Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?
Dedicated cybersecurity laws are a relatively recent phenomenon in the Italian legal system. Before the boom of the internet and computer technology throughout the 1980s and the 1990s, there were no specific provisions. To fill this gap, the Italian government adopted a series of laws and regulations, both sectoral and general in scope. The most relevant are listed chronologically below.
- Law No. 547/1993, amending the provisions of the Criminal Code and Code of Criminal Procedure with regard to cyber and computer crimes, introduced new categories of crimes and punishments in order to provide more effective enforcement tools to police and judicial authorities.
- Law No. 675/1996, implementing Directive 95/46/EC, introduced provisions on data privacy and security also relevant to cyber resilience, and created the Italian Data Protection Authority. This was then followed by Law No. 269/1998, instituting a police force tasked with the mission of fighting cybercrime, internet fraud and online child pornography (the Postal Police).
- Government Directive of 16 January 2002 on information and telecommunications security for public administrations underlined for the first time the strategic value of data assets and the need to adequately protect them in public IT networks.
- Law No. 675/1996 was subsequently repealed by Legislative Decree No. 196/2003 (the Data Protection Code), whose Annex B on Minimum Security Measures (the Annex B) prescribed the security measures to be applied to the processing of personal data by private and public bodies. The Data Protection Code remains one of the main sources of cybersecurity obligations in the Italian legal system; Annex B has since been repealed by Legislative Decree No. 101/2018, as explained below.
- Legislative Decree No. 259/2003 (the Electronic Communications Code) introduced the network of computer emergency response teams (CERTs). CERTs are composed of institutional and private entities charged with providing technical assistance and cooperation on the cybersecurity and cyber resilience of critical infrastructures and essential services (eg, telecommunications, healthcare, banking, finance, energy and transport).
- Legislative Decree No. 82/2005 (the Digital Administration Code) strengthened the cyber and data security obligations to be implemented by public administrations, in light of the growing digitalisation of the public sector, and introduced the Computer Emergency Response Team of the Public Administration (CERT-PA). In the same year, Law No. 255/2005 created the national strategic centre for cyberthreats at the Ministry of the Interior and placed it under the direction, control and coordination of the Postal Police, which was granted additional enforcement powers.
- In 2007, to address social, political and international changes and new economic, cyber and energy challenges, the entire national intelligence apparatus was reformed by Law No. 124 of 3 August 2007, which established the Information System for the Security of the Republic. Within it, under the general supervision of the President of the Council of Ministers (who appoints the directors and deputy directors of each agency) and with the coordination of the Department of Information for Security (DIS), several institutions operate, such as the Information and External Security Agency (AISE), the Information and Internal Security Agency (AISI) and the Interministerial Committee for the Security of the Republic (CISR). Article 5 of Law No. 124/2007 regulates the functions of the CISR, which is assigned tasks of advice, proposal and deliberation on the guidelines and general objectives of the information policy for security, as well as the elaboration of the general guidelines and fundamental objectives to be pursued within that policy.
- In light of the growing concerns surrounding cybersecurity and cyberthreats at an international level, Law No. 48/2008 ratified the 2001 Budapest Convention on Cybercrime and updated both the Data Protection Code and Legislative Decree No. 231/2001 on corporate criminal liability, by introducing specific references to cyber and computer crimes. This marked a turning point for cybersecurity legislation in Italy; many more provisions, ministerial decrees and soft law tools have been adopted since then in order to raise cybersecurity awareness in both the private and public sector.
- More recent developments include Legislative Decree No. 83/2012, establishing the Italian Digital Agency (AgID), and Law No. 133/2012, which amended Law No. 124/2007 by granting the cyber intelligence bodies extended powers over national critical infrastructures (eg, the power of the President of the Council of Ministers, having heard the CISR, to adopt specific directives to strengthen information activities for the protection of critical material and immaterial infrastructures), with particular regard to cyber protection and national cybersecurity. The government accordingly adopted several national cybersecurity plans aimed at rapidly developing nationally integrated computer incident response capabilities, also on the basis of the recommendations of the European Union Agency for Network and Information Security (ENISA). Furthermore, Decree-Law No. 174 of 30 October 2015, converted with amendments by Law No. 198 of 11 December 2015, and in particular its article 7-bis, paragraph 5, assigned tasks of advice, proposal and resolution to the CISR when convened by the President of the Council of Ministers in a crisis involving aspects of national security.
- Pending the transposition, due by 9 May 2018, of Directive (EU) 2016/1148 on the security of network and information systems (the NIS Directive), on 17 February 2017 a Decree of the President of the Council of Ministers (the Cybersecurity Decree) was adopted, setting out ‘Strategic Guidelines for the National Cyberspace Protection and ICT Security’ and replacing the Decree of the President of the Council of Ministers of 24 January 2013. Through this act the government substantially renewed and strengthened the national cybersecurity strategy.
- In March 2017, the Presidency of the Council of Ministers adopted the National Plan for Cyberspace Protection and ICT Security, which identified the operational guidelines, the goals to pursue and the lines of action required to give full implementation to the National Strategic Framework for Cyberspace Security, in continuity with the previous plan for the years 2014-2015 and with the Cybersecurity Decree of 17 February 2017. With this additional document, Italy adopted an integrated strategy involving the private and public stakeholders identified in the National Strategic Framework as well as all those who make use of ICT technologies on a daily basis, starting with every citizen.
- Finally, on the basis of the delegation received from Parliament on 25 October 2017 (Law No. 163/2017), on 18 May 2018 the government adopted Legislative Decree No. 65/2018 implementing the NIS Directive (the NIS Directive Italian Decree), aligning the Italian legal system with the most recent European legislative developments on cyber resilience. In particular, the NIS Directive Italian Decree identifies the Italian competent authorities (ie, the ministries listed in its article 7) and establishes the Italian computer security incident response team (CSIRT), which takes over the functions of the national CERT and CERT-PA. The CSIRT is assisted by the DIS, which the NIS Directive Italian Decree designates as the ‘single point of contact’ under article 8 of the NIS Directive, liaising between the authorities of the other member states and the Italian competent authorities to ensure cross-border cooperation on the security of network and information systems.
- Until the government defines the organisation and functioning of the CSIRT, the national CERT and CERT-PA are to step up their respective activities and cooperate in order to carry out jointly the functions and role of the CSIRT.
The Italian legislative framework on cybersecurity is built on general provisions applicable to both the public and the private sector (eg, the Data Protection Code as amended by Legislative Decree No. 101/2018, which repealed its Annex B on minimum security measures for data processing), as well as on secondary legislation and soft law tools used at industry level (eg, banking, marketing, big data and insurance). These may be adopted or revised by the competent independent regulators (ie, AgCom for telecommunications, IVASS for insurance, the Bank of Italy for banking). Furthermore, Regulation (EU) 2016/679 (the General Data Protection Regulation (GDPR)) brought important innovations in the cybersecurity field for both private and public entities as of 25 May 2018.
Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?
According to recent reports, cybersecurity threats most often involve healthcare, banking, finance, telecommunications and critical infrastructures. This trend has intensified in recent years, with increasingly sophisticated cyberattacks against both individuals and legal entities.
As reported in the White Paper ‘The Future of Cybersecurity in Italy: Strategic Focus Areas’, published in May 2018 by the Cyber Security National Laboratory of the National Interuniversity Consortium for Informatics (CINI), the Bank of Italy estimated that between September 2015 and September 2016, 45 per cent of Italian companies were hit by some type of attack. The most exposed entities are large companies, exporters and operators in sectors with high technological intensity.
Has your jurisdiction adopted any international standards related to cybersecurity?
The Italian Standards and Certification Institute (UNI), which is the Italian member of the European Committee for Standardization (CEN) and the International Organization for Standardization (ISO), has adopted the relevant international standards related to cybersecurity, most notably ISO/IEC 27001:2013 (currently, UNI CEI EN ISO/IEC 27001:2017 in Italy) and ISO/IEC 27032:2012, which provides guidance for improving the state of cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains, and covering baseline security practices for stakeholders in cyberspace. Although not specifically related to cybersecurity, the GDPR also encourages the drawing up of codes of conduct (article 40 GDPR) and the establishment of data protection certification mechanisms (article 42 GDPR), which contribute to the proper application of the Regulation and allow controllers and processors to demonstrate that their processing operations comply with the GDPR. Further certifications and standards relevant to data and cybersecurity obligations may well be adopted or published: the Italian Data Protection Authority and the Italian government are currently working on mechanisms to facilitate this process in a consistent and uniform way for both the private and the public sector.
In addition to those measures, the Research Centre of Cyber Intelligence and Information Security of Sapienza University of Rome (CIS Sapienza), in collaboration with CINI, introduced the National Cyber Security Framework (the Framework) in Italy in 2016. The Framework, which is largely derived from the Framework for Improving Critical Infrastructure Cybersecurity adopted by the US National Institute of Standards and Technology (NIST), is not a security standard and is adopted on a voluntary basis, but it is particularly relevant in the Italian system because it proposes a list of essential cybersecurity controls that medium, small and micro enterprises can adopt and implement to reduce the number of vulnerabilities in their systems, increase the awareness of internal staff and withstand the most common attacks.
What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation’s protection of networks and data, and how may they be held responsible for inadequate cybersecurity?
Those responsible for ensuring cybersecurity compliance within private and public organisations must always implement measures adequate to the risk of the activities performed by the legal entity they operate for and of the information it processes (eg, cybersecurity obligations for legal entities processing health-related data or other special categories of personal data are generally stricter under Italian law). This general rule was shared by the letter of the Data Protection Code (ie, its former articles 31 et seq, now repealed), the provisions of the Criminal Code and those of Legislative Decree No. 231/2001.
From a data protection perspective, although the provisions on security measures have been repealed from the Italian Data Protection Code, the GDPR has introduced the principle of accountability (article 5(2) GDPR), under which the controller is responsible for, and must be able to demonstrate, compliance with data protection rules. Another relevant GDPR principle is that of integrity and confidentiality (article 5(1)(f) GDPR), under which personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Moreover, in accordance with the principles of data protection by design and by default (article 25 GDPR), the controller must implement appropriate technical and organisational measures designed to implement data protection principles in an effective manner and to integrate the necessary safeguards into the processing, in order to meet the requirements of the GDPR and protect the rights of data subjects.
As provided by article 32(4) GDPR, controllers and processors must take steps to ensure that any natural person acting under their authority who has access to personal data does not process them except on their instructions, unless required to do so by European Union or member state law.
Therefore, responsible personnel and directors who cannot demonstrate that they implemented adequate cybersecurity compliance may face criminal or civil liability, including the sanctions set forth under the GDPR for unlawful data processing. In addition, the organisation they work for may exercise a right of recourse against them where an independent authority (ie, the Italian Data Protection Authority or others) issues administrative sanctions against it.
How does your jurisdiction define cybersecurity and cybercrime?
There was no definition of cybersecurity or cybercrime in the Italian legal system, either in statute or in case law, until the Decree of the President of the Council of Ministers of 24 January 2013, replaced in 2017 by the Cybersecurity Decree. Such notions were widely construed by reference to the various laws, regulations, secondary legislation and soft law provisions issued over the years by the Italian legislature and by authorities such as the Italian Data Protection Authority. In any case, since Italy ratified the Budapest Convention on Cybercrime by means of Law No. 48/2008, the notions used in the Convention to identify conduct relevant to computer crimes have been widely considered to apply under Italian law.
After the adoption of the aforementioned decrees, the scenario changed. A definition of the security of network and information systems (ie, cybersecurity) was introduced: article 2, paragraph 1, letter i) of the Cybersecurity Decree states that cybersecurity is the condition in which cyberspace is protected, by means of the adoption of appropriate physical, logical and procedural security measures, against events, whether deliberate or accidental, consisting in the access to, transfer, modification or destruction of data, the illicit control of networks and information systems, or the damaging or blocking of their regular functioning and of their essential elements. Although the Decree does not define cybercrime, it also defines cyberthreat and cyber incident (ie, article 2, paragraph 2, letters l and m). With regard to the former, the legislator refers to conduct performed by individuals or groups with the aim of violating private or public cyberspace and damaging the security of networks and information systems.
Furthermore, the NIS Directive Italian Decree defines the ‘security of network and information systems’ in accordance with the definition given by the NIS Directive, as the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems.
In addition, with reference to data protection, article 32 GDPR provides that controllers and processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In assessing the appropriate level of security, account must be taken in particular of the risks presented by the processing, notably from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. This provision is significant because it treats cybersecurity as strictly interconnected with data privacy requirements and with the governance of data flows within private and public networks. Although the GDPR and the Data Protection Code apply only to personal data, their provisions reflect the importance of securing information assets of all kinds in proportion to their vulnerability and level of sensitivity. The data protection principles on the security of processing can therefore be regarded as a de facto cybersecurity standard.
As a final remark, with regard to information system security and cybercrime enforcement, the distinction between the two under Italian law is both technical and legal. The former refers to the IT requirements that must be implemented in accordance with the applicable cyber laws and regulations (eg, the provisions and principles of the GDPR); the latter is entrusted, case by case, to the competent regulatory, police and judicial authorities (ie, depending on whether civil, criminal or administrative liability arises).
What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats?
Italian data protection and cybersecurity laws commonly set different security requirements for different categories of data. The most relevant distinction to bear in mind is that between personal and non-personal information. In the first case, specific and more robust data and cyber protection must always be applied; in the second, requirements vary depending on the type or value of the information involved (eg, information related to intellectual property rights or to strategic infrastructures). Notwithstanding this, under article 14 of the NIS Directive Italian Decree, digital service providers must identify and take appropriate technical and organisational measures to manage the risks to the security of the network and information systems they use, as indicated in the Decree.
With reference to personal data, the GDPR does not indicate minimum security measures to be adopted by controllers or processors (in accordance with the accountability principle), but prescribes, under article 32 GDPR, that controllers and processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of those measures.
In assessing the appropriate level of security, the GDPR underlines that account must be taken in particular of the risks presented by the processing, notably from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Cybersecurity measures must therefore be ‘appropriate’ to the risks inherent in the processing; the responsibility for self-assessing and guaranteeing their effectiveness lies solely with controllers and processors, at their own peril.
To align national data protection provisions with the GDPR, Legislative Decree No. 101/2018 amended the Italian Data Protection Code by repealing the provisions incompatible with the Regulation, including Annex B to the Data Protection Code, which set out a series of specific (ie, minimum) data security measures aimed at protecting data and information assets on a general basis.
The GDPR has therefore produced a paradigm shift on security: from external regulation and control (as provided by the former Italian Data Protection Code) to a risk-based approach resting solely on accountability, balanced by the possibility of higher administrative fines.
Notwithstanding this lack of normative prescription on minimum security measures concerning cybersecurity, one should mention soft law tools aimed at reducing risks in both the private and public sector.
With reference to the private sector, in 2016 CIS Sapienza, in collaboration with CINI, adopted the National Cyber Security Framework, providing a list of essential cybersecurity controls that medium, small and micro enterprises can adopt and implement. The listed measures include, among others, the following:
- the data, personnel, devices, systems and facilities that enable the organisation to achieve its business purposes are identified, so that these resources can be managed according to their relative importance to business objectives and to the organisation’s risk strategy;
- services provided by third parties are minimised and limited to those strictly necessary;
- policies, procedures and processes are adopted to manage and monitor the organisation’s regulatory, legal, risk, environmental and operational requirements;
- employees are selected and appointed according to their respective roles in IT systems and risk management;
- the legal framework on cybersecurity applicable to the company is identified and constantly monitored to ensure that all relevant requirements are fulfilled;
- all devices and systems provided to employees have security and data protection tools and software that are updated constantly and automatically;
- each individual accesses only the information needed to perform his or her role in the company, on the basis of specific authorisations;
- basic staff training on cybersecurity risks is performed according to an established plan and schedule, with appropriate training techniques and tools (eg, e-learning, classroom training, tutorial material), in line with the specific characteristics of the organisation (eg, geographical distribution of staff, prevailing use of external suppliers);
- systems are securely configured by the IT staff responsible (where applicable) or by designated external companies;
- backup and restoration of data are performed and regularly tested using technology solutions that automate the main activities required (scheduling of backups, monitoring of results, etc);
- users use robust passwords, where possible enforced through configuration mechanisms and automatic controls, and update them regularly;
- perimeter protection of networks is achieved through appropriate hardware and software solutions; and
- the response to cybersecurity events is handled at least through the establishment of a company procedure, written in accordance with the applicable regulations and communicated to all involved parties (eg, employees, consultants, third parties).
With regard to the public sector, AgID Circular No. 2/2017 of 18 April 2017 contains the ‘Minimum ICT security measures for public administrations’. AgID has thereby identified the minimum ICT security measures (ie, technological, organisational and procedural controls) that public administrations must implement to counter the most frequent cyberthreats affecting the Italian public administration.
Scope and jurisdiction
Does your jurisdiction have any laws or regulations that specifically address cyberthreats to intellectual property?
As a general remark, cyberthreats to intellectual property and trade secrets are addressed by the provisions of both the Criminal Code and the Civil Code, as well as by Legislative Decree No. 30/2005 (the Industrial Property Code). These sources regulate and provide several means of protecting intellectual property in both the online and the offline environment. For example:
- key provisions of the Criminal Code (ie, articles 473, 474 and 517-ter) punish counterfeiting, the illicit use of trademarks and the sale of counterfeit goods in Italy, whether digital or physical in nature;
- article 623 of the Criminal Code punishes the disclosure of trade secrets or scientific inventions learned by reason of one’s profession;
- the Civil Code also contains general provisions on intellectual property rights that may extend to cyberspace (ie, articles 2569 to 2594), whose enforcement is governed by the Code of Civil Procedure; and
- finally, the Industrial Property Code provides for sanctions against intellectual property infringement in general (ie, articles 117 to 143) and more specific anti-piracy provisions, which often extend to cyberthreat prevention (ie, articles 144 to 146).
In addition, Legislative Decree No. 70/2003 (implementing Directive 2000/31/EC on electronic commerce) and AgCom’s Regulation on online intellectual property protection of 31 March 2014 introduced legal tools aimed at preventing cyberthreats to intellectual property by means of notice and takedown procedures and other judicial and non-judicial remedies.
Does your jurisdiction have any laws or regulations that specifically address cyberthreats to critical infrastructure or specific sectors?
The NIS Directive, implemented in the Italian legal system by means of the NIS Directive Italian Decree, sets the basis for the national cybersecurity strategy of the coming years. This act aligns Italian law with the most recent European legislative developments on cybersecurity. The Decree addresses cyberthreat prevention for a wide range of industries, critical infrastructures and providers of essential services operating in the economic, digital and public sectors. Its content is substantially aligned with that of the NIS Directive and reflects its principles and structure, with the aim of strengthening national cyber resilience and fostering public-private partnerships to that end.
Does your jurisdiction have any cybersecurity laws or regulations that specifically restrict sharing of cyberthreat information?
No particular law or regulation under Italian legislation restricts the sharing of information concerning cyberthreats. However, while cybercrime is always punishable under the current legal regime (eg, articles 615-quater and 615-quinquies of the Criminal Code), actively pursuing attackers, for instance by dissecting and repurposing their attack tools in order to trace or strike back at them, may itself lead to sanctions. In such cases (although paradoxically), the victim reacting to a cyberthreat risks committing the crime of unauthorised access to a computer system (ie, article 615-ter of the Criminal Code) as soon as it accesses systems it is not authorised to access, and may therefore be punished alongside the perpetrators.
In addition, information-sharing practices call for particular caution, especially with regard to possible data privacy claims or civil proceedings concerning the protection of private communications (ie, a fundamental right under article 15 of the Italian Constitution). Authorities can request privileged access to such information for investigation purposes. In such cases, the rules on the processing of personal data for police or judicial purposes may apply, with the relevant limitations (eg, those set forth under the Italian Code of Criminal Procedure and in other sources).
Without prejudice to the GDPR, exceptions to such limitations introduced for the purpose of facing cyberthreats can be found in the decisions of the Italian Data Protection Authority. For example, access to private communications is governed by the Italian Data Protection Authority’s Guidelines of 1 March 2007 on the use of email and the internet in the employment context. This source provides that data controllers may access employees’ electronic communications only where there is a risk of serious and concrete violations or breaches of their information assets (thus including possible cyberthreats), and only where:
- the employee concerned has given explicit consent to the access;
- an external counsel (usually a lawyer) has been appointed to carry out defensive investigations (including preventive ones) on behalf of the data controller; and
- the search is limited to the specific objects or items the employer is looking for (ie, searches by specific keywords or hashtags to discover a competitor’s name or alias, external senders and unauthorised email exchanges).
Metadata are subject to access requirements similar to the above. In particular, the Italian Data Protection Authority’s Guidelines provide that they may be accessed by the data controller only in light of the principle of gradualness of security and defensive controls (eg, ranging from a general warning to all employees to singling out the individual infringer).
What are the principal cyberactivities that are criminalised by the law of your jurisdiction?
Cybercrimes that are relevant to organisations can be tracked in two particular pieces of legislation: Legislative Decree No. 231/2001 on corporate criminal liability; and the Data Protection Code. The former includes specific provisions on cyber and computer crimes performed by organisations their representatives, or subject under the authority of the latter, as well as the relevant sanctions regime (article 24-bis). In particular, the general principle applicable to organisations for crimes and cybercrimes they have committed, directly or indirectly, is that criminal liability is always personal (ie, held by employees, directors or managers), whereas corporate liability has an administrative character impacting the organisation as a whole by means of fines or sanctions, and shall be recognised only if the entity’s personnel have committed the crime in the interest or for the advantage of the company. The following are some examples of the most frequent cybercrimes disciplined by the Italian Criminal Code:
- unlawful access to an information system (article 615-ter);
- detention and dissemination of access codes to computer or telematics systems (article 615-quater);
- dissemination of equipment, devices or computer programs aimed at damaging or interrupting an IT or telematic system (article 615-quinquies);
- unlawful interception of computer or telematic communications (article 617-quater); and
- damage to information, data and computer programs, and to IT or telematic systems (articles 635-bis to 635-quinquies).
With regard to the Data Protection Code, aside from the applicability of the same general principle above, the conduct subject to sanctions has recently been updated by Legislative Decree No. 101/2018. Consequently, the Data Protection Code provides criminal sanctions in cases of:
- unlawful processing of personal data (article 167);
- illicit communication and dissemination of personal data processed on a large scale (article 167-bis);
- fraudulent acquisition of personal data being processed on a large scale (article 167-ter);
- falsity in declarations to the Data Protection Authority and interruption of the execution of the tasks or exercise of the powers of the Data Protection Authority (article 168); and
- failure to comply with the provisions of the Data Protection Authority (article 170).
As a consequence of the repeal of Annex B to the Data Protection Code on minimum security measures and the introduction of the accountability principle under the GDPR, the provision of the Data Protection Code that criminalised failure to adopt the mandatory minimum security measures (former article 169) has been repealed.
Finally, article 20 of the NIS Directive Italian Decree provides administrative fines for operators of essential services acting in violation of the provisions of the Decree.
How has your jurisdiction addressed information security challenges associated with cloud computing?
The NIS Directive Italian Decree defines cloud computing, in accordance with the NIS Directive, as a digital service that enables access to a scalable and elastic pool of shareable computing resources. The Italian Ministries listed in article 7 of the NIS Directive Italian Decree shall implement and supervise the application of the relevant provisions of the Decree, including with specific reference to cloud computing. As regards soft-law guidelines on cloud computing, the framework adopted by CIS Sapienza and CINI for the private sector, as well as AgID Circular No. 2/2017 for the public sector, refer directly to cloud systems, underlining the need for backup activities in those infrastructures too, for cybersecurity reasons.
Apart from those references, as at the time of writing, no particular act, secondary legislation, guideline, decree, general order or other provision has been issued by the competent institutions with specific regard to cybersecurity in cloud computing. However, that does not mean that the issue does not find indirect recognition in other complementary sources, such as data protection, criminal, consumer and civil law statutes, whose obligations remain applicable to cloud computing. Further, the provisions of the Cybersecurity Decree can be included among such sources. As a general remark, businesses and public administrations usually take extra care in assessing the risks resulting from a shift of their activities to cloud-based services, irrespective of the categories of data they process or the sector in which they operate.
In any case, there are some issues relevant to cloud-based services to which particular attention should be given, both from a regulatory and a cybersecurity point of view. In particular, these are:
- the allocation of responsibilities and the contractual obligations with cloud providers;
- data and information security compliance, with specific regard to special categories of personal data;
- who should be responsible for the implementation of specific cybersecurity defences; and
- transfers outside the European Economic Area and the governance of international data flows.
How do your jurisdiction’s cybersecurity laws affect foreign organisations doing business in your jurisdiction? Are the regulatory obligations the same for foreign organisations?
Obligations applicable to foreign organisations are the same as those applicable to domestic ones; in particular, this has also been clarified by the scope of the NIS Directive, which applies to all operators providing essential or digital services (ie, thus including online search engines, cloud computing and online marketplaces) within the European Union, irrespective of their country of establishment. To this extent, the NIS Directive Italian Decree fully aligned the applicable Italian provisions on cybersecurity with this extraterritorial scope of application.
Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?
As of today, business and private sector operators may refer to industry best practices. Public administrations, however, usually rely on the national CERTs’ indications (ie, with particular reference to those coming from CERT-PA), the Italian Digital Agency’s (AgID) sector-specific guidelines or other similar soft-law tools aimed at reducing risks for computers and networks, in compliance with the applicable statutes on cybersecurity. Note that the NIS Directive Italian Decree has established the Italian CSIRT to replace the national CERT and CERT-PA; its functions and organisation will be described by a forthcoming government decree.
In spite of this, it can be said that the Italian legal system does not provide for any particular additional cybersecurity protection that goes beyond what is mandatorily prescribed by the laws and regulations in force.
How does the government incentivise organisations to improve their cybersecurity?
For the operating expenses of the Italian CSIRT, the NIS Directive Italian Decree has authorised expenditure of €2.7 million for 2018, of which €2 million for investment expenses, and €700,000 annually from 2019.
The Cybersecurity Decree only contains generic provisions on incentivising and funding cybersecurity in the private and the public sector, including by means of public-private partnerships. Current spending on cybersecurity is quite likely to remain unchanged unless more specific provisions are adopted by the government in the future or in light of possible European initiatives (eg, statutes on defence spending, research and development funding).
Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?
Industry codes of practice and standards may vary greatly from sector to sector; however, as at the time of writing, none has been updated to meet the evolving legal scenario. Notwithstanding this, it is likely that the forthcoming government decree on the functions and organisation of the Italian CSIRT will have a significant impact on current and future industry standards promoting cybersecurity and cyber resilience at a national level.
Are there generally recommended best practices and procedures for responding to breaches?
Post-breach response strategies may vary greatly. They may depend on the degree of cybersecurity awareness of legal entities in both the public and the private sector. As a general remark, the intervention of third-party forensic firms is not uncommon, although often solely within the framework of defensive and preventive investigations.
In all cases involving personal data, apart from the general rules set forth under articles 33 and 34 GDPR (the first providing for the notification of the data breach to the national supervisory authority, the second for the communication of the breach to the data subjects where the breach is likely to result in a high risk to the rights and freedoms of natural persons), the Italian Data Protection Authority’s jurisprudence (with particular regard to its Guidelines on the use of emails and the internet in the employment context) also provides some useful indications on notice to employees and the adoption of ad hoc internal policies on data security and cyber resilience. In the case of breaches or cyber incidents, evidence of the adoption and implementation of such policies may be relevant from a burden of proof perspective (ie, from a civil, criminal or administrative standpoint).
Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?
Article 18 of the NIS Directive Italian Decree provides that entities that have not been identified as operators of essential services and are not digital service providers may notify, on a voluntary basis, incidents having a significant impact on the continuity of the services they provide (mirroring article 20 of the NIS Directive). Furthermore, the Cybersecurity Decree of 17 February 2017 provides for mandatory mechanisms of constant update and communication between private operators, CSIRTs, CERTs, the intelligence services and the government (ie, article 11).
Such mechanisms do not specify the practices or the procedures for communicating cyber incidents or cyberthreats, although the decree states that this can also happen through the competent ministerial institutions (ie, through the offices of the Ministry of Defence and the Ministry of Economic Development). In addition, a failure to communicate may also lead to sanctions of an administrative, civil or criminal nature.
How do the government and private sector cooperate to develop cybersecurity standards and procedures?
The NIS Directive Italian Decree has appointed the DIS as the ‘single point of contact’ under article 8 of the NIS Directive, which acts as the liaison between the authorities of the other member states and the Italian competent authorities (ie, the ministries listed in article 7 of the NIS Directive Italian Decree) to ensure cross-border cooperation on the security of network and information systems. The NIS Directive Italian Decree has also established the Italian CSIRT to replace the national CERT and CERT-PA; its functions and organisation will be described by a forthcoming government decree.
While waiting for the government to define the organisation and functioning of the CSIRT, the national CERT and CERT-PA shall enhance their respective activities and cooperate to carry out jointly the functions and role of the CSIRT.
The national CERT, operating on the basis of a public-private cooperative model and supporting citizens and businesses through awareness-raising, prevention and the coordination of responses to large-scale cyber events, has provided a significant example of how government and the private sector can cooperate in the field of cybersecurity, especially with respect to the cyber resilience of critical infrastructure and essential services. However, there is no prescribed way in which public-private partnerships or collaborations are meant to be developed.
To this extent, the Cybersecurity Decree of 17 February 2017 has also improved such collaboration by strengthening the link between the CSIRTs, the government and the internal intelligence agencies in the management of cyber incidents and the drafting of best practices and procedures, also applicable to the private sector.
Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?
Cyber insurance is a fast-growing sector in Italy and is offered by all the major insurers operating at a national level. Despite wide availability and choice, such products are far from common among all kinds of operators in both the public and the private sector. Existing cyber risk policies usually cover first-party losses and third-party liability arising from negligence, accidents or faults. Their cost varies depending on the extent of the coverage and the kind of informational, data or ICT assets to which they are linked.
Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?
The competent NIS authorities (ie, the Ministries listed in article 7 of the NIS Directive Italian Decree) are responsible for the implementation of the NIS Directive Italian Decree with regard to the sectors referred to in Annex II and the services listed in Annex III of the Decree, and supervise the application of the Decree at national level, also exercising the related powers of investigation and imposing administrative sanctions. Therefore, the monitoring of compliance with information security standards from a regulatory point of view is allocated to several public bodies operating in different fields and networking together to increase cyber resilience and data security at national level.
The authorities competent for prosecuting the relevant cybercrimes are instead judicial and police bodies, such as the above-mentioned Postal Police or the competent territorial criminal and civil courts. Their enforcement, decision-making and investigative powers can either be sought upon request or activated ex officio (eg, in the case of serious cyberattacks, data breaches or large-scale frauds against individuals or legal entities).
From a data protection perspective, the Italian Data Protection Authority enforces the provisions of the GDPR and the Data Protection Code and imposes the relevant sanctions.
Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute infringements.
The Italian Data Protection Authority has broad powers to request information or demand the disclosure of specific documents relevant to possible cybersecurity incidents. Such powers also extend to monitoring compliance, conducting investigations and prosecuting infringements. Aside from the Italian Data Protection Authority’s regulatory enforcement action, other institutions may also be competent in cases of possible cybersecurity incidents. In particular, judicial, intelligence and police authorities can investigate the link between such incidents and the commission of computer crimes and cyberattacks, or commence proceedings and adopt countermeasures, as the case may be.
What are the most common enforcement issues and how have regulators and the private sector addressed them?
The most common enforcement issues concerning both regulators and the private sector may vary greatly. In particular, they may depend on a wide range of factors, such as:
- the type of cyber defences adopted;
- the categories and the amount of data being processed (either personal or non-personal);
- the likelihood of possible cyberattacks and the measures in place to prevent them;
- the adoption of disaster recovery tools and software; and
- technological evolution in general.
From a regulatory point of view, the Italian Data Protection Authority dedicates significant attention to cybersecurity issues in its annual report, which provides important insights into the Authority’s past and future activity in different sectors and features specific notes and chapters on data security, cybersecurity and enforcement. The 2017 Annual Report, the most recent one, refers to the 39th International Conference of Data Protection and Privacy Commissioners, held in Hong Kong on 25-29 September 2017: during the conference, which was attended by a representative of the Italian Data Protection Authority, crucial issues linked to the hyper-connected world, such as artificial intelligence and cybersecurity, were addressed. In the 2016 Annual Report, the Authority presented the healthcare sector as a major concern. In particular, in that report the Authority underlined the extent of non-compliant data processing practices carried out in both the public and the private sector because of a general lack of adequate IT, storage, encryption and delivery procedures. The Italian Data Protection Authority also shed light on excessive retention periods and the failure to adopt appropriately calibrated minimum security measures for health-related data (ie, including cyber defences and disaster recovery procedures), even after the global outbreak of the WannaCry ransomware.
The private sector has also been reacting to cybersecurity issues in various ways, for example by adopting industry best practices, codes of conduct or ad hoc information security certifications (eg, ISO/IEC 27001 and the like). This approach is quite common in ‘cyber-sensitive’ sectors such as healthcare, banking, insurance, energy, telecommunications and digital services. However, it is also spreading fast in other industries, from retail to professional services, and from transport to entertainment.
In the aforementioned sectors, operators have generally complied with regulatory enforcement. Banking and healthcare face the most challenging scenarios, because the combination of new technologies and fast-growing business opportunities (eg, blockchain, mobile payments, the internet of things, personalised medicine, artificial intelligence applied to finance and investments, and so on) poses unprecedented cyber risks to their traditional cyber defences.
What penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?
Penalties generally take the form of administrative fines and may vary depending on the type of breach that occurred. Article 20 of the NIS Directive Italian Decree provides administrative fines for operators of essential services acting in violation of the provisions of the decree.
Fines can be lighter in the case of cyber incidents resulting in a breach of non-personal data. By contrast, penalties for failure to comply with cybersecurity requirements involving personal data may be more severe. In these latter cases, the Italian Data Protection Authority would be the competent authority in charge of issuing administrative fines in accordance with the GDPR (article 83) and the Data Protection Code. Such fines may also target entities operating in specific industries of the public or the private sector (eg, electronic communications services). In addition to the above, cybersecurity failures can also give rise to judicial compensation for non-contractual liability; however, punitive damages neither exist under Italian law nor are allowed by the jurisprudence of the Italian Court of Cassation.
As a final remark, criminal penalties may also arise in the case of serious cybersecurity failures amounting to criminal offences, such as unlawful access to information systems or similar events. In these cases, although the principle of personal criminal liability would still apply, the legal entity in whose interest or to whose advantage the crime was committed may also be subject to sanctions, mainly of an administrative nature (such as fines or confiscation of assets), pursuant to Legislative Decree No. 231/2001.
What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?
Once again, the severity of the penalties may vary depending on the seriousness of the failure, as well as on the extent of the threats or breaches involved. Furthermore, they may be of a civil, administrative or criminal nature and may be applied jointly.
How can parties seek private redress for unauthorised cyberactivity or failure to adequately protect systems and data?
Businesses, individuals or interested third parties may seek redress for unauthorised cyberactivity or failure to adequately protect their IT systems or data against either legal or natural persons, by reporting to the competent administrative authorities or by starting proceedings in court. Both remedies can be pursued at the same time without particular exceptions. Additionally, compensation may be sought before the civil courts once concrete proof of damage has been provided by the party claiming to have been harmed.
Threat detection and reporting
Policies and procedures
What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?
Under article 14 of the NIS Directive Italian Decree, digital service providers shall identify and take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems they use.
To protect personal data, controllers and processors shall instead comply with EU law, in particular with the provisions of article 32 GDPR, in accordance with the principles of privacy by design, privacy by default and accountability.
Describe any rules requiring organisations to keep records of cyberthreats or attacks.
Where cyberthreats or attacks involve personal data, a personal data breach also occurs: therefore, articles 33 and 34 GDPR apply, the first providing for the notification of the data breach to the national supervisory authority, the second for the communication of the breach to the data subjects where the breach is likely to result in a high risk to the rights and freedoms of natural persons.
In accordance with the accountability principle, article 33(5) GDPR also provides that the controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken, so as to enable the supervisory authority to verify compliance with that article.
Digital service providers must also adopt, irrespective of whether personal data are processed, the security measures set forth under article 14 of the NIS Directive Italian Decree, and must document their compliance as set forth under articles 13(2) and 15(2) of the Decree, which might also include a record of the cyberthreats or attacks that occurred.
Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.
The Cybersecurity Decree of 17 February 2017 introduced stronger reporting and information-sharing obligations for the private and the public sector, with particular regard to operators of critical infrastructure and providers of essential services.
Furthermore, the NIS Directive Italian Decree of 18 May 2018 changed the scenario by establishing the Italian CSIRT, which takes over the functions of the national CERT and CERT-PA. Article 12 of the Decree provides that operators of essential services shall notify the Italian CSIRT and, for information, the competent NIS authority, without undue delay, of incidents having a significant impact on the continuity of the essential services they provide.
Notwithstanding the above, while waiting for the government to define the organisation and functioning of the CSIRT, its functions shall be carried out by the national CERT together with CERT-PA, in collaboration with each other.
These obligations entail a duty to communicate cyberthreats or incidents to the competent authorities, ranging from intelligence to government officials, by means of protected channels and without undue delay (the decree does not specify a time frame; this issue may be addressed by future best practices published by the CSIRT or other competent institutions). In addition, private operators should also give regulatory authorities access to their security operations centres and archives where necessary to face cyberthreats or improve cyber resilience. This may also occur under the provisions of Law No. 124/2007 on the ‘Information system for the security of the Republic and new regulation of secrecy’. Finally, the obligations above do not exclude the duty of public and private operators to also report possible breaches to the competent police, judicial and administrative authorities (ie, the Italian Data Protection Authority), as the case may be.
What is the timeline for reporting to the authorities?
As previously mentioned, apart from cases governed by the GDPR, under which personal data breaches must be notified to the Italian Data Protection Authority within a set time (ie, where feasible, within 72 hours of the controller becoming aware of the breach), there is no such timeline in the Cybersecurity Decree, the NIS Directive Italian Decree or other relevant sources.
This may well be addressed in the future by guidelines and best practices adopted and implemented at a national level by the Italian CSIRT and other competent authorities.
Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.
Pursuant to article 12 of the NIS Directive Italian Decree, the competent NIS authority, in agreement with the Italian CSIRT and after consulting the operator of essential services that notified the incident, may inform the public about individual incidents where public awareness is needed to prevent an incident or to handle an ongoing one. Other than this provision and the GDPR obligations to communicate personal data breaches to the data subjects and to notify them to the national supervisory authority (ie, the Italian Data Protection Authority), there are no particular rules requiring threats or cybersecurity breaches to be reported to other members of the same sector.
However, such a requirement may be included in industry codes of conduct, operational guidelines or best practices. It is not uncommon for companies to draft their own data breach and cybersecurity policies and attach them to commercial agreements, so as to make them binding and prevent future negative scenarios by allocating liabilities before performance of the contract begins. This may well reduce the risk of IT incidents and oblige outsourcers to comply with non-negotiable cybersecurity standards and clauses. In addition, where outsourcers act as data processors, such non-negotiable clauses should be reflected in the relevant data processing agreement, in accordance with article 28 GDPR. Moreover, in such cases, specific duties to cooperate with the data controller also fall on the data processor with regard to data breach notifications.