27 Oct The first Italian regulation on the National Cybernetic Security Perimeter
Under Decree-Law no. 105 of 21 September 2019, converted with amendments by Law no. 133 of 18 November 2019, “Urgent provisions regarding the perimeter of national cybernetic security” (from now on “Perimeter”), the Prime Ministerial Decree (from now on “D.P.C.M.”) no. 131 of 30 July 2020, “Regulations regarding the National Cybernetic Security Perimeter”, was published in the Official Gazette no. 261 of 21 October 2020 and will come into force on 5 November 2020.
From a legal point of view, this is a clear signal about the cybersecurity strategy adopted by the Italian Government, and the prologue of a real Copernican revolution on the topic. The perimeter of national cybernetic security guarantees the security of the networks, information systems and information services of public administrations and of public and private entities and operators with headquarters in the national territory, on which the exercise of an essential function of the State, or the provision of an essential service for the maintenance of civil, social or economic activities fundamental to the interests of the State, depends.
The first of the four Regulations has the purpose of identifying the companies that will be subject to the law, namely those that perform a vital function for Italy.
Criteria for the qualification of the companies included in the perimeter and priority sectors
Art. 2 sets out the criteria by which the Ministries identify the companies that perform essential functions for the State. A list of 150 organisations, both public and private, will be drafted according to these criteria. These companies are considered qualified if their tasks are aimed at ensuring the continuity of the Government and Constitutional Bodies, internal and external security, international relations (…), and, by extension, the criteria also cover “public and private companies that carry out activities instrumental to the exercise of essential functions of the State”.
The secrecy of the list of the above-mentioned companies, provided for by Art. 10 of D.P.C.M. no. 131/2020, should not be underestimated: its purpose is to protect these entities through suitable organizational methods and security techniques.
Knowing the priority sectors to which the companies included in the perimeter belong is a plus for more effective protection. These are listed in Art. 3: Interior; Defence; Space and Aerospace; Energy; Telecommunications; Economy and Finance; Transportation; Digital Services; Critical Technologies; Social Security / Labour. A comparative analysis with the NIS Directive (Network and Information Security Dir. EU 2016/1148 – Legislative Decree 65/2018, from now on “NISD”) is warranted for those companies that are enlisted in the perimeter of cybernetic security.
Procedural approach and fulfillment
Cybersecurity cannot disregard the procedural dimension: what happens in the case of cyber-attacks perpetrated against companies within the Perimeter?
The first difference between the NISD and the Perimeter is that the latter requires any security incident to be notified within six hours (whereas the NISD requires notification within 24 hours) to the Computer Security Incident Response Team Italia (CSIRT-Italia), established within the Department of Security Information (DIS) of the Presidency of the Council of Ministers. Moreover, the National Evaluation and Certification Center (CVCN) must be notified whenever a company intends to proceed with the procurement of ICT goods, systems and services to be deployed on the networks, information systems and IT services within the Cybersecurity Perimeter.
In the case of a serious violation, the involvement and activation of the Cybernetic Security Core (NSC) will be required.
The provisions contained in Art. 7 of the D.P.C.M. consist in the preparation and annual updating of the list of the ICT assets relevant to each company. The ICT asset inventory should include networks, information systems and IT services.
Once the communication has been received, the companies included in the Perimeter must carry out a risk analysis for each essential function or essential service. They will therefore have to identify all the ICT assets necessary to perform the essential function or service and carry out a risk analysis for each one (Risk Assessment) to assess (Art. 7, paragraph 2, letter a, sentences 1 and 2):
a) The impact of any incident on the ICT asset, both in terms of limiting the operation of the asset itself and of compromising the availability, integrity or confidentiality of the data and information it processes to perform the essential function or service;
b) Dependencies with other networks, information systems, computer services or physical infrastructure belonging to other parties, including those used for maintenance and management purposes.
A final consideration concerns adherence to the Perimeter, which requires a certain speed of reaction, typical of highly organized structures with a model built on best practices based on the main international standards of corporate governance (for example, ISO/IEC 27001:2013 concerning Information Security Management Systems, from now on “ISO/IEC 27001”).
It would seem that the provisions set forth by the Perimeter will be even stricter than those established by the European regulations on information security and personal data protection (NISD and Regulation (EU) 2016/679, also known as GDPR).
The adoption of an organizational model of integrated compliance that makes reference to these regulations (both Italian and European) but also considers the principles and best practices provided by international standards such as ISO/IEC 27001 would certainly result in a great advantage for businesses concerning information security and business continuity, since most of the provisions of these regulations, and especially of the Perimeter, refer, directly or indirectly, to such international standards.
A model that offers a multidisciplinary vision of information security would allow companies (and not only those involved in the Perimeter) a greater understanding of the virtual space in which they move and therefore the possibility of taking into account all types of criminal activities that could harm and potentially affect their tangible and intangible assets.
In a dynamic world subject to regulatory and technological change, the adoption of such integrated compliance models achieves the dual objective of enabling compliance with multiple regulations while providing a competitive advantage.