Provisions and Guidelines
Under Article 14 of Legislative Decree 65/2018 (concerning digital service providers) and Article 32 of the GDPR, organisations must demonstrate that they have put in place all the appropriate technical and organisational measures to prevent risks to the freedoms and rights of data subjects.
In addition, the latest Confindustria Guidelines for the implementation of an Organisation, Management and Control Framework pursuant to Legislative Decree No 231 of 8 June 2001 specify that companies must promote integrated forms of compliance, also in the field of cybersecurity, so that all IT and security procedures put in place are co-ordinated with each other and suitable to protect the company from any possible form of liability.
Furthermore, the guidelines of the Italian Data Protection Authority for the protection of personal data must also be considered. These guidelines cover a range of topics, including data breaches, data minimisation and privacy by design.
Lastly, specific policies and procedures are described in the new version of the ISO/IEC 27001 standard, which has integrated cloud security and data protection requirements, and in the provisions of Prime Ministerial Decree No 81/2021 on the National Cybersecurity Perimeter, based on the CINI framework.
There is no single consensus or commonly applied framework for “reasonable security” in Italy. Instead, organisations are expected to take a risk-based approach to cybersecurity and implement appropriate measures based on their specific risks and threats.
However, there are some frameworks and guidelines that are commonly used by organisations in Italy to guide their cybersecurity practices. For example, the NIS Directive and Legislative Decree 105/2019 provide specific requirements for operators of essential services and public administrations, respectively. Additionally, AgID guidelines and guidelines from the Italian Data Protection Authority provide guidance on best practices for information security and personal data protection.
In practice, organisations in Italy may use a combination of these frameworks and guidelines, along with other standards such as ISO 27001 and NIST Cybersecurity Framework, to develop and implement their cybersecurity programmes. The specific measures that organisations implement may vary based on their size, industry, and specific risks and threats.
In any case, it must be emphasised that the existence of DPCM 81/2021, based on the CINI framework (ie, the Italian adaptation of the NIST framework) and Directorial Decree 307/2022, shifts the focus to the national adoption of the security measures contained therein, and in 2023 they will become a benchmark for the main organisations operating in Italy.
Written Information Security Plans or Programmes
There is no specific legal requirement for written information security plans or programmes in Italy, but it is generally considered a best practice for organisations to document their cybersecurity policies and procedures. Organisations may use guidelines such as ISO 27001 or NIST Cybersecurity Framework to develop their information security plans.
Incident Response Plans
The NIS Directive and Legislative Decree 105/2019 require operators of essential services and public administrations, respectively, to develop and implement incident response plans. Guidelines from the Italian Data Protection Authority and AgID provide guidance on developing and implementing incident response plans.
Required Security Practices
The specific security practices required will depend on the industry and the data being protected. However, the NIS Directive and Legislative Decree 105/2019 provide specific security requirements for operators of essential services and public administrations, respectively.
Appointment of Chief Information Security Officer
There is no legal requirement for organisations to appoint a Chief Information Security Officer (CISO) in Italy. However, it is generally considered a best practice for organisations to designate a person or team responsible for overseeing cybersecurity.
For organisations falling within the National Cyber Security Perimeter, such an obligation can be found in DPCM 81/2021, as it requires such companies to appoint a person in charge of contacts with the competent authority, who can be responsible for the implementation of the technical and organisational security measures contained in the aforementioned regulation.
Involvement of Board of Directors
The involvement of the board of directors in cybersecurity is not specifically required by law in Italy. However, the NIS Directive and Legislative Decree 105/2019 require operators of essential services and organisations falling within the National Cyber Security Perimeter, respectively, to ensure that their senior management is involved in cybersecurity risk management.
Conducting Internal Risk Assessments, Vulnerability Scanning, Penetration Tests, Etc
There is no legal requirement for organisations to conduct internal risk assessments, vulnerability scanning, or penetration testing in Italy. However, it is generally considered a best practice for organisations to conduct these activities to identify and address potential security risks and an activity that is aligned to the obligation arising from Article 32 of the GDPR.
Multi-Factor Authentication, Anti-Phishing Measures, Protection Against Business Email Compromise, Ransomware, Threat Intelligence
There are no specific legal requirements for multi-factor authentication, anti-phishing measures, protection against business email compromise, ransomware, or threat intelligence in Italy. However, guidelines from the Italian Data Protection Authority and AgID provide guidance on best practices for information security and personal data protection and DPCM 81/2021 that regulates the technical and organisational security measures that organisations falling within the National Cyber Security Perimeter has to implement explicitly includes the above-mentioned measures.
Insider Threat Programmes
There are no specific legal requirements for insider threat programmes in Italy. However, it is generally considered a best practice for organisations to develop and implement a programme to mitigate the risks associated with insider threats, but it can be deduced from the application of the whole cybersecurity legislative framework.
Vendor and Service Provider Due Diligence, Oversight and Monitoring
There are specific legal requirements for vendor and service provider due diligence, oversight, and monitoring in Italy. Organisations are expected to ensure that their vendors and service providers implement appropriate security measures to protect the data and systems they are entrusted with. This obligation arises from the application of the Italian Cybersecurity Perimeter.
Use of Cloud, Outsourcing, Offshoring
There are specific legal requirements for the use of cloud, outsourcing, or offshoring in Italy. The National Agency for Cybersecurity, which can act as a regulator of the supply chain of public administrations, has recently issued an important measure (Directorial Decree 307/2022) regulating the requirements for cloud service providers and, in general, for providers of cloud-based solutions (IaaS, PaaS, SaaS).
Payment of Ransomware
Paying ransomware is generally discouraged as it can encourage further attacks and there is no guarantee that paying the ransom will result in the return of data, it can be also considered a criminal activity pursuant Article 379 of the Italian Criminal Code.
Secure Software Development or Patching
There are no specific and general legal requirements for secure software development or patching in Italy. However, it is generally considered a best practice for organisations to implement a software development lifecycle that includes security considerations and to promptly patch known vulnerabilities. For organisations falling within the National Cyber Security Perimeter, such an obligation can be found in DPCM 81/2021.
Responsible Disclosure of Software Vulnerabilities
In Italy, there is no specific legal requirement for responsible disclosure, but some industry groups and professional associations have established guidelines and best practices for vulnerability disclosure.
For example, in 2015, the National Cyber Security Center (CNS) established a vulnerability disclosure framework for public administration entities.
In addition, some Italian companies and organisations have established their own responsible disclosure programmes to encourage security researchers to report vulnerabilities in their products and services.
The legal requirement for organisations to provide training to their resources in Italy is based on Article 29 GDPR and for organisations falling within the National Cyber Security Perimeter, such an obligation can be found in DPCM 81/2021.
Italy is an active participant in many international initiatives and organisations related to cybersecurity, including the following.
Italy also participates in various other international organisations and initiatives related to cybersecurity, such as the G7, the Organization for Security and Co-operation in Europe (OSCE), and the Global Forum on Cyber Expertise (GFCE).
Personal data in Italy is regulated by the GDPR, which mandates that organisations comply with various affirmative security requirements when carrying out data processing activities. These requirements can include:
The EU Market Abuse Regulation (MAR) regulates the protection of material business data and material non-public information in Italy. To comply with MAR, organisations must adhere to various affirmative security requirements. These include maintaining an up-to-date insider list, disclosing inside information, disclosing personal transactions, conducting market audits according to the established rules, reporting suspicious transactions, establishing an effective compliance function, and obtaining certification.
These affirmative security requirements aim to prevent insider trading and market manipulation, protect material non-public information, and ensure a fair market.
In July 2019, as required by the Network and Information Security (NIS) Directive and Legislative Decree 65/2018, Italy provided organisations with guidelines on risk management and the prevention, mitigation and notification of cyber incidents and attacks.
Moreover, the Agency for Digital Italy (AgID), now within the powers of the ACN, accredited CSA STAR certification as the only alternative to ISO 27001 certification (integrated with ISO 27017 and 27018) to certify the security of software as a service cloud services for the Italian Public Administration.
In addition, the Decree of the President of the Council of Ministers 81/2021 on the National Cybersecurity Perimeter provided technical and organisational security measures aimed at managing security incidents and improving the cybersecurity posture of institutions that are critical for national security.
The Legislative Decree 105/2019 mandates that organisations implement appropriate technical and organisational measures to prevent denial-of-service (DoS) attacks and ensure the availability and integrity of their information systems.
Affirmative security requirements include regular risk assessments, vulnerability testing, intrusion detection, and incident response plans. Critical infrastructure operators must report any cyber incidents to the National Cybersecurity Agency and obtain certification from a third-party assessment body.
Service providers and cloud operators must ensure that their networks and systems meet the same security standards. In the event of a DoS attack or similar incident, organisations must promptly report it to the authorities, work to restore the availability of the systems and minimise damage. Failure to comply with these requirements may result in sanctions or fines, and the National Cybersecurity Agency may also initiate investigations and audits to ensure compliance.
The implementation of a business continuity management system can provide the necessary elements to implement these and other measures aimed at improving organisations’ availability profiles. Specific requirements for the implementation of such a system are identified and detailed within the ISO/IEC 22301: 2019 standard.
With regard to IoT devices, reference can be made to the publication of the first version of the standard ISO/IEC 27400:2022. The standard contains guidelines, principles, and controls to mitigate information security and data protection risks in IoT applications.
Supply Chain Security
In the national legislative framework, supply chain security is a fundamental requirement. Specifically, reference can be made to:
Secure Software Development
AgID published a set of guidelines to implement a secure software development process, during all software development lifecycle (SDLC) phases, through the identification and implementation of appropriate security actions. These also include guidelines for threat modelling and identification of mitigation actions in accordance with Security/Privacy by Design principles.
In the context of the Italian cybersecurity legislative framework, there are no specific requirements applicable to ransomware attacks.
However, under Article 379 of the Italian Criminal Code, it is a criminal offence to helps someone to secure the product or profit or the price of an offence.
This means that payment of a ransom to an attacker who has carried out a ransomware attack may be considered as aiding and abetting a criminal offence. Therefore, it is generally discouraged, and in some cases it may even be illegal.
Additionally, companies are required to report any cybersecurity incidents, including ransomware attacks, to the Data Protection Authority. They may also be required to notify law enforcement, depending on the circumstances.
A potentially reportable data security incident, breach or cybersecurity event is typically defined as an actual or suspected unauthorised access, acquisition, use, disclosure, disruption, or destruction of personal or confidential data or information systems, or any other event that compromises the security or integrity of such data or systems.
The definition of a reportable event may vary depending on the jurisdiction or industry and may be based on factors such as the nature and scope of the incident, the types of data involved, and the potential harm or risk to affected individuals or organisations.
In many cases, data security incidents or breaches are subject to notification or reporting requirements, which may include timelines for reporting, methods of reporting, and specific information that must be included in the report. Failure to report a reportable event may result in fines or fines, depending on the relevant legal framework.
Under Italian law, data breach and cybersecurity event reporting and notification requirements are primarily governed by the GDPR and the Italian Data Protection Code.
The data elements covered in these requirements include the categories of personal data and the approximate number of data subjects affected by the breach.
When reporting the event, organisations must also provide additional information regarding the nature of the breach, its possible consequences, and technical and organisational measures that have been implemented to address it and to prevent it from happening again.
When reporting and notifying a data breach or cybersecurity event in Italy, the following elements of the system are typically covered:
Medical devices are regulated in the EU by the Medical Devices Regulation (MDR) and the In-Vitro Diagnostic Medical Devices Regulation (IVDR). These regulations provide a legal framework for the safety and performance of medical devices and establish specific requirements for their design, manufacture and use.
Furthermore, with regard to aspects related to the security of the networks and information systems involved in the above-mentioned activities, it should be noted that these are regulated by the NIS Directive.
Specifically, it is worth mentioning that the NIS2 Directive identifies manufacturers of medical devices and in vitro diagnostic medical devices as Important Entities (IEs) that, if considered critical during a public health emergency, are classified as Essential Entities (EEs).
In Italy, medical devices are regulated by the Ministry of Health through the Italian Institute of Health. The cybersecurity requirements for medical devices are specified in the Ministerial Decree of 2 April 2020 on the “Technical requirements for medical devices and software”.
Under this decree, medical devices must be designed and developed in accordance with the state of the art, with particular attention paid to ensuring their security and protection against cyber threats. The decree establishes specific requirements for cybersecurity, including:
The decree also requires manufacturers of medical devices to report any security incidents or breaches that may impact the safety or performance of the device to the Italian Institute of Health.
In Italy, industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems are subject to cybersecurity regulations and standards, such as Legislative Decree no 65/2018 on the cybersecurity of networks and information systems, as well as the technical regulations issued by the Italian National Agency for New Technologies, Energy and Sustainable Economic Development (ENEA).
ENEA has issued guidelines on the technical measures to be implemented to ensure the security of ICS and SCADA systems, including the use of firewalls, intrusion detection and prevention systems, secure remote access controls, and encryption of sensitive data.
There are currently no legally binding security requirements for IoT devices.
However, in cases where such devices are involved in the processing of personal data and/or are part of the infrastructure of organisations critical to national security, the corresponding requirements of the GDPR and/or, as far as cybersecurity is concerned, the requirements of the National Cybersecurity Perimeter are applicable and it is recommended to refer to the ISO 27400 standard.
There are currently no legally binding security requirements for secure software development.
In this context, however, it is worth mentioning that AgID published a set of guidelines to implement a secure software development process, during all SDLC phases, through the identification and implementation of appropriate security actions.
In Italy, reporting requirements for cybersecurity incidents are governed by several laws and regulations, including the NIS Directive, the GDPR, and the provisions for the entities included in the National Cybersecurity Perimeter.
Articles 33 and 34 of the GDPR require data controllers to notify security incidents where the breach is likely to result in risks to the rights and freedoms of data subjects to the DPA and data subjects within 72 hours of becoming aware of them.
In addition, pursuant to Article 28 of the GDPR, the processor shall promptly inform the controller of security incidents that have occurred.
According to Article 12 of the NIS Directive, operators of essential services shall notify the Italian CSIRT and the competent NIS authority of incidents having a significant impact on the continuity of the essential services provided.
Prime Minister’s Decree 81/2021 requires those included in the national cybersecurity perimeter to notify the Supervisory Authority of any security incident impacting the organisation’s ICT assets and/or services. Annex A of the decree establishes the timing for notifying incidents according to a classification based on their severity.
Although there is no specific legal obligation in Italy for individuals to report cybersecurity incidents, they may report incidents to law enforcement agencies or consumer protection organisations, specifically if they have been victims of cybercrime.
In Italy, any data breach that could result in a risk to the rights or freedoms of individuals must be notified to the Italian DPA (Garante per la Protezione dei Dati Personali) without undue delay and, where feasible, not later than 72 hours after having become aware of the breach.
The threshold for notifying affected individuals depends on the severity of the breach and the risks it poses to individuals. If the breach poses a high risk to the individuals’ rights and freedoms, the data controller must also inform the affected individuals without undue delay.
In addition, specific notification obligations apply to certain types of personal data, such as health data, where the breach can pose a risk to the health or safety of the data subjects.
There are no specific thresholds or standards for notifying other third parties, apart from the ones listed above, under Italian law. The decision to notify other third parties will depend on the circumstances of the breach and the legal and contractual obligations of the data controller.
As far as defence measures for cybersecurity are concerned, organisations are free to adopt and implement those they deem most appropriate, while considering all legal requirements, especially in the case of network monitoring activities. Specifically, organisations may use software to monitor network traffic, detect anomalies, and identify potential security threats. However, the use of such software must be transparent and comply with privacy laws.
Network monitoring activities are also subject to regulatory requirements concerning the monitoring of employees’ activities. These include the following.
The intersection of cybersecurity and data protection laws gives rise to potential conflicts and challenges. Cybersecurity laws aim to protect computer systems, networks, and data from cyber threats, while privacy laws aim to safeguard individuals’ personal data and privacy rights.
When these intersect, conflicts may arise because measures that enhance cybersecurity, such as monitoring or data retention, may conflict with data protection laws that limit the collection and retention of personal data. For example, monitoring employees’ internet activities or email communications to improve cybersecurity may conflict with data protection laws that mandate the protection of individuals’ private communications.
To navigate these conflicts, organisations must balance the need for cybersecurity measures with the protection of individuals’ personal data and privacy rights. To this end, it is advisable for organisations to adopt a risk-based approach to cybersecurity and privacy, ensuring that measures to enhance cybersecurity do not infringe on individuals’ privacy rights, and that the disclosure of personal data is limited to the extent necessary to comply with the relevant laws and regulations.
Currently, apart from the security incident and data breach reporting obligations derived from the national regulatory framework, there are no mandatory requirements in place for sharing cybersecurity information with government authorities.
However, there are several initiatives to involve organisations in cyber threat information sharing practices with the aim of increasing the level of national cybersecurity.
In this context, it is worth mentioning the role of the ACN, which, in defining and implementing the national security strategy, has called on organisations to get involved in strengthening the country’s security. The ACN has initiated several collaborations with private companies aimed at sharing information relevant to cybersecurity.
In the national and European context, the voluntary sharing of information regarding cybersecurity and cyber threats is considered as an effective instrument to be able to prevent and promptly respond to new forms of cyber-attacks.
Specifically, regarding security incidents, reference can be made to the provisions of Article 18 of Legislative Decree 65/2018, which sets out the possibility of voluntary notification for entities that are not identified as essential service operators or digital service providers. The notification of an incident occurring to an organisation that has IT systems and infrastructure like those of the entities for which notification is mandatory may enable the competent NIS authorities and the CSIRT to put in place preventive actions to avoid incidents that could impact on services that are considered essential.
Currently, cybersecurity enforcement in Italy is mainly conducted by the Italian DPA, which has issued several notable fines for data breach violations. Sanctioned entities include:
Some of the most significant fines issued by the Italian Data Protection Authority include:
In Italy, the applicable legal standards for cybersecurity and data breach regulatory enforcement and litigation are primarily based on the Italian Data Protection Code (Legislative Decree no 196/2003) and the General Data Protection Regulation (GDPR).
Moreover, if the violation is caused by a computer crime committed in the interest and to the advantage of the entity and this is the result of a lack of adequate security measures, such violation may entail, in addition to the administrative sanctions referred to above, criminal liability under Article 24-bis of Legislative Decree No 231/2001.
There have been a number of high-profile data security incidents and breaches in Italy that have resulted in private litigation. For example, in 2017, Italian telecommunications company Telecom Italia was sued by a group of consumer associations for a data breach that exposed the personal information of around 600,000 customers. The plaintiffs alleged that Telecom Italia failed to take adequate security measures to protect their personal data and sought damages of EUR100 million.
In another case, a class action lawsuit was filed against the Italian branch of the University of Maryland after a data breach that exposed the personal information of over 300,000 students and staff. The plaintiffs alleged that the university failed to adequately protect their personal data and sought damages of EUR1 billion.
More recently, in 2021, a group of Italian consumers filed a class action lawsuit against Meta for a data breach that exposed the personal information of over 533 million users worldwide, including over 35 million in Italy. The plaintiffs alleged that Facebook failed to take adequate security measures to protect their personal data and sought damages of EUR5 billion.
In the Italian regulatory framework, class actions were initially defined and regulated within the Consumer Code (Article 140 bis). In 2019, the Parliament approved Law No 31 of 2019, aimed at reforming class action with the purpose of strengthening this institution by broadening its scope and placing it under the Code of Civil Procedure.
The rules for such actions are strict and require a large number of claimants to join the action before it can proceed. In general, collective actions are not common in Italy, and the courts have not yet dealt with many cybersecurity-related cases.
In recent years, there has been an increase in individual claims related to data breaches and cybersecurity incidents in Italy.
In general, the disposition of these cases in court will depend on the specific facts of the case and the evidence presented.
In the national regulatory framework, there are no specific provisions on roles for corporate governance and specific standards for the resilience of organisations.
However, it is worth mentioning that the issue of governance is addressed within the provisions of the National Cybersecurity Perimeter. Specifically, reference can be made to the security measures that entities must implement, which include those related to corporate governance and provide for the drafting and updating of appropriate documentation regarding roles and responsibilities for cybersecurity and how risk is assessed and managed. Those aspects are regulated through DPCM 81/2021.
In conducting diligence in corporate transactions in the Italian cybersecurity legislative framework, several issues and considerations should be considered.
First of all, it is important to determine whether the target company has implemented an adequate cybersecurity programme and whether it complies with relevant cybersecurity laws and regulations. Due diligence should include a review of the company’s information security policies, procedures, and protocols, as well as its past security incidents or data breaches.
In addition, a review should be performed on the target company’s contracts and relationships with third-party vendors and service providers that have access to the company’s systems and data. Due diligence should assess whether these third parties have adequate security measures in place to protect the company’s systems and data.
Furthermore, an evaluation of the target company’s IT infrastructure, including hardware, software, and cloud-based services should be carried out in order to identify any vulnerabilities or weaknesses that could be exploited by cyber threats.
Lastly, it is important to assess the target company’s ability to respond to cybersecurity incidents or data breaches. This includes a review of its incident response plan and its history of incident response.
There are no cybersecurity-specific laws in the Italian legislative framework that specifically mandate the disclosure of an organisation’s cybersecurity risk profile or experience.
However, there are various laws and regulations, such as the GDPR and the NIS Directive that require organisations to take appropriate measures to protect personal data and secure their network and information systems.
In addition, some regulations, such as the CONSOB Regulation on issuers and the MiFID II Directive, require publicly traded companies to disclose information that may be relevant to their investors, which could include information about cybersecurity risks and incidents.
Overall, while there is no specific law mandating the disclosure of an organisation’s cybersecurity risk profile or experience, various laws and regulations require organisations to take appropriate measures to protect personal data and secure their network and information systems, which may indirectly impact their cybersecurity risk profile and the need for disclosure.
There are insurance policies that cover cybersecurity breaches, and they are usually included in the broader coverage related to personal data protection. They also cover cybersecurity and losses resulting from events such as cyber terrorism and cyber-attacks, as well as service interruptions and access interruptions.
The use of such insurance policies has become more widespread since the GDPR came into force, which, among other things, requires the adoption of appropriate technical and organisational security measures. In this context, the coverage of the risk is often conditional on the policyholder putting in place the security measures required by the Regulation.
Via Borgonuovo 12
+39 0284 2471 94
+39 0270 0512 email@example.com www.ictlc.com
Nowadays, reliance on technology and the internet has become increasingly crucial for businesses of all sizes, with many embracing digitalisation to enhance efficiency and broaden their customer base. However, with the growing dependence on digital technology comes the escalating risk of cyber threats, which can have serious consequences for businesses and their clients. In Italy, cybersecurity is a growing concern, and businesses operating in the country must take steps to protect themselves from the various threats that exist in the digital world.
Current Cyber Threats Landscape
The ENISA Threat Landscape report of 2022 offers a comprehensive view of the current cyber threat landscape in Europe.
First of all, the report reveals the strong impact of the geopolitical context on the threat landscape. Specifically, it was observed that the Russian-Ukrainian conflict has led to a significant increase in hacktivist activity. In this context, the operations carried out by cyber actors in concert with kinetic military action, the increase in cybercrime, and the presence of aid by nation-state groups during this conflict have also been observed.
Furthermore, it emerged that threat actors have increased their capabilities, also through the use of zero-day exploits to achieve their operational and strategic goals. In addition, it was highlighted that threat groups have an increased interest and exhibit an increasing capability in supply chain attacks and attacks against managed services providers.
The main threats identified include ransomware, malware, and social engineering and, according to the report, the attacks are mainly aimed at compromising availability of the services. Specifically, it was observed that:
Updates in the European Legislative Framework
Reform of the NIS Directive
The NIS Directive constituted, together with the General Data Protection Regulation (GDPR), an important first step towards an integrated framework for cybersecurity at the European level.
However, since its introduction in 2016, the cyber threat landscape has changed considerably and therefore the scope of this framework needed to be updated and expanded to address contemporary risks and future challenges. In particular, there were still insufficient and divergent levels of resilience among the various member states and a low level of awareness.
In this context, on 16 December 2020, the European Commission presented a proposal to update the Directive in order to repeal and replace the current legal text considering the limitations that emerged from the application of NIS Directive.
The NIS 2 Directive (Directive EU 2022/2555) is based on five fundamental pillars:
NIS 2 Directive, approved by the European Parliament on 10 November 2022, was published in the Official Journal of the European Union on 27 December 2022 and officially came into force on 17 January 2023.
From this date, EU member states were given a deadline of 21 months to adopt and publish the relevant national transposition legislation.
The Cyber Resilience Act
In an effort to strengthen cybersecurity measures across the European Union (EU), the European Commission has published two proposals for a Regulation known as the Cyber Resilience Act (CRA).
The CRA is aimed at ensuring that all products with digital elements that are placed on the European market present sufficient guarantees in terms of cybersecurity, thus revealing an adequate level of accountability of the manufacturers, with an approach that aims to a security-by-design principle that encompasses all phases of the lifecycle of a given product.
The Digital Operational Resilience Act
The Digital Operational Resilience Act (DORA) came into force across the European Union on 17 January 2023.
The DORA Regulation addresses the need to establish a new regulatory framework to ensure adequate operational resilience standards for entities belonging to the financial sector. More specifically, DORA aims to be a benchmark for companies operating in the financial sector in the event of malfunctions or threats related to information and communication technologies (ICT) assets.
As a primary goal, the Regulation aims to implement an alternative and unified solution to deal with ICT risk management and incident handling at the EU level. Doing so requires a harmonised strategy to optimise operational resilience plans for the financial sector that may help to ensure business continuity in the context of unforeseen events, such as cyber-attacks. Additionally, the Regulation pays specific attention to the supply chain of financial institutions and requires the identification, assessment, and monitoring of critical suppliers.
As far as data protection is concerned, it is worth mentioning that the European Data Protection Board (EDPB) approved the first certification mechanism according to Article 42 (5) of the GDPR, which is called Europrivacy, to further strengthen the guarantees of accountability of data controllers and processors.
Updates in the National Legislative Framework
Italy has made significant progress in its implementation of a regulatory framework at the national level to increase the comprehensive level of cybersecurity within the country, with particular reference to those organisations whose compromise could harm national security and the strategic interests of the State. In fact, the country has taken further steps to enhance its cybersecurity framework by enacting the National Cyber Security Perimeter, which includes Prime Minister Decree 81/2021 and Presidential Decree 54/2021.
These steps highlight Italy’s commitment to protect its citizens and businesses from the ever-increasing risks posed by cyber threats.
Moreover, the National Assessment and Certification Centre, which operates as part of the National Cybersecurity Agency (ACN), has gone a step further to develop a comprehensive risk analysis methodology to punctually regulate the management of third parties.
As a result, the issuance of special guidelines on the conduct of risk assessment activities on suppliers of entities included in the scope of the Perimeter has been made possible. Such measures are critical in protecting Italy’s vital national infrastructure and ensuring the smooth functioning of its economy in the face of emerging cyber threats.
ACN Provision 307/2022
The National Agency for Cybersecurity, which can act as a regulator of the supply chain of public administrations, has recently issued an important measure (ACN Provision 307/2022) regulating the requirements for cloud service providers and, in general, for providers of cloud-based solutions (IaaS, PaaS, SaaS).
These requirements are based on two parallel tracks and a distinction between categories of data processed by providers.
In this sense, the requirements identified concern the possession of specific certifications (such as ISO/IEC 27001, ISO 9001, ISO 20000-1, ISO 22301) and compliance with the provisions of DPCM 81/2021, ie, with the set of technical and organisational security measures derived from the American NIST framework and readapted for Italy by the National Interuniversity Consortium for Informatics (CINI), thus de facto equating the position of the providers with that of the subjects included in the National Cybersecurity Perimeter.
In conclusion, in the course of 2023, vendors of cloud, IaaS, PaaS and SaaS solutions for the Italian public administration will have to align themselves with the main international standards in terms of cybersecurity and with the regulations affecting companies whose compromise could harm national security.
The National Cybersecurity Strategy
In an increasingly digitalised and connected world, cybersecurity has become of paramount importance. For this reason, the National Cybersecurity Strategy was created to plan, co-ordinate and implement measures to make the country more secure and resilient. The strategy aims to achieve 82 measures by 2026.
The National Cybersecurity Strategy aims to address the following challenges.
In order to best meet the challenges outlined above, three key objectives and related measures were identified to ensure the effective implementation of the strategy.
The protection of national strategic assets through a systemic approach focusing on risk management and mitigation, consisting of both a regulatory framework and measures, tools and controls that can enable the country’s resilient digital transition. In this context, it is particularly important to develop strategies and initiatives to assess and evaluate the security of ICT infrastructures, including procurement and supply-chain aspects with national impact, is particularly important.
The measures identified to ensure an effective and permanent level of protection include:
The response to national cyber threats, incidents and crises, through the deployment of high national monitoring, detection, analysis and response capabilities and the activation of processes involving all actors in the national cybersecurity ecosystem.
The basis for providing a timely and decisive response include:
The secure development of digital technologies, research and industrial competitiveness that is able to respond to market needs.
To further increase the commitment to support development, the following must be considered fundamental:
Three enabling factors for the realisation of the objectives described have been identified within the Strategy.
Specifically, the development of new initiatives and the strengthening of existing ones to create a strong national workforce of experts and young talents with the necessary skills and competence to be applied to information technology in general and cybersecurity in particular.
Promoting a cybersecurity culture
Another enabling factor, which runs parallel to the training needs, is the promotion of a cybersecurity culture, in order to increase the awareness of the public and private sector and civil society of cyber risks and threats. These include not only cyber-attacks proper, but also the dissemination of fake content and the phenomenon of cyberbullying, which, although it is not new, still creates social alarm.
Co-operation must be increased on both the national and international level.
Implementation at the national scale is envisaged on various levels including the governmental level; the public-private, public-public relationships; and academia and research. In this context, there are plans to set up operational tables with the entities included in the National Cybersecurity Perimeter, divided by sector, depending on the issues and contingent needs, in order to create greater synergies between the Public Administration and the industry.
In the international field, the aim is to increase co-operation by proactively participating in European and international initiatives and promoting bilateral collaborations.
International Co-operation for Cybersecurity
At the international level, Italy co-operates in promoting respect for human rights, fundamental freedoms and democratic values in the cyber domain, with the aim of ensuring that it remains a global, open, stable and secure space in which international law and shared principles are respected.
To this end, the State participates in major co-operation, cyber diplomacy and capacity building initiatives with partner countries that are experiencing rapid digital development. This is also achieved through the implementation of the Confidence Building Measure (CBM) of the Organisation for Security and Cooperation in Europe (OSCE) with the aim of avoiding the development of political-military tensions arising from the use of ICT technologies.
Furthermore, Italy supports the methodologies and tools for deterrence and response to cyber-attacks defined at both EU and NATO levels.
In this context, the country participates in international initiatives and is committed to maintaining relations with countries of interest to promote the exchange of knowledge with the aim of improving the cybersecurity posture of organisations, starting with the critical ones, at a global level.
Via Borgonuovo 12
+39 0284 2471 94
+39 0270 0512 firstname.lastname@example.org www.ictlc.com