Threat detection and reporting
Policies and procedures
What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?
Under article 14 of the NIS Directive Italian Decree, digital service providers shall identify and take appropriate technical and organisational measures to manage the risks to the security of the networks and information systems they use.
Where personal data is concerned, controllers and processors shall instead comply with the EU regulation, in particular with the security requirements of article 32 GDPR, and act in accordance with the principles of privacy by design, privacy by default and accountability.
Describe any rules requiring organisations to keep records of cyberthreats or attacks.
Where cyberthreats or attacks involve personal data, a personal data breach also occurs; articles 33 and 34 GDPR therefore apply. Article 33 sets out the procedure for notifying the breach to the national supervisory authority, while article 34 governs communication of the breach to the data subject where the breach is likely to result in a high risk to the rights and freedoms of natural persons.
In accordance with the accountability principle, article 33.5 also provides that the controller shall document any personal data breach, including the facts relating to the breach, its effects and the remedial action taken, so that the supervisory authority can verify compliance with that provision.
Digital service providers must also adopt, irrespective of whether they process personal data, the security measures set forth under article 14 of the NIS Directive Italian Decree, and must document their compliance with that provision as set forth under articles 13.2 and 15.2 of the Decree; such documentation might also include a record of the cyberthreats or attacks that have occurred.
Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.
The Cybersecurity Decree of 17 February 2017 introduced stronger reporting and information-sharing obligations for the private and the public sector, with particular regard to operators of critical infrastructures and providers of essential services.
Furthermore, the NIS Directive Italian Decree of 18 May 2018 has changed the landscape by establishing the Italian CSIRT, which takes on the functions of the national CERT and CERT-PA. Article 12 of the Decree provides that essential services providers shall notify the Italian CSIRT and, for information, the competent NIS authority, without undue delay, of incidents having a significant impact on the continuity of the essential services they provide.
Notwithstanding the above, until the government defines the organisation and functioning of the CSIRT, its functions shall be carried out by the national CERT and CERT-PA in collaboration with each other.
These obligations establish a duty to communicate cyberthreats or incidents to the competent regulatory authorities, ranging from intelligence bodies to government officials, by means of protected channels and without undue delay (the decree does not specify a time frame; this issue may be addressed by future best practices published by CSIRTs or other competent institutions). In addition, private operators should also allow regulatory authorities access to their security operations centres and archives where necessary to address cyberthreats or improve cyber resilience. This may also occur under the provisions of Law No. 124/2007 on 'Information system for the security of the Republic and new regulation of secrecy'. Finally, the obligations above do not exclude the duty of public and private operators to also report possible breaches to the competent police, judicial and administrative authorities (ie, the Italian Data Protection Authority), as the case may be.
Timeframes
What is the timeline for reporting to the authorities?
As previously mentioned, apart from cases governed by the provisions of the EU Regulation on data protection under which possible data breaches must be reported to the Italian Data Protection Authority within a certain time (ie, 72 hours after having become aware of the breach), there is no such timeline in the Cybersecurity Decree, NIS Directive Italian Decree or other relevant sources.
This may well be addressed in future through guidelines and best practices adopted and implemented at national level by the Italian CSIRT and other competent authorities.
Reporting
Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.
Pursuant to article 12 of the NIS Directive Italian Decree, the competent NIS authority, in agreement with the Italian CSIRT and after consulting the essential services provider that notified the breach, may inform the public about individual incidents where public awareness is needed to prevent an incident or to handle an ongoing incident. Apart from this provision and the GDPR obligations to notify personal data breaches to the data subjects and to the national authority (ie, the Italian Data Protection Authority), there are no specific rules imposing an obligation to report threats or cybersecurity breaches to other members of the same sector.
However, such a requirement may be included in industry codes of conduct, operational guidelines or best practices. It is not uncommon for companies to draft their own data breach and cybersecurity policies and attach them to commercial agreements, making them binding and allocating liability before performance of the contract begins. This may well reduce the risk of IT incidents and require outsourcers to comply with non-negotiable cybersecurity standards and clauses. In addition, where outsourcers act as data processors, such non-negotiable clauses should be reflected in the relevant data processing agreement, in accordance with article 28 GDPR. Moreover, in such cases, specific duties of cooperation with the data controller regarding data breach notifications also fall on the data processor.