On June 15, 2021, Decree Law No. 82 of 2021 on Urgent Provisions on Cybersecurity, Definition of the National Cybersecurity Architecture and Establishment of the National Cybersecurity Agency (D.L. No. 82) entered into effect in Italy.
Definition of Cybersecurity
The legislation defines cybersecurity as “the set of activities necessary to protect networks, information systems, IT services, and electronic communications from cyber threats, ensuring their availability, confidentiality, and integrity, as well as guaranteeing their resilience.” (D.L. No. 82, art. 1(1).)
Management by the President of the Council of Ministers
The president of the Council of Ministers has exclusive powers to, among other things, direct the higher management of the national cybersecurity policy, including (a) protecting national security in cyberspace, (b) adopting the national cybersecurity strategy, and (c) executing the power to hire and fire staff. (Art. 1(1)(a)–(c).)
Interministerial Committee for Cybersecurity
The law creates the Interministerial Cybersecurity Committee under the Presidency of the Council of Ministers, granting it consultation powers and the functions of proposing and overseeing cybersecurity policies and activities concerning cyberspace national security. (Art. 4(1).)
Agency for National Cybersecurity
The legislation also creates the Agency for National Cybersecurity to protect national interests in the field of cybersecurity. The agency is to be headquartered in Rome. (Art. 5(1).) For the performance of its functions, the agency may request the collaboration of other government bodies, according to their competence. (Art. 5(5).) The agency is also the national competent authority on the security of information networks and systems, and performs the necessary functions to support the Nucleus for Cybersecurity (“the Nucleus”). (Art. 7(1)(c) & (d).)
The Nucleus for Cybersecurity
The Nucleus is an administrative organ created at the Agency for National Cybersecurity with the mission to prevent and repair eventual crisis situations and activate alert procedures. (Art. 8(1).) The Nucleus proposes initiatives concerning the country’s cybersecurity, promotes the programs and operational plans of responses to cyber crises by concerned public agencies and private operators, elaborates the necessary procedures for interministerial coordination in cybersecurity matters, coordinates events related to the simulation of cybersecurity events in order to raise the country’s resilience, and promotes procedures for the sharing of information with public and private entities. (Art. 9(1)(a)–(d).)