[Last reviewed: 15 December 2023]
☒ omnibus – all personal data
E.g., telecoms, public healthcare sector, financial sector
What are the key data privacy laws and regulations?[Last reviewed: 28 December 2022]
[Last updated date: 15 December 2023]
The NIS Directive (Directive 2016/1148 on the security of networks and information systems), has been transposed into Italian law through Legislative Decree No. 65 of 18 May 2018 ("NIS Legislative Decree"), in force since 24 June 2018. However, it is necessary to update the rules of the NIS Legislative Decree, as the European Parliament recently approved the NIS2 Directive, published in the Official Journal of the European Union on 27 December 2022.
The Decree introduces a series of security obligations for essential service operators and digital service providers in the adoption of security measures and notification of incidents.
The Decree establishes that operators of essential services must adopt technical and organizational measures that are adequate and proportionate to the management of the risks raised by network and information system security, in order to prevent and minimize the impact of incidents affecting the security of the network and of the information systems used for the provision of essential services.
Operators must notify the Computer Security Incident Response Team (CSIRT) and the NIS authority of incidents that have a significant impact on the continuity of the essential services provided. The CSIRT will then forward the notifications to the assigned Security Information Department. Notifications from operators must include information that allows the CSIRT to assess the cross-border impact of the incident, based on the number of users affected by the disruption to the essential service, the duration of the incident, and the geographic spread relative to the area affected by the incident.
Legislative Decree 65/2018 established the CSIRT, whose operation is governed by the DPCM 8 August 2019. The CSIRT, in addition to intervening in the event of cyber incidents and monitoring their frequency at the national level, promotes the adoption and use of common or standardized practices in the field of incident and risk management procedures and incident, risk and information classification systems.
The Italian legislation establishes, as the NIS competent authority, the competent authority in each sector and, as law enforcement authority, the central body of the Ministry of the Interior for security and regularity of telecommunication services (Ministero dell’interno per la sicurezza e per la regolarità dei servizi di telecomunicazione).
On 10 November 2022, the European Parliament approved the NIS2 Directive.
The new directive has been published in the Official Journal of the European Union on 27 December 2022 and will enter into force on the 20th day following the publication. From that date of entry into force, member states have 21 months to transpose the provisions of the NIS2 directive into national law.
The main change in the NIS2 Directive is its scope of application. In addition to being applicable to the sectors originally covered by the NIS1 Directive (e.g., the energy , telecommunications, transportation, banking and financial markets, healthcare, etc. ) the new provisions are also applicable to a range of companies not previously included, such as those providing, among others, digital services, e.g., cloud computing platforms, data centers, cntent delivery network providers, and electronic communication network services; healthcare services, such as pharmaceutical companies, medical device manufacturers, and healthcare providers; and even food production, processing, and distribution services, including large-scale retail companies.
The Directive provides a distinction between "essential" and "important" entities, with different supervisory and enforcement regimes. The new regulatory text also introduces guidelines regarding the size of the companies. Thus, companies in the above-mentioned sectors that are medium and large in size fall within the scope of the NIS2 Directive, but small companies could also be included if they operate in key sectors for society and, regardless of size, providers of, among others, electronic communication services and electronic communication networks.
In addition to defining the areas of activity to be regulated, the NIS2 Directive provides the list of minimum requirements:
The new directive has been aligned with other sector-specific regulations such as the Digital Operational Resilience Act for the financial sector and the Resilience of Critical Entities Directive to ensure legal clarity and consistency across directives.
The Digital Operational Resilience Act (DORA), which will be directly applicable in all member states as of 17 January 2025, establishes uniform obligations in relation to the security of IT and network systems that support the business processes of financial entities (banks, payment institutions, investment firms, insurance companies, etc.). These obligations include, among others, those applicable to financial entities on information and communication technology (ICT) risk management, reporting of serious ICT-related incidents and notification of significant cyber threats to the relevant authorities, digital operational resilience testing, data and information sharing in relation to cyber vulnerabilities and threats, and measures related to the management of cyber risks arising from third parties. The obligations introduced also cover contractual arrangements between third-party ICT service providers and financial entities, and standards are provided for the establishment and implementation of a surveillance framework for critical third-party ICT service providers.
On 3 August 2021, Parliament passed the bill converting Law Decree No. 82 of 14 June 2021, containing urgent provisions on cybersecurity, definition of the national cybersecurity architecture and establishment of the National Cybersecurity Agency.
The constitution of a nucleus for cybersecurity at the Agency is introduced (article 8). It is foreseen as a permanent support to the President of the Council of Ministers regarding cybersecurity issues, for aspects related to prevention and preparation for possible crisis situations and for the activation of alerting procedures.
The national cybersecurity perimeter was established pursuant to Article 1, paragraph 1, of Legislative Decree No. 105 of 21 September 2019, converted with amendments by Law No. 133 of 18 November 2019 (in Official Gazette No. 272 of 20 November 2019) in order to ensure a high level of security of the networks, information systems and IT services of public administrations, public and private entities and operators having an office in the national territory, on which the exercise of essential functions of the State depends. With the tool of the DPCM the government determines crucial factors such as the identification of the subjects included, the procedures for the acquisition of ICT assets and notification of IT incidents. Below the DPCM issued to this date:
Incidents impacting ICT assets are classified by category in Tables no. 1 (less serious) and no. 2 (more serious) of Annex A of the Regulations. As of 1 January 2022, the parties included in the Perimeter must notify the CSIRT of the event within six hours of becoming aware of it, if it is a "less serious" incident, or within one hour, if it is a "more serious" incident.
Failure to comply with the notification obligation is punished with a pecuniary administrative sanction ranging from EUR 250,000 to EUR 1,500,000.
The transmission of the notification is followed by a phase of dialogue with the CSIRT. The Regulations also allow parties included in the PSNC to notify, on a voluntary basis, other incidents that do not fall within the scope of the notification obligation, which will be dealt with by the CSIRT after the mandatory ones.
The annex to the DPCM determines the ICT assets included in the cyber perimeter and the reference macro categories (hardware and software components that perform telecommunications network functions and services (access, transport, switching); hardware and software components that perform functions for the security of telecommunications networks and the data they process; hardware and software components for data acquisition, monitoring, supervision, control, implementation and automation of telecommunications networks and industrial and infrastructure systems; software applications for the implementation of security mechanisms). However, Article 4 of the DPCM stipulates that "the categories identified by this decree are updated, by decree of the President of the Council of Ministers, at least once a year, with regard to technological innovation and changes in technical criteria".
Are new or material changes to those key data privacy and cybersecurity laws anticipated in the near future?