Legal framework

Legislation

Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?

Dedicated cybersecurity laws are a relatively recent phenomenon in the Italian legal system. Before the boom of the internet and computer technology throughout the 1980s and the 1990s, there were no specific provisions. To fill this gap, the Italian government adopted a series of laws and regulations, both sectoral and general in scope. The most relevant are listed chronologically below.

  • Law No. 547/1993, amending the provisions of the Criminal Code and Code of Criminal Procedure with regard to cyber and computer crimes, introduced new categories of crimes and punishments to provide more effective enforcement tools to police and judicial authorities.
  • Law No. 675/1996, implementing Directive 95/46/EC, introduced provisions on data privacy and security that are also relevant to cyber resilience, and created the Italian Data Protection Authority. This was then followed by Law No. 269/1998, instituting a police force tasked with the mission of fighting cybercrime, internet fraud and online child pornography (the Postal Police).
  • Government Directive of 16 January 2002 on information and telecommunications security for public administrations underlined for the first time the strategic value of data assets and the need to adequately protect them in public IT networks.
  • The provisions of Law No. 675/1996 were subsequently abrogated by Legislative Decree No. 196/2003 – the current Italian Data Protection Code – as well as by its Annex B on Minimum Security Measures (the Annex B) regarding the security of the processing of personal data by private and public bodies.
  • Legislative Decree No. 259/2003 (the Electronic Communications Code) introduced the network of computer emergency response teams (CERTs). CERTs are composed of institutional and private entities charged with the task of technical assistance and cooperation in the field of cybersecurity and cyber resilience of critical infrastructures and essential services (eg, telecommunications, healthcare, banking, finance, energy and transport).
  • Legislative Decree No. 82/2005 (the Digital Administration Code) strengthened provisions on cyber and data security obligations to be implemented by public administrations in light of a greater wave of digitalisation of the public sector, also with the introduction of the Computer Emergency Response Team of the Public Administration (CERT-PA). In the same year, Law No. 255/2005 created the national strategic centre for cyberthreats at the Ministry of the Interior and placed it under the direction, control and coordination of the Postal Police, which was then granted more enforcement powers.
  • In 2007, to address national and international social and political changes and new economic, cyber and energy challenges, the entire national intelligence apparatus underwent a profound reform process under Law No. 124 of 3 August 2007, which established the Information System for the Security of the Republic. Within it, under the general supervision of the President of the Council of Ministers, and with the coordination of the Department of Information for Security (DIS), several different institutions operate, such as the Information and External Security Agency, the Information and Internal Security Agency and the Interministerial Committee for the Security of the Republic (CISR). Article 5 of Law No. 124/2007 regulates the functions of the CISR, which is assigned tasks of advice, proposal and deliberation on the guidelines and general objectives of the information policy for security.
  • In light of the growing concerns surrounding cybersecurity and cyberthreats at an international level, Law No. 48/2008 ratified the 2001 Budapest Convention on Cybercrime and updated both the Data Protection Code and Legislative Decree No. 231/2001 on corporate criminal liability by introducing specific references to cyber and computer crimes.
  • The most recent developments saw the adoption of Legislative Decree No. 83/2012, establishing the Italian Digital Agency (AgID), and Law No. 133/2012, which modified Law No. 124/2007, granting extended powers over national critical infrastructures to cyber intelligence bodies (eg, the power of the President of the Council of Ministers, having heard the CISR, to adopt specific directives to strengthen information activities for the protection of critical material and immaterial infrastructures, with particular regard to cybernetic protection and national cybersecurity). The government therefore adopted several national cybersecurity plans, aimed at exponentially developing nationally integrated Computer Incident Response Capabilities. Furthermore, Decree No. 174 of 30 October 2015, converted with modifications by Law No. 198 of 11 December 2015, and in particular its article 7-bis, paragraph 5, attributed tasks of consulting, proposal and resolution to the CISR, which is convened by the President of the Council of Ministers in crises involving aspects of national security.
  • Pending the implementation of Directive No. 2016/1148/EU on network and information security (the NIS Directive), which took place on 18 May 2018, the Decree of the President of the Council of Ministers of 17 February 2017 (the Cybersecurity Decree) was adopted, setting out ‘Strategic Guidelines for the National Cyberspace Protection and ICT security’ and updating the existing regulatory framework to replace the former Decree of the President of the Council of Ministers of 24 January 2013. Through this act, the government has deeply innovated and strengthened the national cybersecurity strategy.
  • In March 2017, the Presidency of the Council of Ministers adopted the National Plan for Cyberspace Protection and ICT Security, which identified the actions to be taken to give full implementation to the National Strategic Framework for Cyberspace Security, in line with what was set forth under the previous plan referring to the years 2014–2015 and with the Prime Minister’s Decree of 17 February 2017 setting out ‘Strategic Guidelines for the National Cyberspace Protection and ICT Security’. With this additional document, Italy adopted an integrated strategy to activate the involvement of both the private and public stakeholders identified in the National Strategic Framework as well as of all those who, on a daily basis, make use of modern ICT technologies, starting with every citizen.
  • On 18 May 2018, after having received the necessary delegation from Parliament on 25 October 2017 (Law No. 163/2017), the government adopted Legislative Decree No. 2018/65 on the implementation of the NIS Directive (the NIS Directive Italian Decree), aligning the Italian legal system with the most recent legislative developments on cyber resilience taking place at the European level. In particular, the NIS Directive Italian Decree established the Italian competent authorities or the computer security incident response teams (CSIRT) with the functions of the national CERT and CERT-PA.
  • In February 2019, the National Evaluation and Certification Centre (CVCN) was established at the Higher Institute of Communications and Information Technology of the Italian Ministry of Economic Development to verify the security conditions and the absence of vulnerabilities in products, equipment and systems intended for use in the operation of strategic networks, services and infrastructures, as well as by any other operator for which there is a national interest.
  • On 21 September 2019, the government adopted Law Decree No. 105/2019 (which entered into force on 22 September 2019) concerning urgent provisions on the cybernetic national security perimeter and the regulation of special powers in sectors of strategic importance, also in compliance with Regulation (EU) No. 2019/452 of 19 March 2019. The Decree provided for the institution of the cybernetic national security perimeter (the Perimeter), to which public administrations, national and private entities must belong if (i) they exercise an essential function of the state, or they provide an essential service for the maintenance of civil and economic activities fundamental for the state, and (ii) the exercise of that function or the provision of that service depends on networks, information systems and IT services whose malfunctioning, interruption or improper use may cause damage to national security. The Decree also set forth that to make the Perimeter operative, the subjects included in it shall be specifically identified, and specific procedures to notify incidents that have an impact on the networks shall be defined by further Decrees of the President of the Council of Ministers. Furthermore, pursuant to the Decree, the CVCN shall impose conditions and tests on hardware and software, and it will also be able to elaborate and adopt cybernetic certification schemes if those currently in force are not considered to be adequate to protect the security perimeter. The very strict sanctioning regime provided by the Decree should also be noted: for instance, the use of products or services on networks or IT systems in violation of the conditions set forth by the CVCN is subject to administrative fines of up to €1.8 million.
  • On 8 November 2019, the Decree of the President of the Council of Ministers of 8 August 2019 was published in the Official Gazette, providing the dispositions on the organisation and functioning of the CSIRT. The CSIRT, which shall process personal data in accordance with article 58 of the Italian Data Protection Code and can be supported by AgID, is officially established at the DIS, which is the ‘single point of contact’ under article 7 of NIS Directive Italian Decree, representing the liaison between member state authorities and the Italian competent authorities (ie, the ministries listed in article 7 of the NIS Directive Italian Decree) to ensure cross-border cooperation on the security of network and information systems.

The Italian legislative framework on cybersecurity is also built on general provisions applicable to both the public and the private sector (eg, the Data Protection Code as amended by Legislative Decree No. 101/2018, which has repealed its Annex B), as well as secondary legislation and soft law tools used at industry level (eg, banking, marketing, big data and insurance). These may be adopted or revised by competent independent regulators (ie, the Authority for Communications Guarantees (AgCom) for telecommunications, the Institute for the Supervision of Insurance (IVASS) for insurance and the Italian Central Bank for banking). Furthermore, Regulation No. 679/2016/EU (the General Data Protection Regulation (GDPR)) brought important innovations in the cybersecurity field for both private and public entities as of 25 May 2018.

Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?

According to recent reports, cybersecurity threats most often involve healthcare, banking, finance, telecommunications and critical infrastructures. This trend has grown exponentially in recent decades, accompanied by the need to face increasingly sophisticated cyberattacks on both individuals and legal entities. The riskiest subjects are large companies, exporters and operators working in sectors with high-end technological intensity.

Has your jurisdiction adopted any international standards related to cybersecurity?

The Italian Standards and Certification Institute (UNI), which is the Italian member of the European Committee for Standardization and the International Organization for Standardization (ISO), has adopted all the relevant international standards related to cybersecurity, most notably ISO/IEC 27001:2013 (currently, UNI CEI EN ISO/IEC 27001:2017 in Italy) and ISO/IEC 27032:2012, which provides guidance for improving the state of cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains, and covering the baseline security practices for stakeholders in cyberspace. Even if not specifically related to cybersecurity, the GDPR also encourages the drawing up of codes of conduct (article 40) and the establishment of data protection certification mechanisms (article 42) that will contribute to the proper application of EU regulation and allow controllers and processors to demonstrate the compliance of their processing operations with the GDPR. It is not out of the question that further certifications and standards relevant to data and cybersecurity obligations will be adopted or published. In fact, the Italian Data Protection Authority and the Italian government are currently working on mechanisms aimed at facilitating this process in a consistent and uniform way for both the private and public sector.

In addition to those measures, the Research Centre of Cyber Intelligence and Information Security of Sapienza University of Rome (CIS Sapienza), in collaboration with the Cybersecurity National Laboratory of the National Interuniversity Consortium for Informatics (CINI), introduced in Italy in 2016 the National Cybersecurity Framework (the Framework). The Framework, which derives much from the Framework for Improving Critical Infrastructure Cybersecurity adopted by the US National Institute of Standards and Technology, is not a security standard and can be adopted on a voluntary basis, but it appears particularly relevant in the Italian national system since it proposes a list of cybersecurity essential controls that can be adopted and implemented by medium, small or micro enterprises to reduce the number of vulnerabilities present in their systems and to increase the awareness of internal staff to resist the most common attacks.

What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation’s protection of networks and data, and how may they be held responsible for inadequate cybersecurity?

Those responsible for ensuring cybersecurity compliance within private and public organisations must always implement measures adequate to the risk of the activities performed by the legal entity they operate for and the information they process (eg, cybersecurity obligations for legal entities processing health-related data or sensitive personal data are generally stricter under Italian law). This is a general rule shared by the letter of the Data Protection Code (ie, article 31 and the following), the provisions of the Criminal Code and those of Legislative Decree No. 231/2001.

From a data protection perspective, although provisions regarding security measures have been repealed from the Italian Data Protection Code, the GDPR has introduced the principle of accountability, under which the controller shall be responsible for and be able to demonstrate compliance with data protection regulations. Another relevant principle set forth by the GDPR is the one of integrity and confidentiality, under which data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Moreover, in accordance with privacy by design and by default principles, the data controller shall implement appropriate technical and organisational measures designed to implement data-protection principles in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the EU Regulation and protect the rights of data subjects.

As provided by article 32.4 of the GDPR, controllers and processors shall take steps to ensure that any natural person acting under their authority who has access to personal data does not process them except on their specific instructions, unless their processing is required by European Union or member state law.

Therefore, responsible personnel and directors who cannot prove that they have implemented adequate cybersecurity compliance may face either criminal or civil liability, including the sanctions set forth under the GDPR for unlawful data processing. In addition, the organisation they work for can also exercise its right of recourse against them where administrative sanctions are issued against it by an independent authority (ie, the Italian Data Protection Authority or others).

How does your jurisdiction define cybersecurity and cybercrime?

There had been no definition of cybersecurity and cybercrime in the Italian legal system, neither in statute nor in case law, until the introduction of the President of the Council of Ministers Decree of 24 January 2013, replaced in 2017 by the Cybersecurity Decree. Such notions were widely interpreted by reference to different laws, regulations, secondary legislation and soft law provisions issued over the years by both the Italian legislature and authorities such as the Italian Data Protection Authority. In any case, given that Italy ratified the Budapest Convention on Cybercrime by means of Law No. 48/2008, the terms used thereby for identifying illicit conduct relevant to computer crimes were widely considered the same under Italian law.

After the adoption of the aforementioned Prime Minister’s Decrees, this scenario has changed. A definition of security of network and information systems (ie, cybersecurity) has been introduced: article 2, paragraph 1, letter i) of the Cybersecurity Decree states that cybersecurity is the condition in which cyberspace is protected by means of the adoption of ad hoc physical, logical and procedural security measures, with respect to events, either deliberate or accidental, consisting in the access, transfer, modification, destruction, illicit control, damaging or blocking of the regular functioning of networks and information systems and their essential elements. Although the Decree does not define cybercrime, it also provides definitions of cyberthreat and cyber incident (ie, article 2, paragraph 2, letters l and m). With particular regard to the former, the legislator refers to conduct performed by individuals or groups with the aim of violating private or public cyberspace and damaging the security of networks and information systems.

Furthermore, the NIS Directive Italian Decree defines the ‘security of network and information systems’ in accordance with the definition given by the NIS Directive: the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems.

In addition to this, with reference to data protection, article 32 of the GDPR provides that controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, especially those from accidental or unlawful destruction, loss, alteration and unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed. The disposition is therefore significant because it entails a concept of cybersecurity being strictly interconnected to data privacy requirements and the governance of data flows within private and public networks. Despite the fact that the GDPR and the Data Protection Code only apply to personal data, their provisions recognise the importance of securing information assets of all kinds with sole regard to their vulnerability and level of sensitivity. Therefore, the mentioned principles of data protection on security processes can be considered a cybersecurity standard.

With regard to information system security and cybercrime enforcement, it could be said that the distinction between them is both of a technical and a legal nature under Italian law. On the one hand, the former refers to those IT requirements that shall be implemented in accordance with applicable cyber laws and regulations (eg, provisions and principles of the GDPR); on the other, cybercrime enforcement is delegated to competent regulatory, police and judicial authorities case by case (ie, depending on whether civil, criminal or administrative liability arises).

What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats?

Security requirements that differ by category of data are not uncommon under Italian data protection and cybersecurity laws. However, one of the most relevant distinctions to bear in mind is that between personal and non-personal information. In the first case, specific and more robust data and cyber protection shall always be applied, while in the second, requirements may vary depending on the type or value of the information involved (eg, information related to intellectual property rights or relevant to strategic infrastructures). This notwithstanding, as per article 14 of the NIS Directive Italian Decree, digital service providers shall identify and take appropriate technical and organisational measures to manage the risks related to the security of the networks and information systems they use, as indicated in the relevant Decree.

With reference to personal data, the GDPR does not indicate minimum security measures to be adopted by controllers or processors (in accordance with the accountability principle), but generically prescribes, under article 32, that controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (including, inter alia, the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and the existence of a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing).

In assessing the appropriate level of security, the GDPR underlines that account shall be taken in particular of the risks that are presented by processing, especially those from accidental or unlawful destruction, loss, alteration and unauthorised disclosure of or access to personal data. Therefore, cybersecurity measures shall be ‘adequate’ to the risks inherent to the processing; however, the responsibility to self-assess and guarantee their effectiveness rests solely with data controllers, at their own peril.

To align national data protection provisions with the GDPR, Legislative Decree No. 101/2018 has modified the Italian Data Protection Code by repealing different dispositions incompatible with the EU Regulations, including Annex B to the Data Protection Code, which foresaw a series of specific (minimum) measures relevant to data security and aimed at protecting data and information assets on a general basis.

The GDPR has therefore produced a paradigm shift in security: from external regulation and control (as provided by the former Italian Data Protection Code) to a risk-based approach solely based on accountability – balanced with the possibility of higher administrative fines.

Notwithstanding this lack of normative prescription on minimum security measures concerning cybersecurity, one should mention soft law tools aimed at reducing risks in both the private and public sector.

With reference to the private sector, in 2016 CIS Sapienza, in collaboration with CINI, adopted the National Cyber Security Framework, providing a list of cybersecurity essential controls that can be adopted and implemented by medium, small or micro enterprises. The listed measures include, among others, the following:

  • data, personnel, devices, systems and facilities that enable the organisation to achieve business purposes are identified to manage these resources in accordance with their relative importance to business objectives and the organisation’s risk strategy;
  • services granted by third parties are minimised and limited to those strictly necessary;
  • policies, procedures and processes are adopted to manage and monitor the organisation’s regulatory, legal, risk, environmental and operational requirements;
  • employees are selected and appointed in accordance with their respective roles on IT systems and risk management;
  • the legal framework on cybersecurity applicable to the company is identified, and it is constantly monitored to see that all relevant instructions are fulfilled;
  • all devices and systems offered for use to the employees have tools and software for security and data protection that are constantly and automatically updated;
  • each individual shall access only the information needed to execute the relevant role in the company, in accordance with specific authorisations;
  • basic staff training on cybersecurity risks is performed according to an established plan and schedule and with the aid of appropriate training techniques and tools (eg, e-learning, classroom training and tutorial material) in line with the specific characteristics of each organisation (eg, staff territorial distribution and prevailing use of external suppliers);
  • a secure set-up of systems is carried out by the IT staff responsible (if applicable) or by externally designated companies;
  • backup and restoration of data is performed and regularly tested through the use of specific technology solutions that automate the main activities required (scheduling of backups, monitoring of results, etc);
  • users use strong passwords, enforced where possible through setup mechanisms and automatic controls, and updated frequently;
  • perimeter protection of networks is obtained through appropriate hardware and software solutions; and
  • the response to cybersecurity events takes place at least through the establishment of a company procedure, written in accordance with the applicable regulations and communicated to all involved parties (eg, employees, consultants and third parties).

With regard to the public sector, AgID’s Circular No. 2/2017, dated 18 April 2017, contains ‘Minimum ICT security measures for public administrations’. AgID has, therefore, identified the minimum ICT security measures that public administrations must implement (eg, technological, organisational and procedural controls) to combat the most frequent cyberthreats arising in the Italian public administration.

Further security measures and security standards to be adopted to ensure high levels of security of networks shall be defined by the Presidency of the Council of the Ministers and the Ministry of Economic Development, and specifically included in the upcoming government decree to be adopted within 10 months of the entry into force of the Law of Conversion of Decree No. 105/2019.

Scope and jurisdiction

Does your jurisdiction have any laws or regulations that specifically address cyberthreats to intellectual property?

As a general remark, cyberthreats to intellectual property and industrial secrets are addressed by the provisions of both the Criminal Code and the Civil Code as well as by the letter of Legislative Decree No. 30/2005 (the Intellectual Property Code). These sources regulate and provide for several means for protecting intellectual property in both the online and offline environment, for example:

  • key provisions of the Criminal Code (ie, articles 473, 474 and 517-ter) punish counterfeiting, illicit use of trademarks and national commercialisation of fakes – either of a digital or a material nature;
  • article 623 of the Criminal Code punishes the revelation of trade secrets or scientific inventions known because of the relevant profession;
  • the Civil Code contains some general provisions on intellectual property rights that may extend to the cybersphere (ie, articles 2569 to 2594), whose enforcement is governed by the Civil Procedure Code; and
  • the Intellectual Property Code provides for sanctions against intellectual property infringement in general (ie, articles 117 to 143) and more specific provisions on anti-piracy, which often extend to cyberthreat prevention (ie, articles 144 to 146).

In addition to the above, Legislative Decree No. 70/2003 and AgCom’s Regulation on Online Intellectual Property Protection of 31 March 2014 also introduced legal tools aimed at preventing cyberthreats to intellectual property by means of notice and takedown procedures and other judicial and non-judicial remedies.

Does your jurisdiction have any laws or regulations that specifically address cyberthreats to critical infrastructure or specific sectors?

The NIS Directive, which has been implemented in the Italian legal system by means of the NIS Directive Italian Decree, has set up the basis for the coming years’ national cybersecurity strategy. This act aligns Italian laws with the most recent legislative developments on cybersecurity taking place at the European level. The Decree addresses cyberthreat prevention for a wide range of industries, critical infrastructures and providers of essential services operating in the economic, digital and public sector. The content of the Decree is substantially aligned with that of the NIS Directive and reflects its principles and structure with the aim of strengthening national cybersecurity resilience and fostering private–public partnerships to that extent.

Does your jurisdiction have any cybersecurity laws or regulations that specifically restrict sharing of cyberthreat information?

Restriction of information sharing concerning cyberthreats is not addressed by any particular law or regulation under Italian legislation. Although cybercrime is always punished under the current legal regime (eg, article 615-quater and quinquies of the Criminal Code), reverse engineering of cyberweapons to pursue cyberattackers may also lead to sanctions. In such cases (paradoxically), the victim reacting to a cyberthreat may risk committing the crime of digital trespassing (ie, article 615-ter of the Criminal Code) and, therefore, be subject to punishment alongside the perpetrators.

In addition, information-sharing practices should be subject to particular cautions. This is especially with regard to possible data privacy claims or civil proceedings concerning the protection of private communications (ie, a fundamental right under article 21 of the Italian Constitution). Authorities can request privileged access to such information for investigation purposes. In such cases, prescriptions on the processing of personal data for police or judicial purposes may apply with the relevant limitations (eg, those set forth under the Italian Criminal Procedure Code and in other sources).

Without prejudice to the GDPR provisions, exceptions to such limitations introduced for the purpose of facing cyberthreats can be found in the jurisprudence of the Italian Data Protection Authority. For example, access to private communications is governed by the Italian Data Protection Authority’s Guidelines applying to the use of emails and the internet in the employment context of 1 March 2007. This source foresees that data controllers can only access employees’ electronic communications where there is a risk of serious and concrete violations or breaches of their information assets (ie, thus including possible cyberthreats). However, this can happen only where:

  • explicit consent for access of the employee involved has been provided;
  • an external counsel (ie, usually a lawyer) has been appointed for the purpose of carrying out defence investigations (also preventive) on behalf of the data controller; and
  • the search is limited to the specific objects or items the employer is looking for (ie, search by means of specific key words or hashtags to discover a competitor’s name or alias, external senders and unauthorised email exchanges).

What are the principal cyberactivities that are criminalised by the law of your jurisdiction?

Cybercrimes that are relevant to organisations can be tracked in two particular pieces of legislation: Legislative Decree No. 231/2001 on corporate criminal liability and the Data Protection Code. The former includes specific provisions on cyber and computer crimes performed by organisations, their representatives or those subject to the authority of the latter, as well as the relevant sanctions regime (article 24-bis). In particular, the general principle applicable to organisations for crimes and cybercrimes they have committed, directly or indirectly, is that criminal liability is always personal (ie, held by employees, directors or managers), whereas corporate liability has an administrative character impacting the organisation as a whole by means of fines or sanctions, and shall be recognised only if the entity’s personnel have committed the crime in the interest or for the advantage of the company. The following are some examples of the most frequent cybercrimes disciplined by the Italian Criminal Code:

  • unlawful access to an information system (article 615-ter);
  • detention and dissemination of access codes to computer or telematics systems (article 615-quater);
  • dissemination of equipment, devices or computer programs aimed at damaging or interrupting an IT or telematic system (article 615-quinquies);
  • unlawful surveillance by means of an information system (article 617-quater); and
  • damage to software, information, data, IT programs or telematic systems (articles 635-bis to 635-quinquies).

With regard to the Data Protection Code, aside from the applicability of the same general principle above, the conduct subject to sanctions has recently been updated by Legislative Decree No. 101/2018. Consequently, the Data Protection Code provides criminal sanctions in cases of:

  • unlawful processing of personal data (article 167);
  • illicit communication and dissemination of personal data processed on a large scale (article 167-bis);
  • fraudulent acquisition of personal data being processed on a large scale (article 167-ter);
  • falsity in declarations to the Data Protection Authority and interruption of the execution of the tasks or exercise of the powers of the Data Protection Authority (article 168); and
  • failure to comply with the provisions of the Data Protection Authority (article 170).

Finally, article 20 of the NIS Directive Italian Decree provides administrative fines for operators of essential services acting in violation of the provisions of the Decree, and article 1, paragraph 9 of Law Decree No. 105/2019 provides different fines (up to €1.8 million) for specific categories of violation related to cybersecurity, which will be better defined by upcoming government decrees.

How has your jurisdiction addressed information security challenges associated with cloud computing?

The NIS Directive Italian Decree defines cloud computing, in accordance with the NIS Directive, as a digital service that enables access to a scalable and elastic pool of shareable computing resources. The Italian Ministries listed in article 7 of the NIS Directive Italian Decree shall put into effect, and supervise, the application of the relevant provisions of the Decree, also with specific reference to cloud computing. With reference to soft law guidelines on cloud computing, the framework adopted by CIS Sapienza and CINI for the private sector, as well as AgID Circular No. 2/2017 for the public sector, make direct reference to cloud systems, underlining the need for backup activities in those infrastructures, also for cybersecurity reasons.

Apart from those references, at the time of writing, no particular act, secondary legislation, guideline, decree, general order or other provision has been issued by competent institutions with specific regard to cybersecurity in cloud computing.

In any case, there are some issues relevant to cloud-based services to which particular attention should be given, both from a regulatory and a cybersecurity point of view. In particular, these are:

  • the regime of allocation of responsibilities and the contractual obligations with cloud providers;
  • data and information security compliance, with specific regard to sensitive personal data;
  • the allocation of responsibility for the implementation of specific cybersecurity defences; and
  • extra-European Economic Area transfers and the governance of international data flows.

How do your jurisdiction’s cybersecurity laws affect foreign organisations doing business in your jurisdiction? Are the regulatory obligations the same for foreign organisations?

Obligations applicable to foreign organisations are the same as those applicable to domestic organisations. In particular, this has also been clarified by the scope of the NIS Directive, which applies to all operators providing essential or digital services (thus including online search, cloud computing and e-commerce) within the European Union, irrespective of their country of establishment. To this extent, the NIS Directive Italian Decree fully aligned applicable Italian provisions on cybersecurity to such extraterritorial scope of application.

Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

At present, business and private sector operators may refer to industry best practices. However, public administrations usually rely on national CERTs’ indications (ie, with particular reference to those coming from CERT-PA), the AgID’s sector-specific set of guidelines or other similar soft law tools aimed at reducing risks for computers and networks, in compliance with applicable statutes on cybersecurity. It has been noted that the NIS Directive Italian Decree has established the Italian CSIRT to replace the national CERT and CERT-PA, whose functions are described by the Decrees of the President of the Council of Ministers of 8 August 2019 and shall be further clarified by a forthcoming government decree in accordance with article 1 of Law Decree No. 105/2019.

In spite of this, it can be said that the Italian legal system does not provide for any particular additional cybersecurity protection that goes beyond what is mandatorily prescribed by the laws and regulations in force.

How does the government incentivise organisations to improve their cybersecurity?

For the operating expenses of the Italian CSIRT, the NIS Directive Italian Decree has authorised expenditure of €2.7 million for 2018, of which €2 million for investment expenses, and €700,000 annually from 2019.

The Cybersecurity Decree only foresaw generic provisions on incentivising and funding cybersecurity in the private and public sectors or by means of private–public partnerships. Current spending on cybersecurity is quite likely to remain unchanged unless future and more specific provisions are adopted by the government or in light of possible European initiatives (eg, statutes on defence spending, research and development funding).

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

Industry codes of practice and standards may vary greatly from sector to sector; however, as at the time of writing, none have been updated to meet the evolving legal scenario. This notwithstanding, it is likely that the forthcoming decrees to be adopted by the government in accordance with Law Decree No. 105/2019 will have a significant impact on current and future industry standards promoting cybersecurity and cyber resilience at a national level.

Within 10 months of the entry into force of the Law of Conversion of Decree No. 105/2019, the government shall define specific measures and security standards to be adopted to ensure high levels of security of networks, information systems and IT services.

Furthermore, the CVCN may process and adopt cyber certification schemes if, for national security reasons, the existing schemes of certification are not considered to be adequate for the needs of protection of the Perimeter.

Are there generally recommended best practices and procedures for responding to breaches?

Post-breach response strategies may vary greatly. They may depend on the degree of cybersecurity awareness that legal entities of both the public and the private sectors have. As a general remark, it could be said that intervention of third-party forensic firms is not uncommon, although often within the sole framework of the performance of defensive and preventive investigations.

In all cases involving personal data, the Italian Data Protection Authority’s jurisprudence (with particular regard to its Guidelines, which apply to the use of emails and the internet in the context of employment) also provides some useful indications on notice to employees and the adoption of ad hoc internal policies on data security and cyber resilience. In the case of breaches or cyber incidents, evidence of the adoption and implementation of such policies may be relevant from a burden of proof perspective (ie, from a civil, criminal or administrative standpoint).

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

Article 18 of the NIS Directive Italian Decree provides that entities that have not been identified as operators of essential services and are not digital service providers may notify, on a voluntary basis, incidents having a significant impact on the continuity of the services that they provide (mirroring article 20 of the NIS Directive). Furthermore, the Cybersecurity Decree of 17 February 2017 provides for mandatory mechanisms of constant update and communication between private operators, CSIRTs, CERTs, intelligence services and the government (ie, article 11).

These mechanisms do not foresee the details of the practices or the procedures for communicating cyber incidents or cyberthreats, although the Decree states that this can happen by means of competent ministerial institutions (ie, through the offices of the Ministry of Defence and the Ministry of Economic Development). In addition, a lack of communication may also lead to sanctions of an administrative, civil or criminal nature.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

The NIS Directive Italian Decree has appointed the DIS as the ‘single point of contact’ under article 8 of the NIS Directive, which represents the liaison between member state authorities and the Italian competent authorities (ie, the ministries listed in article 7 of the NIS Directive Italian Decree) to ensure cross-border cooperation on the security of network and information systems. The NIS Directive Italian Decree has also established the Italian CSIRT to replace the national CERT and CERT-PA, whose functions and organisation are described by the Decrees of the President of the Council of Ministers of 8 August 2019 and shall be further clarified by a forthcoming government decree in accordance with article 1 of the Law Decree No. 105/2019.

The national CERT, which operates on the basis of a public–private cooperative model, supporting citizens and businesses through awareness-raising actions, prevention and the coordination of responses to large-scale cyber events, has been a significant example of how government and the private sector can cooperate in the field of cybersecurity, especially with respect to the cyber resilience of critical infrastructure and essential services. However, there is no particular way in which private and public partnerships or collaborations are meant to be developed.

To this extent, the Cybersecurity Decree of 17 February 2017 has also improved collaboration by strengthening the link between CSIRTs, the government and internal intelligence agencies in the management of cyber incidents and the drafting of best practices and procedures, which is also applicable to the private sector.

Insurance

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Cyber insurance is a fast-growing sector in Italy, and it is offered by all the major insurers operating at a national level. Despite great availability and choice, such products are far from common among all kinds of operators of both the public and the private sectors. Existing cyber risk insurances usually cover first- and third-party liability for negligence, accidents or faults. Furthermore, they have variable costs depending on the extension of the coverage and the kind of informational, data or ICT assets they are linked to.

Enforcement

Regulation

Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?

The competent NIS authorities (ie, the Ministries listed in article 7 of the NIS Directive Italian Decree) are responsible for the implementation of the NIS Directive Italian Decree with regard to the sectors referred to in Annex II and to the services listed in Annex III of the Decree, and supervise the application of the Decree at a national level, also exercising the related powers of investigation and imposing administrative sanctions. Therefore, the monitoring of compliance with information security standards from a regulatory point of view is allocated to several public intelligence bodies operating in different fields and networking together to increase cyber resilience and data security at a national level.

Authorities competent for prosecuting relevant cybercrimes are instead usually identified as judicial and police bodies, such as the above-mentioned Postal Police or the competent territorial criminal and civil tribunals. Their enforcement, decision-making and investigative powers can be either sought upon request or activated ex officio (eg, in the case of serious cyberattacks, data breaches or large-scale frauds against individuals or legal entities).

In accordance with article 1, paragraph 12 of Decree No. 105/2019, the Presidency of the Council of the Ministers is the authority primarily responsible for ascertaining violations and for the imposition of sanctions on public entities, whereas the Ministry of Economic Development is responsible for private entities.

From a data protection perspective, the Italian Data Protection Authority can enforce the provisions of the GDPR and the Italian Privacy Code, imposing the relevant sanctions.

Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute infringements.

A specific description of the Presidency of the Council of the Ministers and the Ministry of Economic Development’s powers to monitor compliance, conduct investigations and prosecute infringements may be included in the relevant government decrees to be adopted, in accordance with Law Decree No. 105/2019, within 10 months of the entry into force of the Law of Conversion of this Decree.

From a data protection perspective, the Italian Data Protection Authority can act with broad powers to request information or demand the disclosure of specific documents relevant to possible cybersecurity accidents. These powers can also extend to monitor compliance, conduct investigations and prosecute infringements. Aside from the Italian Data Protection Authority’s regulatory enforcement action, other institutions may also be competent in cases of possible cybersecurity incidents. In particular, judicial, intelligence and police authorities can investigate the link between such incidents and the commission of computer crimes and cyberattacks, or commence proceedings and adopt countermeasures, as the case may be.

What are the most common enforcement issues and how have regulators and the private sector addressed them?

Most common enforcement issues concerning both regulators and the private sector may vary greatly. In particular, they may depend on a wide range of factors, such as:

  • the type of cyber defences adopted;
  • the categories and the amount of data being processed (either personal or non-personal);
  • the likeliness of possible cyberattacks and the measures in place to prevent them;
  • the adoption of disaster recovery tools and software; and
  • technological evolution in general.

The private sector has been reacting to cybersecurity issues in various ways, for example, by adopting industry best practices, codes of conduct or ad hoc information security certifications (eg, ISO 27001). This approach is quite common in ‘cyber-sensitive’ sectors, such as healthcare, banking, insurance, energy, telecommunications and digital services. However, it is also spreading fast in other industries, from retail to professional services, and from transport to entertainment.

With regard to the aforementioned sectors, operators have complied with regulatory enforcement. In particular, banking and healthcare face the most challenging scenarios. This is because the combination between new technologies and fast-growing business opportunities poses unprecedented cyber risks to their traditional cyber defences (eg, the blockchain, mobile payments, the internet of things, personal medicine, artificial intelligence applied to finance and investments, and so on).

What regulatory notification obligations do businesses have following a cybersecurity breach? Must data subjects be notified?

Pursuant to article 1 of Law Decree No. 105/2019 and article 4 of the Decree of the President of the Council of Ministers of 8 August 2019, essential service providers and digital service providers shall notify the CSIRT (copying the competent NIS Authority), without undue delay, of all security incidents having a significant impact on the continuity of the services they provide, also in compliance with the NIS Directive Italian Decree; other incidents are to be notified in compliance with obligations otherwise provided.

Furthermore, public administrations, institutions and national operators included in the Perimeter (as these subjects shall be further identified in detail by the upcoming government decree, to be adopted in accordance with article 1, paragraph 1 of Law Decree No. 105/2019 within four months of the entry into force of the Law of Conversion of this Decree) are also required to notify of incidents affecting networks, information systems and IT services.

With reference to data protection impacts following a cybersecurity breach, the data controller shall also notify the breach to the competent Data Protection Authority – unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons – within 72 hours of becoming aware of it, also informing the data subjects without undue delay when the data breach is likely to result in a high risk to the rights and freedoms of natural persons, pursuant to articles 33 and 34 of the GDPR.

Penalties

What penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?

Penalties are generally identified with administrative fines and may vary depending on the type of breach occurred.

Article 1, paragraph 9 of Law Decree No. 105/2019 provides different fines (up to €1.8 million) for specific categories of violation. For example, the use of products and services on networks, information systems and IT services in violation of the conditions imposed by the CVCN is punished with a pecuniary administrative sanction from €300,000 to €1.8 million; non-compliance with the security measures referred to in paragraph 3, letter b of Decree No. 105/2019 (measures which shall be determined by upcoming government decrees by the Ministry of Economic Development and the Presidency of the Council of Ministers) is sanctioned with a fine between €250,000 and €1.5 million.

Article 20 of the NIS Directive Italian Decree also provides administrative fines for operators of essential services acting in violation of the provisions of the Decree.

Fines can be lighter in the case of cyber incidents resulting in a breach of non-personal data. However, penalties for failure to comply with cybersecurity requirements involving personal data may be more severe. In these latter cases, the Italian Data Protection Authority would be the competent authority in charge of issuing administrative fines in accordance with the letter of the GDPR (article 83) and the Data Protection Code. Such fines may also focus on entities operating specific industries of the public or the private sector (eg, electronic communications services).

Criminal penalties may also arise in the case of serious cybersecurity failures amounting to criminal offences, such as abuse of access to information systems or similar events. In these cases, although the principle of personal criminal liability would still apply, the responsible legal entity, in the interest of which the crime was committed, may also be subject to sanctions, mainly of an administrative nature (such as fines or asset seizure), pursuant to Legislative Decree No. 231/2001.

What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?

Once again, the importance of the penalties may vary depending on the seriousness of the failure as well as on the extension of the threats or breaches involved. Furthermore, they may be of a civil, administrative or criminal nature and be applied jointly.

However, failure to notify the CSIRT of incidents that have an impact on networks, information systems and IT services, as required under article 1, paragraph 3, letter a) of Law Decree No. 105/2019, within the timeline defined by an upcoming government decree (to be adopted within 10 months of the entry into force of the Law of Conversion of this Decree), is punished with an administrative fine from €250,000 to €1.5 million, unless the fact constitutes a crime, as provided for by article 1, paragraph 9, letter b) of Decree No. 105/2019.

How can parties seek private redress for unauthorised cyberactivity or failure to adequately protect systems and data?

Businesses, individuals or interested third parties may seek redress for unauthorised cyberactivity or failure to adequately protect their IT systems or data against either legal or natural persons by means of reporting to the competent administrative authorities or starting proceedings in court. Both remedies can be activated at the same time without particular exceptions. Additionally, compensation may be sought in front of civil tribunals once concrete proof of damage has been provided by the alleged damaged party.

Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

As per article 14 of the NIS Directive Italian Decree, digital service providers shall identify and take appropriate technical and organisational measures to manage the risks related to network security and the information systems they use.

To protect personal data, instead, controllers and processors shall comply with EU regulation, in particular with the provisions set forth under article 32 of the GDPR and in accordance with the principles of privacy by design, by default and accountability.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

In cases in which cyberthreats or attacks involve personal data, data breaches also occur. In such cases, in accordance with the accountability principle, article 33(5) of the GDPR provides that the controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken, to allow the supervisory authority to verify compliance with that provision.

Digital service providers also have to adopt, irrespective of whether personal data is processed, the security measures set forth under article 14 of the NIS Directive Italian Decree, and must document their compliance with this provision as set forth under articles 13(2) and 15(2) of the Decree, which might also include a record of the cyberthreats or attacks that have occurred.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

The Cybersecurity Decree of 17 February 2017 introduced stronger reporting and information-sharing obligations for the private and the public sectors, with particular regard to operators of critical infrastructures and providers of essential services.

Furthermore, the NIS Directive Italian Decree of 18 May 2018 has innovated the scenario, having established the Italian CSIRT with the functions of the national CERT and CERT-PA. Article 12 of the Decree provided that essential services providers shall notify to the Italian CSIRT and, for information, the competent NIS authority, without unjustified delay, of incidents that have a significant impact on the continuity of the essential services provided by them.

These obligations include the duty to communicate cyberthreats or incidents to the competent regulatory authorities, ranging from intelligence to government officials, by means of protected channels and without undue delay (the relevant time frame is not mentioned by the decree; however, this issue may be addressed by future best practices published by CSIRTs or other competent institutions). In addition, private operators should also allow regulatory authorities access to their security operations centres and archives where necessary to address cyberthreats or improve cyber resilience. This may also happen with regard to the provisions of Law No. 124/2007 on ‘Information system for the security of the Republic and new regulation of secrecy’. Finally, the obligations above do not exclude the duty of public and private operators to also report possible breaches to the competent police, judicial and administrative authorities (ie, the Italian Data Protection Authority), as the case may be.

Time frames

What is the timeline for reporting to the authorities?

Apart from cases governed by the provisions of the EU Regulation on data protection under which possible data breaches must be reported to the Italian Data Protection Authority within a certain time (ie, within 72 hours of becoming aware of the breach), there is no such timeline in the Cybersecurity Decree, the NIS Directive Italian Decree or other relevant sources.

This may be subject to future modifications and amendments by means of guidelines and best practices that will be adopted and implemented at a national level by the Italian CSIRT and other competent authorities.

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

Pursuant to article 12 of the NIS Directive Italian Decree, the competent NIS Authority, in accordance with the Italian CSIRT, may, after consultation with the essential service provider notifying the breach, inform the public about single incidents if awareness is needed to avoid an incident or to handle an ongoing incident. Other than this provision and the reporting obligations prescribed by the GDPR on personal data breach notifications to the general public and the National Authority (ie, the Italian Data Protection Authority), there are no particular rules regarding an obligation to report threats or cybersecurity breaches to other members of the same sector.

However, this requirement may be included in industry codes of conduct, operational guidelines or best practices. It is not uncommon for companies to draft their own data breach and cybersecurity policies and attach them to commercial agreements, to make them binding sources and prevent future negative scenarios by attributing liabilities prior to the start of performing the obligations of a contract. This may well reduce the risk of IT incidents and force outsourcers to comply with non-negotiable cybersecurity standards and clauses. In addition to this, should outsourcers operate as data processors, such non-negotiable clauses should be reflected in the relevant data processing agreement, in accordance with article 28 of the GDPR. Moreover, in such cases, specific duties of cooperation with the data controller also fall on the data processor with regard to data breach notifications.

Update and trends

What are the principal challenges to developing cybersecurity regulations? How can companies help shape a favourable regulatory environment? How do you anticipate cybersecurity laws and policies will change over the next year in your jurisdiction?

The Italian government adopted a series of laws and regulations, both sectoral and general in scope, up until Legislative Decree No. 65 of 18 May 2018 implementing the NIS Directive, which aligned the Italian legal system with the most recent legislative developments on cyber resilience taking place at the European level.

More recently, the government adopted Law Decree No. 105/2019 (which entered into force on 22 September 2019) concerning urgent provisions on the Perimeter and the regulation of special powers in sectors of strategic importance. A more defined framework of security measures and standards to be adopted to ensure high levels of security of networks shall be defined by the Presidency of the Council of the Ministers and the Ministry of Economic Development, and specifically included in the upcoming government decree to be adopted within 10 months of the entry into force of the Law of Conversion of Decree No. 105/2019.

Law Stated Date

Correct On

Give the date on which the information above is accurate.

December 5th, 2019