[Newsflash n. 34]


With its publication in the Official Gazette of May 31st 2017, the Italian Government approved the new National Plan for Cyber Protection and Digital Security, which defines new operational guidelines and objectives for the implementation of the National Strategic Framework for Cyber Security (NSF). The new plan was developed in line with the guidelines for cyber protection and digital security recommended by the Prime Minister in his capacity as the person responsible for the National Cyber Architecture.

The action plan is built around substantial measures that strengthen the National Cyber Architecture, taking into account that data sensitive for national security purposes are not exclusively held and managed by the public sector, but also by private enterprises in strategic sectors. The new action and crisis management plan therefore widens the perimeter of enterprises operating in areas identified as critical for national security (utility providers and digital service providers), which will be subject to new notification obligations when security incidents occur that qualify as threats to national security under certain parameters and thresholds. The sanctions for failure to comply are substantial.

Pending the implementation of the EU Network and Information Systems Directive (NIS) through national legislative measures, the regulatory framework adopted in 2013 has been optimised in line with the following objectives:

  1. Simplification of the ordinary and extraordinary procedures for the management and maintenance of the national security architecture;
  2. Restructuring of the regulatory bodies taking part in the National Cyber Protection;
  3. Overall shortening of the “control chain” for crisis management, in order to speed up the response and remediation action by the competent bodies.

The priorities of the national architecture intervention are outlined as follows:

  • Identification and update of minimum security measures to be implemented on Public Administration and critical infrastructure networks and systems;
  • Adoption of reference standards, best practices and minimum requirements for networks and systems security;
  • Construction of a validation and auditing system (internal and external) for the bodies responsible for issuing digital certificates, for authentication and for other digital security certificates.

The operational measures promoted include:

  1. Strengthening of the coordination and cooperation at national level between public and private operators;
  2. Promotion of a digital security culture among the wider public audience, including private citizens, corporate employees and the Public Administration;
  3. Strengthening of bilateral and multilateral cooperation (NATO – EU);
  4. Review and rationalization of digital security legislation at national level;
  5. Implementation of a national cyber risk management system in line with the NIS Directive.

It will be interesting to investigate what other changes in the legislative framework the adoption of the Network and Information Systems Directive will bring.

Please do not hesitate to contact us should you need any clarification on the above.


Contacts:

Marina Mirabella
Senior Partner

Vito Vittore
Senior Partner

Luigi Bonifacio
Associate



The Italian version of this Newsflash is available here.