Following the transposition of the NIS Directive (Legislative Decree no. 65 of May 18th, 2018), the Italian Government has recently taken a further step towards the implementation of a comprehensive national cyber-security framework through the adoption of the Law Decree n.105 of September 21st, 2019 (the “Decree”).
The Decree has brought along significant innovations in relation to the creation of a perimeter of national cyber security that will have a great impact on public administrations and both public and private national operators (collectively, the “Operators”) that:
(i) exercise an essential function of the State, or ensure the provision of an essential service for the maintenance of social, civil and economic activities that are fundamental for the interest of the State, and
(ii) provide such functions or services through information systems and information services whose malfunctioning, interruption or improper use could affect the national security (“Critical Systems”).
Although specific regulations and procedures for the functioning of the perimeter of national cyber security are to be issued in the coming months, the Decree already identifies a series of requirements and notification duties that Operators are bound to comply with. Such requirements include the obligation to: (i) notify to the Presidency of the Council of Ministers and to the Minister of Economic Development, and subsequently update, a list of Critical Systems used by the Operator; (ii) notify any incident having an impact on such Critical Systems to the Italian CSIRT (Section 9 NIS Directive) according to specific procedures; and (iii) comply with specific measures aimed at guaranteeing high standard of security of the Critical Systems.
In addition to the above, the Decree affects also suppliers of goods, ICT systems and services to be used on Critical Systems by stating that Operators which are planning to purchase such goods and services must notify the National Office for Assessment and Certification (Centro di valutazione e certificazione nazionale – CVCN), newly introduced by the Decree, for detailed evaluation on security implications1. Furthermore, the new legislation introduces a duty of collaboration of said suppliers with the CVCN, which may impose them specific conditions and request hardware and software testing on the ground of a risk assessment at their own costs; in such a case, the relevant contracts with the suppliers shall include a condition precedent or a termination clause connected to the outcome of the assessment carried out by the CVCN.
Failure to comply with the abovementioned requirements or to provide full cooperation with the public authorities may trigger administrative fines between 250.000,00 – 1.800.000,00 Euro for each breach, as well as criminal liabilities sanctioned with imprisonment from one to five year and fines up to 64.000,00€.
The Decree contains also provisions related to the exercise of the golden power in the context of 5G technology. Specifically, the Decree provides for that when a golden power notification is filed, the assessment of possible vulnerability factors which could compromise the integrity and security of 5G networks and data transmitted through them, is carried out by the CVCN through a preliminary investigation, which becomes part of the golden power procedure. The CVCN assessment may also affect the decisions taken by the Italian government before the entry into force of the Decree.
Article 4 of the Decree, subject to the issuing of an implementing regulation, extends the scope of application of the golden power regulation so to include also enterprises operating in the areas listed in Article 4(1) of the EU Regulation no. 2019/452 on foreign direct investment screening. Provisionally, notwithstanding the absence of implementing measures, the golden power regime, including the notification duties, applies immediately for the sectors listed in letters a) and b) of said Regulation (i.e. critical infrastructures and technologies, robotics, artificial intelligence, aerospace, defence, dual-use products, etc.).
Lastly, in case of a serious and imminent risk for national security or in cyber-crisis events, the Decree gives an immediate authority to the President of the Council of Ministers to partially or wholly de-activate, on a temporary basis, one or more equipment or product that are employed in networks or IT systems that are functional to the provision of the services delivered by the Operators.
Due to the legal features of the Law Decree under the Italian legal system, it remains in force for sixty days from the date of publication on the Official Journal (September 21st, 2019) and may be subject to modifications upon conversion into State Law.