The newly approved Decree-Law on the establishment of a national cyber security perimeter is a significant innovation, building on a body of legislation that has recently been growing in both quantity and quality. Cyber security has lately been in the spotlight worldwide, following major national incidents and crises, which has made the establishment of a protection system not only a necessary but a primary concern.
In Italy, a significant step forward had already been taken with the issuance of the “Decreto Gentiloni” (Prime Minister’s decree, DPCM of February 17th 2017), which created an institutional structure charged with implementing cyber security, with all responsibilities traced back to the Prime Minister. One of the key institutions in this framework was the CISR (Interministerial Committee for the Security of the Republic), made up of several ministries (e.g. Defence, Foreign Affairs, Economic Development) and politically answerable to the Prime Minister’s office. This body, assisted by its own technical support unit, still plays a central role in the current setting, providing the political guidelines on the subject.
An essential moment in the evolution of cyber security regulation in our country was the implementation of the NIS Directive, the European Directive on the security of network and information systems (Directive (EU) 2016/1148), through Legislative Decree 65/2018. Alongside the GDPR, whose implementation was entrusted to the Government, other relevant innovations were introduced. The pre-eminent position and leading role of the Prime Minister’s Office were confirmed, and a new centralised cyber incident collection system was set up through the CSIRT (Computer Security Incident Response Team); Article 1, paragraph 3(a) of the new Decree-Law now builds on that system by providing for the definition of procedures to notify such incidents.
Moreover, one of the main goals of the newly approved Decree was set by the NIS Directive itself, which required the competent authorities to identify operators of essential services and to define minimum security measures, later set by AgID (the Agency for Digital Italy). That purpose is fully implemented by the present Decree through the creation of the “Cyber Security Perimeter”, which leads to the identification and protection of providers of essential services and functions. The intent is to build an armour around such operators, both public and private entities, so as to shield the Republic from possible attacks and the national crises that could follow, preventing them where possible and laying the groundwork to resolve them as easily as feasible.
Against this background, on September 19th 2019 the Italian Council of Ministers approved the new Decree-Law (n. 105 of 21/09/2019) on the aforementioned establishment of a national cyber security perimeter. A Decree-Law is a legislative act with the force of law issued by the Government: although it is immediately valid and binding, it must be converted into a fully enforceable law by Parliament within 60 days of its publication; should that not happen, it loses effect ex tunc, i.e. from the moment it was issued.
The aim of the law, as already mentioned above, is to guarantee a high level of security for the networks, information systems and IT services of public administrations and of the public and private entities on which the exercise of an essential function of the State or the provision of an essential service for the country depends.
Various entities and individuals will be included in this “perimeter” and will thus be required to comply with the measures and obligations the Decree provides for. These public administrations, entities and national operators will be identified by the Prime Minister, upon proposal of the CISR (Interministerial Committee for the Security of the Italian Republic), within 4 months of the conversion of the Decree into law, following two main criteria established by the law itself.
Specifically: (i) the operator exercises an essential function or provides an essential service for the civil, social or economic activities of the country; (ii) the exercise of such functions or services depends on the use of networks, information systems and IT services whose malfunction, interruption or improper use would be prejudicial to national security.
Article 1, paragraph 2(b) sets out the obligations of the entities so identified. They must prepare and update (at least once a year) a list of the networks, information systems and IT services they use, following criteria to be established by the CISR, and forward that list to the Prime Minister’s office and to the Ministry of Economic Development, which will in turn send it to the Security Intelligence Department (DIS).
According to Article 1, paragraph 3(a) of the Decree, within 10 months of the conversion of the Decree into law the CISR and the Prime Minister’s office will define the procedures for notifying incidents affecting the systems and services mentioned above. Within the same period they will also set out measures to guarantee high levels of security, covering organisational structure, incident management, physical and logical data protection, the integrity and monitoring of networks and information systems, and the testing and control of those systems and services.
Article 1, paragraph 6(a) focuses on the ICT procurement phase. Entities and individuals within the perimeter that intend to procure ICT goods, systems and services from external suppliers (except those needed for the prevention, detection and prosecution of criminal offences) must notify their intention to the CVCN (National Centre for Evaluation and Certification). The CVCN may, within 30 days, impose conditions and require hardware and software testing, and the relevant invitation to tender must include clauses that allow the award to be suspended or terminated should the evaluation, carried out by accredited laboratories to which the testing is entrusted, yield a negative result.
The CVCN will also develop and adopt new cyber security certification schemes where the existing ones prove inadequate to protect the new perimeter.
Article 1, paragraph 9(a-h) lists the consequences of non-compliance with these provisions, with fines ranging from €200,000 to €1,800,000.
Article 3 regulates broadband telecommunications networks based on 5G technology. Its paragraph 2 refers to the special powers granted to the Government, for services based on that technology, by Article 1-bis of Decree-Law n. 21 of March 15th 2012 (converted by Law n. 56 of May 11th 2012), as amended on March 26th 2019. That Decree included 5G-based broadband electronic communications services among the activities of strategic relevance, enabling the Government to veto the adoption of company resolutions concerning relevant operations. For the purposes of this article, paragraph 2 lists as relevant operations: (i) the conclusion of agreements for the purchase of goods or services relating to the design, construction, maintenance and operation of networks for electronic broadband communications services based on 5G technology, or (ii) the acquisition of high-intensity technology components, when carried out with entities outside the European Union. The newly approved Decree-Law refers to these powers, subjecting their exercise to a prior evaluation of the elements indicating a possible risk to the integrity and security of the networks and of the data flowing through them.
According to Article 5, in the presence of a serious and imminent risk to national security connected with the vulnerability of networks, systems and services, and in the event of a cyber crisis, the President of the Council of Ministers may order the total or partial deactivation of one or more devices or products used in the networks. This power may be exercised only when indispensable, for the time strictly necessary to eliminate or mitigate the specific risk factor, and is in any case subject to a resolution of the Interministerial Committee for the Security of the Italian Republic.
In conclusion, Decree-Law n. 105 of 21/09/2019 is a clear statement of the Italian Government’s commitment to regulating the subject, in order to guarantee a higher level of security for networks and a more modern and agile framework for acting in the event of a crisis, and to keep pace with the wave of cyber-oriented legislation that is quickly and inevitably spreading across the world.