Cyber Security and NIS Directive: the Italian implementing Decree

The digital age and the daily use of technological tools in almost every sphere of our existence have undoubtedly given rise to many problems concerning cyber security and the need to defend virtual space (to both protect personal rights on the Net and ensure the continuity of essential services).

The World Economic Forum – a foundation that convenes important annual meetings with leading figures in politics and the international economy – has recently ranked IT risks among the three main issues of 2018, together with war and natural disasters caused by global warming.

On July 6th, 2016, with the aim of addressing the issue of cybercrime shared by all Member States, the European Union adopted Directive 2016/1148/EU – better known as the Network and Information Security (NIS) Directive – establishing specific measures to achieve a common high level of security of network and information systems across the Union. This is the first initiative taken to face the challenges of cyber security, and it revolutionises the European resilience and cooperation system.

Although Italy should have implemented this Directive by May 9th, 2018, the Italian Government definitively approved the implementing Decree (Legislative Decree 65/2018) only on May 16th, 2018, one week late. The Decree officially entered into force on June 24th, 2018.

The NIS Directive 2016/1148/EU, whose action plan revolves around three main pillars (improving the cyber security capabilities of the individual Member States, increasing European cooperation, and the obligation to manage risks and to report security incidents of a certain magnitude), imposes on each Member State the obligation to adopt a national cyber security strategy that defines appropriate security policies and awareness-raising measures.

The recent Italian implementing legislation, as stated in the Government Press Release, is precisely aimed at implementing the aforementioned objectives. The Decree encourages risk management activities and the reporting of security incidents among the main economic players, and aims to improve national capabilities in terms of cyber security as well as to strengthen cooperation at both national and EU level.

Firstly, besides providing for the adoption of technical and organisational measures designed to achieve a high national level of security of network and information systems (thus also contributing to strengthening the common level of security across the Union), the Decree implements the obligation to report IT incidents, and in particular those with a significant impact on the provision of essential and digital services.

At the same time, the Decree identifies the competent “NIS” Authorities and their respective tasks, which have to be carried out in cooperation with the Authorities of the other Member States and with the national Computer Security Incident Response Team (CSIRT) – which will replace the national CERT and the CERT-PA by merging them – and which in turn cooperates with the other European CSIRTs.

In relation to the scope of the Decree, although the NIS Directive allows individual Member States to extend their provisions also to sectors not explicitly listed in the Directive, the Italian Government decided not to make use of this opportunity, even though, according to several opinions, an extension to the Public Administration sector – which handles a massive amount of data – would have been necessary. Hence, the sectors falling within the scope of the implementing Decree coincide with those listed in the Directive, i.e. energy, transport, banking, financial market infrastructures, the health sector, drinking water supply and distribution and digital infrastructure, as well as online search engines, cloud computing services and online marketplaces.

Nevertheless, Public Administrations that are identified as operators of essential services in the above-mentioned sectors will in any case be subject to the NIS regulation.

It is also worth noting that Public Administrations may remain subject to AgID Circular No. 2 of 2017 concerning ICT minimum security requirements for Public Administrations.

As far as the national cyber security strategy is concerned, it will need to set out, in a specific and detailed way – updating where necessary the National Strategic Framework for Cybernetic Space Security of 2013 and the subsequent National Cybernetic Protection and Cyber Security Plan of 2017 – measures relating to the preparedness, response and recovery of services following IT incidents; it will also need to define an IT risk assessment plan and training and awareness-raising programmes on IT security.

With regard to the national Authorities responsible for implementing the NIS regulation and supervising compliance with it, the Italian decentralised model envisages the designation of five Ministries, each of which is responsible for one or more sectors within its area of competence (economic development, infrastructure and transport, economy and finance, health, environment and land protection).

The DIS (Department of Security Information), on the other hand, performs important liaison and coordination functions with the competent Authorities of the other Member States.

The implementing Decree then restates the same general security requirements laid down by the NIS Directive and requires operators of essential services and digital service providers to adopt appropriate technical and organisational measures for the management of risks and the prevention of IT incidents.

All the elements that will have to be taken into account for the purposes of risk management are detailed in Commission Regulation (EU) 2018/151, which also specifies in detail the sector-specific criteria for determining the significance of the impact of an incident. Competent Authorities may also impose additional obligations.

In the event of an incident, the implementing Decree specifies that the above-mentioned entities shall, without undue delay, report it to the CSIRT (and, for information, to the NIS competent Authority for the relevant sector), specifying its impact on the services provided.

Finally, with regard to sanctions, Italy decided to follow the same approach as some other Member States that have already implemented the Directive. More specifically, in case of breach of the obligations set out in the Decree by operators of essential services and digital service providers, the competent Authorities may impose administrative fines of up to €150,000.

Before concluding, it should be emphasised that the recent publication of the Decree does not complete the Italian NIS Directive implementation process. In fact, further work is needed to make the provisions effective and to adopt a decree regulating the organisation of the new CSIRT.

In addition, the new Government will also need to update the National Cybernetic Protection and Cyber Security Plan of 2017 and adopt a national cyber security strategy in compliance with all the requirements under Article 7 of the NIS Directive.