Cyber-security: Decree published in the Official Gazette

Decree-Law no.  82/2021 (the “Decree“) was published in the Official Gazette on 14 June, containing “urgent provisions on cyber-security – definition of the national cyber-security architecture and establishment of the National Cyber-security Agency” .

The term “Cyber-security” means “activities necessary to protect networks, information systems, computer services and electronic communications from cyber threats, ensuring their availability, confidentiality, integrity and resilience” (Art. 1, paragraph 1, letter a).

The Interministerial Committee on cyber-security

The Decree, which consists of 19 articles, institutionalises the “Interministerial Committee for cyber-security” (“CIC“). CIC performs advisory, proposal and supervisory functions in the field of cyber-security policies, including the protection of national security in cyberspace. In addition, CIC has the following tasks:

• advising the Prime Minister on general national cyber-security policies guidelines;
• supervising national cyber-security strategy;
• promoting the adoption of the necessary initiatives to (i) foster effective national and international cooperation, between institutional and private stakeholders in cyber-security, sharing information and (ii) adopting best practices and measures aimed at cyber-security and industrial, technological and scientific development in the cyber-security field;
• providing an opinion on the national cyber-security Agency’s budget and balance sheet.

National Cyber Security Agency

Among the Decree’s main features is the establishment of the “National Cyber-security Agency” (“NCA” or “Agency“). The Decree specifies its functions by clarifying its composition and organisation. A special regulation, to be approved within 120 days from the entry into force of the Decree, shall define the Agency’s functioning, which is composed of eight general management level offices and thirty non-general management level offices within the available resources (art. 12 paragraph 1).

The Agency is the main body in the cyber-security field, acting as a national authority and centralising the various expertise hitherto attributed to other bodies, including those of the Ministry of Economic Development. Its tasks include:

• protecting national interests and essential state functions from cyber threats;
• developing national prevention, monitoring, detection and mitigation capabilities to deal with cyber-security incidents and cyber-attacks;
• enhancing the security of Information and Communications Technology (“ICT”) systems of entities included in the national cyber security perimeter, public administrations, essential service operators and digital service providers;
• supporting the development of industrial, technological and scientific skills, promoting projects for innovation and development, while stimulating the growth of a solid national workforce in the cyber-security field aiming at national strategic autonomy;
• providing a single national stakeholder for public and private entities in the field of security measures and inspection activities in the national cyber-security perimeter, security of networks, information systems, and electronic communication networks.

Cyber-security Unit

The Agency is supported by the “Cyber-security unit“, which supports the Prime Minister, for aspects relating to the prevention and preparation for possible crises and the activation of warning procedures. The main tasks entrusted to this body include:

• formulating initiatives concerning the country’s cyber-security;
• promoting, programming and operational planning of the response to cyber crisis situations by administrations and private operators;
• conducting inter-ministerial exercises, i.e. national participation in international exercises involving the simulation of cyber events to increase the country’s resilience and involvement in cyber-security crises.

◊◊◊◊

By 30 April of each year, the Prime Minister must report to Parliament on the Agency’s activity in the previous year. As an Italian National Coordination Centre, the Agency will interface with the “European Cyber-security Industrial, Technology and Research Competence Centre“, contributing to increasing the European strategic autonomy in the sector.

Other related insights:

• Home working and Data Protection
• Data Breach: The European Data Protection Authority Guidelines for handling data breaches