The NIS Directive was implemented in Italy by Legislative Decree no. 65/2018, published in the Official Gazette of the Italian Republic on 9 June 2018 and in force since 26 June 2018.
Operators of essential services and digital service providers must notify without undue delay the Italian CSIRT, and for information the competent NIS Authority, of any incident having a significant impact on the provision of their services.
Under the Legislative Decree, operators of essential services and digital service providers that fail to comply with these obligations are subject to an administrative fine ranging from EUR 12,000 to a maximum of EUR 150,000.
The Italian Prime Minister is responsible for the general policy of the government and for the Security Information System of the Republic, for the purpose of protecting national security in cyberspace.
The other bodies with cybersecurity responsibilities under the Directive and the Legislative Decree are:
• The DIS (Department of Information for Security), which coordinates intelligence and research activities aimed at strengthening cybersecurity and national information security;
• The CISR (Interministerial Committee for the Security of the Republic), which has an advisory role and carries out the practical activities needed to implement the National Plan for cybersecurity;
• MISE, the Ministry of Economic Development;
• The Agency for Digital Italy (AgID);
• The Ministries of Defence and of the Interior;
• The Cyber Security Unit, a body within DIS that supports and collaborates with the Prime Minister and the CISR in the event of a cyber crisis (see definition below);
• The Ministry of Economic Development, the Ministry of Infrastructure and Transport, the Ministry of Economy and Finance, the Ministry of Health and the Ministry of the Environment, designated as Competent NIS Authorities, each for the sector of the operators of essential services it supervises.
Operators of essential services are subject to Italian law if their principal place of operation is located in Italy.
The reporting obligations do not apply to digital service providers that have their main establishment in another EU Member State, or that have appointed a representative in another EU Member State in which they offer their digital services.
Each Competent NIS Authority has issued specific guidelines on the policies that Operators of Essential Services in its sector must implement to comply with the NIS Directive. These guidelines take a proactive, strategic approach that is independent of the Operator's particular technology stack, and identify five compliance steps that a dedicated NIS policy must cover in order to manage cybersecurity risk: (i) identify, (ii) protect, (iii) detect, (iv) respond and (v) recover. The overall NIS policy must provide for specific sub-policies in each of these areas, taking into account the type of business and the risk appetite of the individual Operator.
Moreover, Operators of Essential Services are required to comply with these guidelines relatively soon, i.e. by April / May 2020, reaching at least the first of three levels of compliance.
Based on the maturity and complexity of the measures implemented by each Operator, the guidelines define a three-level compliance scale: M1 Responsibility and Risk Acknowledgment, M2 Basic Organization and M3 Completely Organized.
The activities required in each of the above areas at each level are described in detail in the guidelines.
In addition, two new roles must be created within the corporate structure of the Operator of Essential Services: the NIS Referent, who acts as the contact point with the NIS Authority, and the NIS Representative, who is responsible for implementing and managing the new cybersecurity policies.
Last reviewed 01.01.2020