On August 5, 2021, Law no. 109/2021 containing urgent provisions on cybersecurity (hereinafter, the “Cybersecurity Law”) went into effect. The Cybersecurity Law, which converts Law Decree no. 82/2021 into law, outlines the institutional architecture on cybersecurity and is the final piece in a multi-part statutory and regulatory framework for IT system security.
Firstly, the Cybersecurity Law gives the President of the Council of Ministers the last word on and ultimate responsibility for cybersecurity policies. As such, the President of the Council of Ministers is responsible for adopting a national strategy for cybersecurity and has the power to issue relevant guidelines.
The President of the Council of Ministers is supported by the Inter-Ministerial Committee on Cybersecurity, which advises, proposes, and oversees cybersecurity policies.
Secondly, the Cybersecurity Law establishes the National Cybersecurity Agency (Agenzia per la cybersicurezza nazionale).
The National Cybersecurity Agency is legally formed under public law and has regulatory, administrative, asset, organizational, accounting, and financial autonomy. The National Cybersecurity Agency will function as the sole national contact point for public and private entities regarding security measures and inspection activities related to the security of networks, information systems, and electronic communication networks. Among other things, the National Cybersecurity Agency dictates the national cybersecurity strategy, is the national cybersecurity certification authority pursuant to article 58 Regulation (EU) 2019/881, and is responsible for the qualification of cloud services for public administration.
More generally, the National Cybersecurity Agency is vested with all cybersecurity-related powers previously attributed to the Ministry of Economic Development, the Presidency of the Council of Ministers, the Department of Information Security, and the Italian Digital Agency.
In addition, the National Cybersecurity Agency promotes development of the national ability to prevent, monitor, and mitigate cyber incidents and attacks, with the aim of enhancing the security of the ITC systems of the entities included within the national cyber security perimeter (meaning entities running, through networks, information systems and IT services, essential functions of the state, or essential services for the maintenance of strategic civil, social, or economic activities).
The National Cybersecurity Agency is also designated as the national coordinating center. Consequently, it will interact with the European Competence Center for Cybersecurity, established with Regulation (EU) 2021/887 with the aim of strengthening and guaranteeing the security of digital infrastructure, networks, and information systems in crucial sectors.
The Cybersecurity Law creates the Department for Cybersecurity (Nucleo per la cybersicurezza) within the National Cybersecurity Agency. The department is designed to support the President of the Council of Ministers in crisis prevention and the activation of alert procedures. Among other things, the Department for Cybersecurity will receive notifications of breaches of network security and will coordinate the public administrations involved at a higher level.
Establishment of the National Cybersecurity Agency, following implementation at the local level of the NIS Directive[1] and legislation on the National Cyber Security Perimeter,[2] completes the national cyber-resilience strategy and marks another step on the path toward strengthening national cybersecurity architecture.
[1] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the European Union.
[2] The National Cyber Security Perimeter was created by Law Decree no. 105/2019 (as converted into law by Law no. 133/2019) and the relevant implementing decrees, including Decrees of the President of Council of Ministers no. 131/2020 and no. 81/2021, Decree of the President of Council of Ministers of June 15, 2021, and Decree of the President of the Republic no. 54/2021.
