(Oct. 16, 2019) On September 22, 2019, Decree Law No. 105 of September 21, 2019 (Decreto-Legge 21 settembre 2019, n. 105) (D.L. No. 105), containing urgent provisions on national cybersecurity, entered into force in Italy. The purpose of the new legislation is to guarantee the highest level of security for networks, information systems, and information technology (IT) services for the public administration and private entities.
National Cybersecurity Perimeter
The new Law aims to ensure the security of networks and IT systems by preventing their malfunctioning, interruption, and improper use. To that effect, the Law institutes the Interministerial Committee for the Security of the Republic (Comitato interministeriale per la sicurezza della Repubblica), and creates a “national cyber security perimeter” (the perimeter). A presidential decree to be issued within four months will identify the public agencies and private entities to be included in the perimeter—namely, those performing an essential function of the state, the interruption, malfunction, or improper use of whose networks would be detrimental to national security. New regulations to be issued by the president of the Council of Ministers must address the requirements for notifying the Italian IT Security Intervention Group (Gruppo di intervento per la sicurezza informatica in caso di incidente) of incidents impacting networks, information systems, and IT services. These notifications must also be forwarded to the Security Information Department and the Cybersecurity Team. (Art. 1(1), 1(2).)
Measures for Ensuring High Levels of Security
The new measures contemplated to guarantee high levels of security for networks, information systems and IT services include (a) security policies related to organizational structures and risk management, (b) mitigation and management of accidents and their prevention, (c) physical safety and data protection, (d) integrity of networks and information systems, (e) monitoring, testing and control, and (f) training and awareness. (Art. 1(3).)
Under the new Law, the Presidency of the Council of Ministers is responsible for inspection and verification of compliance with the new legislation by public agencies and private entities, in particular with provisions related to crime prevention and suppression, protection of order and public security, and the defense and military security of the state. (Art. 1(6)(c).)
Broadband Networks
The new Law indicates that implementing regulations must provide for an assessment of vulnerability factors that could compromise the integrity and security of the networks and data of networks with 5G technology. (Art. 3.)
Cybernetic Crises
The President of the Council of Ministers is empowered to adopt urgent measures in the presence of serious and imminent risks to national security related to the vulnerability of networks, information systems, and IT services. (Art. 5(1).)
Additional Staff Resources
The new Law directs the government to hire a maximum of 77 new staff members for the administration and implementation of the newly established measures and mechanisms. (Art. 2(1).)
Punishable Conduct
The new Law sets fines for improper conduct related to the cybersecurity of the country, including (a) the failure to comply with obligations to prepare and update lists of networks, information systems, and IT services required by the Law, and (b) noncompliance with notification requirements concerning the adoption of security measures. Additionally, certain violations disqualify the offender from assuming management, administration, and control positions at public and private entities for a determined period of time. All penalties are applied by the Presidency of the Council of Ministers, with the assistance of the Agency for Digital Italy (Agenzia per l’Italia Digitale). (Art. 1.)