The newly adopted Regulation on notification of security incidents
On June 11, 2021, the Regulation on notifications of incidents affecting networks, information systems and IT services (the “Regulation”) – adopted by means of the Decree of the President of the Council of Ministers (DPCM) of 14 April 2021, no. 81 – was published in the Italian Official Gazette.
The Regulation is one of several legal provisions implementing the Law Decree of 21 September 2019, no. 105, which established the Italian National Cybersecurity Perimeter (“NCSP”) and imposed specific obligations on essential operators[1] (“Operators included in the NCSP”) to safeguard networks, information systems and IT services that are pivotal to the life and functioning of the nation.
In addition to a classification of incidents involving information and communications technology (ICT) assets, depending on their severity, the Regulation strengthens the notification system regarding such incidents and provides for several security measures that Operators included in the NCSP shall implement within specific timeframes.
Classification of security incidents and notifications
The Regulation, which will take effect on June 26 – 15 days after its publication in the Italian Official Gazette – sets out a taxonomy of incidents (Article 2) having an impact on ICT assets and ranks them into two categories depending on their severity and the time required for an effective response: severe and less severe incidents. Each type of incident is assigned an identification code followed by a brief description.
Starting from January 1, 2022[2], the Operators included in the NCSP will be required to notify incidents to the Italian Computer Security Incident Response Team (“CSIRT”). Depending on the severity of the incident, they will need to make this notification within six hours (for less severe incidents) or one hour (for severe incidents) from becoming aware of it[3] (Article 3).
Notifications – including voluntary notifications of incidents that fall outside the mandatory categories above – must be made through the dedicated CSIRT communication channels.
It is worth noting that a notification made in accordance with the Regulation also fulfills the notification requirements under the Legislative Decree of 18 May 2018, no. 65 – implementing the NIS Directive – and the Legislative Decree of 1 August 2003, no. 259 – the Italian Electronic Communications Code. However, such notification does not absolve the operator from notifying the competent data protection authority of a personal data breach, pursuant to Article 33 of Regulation (EU) 2016/679 (GDPR), if the incident results in one.
Identification of security measures
The Regulation identifies numerous security measures (Article 7), classified on the basis of their function (e.g. detection, response, recovery, etc.) and the ICT assets to which they are relevant. Operators included in the NCSP shall implement such measures within six or 30 months (depending on the type of measure) from the transmission of the list of ICT assets falling within the NCSP[4] or from the entry into force of the Regulation (if the list was transmitted before that date).
The Operators included in the NCSP shall promptly notify the Department of Information for Security (DIS), through a form available on its website, once such security measures have been adopted. They are also required to assess whether the implemented security measures need updating whenever the relevant ICT assets change. Any such update shall be carried out within the same timeframe provided for the first adoption (i.e. six or 30 months, depending on the type of measure).
National and EU agenda for cybersecurity
The Regulation is a fundamental step towards a broader framework aimed at strengthening cybersecurity – strongly promoted both at the national and European level.
With regard to Italy, as noted above, the Regulation is only one of six legal provisions required to implement the measures introduced by the Law Decree of 21 September 2019, no. 105 (establishing the NCSP). To date, only four of these provisions have been approved. In addition to the Regulation, Italy has approved the following:
- Decree of the President of the Council of Ministers (DPCM) of 30 July 2020, no. 131 – establishing the criteria for the identification of the Operators included in the NCSP and for the drafting and updating by them of the list of the relevant networks, information systems and IT services;
- An administrative act (not subject to publication), adopted by the President of the Council of Ministers – listing the Operators included in the NCSP;
- Decree of the President of the Council of Ministers (DPCM) of 5 February 2021, no. 54 – defining, among other things, the procedures and deadlines by which the Operators included in the NCSP shall procure ICT assets and services falling within the scope of the NCSP, as well as the procedures and deadlines by which the competent authorities shall carry out their verification and inspection activities.
As further evidence of the importance of cybersecurity in its agenda, the Italian government has adopted the Law Decree of 14 June 2021, no. 82, providing urgent provisions on cybersecurity. In particular, the recently adopted legislation – which will come into force on June 29, 2021 – defines the “national cybersecurity architecture” (architettura nazionale di cybersicurezza) and establishes the National Cybersecurity Agency, which, among other things, will be the entity competent to issue cybersecurity certifications.
The Italian strategy falls within a broader policy at the EU and international level. The EU, in particular, has long been attentive to cybersecurity, adopting the NIS Directive in 2016 and, subsequently, Regulation (EU) 2019/881 – the Cybersecurity Act. In order to address ever-growing cyber threats and the challenges posed by new technology, the EU is currently working on a “NIS 2” Directive with the clear aim of overcoming the limitations and deficiencies of the security framework set up by the first NIS Directive. The proposal for the directive, adopted by the European Commission in December 2020, will now have to be negotiated between the Council of the EU and the European Parliament.
Conclusions
There is a clear trend to strengthen cybersecurity across Italy and the EU. Companies are increasingly expected to provide, with a “security by design” approach, effective protection for their networks and IT systems and, ultimately, for all individuals and their data.
[1] Public and private operators, located in the national territory, on which depends the exercise of an essential function of the state or the provision of an essential service for the maintenance of civil, social or economic activities fundamental to the interests of the state.
[2] Until December 31, 2021, notifications may be performed on an experimental basis.
[3] Knowledge of the incident is deemed acquired on the basis of the evidence obtained, including through monitoring, testing and control activities.
[4] Pursuant to Article 1, para. 2, lett. b) of Law Decree 105/2019, Operators included in the NCSP shall prepare and update, at least once a year, a list of the networks, information systems and IT services under their respective responsibility whose malfunctioning, interruption (even partial) or improper use could be detrimental to national security, including their architecture and components.