On 20 November 2019, Law No. 133/2019 was published in the Official Gazette no. 272 (“Cyber-security Law”). Such legislation vests the Government with special powers in the areas of strategic security (“Golden Power”), in order to ensure the security of networks, information systems and IT services that are necessary for the performance of functions or the supply of services that could be damaged by improper use or interruptions.
More specifically, a Decree of the President of the Council of Ministers shall establish the national cybernetic security perimeter. Such Decree is to be adopted on the proposal of the CISR (Interministerial Committee for the Security of the Republic), subject to the opinion of the competent parliamentary committees, within 4 months after the entry into force of the conversion law.
The Cyber-security law, together with Legislative Decree No. 65/2018 (“Decree“), implements Directive (EU) 2016/1148 (“Network and Information Security Directive – hereinafter “NIS Directive”). Both the Cyber-Security law and the abovementioned Legislative Decree, in line with the national strategy for cyber protection and cyber security, organically address the issue of cyber security and establish new measures aimed at achieving a high level of security networks, information systems and IT services at national level.
The NIS Directive applies to public or private entities dealing with those services that are identified as “critical infrastructures” by the President of the Council of Ministers and the competent Ministers (e.g. the energy, transport, banking, financial market infra-structures, health, drinking water supply and distribution and digital infrastructure) and, thus, are bound by the new cyber security reporting obligations.
Firstly, this article outlines the main innovations introduced by the Cyber-security Law in the light of the NIS Directive; secondly, it gives some operational suggestions, aimed to comply with the requirements of the Cyber-security Law and the Decree; finally, this analysis explains advantages offered by the compliance advisory system to companies.
1. The main novelties of the Cyber regulation
The NIS Directive is the first horizontal legislation adopted at EU level for the protection of network and information systems across the Union. It is by now common knowledge that deliberate incidents causing disruption of IT services and critical infrastructures represent a serious threat to the functioning of the Internal Market and the Union.
Under this perspective, the NIS Directive aims to address the need by putting forward “the measures with a view to achieving a high common level of security of network and information systems within the Union so as to improve the functioning of the internal market”. The strategy also calls for the creation of an international policy that, in keeping with the existing international rules, can contribute to overcoming the digital divide, while preserving the openness and freedom of the Internet.
There are two categories of undertakings affected by the NIS Directive, under an admittedly differentiated approach in terms of obligations placed on each of them: operators of essential services (OSE) and digital services providers (DSP). The first category includes public administration, national, public and private bodies and operators with an office located in the national territory that perform an essential function for the state or an essential service for the maintenance of civil, critical societal and economic activities. On the other side, the DSP’s definition refers to any legal person who provides a digital service and more specifically an online marketplace, an online search engine, or a cloud computing service. It should be noted that, in comparison to the OSE, the NIS Directive does not require member states to identify digital service providers, thus warranting a catch-all approach.
2. IT security obligations
With specific reference to Italy, the addressees must adopt “adequate” and “proportionate” technical and organizational measures relating to the management of the risks connected to the security of network, information systems and IT services used in their operations; such measures are aimed to prevent and minimize the impact of IT incidents, taking into account the standards defined at the international and EU levels.
The addressees wishing to procure supplies of ICT goods, systems and services must notify the National Evaluation and Certification Centre (CVCN) established at the Ministry of Economic Development.
Recipients are required to notify “without undue delay” IT incidents with significant impact on the provision of services according to the thresholds established by the European Union.
The notification must be sent to the Italian Computer Security Incident Response Team (CSIRT), also informing the relevant NIS competent Authority (i.e. the Minister of Economic Development, the Minister of Infrastructure and Transport, the Minister of Economy and Finance, the Minister of Health and the Minister of the Environment). The CSIRT is a body established – as regards Italy – within the Department of Information for Security (DIS) with technical tasks in the prevention and response to computer incidents carried out in cooperation with CSIRTs of other European Union’s member states.
In particular, the CSIRT’s role is to monitor incidents at the national level, provide early warning, alerts and information to relevant stakeholders about risks and incidents, respond to incidents, provide dynamic risk and incident analysis and increase situational awareness, as well as to join a network of the CSIRTs across Europe.
On the other side, the DIS works as a single point of contact, ensuring both a unified coordination of activities at national level related to network and information systems security and the cross-border cooperation within the European Union.
Under the NIS Directive, Member States must lay down rules on penalties for breaches that are effective, proportionate and dissuasive.
The OSE or DSP can challenge the penalty decision, including the type of sanction and its amount, and request that the competent authorities appoint an independent person to review the decision. Nonetheless, regulatory enforcement under NIS is not only the legal incentive to improve their cybersecurity.
The GDPR also applies where a cybersecurity breach involves personal data.
Organizations may also be exposed to private law remedies, under contract or tort, for a failure to put in place adequate cybersecurity measures. In this context the NIS Directive may facilitate legal action by identifying standards of care that organisations are bound to ensure.
As regards the Italian legislative framework, the disciplinary system outlined by the Cyber- security Law and Decree impose administrative pecuniary sanctions from 200,000 to 1,800,000 euro against those who do not comply with obligations arising from their provisions, unless their conduct constitutes a criminal offence. For example, non-compliance with Cyber-security Law may lead to the committing of cybercrimes and unlawful processing of data pursuant to art. 24-bis of the Legislative Decree no. 231/2001.
4. The next steps
In order to comply with obligations under the Cyber-Security law, Italian companies have to:
- Establish an Advisory Team having the appropriate technical expertise in the legal, compliance, ICT management, cyber-security and protection of critical infrastructure to ensure the consistency of activities with what is necessary for regulatory compliance. Moreover, the Advisory Team must avoid an excess of consultants and collaborators (overstaffing) in order to protect the confidentiality and integrity of information and data related to the relevant appointment;
- Identify the requirements imposed by cybersecurity regulations and examine the documentary evidence with the aid of a gap analysis compared to the international guidelines on cybersecurity;
- Identify the related actions and measures to comply with the provisions of Legislative Decree No. 65/2018 and the Cyber-security Law by means of a tailor-made approach that singles out the most appropriate operational solution for the company;
- Draw up an Activity Plan of a systematic nature and for processes in which the fulfilments and actions will be described and planned on the basis of the following fundamental principles and rules:
- guarantee the confidentiality of the documentation in the management activities and the protected access of the operators;
- identify precisely all the phases in which cyber-compliance is articulated, the timing, the subjects involved in the process and the tasks entrusted to them;
- provide for controls in relation to the confidential processing of data and regular or random checks, by the parties authorised to access such data, to review the actual implementation of the Plan;
- define the procedure and standards for two-way communication with the competent authority as provided for by current legislation;
- provide for disciplinary sanctions against those who violate the protection measures provided for;
- Assistance to the company organisation to implement the appropriate security measures for the protection of networks, information systems and IT services.
5. The compliance advisory system
Finally, the compliance advisor system offers interesting benefits for Italian companies:
- Single digital market: It offers a “common language” to suppliers and users of IT security solutions – regardless of the sector they belong to – in order to communicate within the company. It is a tool capable of speeding up interactions between and within organizations in order to make the response to the cyber threat more efficient and shared;
- Cybernetic defence and cyber resilience: It introduces a culture of risk management within the company to fight the cyber threat and proposes cybersecurity as a tool to protect automation systems and information assets, to ensure continuity of operation and therefore operational continuity in service delivery;
- Competitiveness: It accelerates the company’s digitization process, creating value for the benefit of the business;
- Opportunities for economic growth: It enables better strategic decisions and process control as well as a better understanding of customer requirements and cost reduction;
- Simplicity of management: It is inspired by simplicity and integration within the existing control system, aimed at making it as easy as possible for recipients to read and understand, ensuring a high degree of customization with respect to the specific business of the company.
 The difference between the “NIS perimeter” and the “national cybernetic security perimeter” is that the former concerns all services considered essential for the security of markets, citizens or society in general, while the latter protects all services (and the relevant providers) that play a crucial role for the interests of the State in itself. For further details, see C. Gustozzi: “Così il Perimetro di sicurezza nazionale rafforzerà le difese cyber dell’Italia”, 2018, available at: https://formiche.net/2019/07/sicurezza-nazionale-difese-cyber-italia/.
 NIS Directive, Article 1.
 This objective also includes the fact that the EU should make cyberspace issues part of its common foreign and security policy and strengthen the role of third countries (non-EU member states) in cyber defence. For further details, see European Commission: “Cybersecurity Strategy of the European Union: An open, safe and Secure Cyberspace”, 2013, available at: https://eeas.europa.eu/archives/docs/policies/eu-cyber-security/cybsec_comm_en.pdf, accessed on: 20 February 2018.
 See article 4(2) on the definition of digital service and article 5(2) on the criteria an operator of essential services should meet.
 NIS Directive, Article 5(2) and Annex II.
 D. Markopoulou, V. Papakonstantinou, P. de Hert, “The new EU cybersecurity framework: The NIS Directive, ENISA’s role and the General Data Protection Regulation, 2019, in 35 Computer Law & Security Review, 2019, 1 ss.
 See article 5 of Law No. 124/2007 (as amended by Law No. 133/2012)
 NIS Directive, Article 9.
 Ibid., Article 21.
 Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
 Pursuant to the GDPR, the penalty is no less than 4% of the annual turnover of the organization that violates the rules, or 20 million euro; the serious penalty is the maximum fine that can be imposed for the most serious infringements, processing and handling of personal data without authorization. For further details, see L. Kovàcs, “Cyber security policy and strategy in the European Union and Nato, Land Forces Academy Review, Vol. XXIII, No 1(89), 2018.
 J.D Michels and I. Walden, “How safe is safe enough”, Queen Mary University of London, School of law- Legal research paper 291/2018.
Laureata in Giurisprudenza presso l’Università Bocconi, attualmente collabora con il dipartimento di compliance management e business investigations presso lo Studio Legale Bonelli-Erede. In particolare si occupa delle problematiche di compliance di una vasta gamma di clienti nei settori societario, bancario, finanziario e assicurativo. Durante la sua precedente esperienza professionale, invece, si è occupata di diritto bancario e finanziario in altri studi legali internazionali e ha svolto un internship program nell’area legal and compliance presso Banca IMI Securities Corporation a New York.