Current status of implementation

The NIS directive has been implemented by the Legislative Decree no. 65/2018, published on the Official Gazette of the Italian Republic on 9 June 2018 and entered into force on 26 June 2018.

Implementation Act

The Legislative Decree no. 65/2018.

Determination of operators of essential services (Art. 5 NIS)

The Italian NIS Authorities identified 465 public and private entities as Operators of Essential Services, operating in the sectors of energy, transport, banking, financial market infrastructure, health, drinking water supply and distribution, and digital infrastructure. The name of these operators was not disclosed due to national security concerns. On 31 January 2019, the identified operators of essential services have been confidentially informed to be in the related list and to be subject to the NIS provisions, monitored by the NIS Authorities. 
Reporting obligations

Operators of essential services and digital service providers must immediately notify the Italian CSIRT and for information the competent NIS Authority of incidents which have a significant impact on the provision of the essential services.

Sanctions regime

In Italy, according to the scheme of the Legislative Decree, operators of essential services and digital service providers which will be non-compliant with the regulations will be subject to an administrative fine ranging from EUR 12,000 to a maximum of EUR 150,000.

Competent authorities

The Italian Prime Ministry is the subject in charge for the general policy of the government and of the Security Information System of the Republic for the purpose of protecting national security in the cyber space. 

Please find below other bodies for cybersecurity mentioned in the Directive for the cybersecurity protection and in the scheme of legislative decree: 

The DIS (the "Department of the Information for Security”) that has the function of coordinate the activities of informatics research finalized to enhance the cybersecurity protection and the national informational security;
The CISR (the Ministerial Committee for Security of the Republic) that has a consultancy function and provides practical activities in order to implement the National Plan for cybersecurity;
MISE, the Ministry of Economic Development; 
The Digital Agency for Italy;
Both the Ministries of Defence and the Interior. 
The Cybernetic Security Office, a body of DIS that supports and collaborates with the Prime Ministry and CISR for any cybernetic crisis (please see definition below). 
Ministry of Economic Development, Ministry of Infrastructure and Transport, Ministry of Economics, Ministry of Health and Ministry of Environment has been indicated as Competent NIS Authorities, each for the respective sector of the operators of essential services.

Jurisdictional applications

Operators of essential services are subject to Italian law if its principal place of operation is located in Italy.

The reporting obligations do not apply to providers of digital services that have their main establishment in another EU member state or have appointed a representative in another EU member state, in which they offer the digital services.


Remarks (if any)

Each Competent NIS Authority has issued specific guidelines for the policies to be implemented by the Operators of Essential Services of their respective sectors in order to be compliant with the NIS Directive. Accordingly, based on a proactive and strategic approach and despite the specific technology implementation of the Operator, 5 compliance steps have been identified to be included in a dedicated NIS policy in order to manage the cybersecurity risks. The 5 steps are: (i) to identify, (ii) to protect, (ii) to detect, (iii) to respond and (iv) to recover; the comprehensive NIS policy will have to provide for specific sub-policies to be created for each area, considering the type of business and the risk appetite of the specific Operator. 

Moreover, the Operators of Essential Services are required to be compliant with these guidelines relatively soon, i.e. by April / May 2020, reaching at least the first of three levels of compliance.

In fact, on the basis of the maturity and complexity of the measures implemented by each Operator, the guidelines provide for a 3 levels scale of compliance: M1 Responsibility and Risk Acknowledgment, M2 Basic Organization and M3 Completely Organized. 
All the relevant activities included in each of the above mentioned areas in relation to such levels have been described in detail in the guidelines.

In addition, 2 new positions are requested in the corporate structure of the Operator of Essential Services such as the NIS Referent, a contact point with the NIS Authority and the NIS Representative, responsible for the implementation and management of the new cybersecurity policies.

Last reviewed 01.01.2020