
7 November 2023, 3 minute read

CyberItalia: The NIS Decree – Italy's first cybersecurity law in a nutshell

The CyberItalia column continues with this third article about the NIS Decree. It’s the first Italian law completely dedicated to cybersecurity, adopted to transpose the European cybersecurity requirements established by the NIS 1 Directive.

In Italy, the NIS 1 Directive has been implemented by the NIS Decree (d.lgs. 65/2018). It transposes at the national level the general principles and the specific cybersecurity obligations addressed to operators of essential services (ESO) and providers of essential services (ESP).


When?

Published on 18 May 2018, the decree remains in force pending Italy's transposition of the NIS 2 Directive, due by October 2024.


Who is it addressed to?

The NIS Decree applies to:

  • Essential Service Operators (ESO)
  • Digital Service Providers (DSPs), as defined in the NIS Directive and further specified at the national level in Annex II of the NIS Decree

The Ministry of Economic Development (now the Ministry of Enterprise and Made in Italy – MIM) has issued a list of ESOs that the Ministries have identified in their respective areas of competence. To date, 465 companies and entities have been identified as ESOs and have to comply with the NIS regulations. But the list has not been made public for reasons of national security.

Compared to the NIS 1 Directive, the NIS Decree did not provide for any specification or expansion of the category of ESPs, which includes e-commerce operators, search engines and cloud computing services.


What does it provide for?

The approach of the NIS Decree is high-level – in line with the broad purpose of the NIS 1 Directive.

The Decree essentially incorporates, without introducing any particular specifications, the general obligations of the NIS 1 Directive with respect to:

  • adopting security measures to prevent, manage and contain incidents;
  • the obligation for ESOs and ESPs to notify the CSIRT and the NIS authorities, without undue delay, of security incidents that have a significant impact on the provision of their services.

The latter were initially identified by the Decree as five different Ministries (Economic Development, Infrastructure and Transport, Economy, Health and Environment), each responsible for one or more sectors within their areas of competence. The Department of Security Intelligence is instead indicated as the single point of contact for European coordination roles.

Finally, the NIS Decree provides for the adoption of a national cybersecurity strategy and establishes the Italian CSIRT (Computer Security Incident Response Team) with tasks of a technical nature related to prevention, response and monitoring of cyber incidents, in cooperation with the European CSIRTs.

On the subject of cybersecurity, see also CyberItalia: The NIS 1 Directive and the NIS 2 Directive in a nutshell.