CyberItalia: The National Cyber Security Perimeter Decree and its implementing decrees in brief
In this fifth article in the CyberItalia column, we’ll explore another set of national cybersecurity regulations resulting from the adoption of the National Cybersecurity Perimeter Decree and its implementing decrees.
The National Cybersecurity Perimeter was established by Decree-Law 105/2019 (the Perimeter Decree), converted by Law 133/2019, to ensure “a high level of security of networks, information systems and IT services of public administrations, public and private entities that are of strategic importance in the national landscape.” The Perimeter Decree thus complements the NIS Decree and strengthens the national information security framework.
Published in the Official Journal on 21 September 2019, the decree is currently in force. The Perimeter Decree was followed by a series of implementing decrees providing specific guidance on the operation of the Security Perimeter.
Who is it addressed to?
The Perimeter Decree is addressed to:
- operators, both public and private, that perform a service or function essential to the interests of the state in certain strategic sectors. More specific criteria for identifying these entities are contained in the implementing Prime Ministerial Decree 1 (see below).
Generally, entities that fall under the NIS Decree also fall within the Security Perimeter. The Security Perimeter has a broader scope and also includes public and private operators that might not fall under the NIS Decree.
What does it provide?
The Perimeter Decree specifies the modalities, procedures and deadlines for establishing the Security Perimeter and indicates its general operation, which is then specified and made operational by subsequent implementing decrees.
The Perimeter Decree identifies the obligations to which the entities covered by the Perimeter are subject, imposing on them:
- the obligation to prepare and update, at least annually, lists of the “strategic” ICT assets under their responsibility, indicating the networks, information systems and IT services that make them up and whose malfunctioning, interruption or improper use could jeopardise national security. These lists must be communicated to the Presidency of the Council (in the case of public entities) or to the Ministry of Enterprises and Made in Italy (MIMIT) (in the case of private entities), so that they can exercise their powers of verification and inspection;
- the obligation to notify the CSIRT of security incidents impacting those ICT assets (according to the criteria and modalities defined in Prime Ministerial Decree 2);
- the obligation to implement appropriate security measures (as further detailed in Prime Ministerial Decree 2);
- the obligation to communicate the intention to acquire ICT goods, systems and services to be deployed on their strategic assets to specially established bodies (the Assessment Centres (CVs) and the National Assessment and Certification Centre (CVCN)) to enable the necessary security and reliability checks (as specified by the implementing decrees referred to as Prime Ministerial Decree 3).
The Perimeter Decree also extends the regulation of the intervention powers granted to the government (golden power) to safeguard national companies operating in strategic sectors in the presence of corporate transactions, in the field of broadband telecommunications networks and 5G technology.
Implementing Decrees 1, 2 and 3 and the Accreditation Decree
To become operational, the Perimeter Decree provided for the issuance of a series of implementing decrees introducing specific regulatory provisions:
- Prime Ministerial Decree No. 131/2020 (Prime Ministerial Decree 1) – identifies the criteria for identifying public and private entities that perform essential functions for the state and so fall within the Perimeter. The operators are identified in sectors of particular strategic importance, such as space and aerospace, energy, telecommunications, transport, interior, defence, economy and finance, digital services, critical technologies, health and social security institutions.
The selection is carried out by the respective competent authorities, which inform the selected operators of their inclusion in the Security Perimeter by means of a notification.
The DPCM also specifies the criteria for preparing and updating the lists of ICT assets included in the Perimeter.
- Prime Ministerial Decree No. 81/2021 (Prime Ministerial Decree 2) – the first part of the decree sets out the procedures and methods by which the entities included in the Perimeter are required to notify incidents to the CSIRT.
As of 1 January 2022, the DPCM imposes an obligation to notify the CSIRT within strict deadlines:
- six hours from becoming aware of a “less serious” incident;
- one hour from becoming aware of a “more serious” incident, according to the classification described in Annex A of the DPCM. For events not included in the classification, notification remains voluntary.
The second part of the decree is devoted to the security measures that entities within the Perimeter are required to implement to ensure high levels of security for their ICT assets. These measures are detailed in Annex B and Annex C (the latter aimed specifically at protecting information) and must be adopted within the different timeframes set out in the DPCM.
- Presidential Decree No. 54/2021 and the Prime Ministerial Decree of 15 June 2021 (Prime Ministerial Decree 3) – jointly identify the modalities and procedures governing the operation of the National Assessment and Certification Centre (CVCN) and the Assessment Centres (CVs), as well as the categories of ICT goods, systems and services for which the entities included in the Perimeter are required to notify the CVCN or the CVs.
- Prime Ministerial Decree No. 92/2022 (Accreditation Decree) – establishes the procedures, requirements and terms for the accreditation of Accredited Testing Laboratories, which support the CVCN in verifying the technological security of the goods, systems and services covered by the Perimeter.
The ACN Decree (Decree-Law No. 82/2021, converted with amendments by Law No. 109/2021) redefines the national institutional architecture for cybersecurity, establishing a specialised national agency (i.e. the National Cybersecurity Agency, ACN). The functions previously attributed to the President of the Council, the DIS (Department of Information for Security), MIMIT and the Digital Italy Agency are transferred to and centralised within the Agency.
The ACN is now the single point of contact for network and information system security, for the purposes of the NIS legislative decree, and the authority in charge of issuing certifications as required by the Cybersecurity Act (to which a specific in-depth discussion will be devoted).
Determination of the Director General of the ACN
By its own Determination of 13 January 2023, the ACN further extended the incident notification obligations of the entities falling under the Perimeter, expanding the taxonomy of incidents for which notification to the CSIRT is required, in this case within 72 hours. Notification also becomes mandatory for incidents affecting networks, systems and information services that are not directly under the Perimeter itself.
29 November 2023 · 12 minute read