Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

As per article 14 of the NIS Directive Italian Decree, digital service providers shall identify and take appropriate technical and organisational measures to manage the risks related to network security and the information systems they use.

To protect personal data, instead, controllers and processors shall comply with EU regulation, in particular with the provisions set forth under article 32 of the GDPR and in accordance with the principles of privacy by design, by default and accountability.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

In cases in which cyberthreats or attacks involve personal data, data breaches also occur. In such cases, in accordance with the accountability principle, article 33.5 of the GDPR provides that the controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken, to allow the supervisory authority to verify compliance with said disposition.

Digital services suppliers also have to adopt – notwithstanding the processing of personal data – the security measures set forth under article 14 of the NIS Directive Italian Decree, and must document their compliance with this disposition as set forth under article 13.2 and 15.2 of the Decree, which might also include a record of the cyberthreats or attacks occurred.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

The Cybersecurity Decree of 17 February 2017 introduced stronger reporting and information-sharing obligations for the private and the public sectors, with particular regard to operators of critical infrastructures and providers of essential services.

Furthermore, the NIS Directive Italian Decree of 18 May 2018 has innovated the scenario, having established the Italian CSIRT with the functions of the national CERT and CERT-PA. Article 12 of the Decree provided that essential services providers shall notify to the Italian CSIRT and, for information, the competent NIS authority, without unjustified delay, of incidents that have a significant impact on the continuity of the essential services provided by them.

These obligations foresee the duty to communicate cyberthreats or incidents to competent regulatory authorities, ranging from intelligence to government officials, by means of protected channels and without undue delay (the relevant time frame is not mentioned by the decree; however, this issue may be addressed by future best practices published by CSIRTs or other competent institutions). In addition to this, private operators should also allow access to their security operations centres and archives to regulatory authorities where it is necessary for facing cyberthreats or improving cyber resilience. This may also happen with regard to the provisions of Law No. 124/2007 on ‘Information system for the security of the Republic and new regulation of secrecy’. Finally, the obligations above do not exclude the duty of public and private operators to also report possible breaches to competent police, judicial and administrative authorities (ie, the Italian Data Protection Authority), as the case may be.

Time frames

What is the timeline for reporting to the authorities?

Apart from cases governed by the provisions of the EU Regulation on data protection under which possible data breaches must be reported to the Italian Data Protection Authority within a certain time (ie, within 72 hours of becoming aware of the breach), there is no such timeline in the Cybersecurity Decree, the NIS Directive Italian Decree or other relevant sources.

This may be subject to future modifications and amendments by means of guidelines and best practices that will be adopted and implemented at a national level by the Italian CSIRT and other competent authorities.

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

Pursuant to article 12 of the NIS Directive Italian Decree, the competent NIS Authority, in accordance with the Italian CSIRT, may, after consultation with the essential services provider notifying the breach, inform the public about single incidents if awareness is needed to avoid an accident or to handle an ongoing accident. Other than this provision and the obligations of reporting breaches prescribed by the GDPR on personal data breach notifications to the general public and the National Authority (ie, the Italian Data Protection Authority), there are no particular rules regarding an obligation to report threats or cybersecurity breaches to other members of the same sector.

However, this requirement may be included in industry codes of conduct, operational guidelines or best practices. It is not uncommon for companies to draft their own data breach and cybersecurity policies and attach them to commercial agreements, to make them binding sources and prevent future negative scenarios by attributing liabilities prior to the start of performing the obligations of a contract. This may well reduce the risk of IT incidents and force outsourcers to comply with non-negotiable cybersecurity standards and clauses. In addition to this, should outsourcers operate as data processors, such non-negotiable clauses should be reflected in the relevant data processing agreement, in accordance with article 28 of the GDPR. Moreover, in such cases, specific duties of cooperation with the data controller also fall on the data processor with regard to data breach notifications.

Law Stated Date

Correct On

Give the date on which the information above is accurate.

December 5th, 2019