Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

At present, business and private sector operators may refer to industry best practices. However, public administrations usually rely on national CERTs’ indications (ie, with particular reference to those coming from CERT-PA), the AgID’s sector-specific set of guidelines or other similar soft law tools aimed at reducing risks for computers and networks, in compliance with applicable statutes on cybersecurity. It has been noted that the NIS Directive Italian Decree has established the Italian CSIRT to replace the national CERT and CERT-PA, whose functions are described by the Decrees of the President of the Council of Ministers of 8 August 2019 and shall be further clarified by a forthcoming government decree in accordance with article 1 of Law Decree No. 105/2019.

Beyond these soft law instruments, the Italian legal system does not provide for any particular additional cybersecurity protection that goes beyond what is mandatorily prescribed by the laws and regulations in force.

How does the government incentivise organisations to improve their cybersecurity?

For the operating expenses of the Italian CSIRT, the NIS Directive Italian Decree has authorised expenditure of €2.7 million for 2018, of which €2 million for investment expenses, and €700,000 annually from 2019.

The Cybersecurity Decree only foresaw generic provisions on incentivising and funding cybersecurity in the private and public sectors or by means of private–public partnerships. Current spending on cybersecurity is quite likely to remain unchanged unless future and more specific provisions are adopted by the government or in light of possible European initiatives (eg, statutes on defence spending, research and development funding).

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

Industry codes of practice and standards may vary greatly from sector to sector; however, as at the time of writing, none have been updated to meet the evolving legal scenario. This notwithstanding, it is likely that the forthcoming decrees to be adopted by the government in accordance with Law Decree No. 105/2019 will have a significant impact on current and future industry standards promoting cybersecurity and cyber resilience at a national level.

Within 10 months of the entry into force of the Law of Conversion of Decree No. 105/2019, the government shall define specific measures and security standards to be adopted to ensure high levels of security of networks, information systems and IT services.

Furthermore, the CVCN may process and adopt cyber certification schemes if, for national security reasons, the existing schemes of certification are not considered to be adequate for the needs of protection of the Perimeter.

Are there generally recommended best practices and procedures for responding to breaches?

Post-breach response strategies may vary greatly, depending on the degree of cybersecurity awareness of the legal entities concerned in both the public and the private sectors. As a general remark, the intervention of third-party forensic firms is not uncommon, although it often takes place solely within the framework of defensive and preventive investigations.

In all cases involving personal data, the Italian Data Protection Authority’s jurisprudence (with particular regard to its Guidelines, which apply to the use of emails and the internet in the context of employment) also provides some useful indications on notice to employees and the adoption of ad hoc internal policies on data security and cyber resilience. In the case of breaches or cyber incidents, evidence of the adoption and implementation of such policies may be relevant from a burden of proof perspective (ie, from a civil, criminal or administrative standpoint).

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

Article 18 of the NIS Directive Italian Decree provides that entities that have not been identified as operators of essential services and are not digital service providers may notify, on a voluntary basis, incidents having a significant impact on the continuity of the services that they provide (mirroring article 20 of the NIS Directive). Furthermore, the Cybersecurity Decree of 17 February 2017 provides for mandatory mechanisms of constant update and communication between private operators, CSIRTs, CERTs, intelligence services and the government (ie, article 11).

These mechanisms do not foresee the details of the practices or the procedures for communicating cyber incidents or cyberthreats, although the Decree states that this can happen by means of competent ministerial institutions (ie, through the offices of the Ministry of Defence and the Ministry of Economic Development). In addition, a lack of communication may also lead to sanctions of an administrative, civil or criminal nature.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

The NIS Directive Italian Decree has appointed the DIS as the ‘single point of contact’ under article 8 of the NIS Directive, which represents the liaison between member state authorities and the Italian competent authorities (ie, the ministries listed in article 7 of the NIS Directive Italian Decree) to ensure cross-border cooperation on the security of network and information systems. The NIS Directive Italian Decree has also established the Italian CSIRT to replace the national CERT and CERT-PA, whose functions and organisation are described by the Decrees of the President of the Council of Ministers of 8 August 2019 and shall be further clarified by a forthcoming government decree in accordance with article 1 of the Law Decree No. 105/2019.

The national CERT operates on the basis of a public–private cooperative model, supporting citizens and businesses through awareness-raising, prevention and the coordination of responses to large-scale cyber events. It has provided a significant example of how government and the private sector can cooperate in the field of cybersecurity, especially with respect to the cyber resilience of critical infrastructure and essential services. However, there is no prescribed way in which private and public partnerships or collaborations are meant to be developed.

In this respect, the Cybersecurity Decree of 17 February 2017 has also improved collaboration by strengthening the link between CSIRTs, the government and internal intelligence agencies in the management of cyber incidents and the drafting of best practices and procedures, which also apply to the private sector.

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Cyber insurance is a fast-growing sector in Italy, and it is offered by all the major insurers operating at a national level. Despite wide availability and choice, such products are far from common among all kinds of operators in both the public and the private sectors. Existing cyber risk insurance policies usually cover first- and third-party liability for negligence, accidents or faults. Furthermore, their costs vary depending on the extent of the coverage and the kind of informational, data or ICT assets to which they are linked.

Law Stated Date

Correct On

Give the date on which the information above is accurate.

December 5th, 2019