A noticeable global trend in the current geopolitical climate is for state agencies to enact rules protecting communications networks that are identified as essential/strategic to national security, for example:
- stipulating enhanced cybersecurity requirements and notification obligations in respect of these essential networks;
- imposing restrictions on specific suppliers and/or equipment supplied from certain jurisdictions perceived as unfriendly in the wider 5G supply chain.
This month's editorial looks at recent changes Italy has made to its cybersecurity and foreign investment laws to deal with these issues.
In November 2019, the Italian Government passed law No. 133/2019 (Law 133) which establishes the so-called 'National Cyber Security Perimeter' and amends the Italian legislation on foreign investments in certain strategic sectors.
The aim of Law 133 is to ensure a high level of security for networks, information systems and IT services as utilized by governmental agencies, public administrations, State-owned entities and private companies which exercise an essential function of the State or services that are fundamental for the Country's interests and whose failure may harm national security.
In order to establish the National Cyber Security Perimeter, within 4 months, the Italian Government will identify a number of public administrations, State-owned entities and private companies that will be subject to specific security-related obligations (Relevant Entities), such as the duty to:
- notify the Government and certain public agencies with a list of networks, information systems and IT services utilized by the Relevant Entities;
- notify the Government and certain public agencies about any incident affecting said networks, systems and IT services;
- adopt security measures that will be identified by the Inter-ministerial Committee for the Security of the Republic; and
- adopt specific measures and conditions that must apply when the Relevant Entity procures assets, systems and services from third parties, to be utilized within the Relevant Entities' networks and IT systems.
Non-compliance triggers significant administrative fines and, in certain cases, imprisonment and/or a ban from the management, administration and control of any legal entities for 3 years.
Law 133 is not yet fully implemented, as the Government must issue a number of decrees in the coming months to make the above obligations operational. All such implementing decrees will have to be adopted within the next 10 months.
Foreign Investment Changes
Law 133 also introduces significant amendments to the foreign investments rules in certain strategic sectors, also known as 'special powers' regulations.
'Special powers' essentially allow the Government to impose conditions on, or veto, certain transactions whenever the Government holds that these would result in a threat of serious harm to Italian public interests in the areas of national defense and homeland security and, in certain circumstances, in the telecommunications, energy and transportation industries, including critical hi-tech infrastructures and 5G technologies.
Since March 2019, broadband electronic communication services based on 5G technology had been listed among the strategic assets and subjected to the special powers. This means that industry players need to notify all 5G-related contracts to the Government, in order for the latter to assess whether to exercise veto powers or impose conditions thereon. These 5G-related contracts are those contracts that pertain to the purchase of assets or services concerning the design, realization, maintenance and management of 5G networks or the acquisition of high-tech components, which are instrumental to the realization or management of these infrastructures, whenever such contracts are entered into with a non-European Union entity.
The concept of non-European Union entity includes not only those whose registered office is outside the European Union (EU) or the European Economic Area (EEA), but also those entities that even if established within the EU or the EEA are nonetheless controlled ultimately by individuals or entities that are outside the EU or the EEA. Also, through a clearly anti-avoidance provision, the definition of non-EU entity also encompasses those entities which have established their registered office or operations within the EU or EEA, but only for the purpose of bypassing the application of the special powers regulations.
This regulatory framework essentially requires purchasers of 5G assets or services to check whether or not sellers are ultimately controlled by an EU/EEA entity. This check may be complex considering that the control at stake is not only the corporate control ensured through capital participation, but also the type of control which can be exercised through dominant influence resulting, for instance, from particular agreements between the seller and a third party entity.
Against this backdrop, Law 133:
- extends the term for the Government to exercise special powers (from 15 to 45 days);
- broadens the content of the information to be provided to the Government for the exercise of the special powers;
- specifies the criteria for the Government to assess whether a foreign investment is likely to affect national security or public order;
- allows the Government to amend or reverse decisions already adopted on previous 5G transactions within certain time limits;
- sanctions the failure to notify 5G-related contracts with an administrative fine equal to maximum 150% of the value of the transaction.
Companies operating in Italy in any sector involving the use of networks, information systems and IT services should assess the direct or indirect impact of these regulations on their operations. More specifically:
- Cross-sector provisions – Relevant Entities are State-owned entities and private companies operating in a number of different sectors and not only in the electronic communications and information technology sectors. Indeed, Law 133 is quite broad and structured so as to include any company that utilizes information systems and networks to perform an essential function of the State or services that are essential to ensure the maintenance of social or economic activities that are fundamental to the interests of the State;
- Tender and procurement provisions – Any player contracting with a Relevant Entity may experience indirect effects due to the obligations of the Relevant Entity itself. By way of example, the Relevant Entity may require suppliers to comply with specific security measures and/or to perform ad hoc tests on software and hardware in order to comply with the new rules;
- Amendments to the special powers/foreign investment rules – industry players should assess the new terms and conditions for the Government's special powers as these may be an important element to factor in when making decisions on foreign investments in strategic assets.
The recent changes in Italy's cybersecurity and foreign investment regulations are the result of increased geopolitical risks and of a growing attention towards the defense, reliability and security of networks, electronic communications architectures and high tech platforms. It remains to be seen whether protection of such strategic assets will unfold as a mechanism to shield critical infrastructures or will rather evolve towards a protectionist drift.