In Italy, there are several laws and regulations that set out the fundamental cybersecurity and data protection requirements.
Italian Data Protection Code
The Italian Data Protection Code (Legislative Decree 196/2003) regulates the processing of personal data and establishes the obligations of data controllers and processors.
GDPR
The General Data Protection Regulation (GDPR) is a European regulation that establishes a single set of rules for the protection of personal data across the EU. As a regulation it applies directly in Italy without transposition; Legislative Decree 101/2018 adapted national law, chiefly the Italian Data Protection Code, to the GDPR.
National Cybersecurity Perimeter
Decree-Law No 105 of 2019 (converted and amended by Law No 133 of 18 November 2019) formally established a National Cybersecurity Perimeter. Its provisions aim to ensure a high level of security for networks, information systems and IT services of both the public administration and national, public, and private services, entities, and operators.
The Italian Cybersecurity Framework
The framework was introduced by DPCM 81/2021 and requires operators of essential services and digital service providers to take appropriate measures to manage cyber risks and to report cybersecurity incidents. In terms of incident response and notification, the framework requires these operators to report incidents to the Italian CSIRT and the competent authority within the deadlines set out in Annex A of the decree, which are graded by incident severity and in no case exceed 72 hours from becoming aware of the incident.
Decree-Law No 82 of 14 June 2021
Decree-Law No 82 of 14 June 2021 “Urgent provisions on cybersecurity, definition of the national cybersecurity architecture and establishment of the National Cybersecurity Agency” redefined national cybersecurity governance and established a specialised national agency.
Transposition of Specific European Regulations
In terms of the transposition of EU regulations and directives, the following should be noted:
Regarding differences between data breach incidents and cybersecurity incidents that may not involve personal information, it is important to note that while data breaches typically involve the unauthorised access to or disclosure of personal information, cybersecurity incidents can involve a range of activities that threaten the confidentiality, integrity, or availability of information systems or data, regardless of whether personal information is involved.
In terms of enforcement and penalties, the GDPR (Article 83), as applied in Italy through the Italian Data Protection Code, provides for administrative fines of up to EUR20 million or 4% of an organisation’s total worldwide annual turnover for the preceding financial year, whichever is higher, for the most serious violations.
In addition, operators of essential services and digital service providers who fail to comply with the requirements of the Italian Cybersecurity Framework may face penalties and sanctions from the relevant authorities.
The essential requirements for cybersecurity, which include data security, secure software development, and incident response, are not spelled out in detail by Italian statute; in practice they are benchmarked against international standards, particularly ISO/IEC 27002:2022. That standard catalogues controls and procedures to protect information and manage information security risk, including dedicated controls for supplier relationships, the use of cloud services, and secure development.
In Italy, a multitude of regulatory bodies and government entities are tasked with overseeing cybersecurity and the protection of personal data.
The framework for implementing and overseeing the Network and Information Security (NIS) Directive is notably decentralised, involving five ministries as the competent NIS authorities.
For audits and investigations, the Italian Data Protection Authority, among other regulators, is authorised to conduct inspections and audits to verify adherence to data protection and cybersecurity regulations. These probes can be triggered by complaints or reports from individuals, companies, or government bodies, or opened on the regulator’s own initiative.
Furthermore, several non-regulatory government authorities are directly involved in cybersecurity efforts. These include incident response teams, critical infrastructure entities like the National Centre for Cybersecurity, and secure software review bodies such as the National Centre for Software Technologies (CNTS). Law enforcement agencies, including the Italian State Police and the Central Anti-Crime Directorate, also play a crucial role in addressing cybercrime and bringing perpetrators to justice.
In Italy, the procedural framework that cybersecurity regulators or data protection authorities (DPAs) adhere to for conducting investigations and levying penalties is dictated by the specific laws and regulations in question. Generally, this process encompasses several key steps:
Individuals or entities subject to such proceedings are entitled to due process, ensuring their right to be notified of the accusations, to present a defence, and to appeal any sanctions imposed.
The criteria or legal benchmarks employed to ascertain the occurrence of a violation can differ, influenced by the incident’s specifics and the applicable regulatory framework.
Distinguishing between data breaches and other forms of cybersecurity incidents is critical. Data breaches specifically refer to unauthorised access to or disclosure of personal data. Conversely, cybersecurity incidents encompass a broader spectrum of activities that may compromise the confidentiality, integrity, or availability of information systems or data, without necessarily involving personal information.
Regarding supply chain and software vulnerabilities, the DPA may conduct investigations to verify if personal data has been jeopardised or if there has been a breach of the Data Protection Regulation. Should a violation be identified, the DPA is authorised to impose penalties in accordance with the GDPR. For incidents not involving personal data, alternative regulatory or legal standards may be applicable.
EU Network and Information Security 2 (NIS2) Directive
National cybersecurity strategy
Each EU member state is required to adopt a national cybersecurity strategy. This includes strategic objectives, resources, policy measures, governance frameworks, risk assessment mechanisms, incident response measures, and stakeholder co-ordination.
Implementation aspects
Specific policies under national cybersecurity strategy
Notification and assessment
Cybersecurity Information Exchange Framework
The implementation of information sharing works as follows:
Responsibilities of Entities
Italy’s data protection and cybersecurity landscape is intricately aligned with the EU’s regulatory standards, yet it extends significantly beyond these parameters.
The safeguarding of critical infrastructure represents a paramount concern for the Italian government, with cybersecurity serving as a foundational pillar to bolster the resilience and security of these essential systems. In pursuit of this goal, Italy has instituted a comprehensive regulatory framework and set of requirements tailored to the cybersecurity needs of critical infrastructures. This framework mandates compliance for organisations operating within key sectors such as energy, transportation, and telecommunications, among others.
Moreover, this regulatory environment is further enriched by incorporating standards from the Network and Information Security Directive 2 (NIS2), the Digital Operational Resilience Act (DORA), and the National Cybersecurity Perimeter (PSNC), alongside the mandates of the National Cybersecurity Agency (ACN) for engagement with the Italian public administration. Central to these expanded requirements is adherence to international standards such as ISO/IEC 27001:2022, covering information security management systems, and ISO 22301:2019, covering business continuity management systems. These incorporations underscore Italy’s comprehensive approach to enhancing the security and resilience of its critical infrastructures, ensuring they meet both European and international best practices.
In the past year, the landscape of cybersecurity law and regulatory activity has seen notable developments, reflecting the evolving nature of cyber threats and the need for robust cybersecurity measures. The Italian Council of Ministers approved a bill aimed at strengthening national cybersecurity through three new measures necessary in the current geopolitical context characterised by cyber attacks and AI cyber warfare.
The bill grants the ACN an additional mission beyond those established by the founding decree No 82 of 2021: to promote and develop initiatives, including public-private partnerships, leverage artificial intelligence as a resource for enhancing national cybersecurity, while also encouraging the ethical and proper use of AI-based systems. This perspective, influenced by the approach of the Undersecretary to the Presidency of the Council of Ministers, Alfredo Mantovano, sees AI not merely as a risk but as an opportunity to strengthen the country’s cybersecurity.
The bill also emphasises the importance of co-ordinating responses between the ACN and the judiciary in cases of cyber attacks, a collaboration that was absent in the decree establishing the national cyber agency. It mandates prompt notification by the ACN to the national anti-mafia and anti-terrorism prosecutor in the event of attacks on IT systems, as well as reciprocal communication from public prosecutors to the ACN regarding cyber attacks.
Furthermore, the bill outlines the obligation for central public administrations and other significant entities to enhance their cyber defences through a dedicated cybersecurity strategy and the appointment of a cybersecurity liaison. Specifically, this includes central public administrations, in-house companies, regions, autonomous provinces of Trento and Bolzano, municipalities with populations over 100,000, regional capitals, urban public transport companies serving over 100,000 users, and local health companies. Failure to report cyber incidents can result in fines ranging from EUR25,000 to EUR125,000 by the ACN.
Entities must report cyber incidents to the ACN within 24 hours of becoming aware of them, followed by a complete notification of all available information within 72 hours. The cybersecurity liaison, chosen based on professional qualifications, will act as the administration’s single point of contact with the ACN regarding cybersecurity legislation and regulations.
The bill does not allocate new funding for these cybersecurity resilience measures; public administrations are expected to comply using existing resources. This raises concerns about the adequacy of financial resources given the increasing digitalisation of public and private sectors and the expanding “attack surface” vulnerable to cybercriminals and state-sponsored groups. The National Cybersecurity Strategy allocates, until 2026, 1.2% of gross national investments annually to cybersecurity, a target currently only on paper. The bill’s progression through parliament may bring changes, potentially addressing the issue of financial resource allocation.
Italy’s cybersecurity landscape is undergoing rapid development, reflecting broader global trends. In the upcoming year, several areas are poised for significant attention, as outlined below.
The rise of ransomware has been a notable trend in Italy, especially in 2023, with critical infrastructure and businesses being prime targets. The sophistication of these attacks is expected to increase, alongside heightened concerns over data theft and extortion tactics. The SolarWinds incident has cast a spotlight on the vulnerabilities within supply chains, prompting Italian organisations to prioritise securing their software supply chains against the backdrop of increasing interconnectivity risks.
The emergence of deepfakes represents a growing challenge to reputations, electoral integrity, and societal cohesion. Italian authorities are likely to tackle the misuse of such technologies and work to minimise their harmful impacts. Additionally, the expansion of AI usage brings to the fore issues related to its malicious application, such as adversarial AI, and potential security weaknesses in AI systems, prompting Italy to possibly enhance investments in research and regulatory frameworks to address these issues.
On the policy and regulatory front, the National Cybersecurity Strategy 2022-2026 aims at fortifying national cyber resilience and fostering the development of innovative cybersecurity solutions, which will significantly influence the cybersecurity domain in the near future. The transposition of the EU’s NIS2 Directive into Italian law will enforce more stringent cybersecurity requirements for vital sectors, necessitating that organisations gear up for compliance. Furthermore, the ACN, established in 2021, is set to take a more visible role in orchestrating national cybersecurity initiatives, delivering threat assessments, and bolstering incident response activities, with its influence expected to grow in 2024.
The GDPR governs the processing of personal and sensitive data by both private and public entities, ensuring such activities respect the rights and freedoms of individuals.
Additionally, the provisions of the National Cyber Security Perimeter (Perimetro di Sicurezza Nazionale Cibernetica) extend to the networks, information systems, and IT services of public administrations as well as national, public, and private entities and operators. This Perimeter encompasses entities involved in:
At the European level, legislation such as the NIS Directive, and its enhancement, NIS 2, targets operators of essential services and digital service providers. Moreover, DORA has been introduced to bolster the digital operational resilience of the financial sector, ensuring that firms can withstand, respond to, and recover from ICT-related disruptions and threats. This act, along with the National Cyber Security Perimeter, signifies a comprehensive approach to enhancing cybersecurity and operational resilience across critical sectors and the financial industry, reflecting an integrated effort to safeguard both personal data and the essential functions of the state and economy against cyber threats.
Regarding the implementation of the NIS Directive, the Italian government has previously embraced a decentralised approach, assigning the roles of “competent NIS authorities” to five ministries: Economic Development; Infrastructure and Transport; Economy and Finance; Health; and Environment and Land and Sea Protection. This is expected to change in 2024, as the government intends to centralise the approach, giving the ACN the power to regulate and monitor NIS2 and DORA compliance. The ACN was established with the mission of safeguarding national interests in the realm of cybersecurity.
Moreover, the Italian Computer Security Incident Response Team (CSIRT) was established through Legislative Decree 65/2018 to enhance national cybersecurity incident response capabilities.
The National Assessment and Certification Centre (CVCN) is the body that evaluates ICT procurement by entities within the National Cybersecurity Perimeter. These entities are required to notify the CVCN when acquiring ICT assets, systems, and services intended for use in their networks, information systems, and IT services, so that the CVCN can assess and, where required, test them before deployment, ensuring a monitored and secure procurement process in line with national cybersecurity standards.
ENISA
ENISA serves as a hub of expertise for cybersecurity within the European Union. It supports EU member states, the private sector, and citizens by developing advice, recommendations, and good practices in information security.
The agency’s aim is to strengthen the resilience of Europe’s critical information infrastructure and networks and to foster a collaborative environment among member states to enhance network and information security across the EU.
DPAs such as the Italian “Garante” are critical in the landscape of personal data protection. Their role encompasses a variety of responsibilities, including:
In Italy, the regulation of the financial sector plays a pivotal role in bolstering the cybersecurity of financial institutions, thus safeguarding the system’s integrity and stability.
The Bank of Italy stands at the forefront of financial sector regulation, supervising a broad spectrum of entities including banks, financial institutions, and payment service providers. It has undertaken numerous initiatives to enhance cybersecurity within the financial sector, notably:
Beyond the financial sector, other regulatory authorities in Italy contribute to advancing cybersecurity within their domains.
The Italian Communications Authority, which oversees the telecommunications sector, champions cybersecurity efforts focused on network security and data protection. Similarly, the Italian Energy Authority, which regulates the energy sector, emphasises cybersecurity, particularly in the protection of critical infrastructure and incident response strategies.
With the potential inclusion of the ACN as the monitoring authority for compliance with DORA, the landscape of cybersecurity regulation in Italy’s financial sector might see further enhancement. This development would position the ACN as a key player in ensuring that financial entities not only comply with cybersecurity regulations but also possess resilience against digital operational disruptions.
Collectively, these regulatory bodies in Italy are dedicated to fostering a secure cyber environment across various sectors, formulating and implementing regulations, and facilitating co-operation among different regulatory entities and law enforcement agencies to mitigate cyber threats and handle cybersecurity incidents efficiently.
Beyond the DPA and financial sector regulators, Italy hosts a range of critical regulators and agencies dedicated to advancing cybersecurity.
The Italian Postal and Communications Police specialises in cybercrime investigations and the enforcement of cybersecurity and data protection laws. This specialised law enforcement body plays a crucial role in maintaining digital security and privacy.
ANAC champions transparency and combats corruption within the public sector. It ensures that governmental bodies and public institutions implement effective cybersecurity protocols to safeguard sensitive data and thwart potential breaches.
The National Centre for Cybersecurity is tasked with crafting and executing national cybersecurity strategies. It also co-ordinates cybersecurity initiatives across various governmental entities and industrial sectors, reinforcing Italy’s cyber defences.
The Digital Transformation Team spearheads the digital overhaul of government operations, promoting the integration of modern technologies. This agency is pivotal in enhancing the digital infrastructure and cybersecurity posture of public sector entities.
Finally, the Italian Competition Authority oversees the enforcement of competition laws and curtails anti-competitive behaviours in the market. It advocates for businesses to adopt stringent cybersecurity measures, protecting confidential information and preventing unauthorised data access.
Together, these entities form a comprehensive network aimed at bolstering Italy’s cybersecurity framework, safeguarding digital spaces against threats, and ensuring the secure and ethical use of information technologies across all sectors.
Cybersecurity and data protection are governed by a variety of frameworks and standards, each designed to provide guidance and establish best practices across different aspects of cybersecurity. Here are some of the key frameworks:
Moreover, the updated Confindustria Guidelines for implementing an Organisation, Management, and Control Model in accordance with Legislative Decree No 231 of 8 June 2001, emphasise the necessity for businesses to foster integrated compliance approaches, including in cybersecurity. This integration mandates that all IT and security measures are harmonised and effectively shield the company from potential liabilities.
In parallel, the DPA’s guidelines for personal data protection are essential. These guidelines encompass a variety of topics, such as handling data breaches, minimising data collection, and embedding privacy into the design of systems and processes.
Additionally, the revised ISO/IEC 27001 standard, which now encompasses cloud security and data protection requirements, outlines specific policies and procedures. This standard, along with the directives from Prime Ministerial Decree No 81/2021 regarding the National Cybersecurity Perimeter, sets a comprehensive framework for securing digital assets and protecting sensitive information in the evolving cyber landscape.
In the realm of cybersecurity, various frameworks and standards are commonly applied to establish “reasonable security”. These frameworks and standards are instrumental in guiding organisations towards implementing and maintaining robust security practices. The key frameworks and standards include ISO 27001:2022 and ISO 22301:2019.
When discussing legal requirements and applicable standards in cybersecurity, it is essential to highlight that various frameworks and standards serve as benchmarks for establishing “reasonable security”. Based on DORA, NIS2, and PSNC perspectives, here is a concise overview:
Multinational relationships play a crucial role in addressing and managing cybersecurity risks and incidents. Here is an overview of the key aspects of these relationships:
Italy also participates in various other international organisations and initiatives related to cybersecurity, such as the G7, the Organization for Security and Co-operation in Europe (OSCE), and the Global Forum on Cyber Expertise (GFCE).
In Italy, the GDPR safeguards personal data by requiring organisations to adhere to comprehensive security protocols during data processing activities. These protocols mandate:
The EU Market Abuse Regulation (MAR) governs the safeguarding of essential business data and confidential information in Italy. Organisations are required to comply with comprehensive security measures under MAR, which include keeping an updated list of insiders, disclosing inside information to the public, reporting managers’ personal transactions, adhering to market sounding protocols, notifying authorities of suspicious transactions, establishing a robust compliance function, and securing certification. These measures are designed to deter insider trading and market manipulation, safeguard confidential information, and promote market integrity.
Key affirmative security requirements for critical infrastructure, networks, information systems, and software, including mandatory reporting, certification, and other external involvement, are set by DORA, NIS2, and the PSNC. Compliance with these regimes is in practice demonstrated by alignment with the NIS framework, ISO/IEC 27001:2022 (information security management), and ISO 22301:2019 (business continuity management), so that entities meet the specific regulatory requirements while also following internationally recognised best practices, enhancing the overall security posture and resilience of critical infrastructures and digital operations.
Reporting of Information Security Events
Organisations are required to establish mechanisms for personnel to report observed or suspected information security events promptly.
This supports timely, consistent, and effective reporting, crucial for preventing or minimising the impact of security incidents.
Directive on Reporting Significant Incidents
The NIS2 Directive mandates a multi-stage approach for reporting significant incidents.
Essential or important entities must submit an early warning within 24 hours of becoming aware of a significant incident, followed by an incident notification within 72 hours. This approach balances swift reporting for mitigation and in-depth reporting for drawing lessons to enhance cyber resilience.
The directive emphasises the importance of initial assessments in determining the severity of incidents, considering various factors like the affected network, information systems, the severity and technical characteristics of cyber threats, and the vulnerabilities being exploited.
Key affirmative security requirements for areas such as the Internet of Things (IoT), supply chain security, secure software development, and other data or systems are designed to establish a robust cybersecurity framework. These requirements necessitate adherence to standards that may include mandatory reporting of security incidents, obtaining relevant certifications, and engaging with external audits or assessments to verify compliance.
Specifically, for IoT and connected devices, this means implementing measures to protect against unauthorised access and ensuring data integrity across devices and networks. Supply chain security emphasises the importance of vetting and continuously monitoring third-party vendors for compliance with security standards, thereby mitigating risks posed by interconnected ecosystems. Managing third-party risks is a central focus of DORA, NIS2, and PSNC, highlighting the critical importance of ensuring that external partners and suppliers adhere to stringent cybersecurity and resilience standards.
This approach includes compliance with the NIS directives and alignment with ISO/IEC 27001:2022 for information security management and ISO 22301:2019 for business continuity management. The emphasis on third-party management under these frameworks means organisations must rigorously assess, monitor, and control the security and resilience of their supply chains and external business relationships, so that all interconnected systems and services meet a consistently high standard of security and reliability.
In the realm of secure software development, security considerations must be integrated throughout the software development lifecycle (SDLC), including code reviews, vulnerability assessments, and patch management. These practices are complemented by adherence to the same international standards, ISO/IEC 27001:2022 and ISO 22301:2019, ensuring a comprehensive approach to safeguarding critical data and systems across all facets of technology and operations.
Within the Italian cybersecurity legislative framework, there are no explicit requirements specifically targeting ransomware attacks.
However, Article 379 of the Italian Criminal Code criminalises assisting anyone in obtaining the proceeds or benefits from a crime. Consequently, paying a ransom to a perpetrator of a ransomware attack could be interpreted as facilitating a criminal offence, making such payments generally discouraged and, in certain situations, potentially unlawful.
Moreover, where a ransomware attack results in a personal data breach (for example, exfiltration or loss of availability of personal data), the controller must notify the DPA under the GDPR, and entities within the National Cybersecurity Perimeter or subject to the NIS rules must report the incident to the Italian CSIRT. Depending on the specifics of the incident, there may also be an obligation to inform law enforcement agencies, ensuring a co-ordinated response to such cyber threats.
The legislative framework set out by PSNC, DORA and NIS2 encompasses the same definitions, as follows:
Reporting Requirements
Detailed Reporting
Entities must provide an intermediate report on status updates and a final report within one month after the incident notification, detailing the incident, its impact, and mitigation measures.
Sensitive information is covered within the DORA, NIS2 and PSNC frameworks; personal data is covered within the GDPR and data protection framework.
Every asset of an organisation identified by the government within the DORA, NIS2 and PSNC frameworks and every asset in which personal data is processed for GDPR compliance, are covered.
In the EU, medical devices are governed by the Medical Devices Regulation (MDR) and the In-Vitro Diagnostic Medical Devices Regulation (IVDR). These regulations establish a comprehensive legal framework to ensure the safety and efficacy of medical devices, detailing specific criteria for their design, production, and application.
Additionally, the cybersecurity of networks and information systems related to these activities falls under the jurisdiction of the NIS Directive. Notably, the NIS2 Directive classifies manufacturers of medical devices and in vitro diagnostic medical devices as Important Entities (IEs), which, in the context of a public health emergency, may be designated as Essential Entities (EEs) due to their critical importance.
In Italy, the regulation of medical devices is overseen by the Ministry of Health and the Italian Institute of Health. The cybersecurity requirements for medical devices are articulated in the Ministerial Decree of 2 April 2020, concerning the “Technical requirements for medical devices and software”. According to this decree, medical devices must be crafted and engineered to meet contemporary standards, with a strong emphasis on security and resilience against cyber threats. The decree outlines explicit cybersecurity obligations, including:
Furthermore, the decree mandates that medical device manufacturers report any security incidents or breaches that could affect the device’s safety or functionality to the Italian Institute of Health.
There are no statutory security requirements specific to industrial control systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems; where the operator falls within the National Cybersecurity Perimeter or the NIS rules, the general obligations of those regimes apply. Beyond that, ICS security requirements are guided by the principles of secure system architecture and engineering set out in ISO/IEC 27002 and, in industrial practice, by the IEC 62443 series for industrial automation and control system security.
At present, there are no specific legal security obligations for IoT devices.
Nevertheless, when these devices process personal data or form part of the infrastructure of organisations pivotal to national security, they fall under the GDPR for data protection and the National Cybersecurity Perimeter for cybersecurity. In such cases, ISO/IEC 27400:2022, which provides guidelines on IoT security and privacy, is a useful reference for securing these devices, ensuring compliance with the relevant regulations and bolstering the overall security posture of the involved systems.
As of now, there are no legal mandates specifically concerning security measures in software development.
However, it is important to note that the Agency for Digital Italy (AgID) has released a comprehensive set of guidelines aimed at fostering secure software development practices. These guidelines are designed to guide organisations through each phase of the Software Development Life Cycle (SDLC), recommending the identification and application of suitable security measures to enhance the overall security of the development process.
In Italy, the obligation to report cybersecurity incidents is articulated through a variety of laws and regulations, such as the NIS Directive, the GDPR, and rules pertaining to entities within the National Cybersecurity Perimeter.
The GDPR, in particular Articles 33 and 34, requires data controllers to notify the DPA of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk, the controller must also communicate it to the affected data subjects without undue delay. Furthermore, Article 33(2) of the GDPR requires processors to notify the controller without undue delay after becoming aware of a personal data breach.
Under Article 12 of Legislative Decree 65/2018, which transposes the NIS Directive, operators of essential services are required to inform the Italian CSIRT and the relevant NIS authority of incidents that significantly disrupt the continuity of the essential services they provide.
Prime Minister’s Decree 81/2021 sets forth that entities within the National Cybersecurity Perimeter must notify the Italian CSIRT of any security incident affecting their ICT assets and/or services. Annex A of the decree specifies the timeframe for incident notification, graded by the severity of the incident.
While there is no explicit legal requirement for individuals in Italy to report cybersecurity incidents, they are encouraged to report such incidents to law enforcement or consumer protection bodies, especially in instances of cybercrime victimisation.
In the context of cybersecurity incidents, the “risk of harm” thresholds dictate when an entity must notify government authorities, affected individuals, or other third parties about a security breach or cyber threat. These thresholds are essential for managing and mitigating the impact of such incidents on individuals’ privacy and financial security, as well as on the stability of the financial system, following the obligations of incident reporting included in the GDPR, DORA, NIS2 and PSNC.
Regarding cybersecurity defence measures, organisations are at liberty to select and implement the strategies they find most suitable, taking into account all relevant legal obligations, particularly when it involves monitoring network activities. Organisations may employ software solutions to oversee network traffic, pinpoint anomalies, and spot potential security threats. Nonetheless, the deployment of such software needs to be conducted in a transparent manner, ensuring full compliance with privacy regulations.
Network monitoring practices also fall under specific regulatory mandates related to the surveillance of employee activities, which encompass:
The overlap between cybersecurity and privacy legislation introduces potential conflicts and complexities. Cybersecurity laws are designed to defend computer systems, networks, and sensitive information against cyber threats. In contrast, privacy laws focus on protecting individuals’ personal information and their rights to privacy.
Conflicts can emerge when actions taken to bolster cybersecurity, such as monitoring or retaining data, clash with privacy regulations that restrict how personal data can be collected and stored. For instance, tracking employees’ internet usage or email communication to enhance cybersecurity might run afoul of privacy regulations that protect individuals’ private communications.
To effectively manage these challenges, organisations are encouraged to find a balance between implementing cybersecurity initiatives and upholding the privacy of personal data. Adopting a risk-based approach to both cybersecurity and privacy can help ensure that cybersecurity enhancements do not violate privacy rights, and that any disclosure of personal data is strictly limited to what is necessary for adherence to applicable laws and regulations.
At present, beyond the obligations to report security incidents and data breaches as dictated by the national regulatory framework, there are no compulsory directives for the dissemination of cybersecurity information to governmental bodies. Nonetheless, numerous initiatives are underway to engage organisations in the practice of sharing information about cyber threats, with the goal of enhancing national cybersecurity levels.
Within this framework, the significant contribution of the ACN merits attention. In its efforts to formulate and execute the national security strategy, the ACN has encouraged organisations to participate actively in fortifying the nation’s cybersecurity infrastructure. To this end, the ACN has forged multiple partnerships with private sector entities, facilitating the exchange of cybersecurity-related information, thereby contributing to a more secure cyber environment.
Within both the national and European frameworks, the voluntary exchange of information on cybersecurity and cyber threats is recognised as a valuable tool for preventing and swiftly reacting to emerging cyber-attacks.
Particularly in the context of security incidents, Legislative Decree 65/2018, through its Article 18, provides for the option of voluntary reporting by entities not classified as operators of essential services or digital service providers. Such voluntary notifications from organisations possessing IT systems and infrastructure akin to those required to report mandatorily can empower competent NIS authorities and the CSIRT to undertake preemptive measures. These measures aim to prevent incidents that might adversely affect services deemed essential, thereby enhancing overall cybersecurity resilience.
Azienda Ospedaliera Bianchi Melacrino Morelli
The DPA imposed a fine of EUR7,000 on Azienda Ospedaliera Bianchi Melacrino Morelli. The controller had mistakenly sent a document containing health data of the data subject to the wrong recipient. The DPA found that the healthcare facility had not taken sufficient technical and organisational measures to protect personal data.
Padua University Hospital
Padua University Hospital was fined EUR5,000 for unlawful disclosure of personal health data. The controller accidentally sent an email to all the people participating in a clinical trial by using carbon copy (Cc) instead of blind carbon copy (Bcc), thereby unintentionally making known the email addresses of all patients waiting for a heart transplant. The Padua University Hospital notified the Italian DPA of a personal data breach pursuant to Article 33 of the GDPR.
In order to remedy the violation and reduce its negative effects on the people involved, instructions were given to inform each individual concerned about the mistake, urging them to delete the email previously sent and not to use the email addresses of other recipients.
The DPA investigated whether the processing of personal data of the email recipients was in violation of the basic principles set out in Article 5 of the GDPR.
The hospital argued that the seriousness of the potential impact for the interested parties was average, considering that the health data – the existence of a scheduled heart transplant – was isolated and common to all the interested parties and not accompanied by any other sensitive data. Furthermore, out of 19 email addresses only seven were recognisable, while the other 12 were not immediately traceable to the account holder. The hospital further argued that the violation was partly due to the COVID-19 pandemic and the shortage of staff. Finally, the hospital stated that the author of the violation certainly did not benefit from the violation and no complaints were received from the data subjects following the breach notification to the data subjects.
The hospital also set out the technical and organisational measures it would adopt to prevent data breaches in the future. These included staff training on the use of telematic tools in communications with patients.
The Italian DPA imposed a EUR80,000 fine on Commify Italia S.r.l., a messaging service company, for unlawfully storing the content of text messages sent by its customers (approximately 7,250 users), and other unlawful conduct relating in particular to the measures taken to ensure the security of the processing of traffic data and the absence of a legal basis for carrying out anti-fraud checks.
The DPA, in the course of inspections initiated as a result of a report and a complaint, found that the full contents of messages sent by customers (usually legal persons) were stored without their express consent. The messages consisted mostly of service notices sent by users of the platform (banks, insurance companies, healthcare companies) to their own customers, and their contents included passwords for operating banking services (OTPs – one-time passwords), authentication credentials, and special category data referring to health status or political party membership. The contents of the text messages could also be accessed by the company’s employees.
The company justified its activities by the mistaken belief that the contents of the text messages fell under traffic data, resulting in an obligation to retain them. In this regard, the DPA recalled that no legal regulation requires the retention of the content of communications, which, on the contrary, is expressly prohibited unless it is authorised by the user with specific and free consent for the provision of value-added services.
In addition, a number of other violations emerged in the course of the inspection activities, such as the retention of traffic data without a distinction being made between data retained for legal purposes and data retained for other purposes (such as billing or customer consultation), and a failure to distinguish retention durations based on the purpose of data retention. The company was also found to have carried out prior automated checks, with anti-fraud purposes, on the content of text messages sent by its customers to prevent possible phishing activities but without having a proper legal basis for doing so.
In Italy, the applicable legal standards for cybersecurity and data breach regulatory enforcement and litigation are primarily based on the Italian Data Protection Code (Legislative Decree No 196/2003) and the GDPR.
Moreover, if the violation is caused by a computer crime committed in the interests and to the advantage of the entity and this is the result of a lack of adequate security measures, such violation may entail, in addition to the administrative sanctions referred to above, criminal liability under Article 24-bis of Legislative Decree No 231/2001.
The DPA imposed a fine of EUR4,000 on Azienda socio-sanitaria locale n. 1 di Sassari. The controller had mistakenly sent a document containing health data of a data subject to the wrong recipient. The DPA found that the healthcare facility had not taken sufficient technical and organisational measures to protect personal data.
The DPA imposed a fine of EUR120,000 on Eurosanità S.P.A. The controller operates various healthcare facilities. An individual had filed a complaint with the DPA after mistakenly receiving a document that contained the medical records of another individual. The DPA found that the controller had not taken sufficient technical and organisational measures to protect personal data and to avoid such incidents.
Within the Italian regulatory framework, class actions were initially defined and regulated within the Consumer Code (Article 140 bis). In 2019, the Parliament approved Law No 31 of 2019, aimed at reforming class action with the purpose of strengthening this institution by broadening its scope and placing it under the Code of Civil Procedure.
The rules for such actions are strict and require a large number of claimants to join the action before it can proceed. In general, collective actions are not common in Italy, and the courts have not yet dealt with many cybersecurity-related cases.
Organisations are increasingly expected to integrate cybersecurity into their corporate governance frameworks, treating it as a strategic risk that requires board-level attention and a proactive approach. This holistic view ensures that cybersecurity governance is not just about compliance but also about protecting the organisation’s value and reputation in the long term; this obligation derives directly from the application of the DORA, NIS2 and PSNC frameworks.
When conducting due diligence in corporate transactions within the context of Italy’s cybersecurity legislative framework, it is crucial to address several key issues and considerations.
Initially, it is essential to ascertain if the target company has established an adequate cybersecurity programme that aligns with the applicable cybersecurity laws and regulations. The due diligence process should encompass an examination of the company’s information security policies, procedures, and protocols, as well as a review of any previous security incidents or data breaches it may have experienced.
Moreover, the examination should extend to the target company’s agreements and interactions with third-party vendors and service providers who have access to its systems and data. It is vital to evaluate whether these third parties implement robust security measures to safeguard the company’s systems and data effectively.
Additionally, a thorough assessment of the target company’s IT infrastructure, including its hardware, software, and cloud-based services, is necessary to uncover any vulnerabilities or weaknesses susceptible to cyber threats.
Finally, assessing the target company’s capacity to manage and respond to cybersecurity incidents or data breaches is imperative. This includes reviewing its incident response plan and evaluating its track record in handling such incidents.
Within the Italian legislative framework, there are no non-cybersecurity laws that directly require organisations to disclose their cybersecurity risk profiles or experiences.
However, several laws and regulations, such as the GDPR and the Network and Information Security (NIS) Directive, mandate that organisations implement suitable measures to safeguard personal data and ensure the security of their network and information systems.
Furthermore, certain regulations, including the CONSOB Regulation for issuers and the Markets in Financial Instruments Directive II (MiFID II), compel publicly traded companies to disclose information pertinent to their investors. This requirement may encompass details concerning cybersecurity risks and incidents.
In summary, although there is no specific legislation demanding the disclosure of an organisation’s cybersecurity risk profile or incidents, various legal and regulatory provisions necessitate that organisations adopt adequate security measures to protect personal data and secure their network and information systems. These measures indirectly influence their cybersecurity risk profile and the potential requirement for disclosure.
The role of insurance is rapidly evolving, moving towards an insurtech approach that aims to address the risks associated with Business Email Compromise (BEC) and ransomware. This shift signifies a dynamic change in the insurance landscape, aiming to encompass modern cybersecurity threats. In Italy, however, the industry still faces a challenge in accurately assessing the costs associated with individual policies and in precisely determining their financial implications.
Via Borgonuovo 12
20121 Milan
Italy
+39 028 424 7194
info.legal@ictlc.com www.ictlegalconsulting.com
Navigating the Compliance Landscape: ISO 27001, ISO 22301, and DORA Regulations
Introduction
The convergence of international standards like ISO 27001 and ISO 22301 with the EU’s Digital Operational Resilience Act (DORA) marks a critical step forward in strengthening cybersecurity and operational resilience within the financial sector. In an era where digital threats are evolving rapidly, aligning industry practices with robust regulatory frameworks has become more crucial than ever. This article aims to dissect the synergy and compliance implications of ISO 27001 and ISO 22301, two pivotal standards in information security and business continuity management, in the context of DORA, a landmark EU regulation.
ISO 27001 focuses on establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS), providing a comprehensive set of requirements for protecting information assets. On the other hand, ISO 22301 emphasises the importance of a well-structured Business Continuity Management System (BCMS), ensuring that organisations can quickly recover and continue operations in the event of disruptions. The integration of these standards into the framework of DORA, which is designed to ensure the operational resilience of the financial sector against ICT (information and communication technology) risks, creates a multifaceted approach to risk management.
This alignment is particularly relevant in today’s interconnected digital ecosystem, where financial institutions are not only guardians of sensitive financial data but also pivotal players in the stability of broader economic systems. By exploring the intersecting requirements and objectives of ISO 27001, ISO 22301, and DORA, this article provides valuable insights for organisations striving to navigate this intricate regulatory landscape. The aim is to offer a comprehensive understanding of how these regulations interplay and the steps necessary for achieving compliance, thereby fostering a more resilient, secure, and trustworthy financial sector.
ISO 27001: a foundation for cybersecurity compliance
ISO 27001 is an international ISMS standard, designed to help organisations establish, implement, maintain, and continuously improve their information security management. The core of ISO 27001 is a comprehensive framework that assists in the identification and assessment of information security risks, the implementation of appropriate security controls, and the establishment of a culture of continuous improvement in information security practices.
At its heart, ISO 27001 emphasises the importance of identifying and managing risks to information security. It requires organisations to assess potential security threats systematically and to design and implement a coherent and comprehensive suite of information security controls or other risk treatment forms. These measures are intended to address those risks that are deemed unacceptable, and they must align with the organisation’s overall business and security strategy.
A critical aspect of ISO 27001 is its emphasis on a holistic, organisation-wide approach to information security. This includes the establishment of policies, procedures, and protocols to manage and mitigate risks. ISO 27001 also calls for the active involvement and commitment of top management, ensuring that information security is integrated into the organisation’s governance and becomes part of the everyday operational culture.
An important facet of ISO 27001 is its focus on continuous improvement. The standard encourages organisations to regularly review and refine their ISMS. This involves monitoring and reviewing the performance and effectiveness of the ISMS, conducting internal audits, and undertaking continual corrective and preventive actions based on internal audit findings, compliance reviews, and feedback from relevant interested parties.
In the context of legal and contractual compliance, ISO 27001 plays a pivotal role. As noted in the standard, compliance with legal, statutory, regulatory, and contractual requirements is crucial. This encompasses a broad spectrum of considerations, from the identification and adherence to applicable legislation and contractual obligations to the protection of records, privacy, and personally identifiable information, and the regulation of cryptographic controls.
In summary, ISO 27001 provides a robust foundation for cybersecurity compliance, offering a structured approach to managing and protecting information assets. By aligning with ISO 27001, organisations can demonstrate their commitment to cybersecurity and enhance their resilience against the ever-evolving landscape of digital threats.
ISO 22301: business continuity management systems
ISO 22301 provides a comprehensive framework for establishing, managing, and enhancing a Business Continuity Management System (BCMS). This standard plays a crucial role in enabling organisations to prepare for, respond to, and recover from disruptions effectively, thereby ensuring the continuity of critical business functions. It extends beyond the scope of information security, as outlined in ISO 27001, to encompass all aspects of business resilience.
Key components of ISO 22301 include:
By complementing ISO 27001, ISO 22301 enables organisations to have a more holistic approach to resilience. It ensures not only the security of information but also the continuity of operations under various conditions, thereby safeguarding the organisation’s ability to function and thrive in the face of unforeseen challenges. This comprehensive approach is essential in today’s dynamic business environment, where disruptions, whether natural or man-made, can have significant impacts on operational stability and security.
DORA: elevating digital resilience in the financial sector
DORA is an innovative regulatory framework established by the EU, designed to bolster the digital operational resilience of the financial sector. Aimed at mitigating and managing ICT risks, DORA creates a comprehensive set of requirements for financial entities. This regulation ensures that these entities are capable of withstanding, responding to, and recovering from a wide array of ICT-related disruptions, thereby safeguarding the integrity and stability of the financial system.
Key aspects of DORA include:
DORA represents a significant stride in the EU’s efforts to enhance the resilience of its financial sector against digital threats. By setting out clear guidelines and requirements, it ensures that financial entities not only respond effectively to ICT-related disruptions but also proactively manage and mitigate potential risks. This regulatory approach highlights the importance of digital resilience in maintaining the stability and integrity of the financial system in an increasingly interconnected digital world.
Integrating ISO standards with DORA regulations
Compliance overlap and synergies
The integration of ISO 27001 and ISO 22301 standards with the DORA regulations offers a strategic advantage for organisations in the financial sector. The focus of ISO 27001 on information security management is well-aligned with DORA’s emphasis on ICT risk management, providing a solid foundation for compliance. Implementing the controls outlined in ISO 27001 not only enhances an organisation’s information security posture but also significantly contributes to meeting the stringent requirements set out by DORA.
Similarly, ISO 22301, which addresses business continuity, plays a pivotal role in achieving the operational resilience objectives of DORA. Organisations that are compliant with ISO 22301’s guidelines on business continuity management will find themselves well-prepared to meet DORA’s resilience requirements, ensuring that they can maintain critical functions and quickly recover in the event of ICT-related disruptions.
Addressing specific DORA requirements
DORA’s requirement for the identification and classification of all ICT-related risks echoes the risk assessment process outlined in ISO 27001. This similarity provides a streamlined approach for organisations to integrate their existing ISO 27001-based risk management processes with the requirements of DORA.
Moreover, DORA places significant emphasis on the importance of information sharing and co-operation among financial entities and competent authorities. This requirement resonates with ISO 27001’s emphasis on stakeholder communication and engagement, further underscoring the synergy between the two regulatory frameworks.
The aspect of data protection under DORA is also in harmony with ISO 27001’s control on information security incident management, ensuring that organisations have robust mechanisms in place to address and manage security incidents effectively.
Implementation strategies
By effectively integrating ISO 27001 and ISO 22301 with DORA regulations, organisations in the financial sector can achieve a robust and comprehensive approach to managing ICT risks, ensuring operational resilience, and maintaining compliance with critical regulatory requirements.
Conclusion
The integration of ISO 27001 and ISO 22301 with DORA regulations represents a significant advancement for organisations in the financial sector, particularly in enhancing their cybersecurity and operational resilience. Understanding the synergies and overlaps in compliance between these standards and regulations is crucial for effective navigation through this complex regulatory landscape.
ISO 27001’s comprehensive approach to information security management systems (ISMS) aligns seamlessly with DORA’s focus on managing ICT risks. This alignment ensures that implementing ISO 27001’s controls can significantly contribute to fulfilling the requirements set by DORA. Likewise, ISO 22301’s emphasis on business continuity management systems (BCMS) is integral to achieving DORA’s objective of operational resilience. Organisations already compliant with ISO 22301 will find themselves well-equipped to meet the resilience requirements of DORA.
DORA’s mandates, such as the identification and classification of ICT-related risks, resonate with the risk assessment processes of ISO 27001. Additionally, DORA’s emphasis on information sharing and co-operation among financial entities and competent authorities parallels ISO 27001’s focus on stakeholder communication, further demonstrating the complementary nature of these frameworks.
Moreover, the data protection aspects under DORA align with ISO 27001’s controls on information security incident management, ensuring that organisations have robust mechanisms in place to manage and mitigate security incidents effectively.
For organisations in the financial sector, it is essential to leverage the strengths of ISO 27001 and ISO 22301 to meet the stringent requirements of DORA. This integration not only ensures legal compliance but also fortifies defences against digital disruptions, enhancing the overall resilience and security posture of the organisation. Continuous monitoring and improvement, fundamental principles of the ISO standards, are crucial in adapting to the evolving landscape of digital threats and regulatory changes.
In summary, the harmonisation of ISO 27001 and ISO 22301 with DORA regulations provides a strategic framework for financial organisations to enhance their cybersecurity measures and operational resilience. By effectively navigating these combined regulations, organisations can ensure robust compliance, safeguard against digital disruptions, and maintain the integrity and stability of the financial system.