· Creation of Cybersecurity Reserve: trusted providers ready to intervene.
· Mutual assistance among Member States.

CEM's functions:
· Preparedness: Conducts stress tests and vulnerability assessments of critical infrastructures.
· Response: Activates the Cybersecurity Reserve during major incidents (includes vetted private sector experts).
· Solidarity: Facilitates support among Member States (e.g. expert deployment, requested resources).

Why it matters?
i. Helps the EU react rapidly to cyber crisis, reducing damage and restoring services.
ii. Builds a common cyber shield by integrating public and private expertise.

Incidents Review Mechanism (IRM)
What is the IRM?
· A post-incident evaluation process after a major cyber incident.
· Led by ENISA.
· How it works: triggered by the European Commission or a Member State, identifies vulnerabilities and improves future responses.
· Timeline: expected to be fully operational by mid 2026.

Existing Legal Framework I
· Legislative Decree 82/2005 (Digital Administration Code)
  · Art. 51: First legal action on data security in public administration.
· Law 155/2005 (Anti-terrorism)
  · Art. 7a: Cyber protection of critical infrastructures assigned to the Ministry of Interior.

Existing Legal Framework II
· Law 134/2012 (Italian Digital Agenda)
  · Establishes Agenzia per l'Italia Digitale to promote ICT and align with EU agenda.
· PM Decree 24/01/2013
  · Coordinates cybersecurity among public bodies and intelligence.
· National Strategic Framework + Plan
  · Provides national strategic structure for cyber protection and sets crisis response.

Set of Interventions
· Leg. Decree 65/2018
  · Implements the EU NIS Directive for high-level cybersecurity.
· DL 105/2019 (Perimeter Decree)
  · Defines national cybersecurity perimeter and essential operators.
· DPCM 131/2020
  · Identifies essential functions and services.
· DPCM 131/2020, DPCM 81/2021, Pres. Decree 54/2021, DL 82/2021
  · Add rules for perimeter cybersecurity management and governance.

Legislative Decree 65/2018
i. Implements EU Directive 2016/1148 (NIS).
ii. Ensures strong cybersecurity standards at national level, consistent with EU.

Law 133/2019 (Law 105/2019)
i. Sets up National Cybersecurity Perimeter (PSNC).
ii. Covers all public/private entities relevant to national security.
iii. Ensures strict security standards for IT networks and systems.

DPCM 131/2020 Details
· Essential functions: government, defense, justice, economy.
· Essential services: infrastructure, logistics, research, civil rights.
· Scope: applies only to IT networks/systems where a failure risks national security.

DPCM 81/2021
· Obligations:
  · Entities must prevent incidents and respond to them.
· Procedure:
  · Entities are notified of inclusion in the cybersecurity perimeter.
  · Within 6 months: list of IT networks, systems, services (updated yearly).
  · Must do risk analysis and mitigation planning.
  · Apply security standards (based on NIST/EU frameworks).
· Incident notification:
  · Two types of incidents, classified by severity.
  · Severity = different reporting deadlines.
  → Must notify Italian CSIRT.
· Violations = very high sanctions.

Presidential Decree 54/2021
· Communication to CVCN:
  · Must report to the Centro di Valutazione e Certificazione Nazionale any outsourced ICT goods/services.
  · CVCN checks the security of these supplies within the national perimeter.
· Pre-acquisition notification to CVCN:
  · Entities must describe purpose, use, risks, and security of ICT supply.
· Process:
  · CVCN issues instructions (within 60 days).
  · Tests on hardware/software done by those accredited to CVCN.
  · Final outcome and security/usage prescriptions are communicated.

Decree Law 82/2021
· Cybersecurity governance:
  i. Presidente del Consiglio: leads national cybersecurity policy and strategy.
  ii. ACN (Cybersecurity Authority): technical body.
  iii. CIC (Interministerial Committee): advisory body, political role and oversight.

Italian Cybersecurity Authority (ACN)
· Structure:
  · Independent agency with regulatory, admin, financial autonomy.
  · Political independence but with control for protection of rights.
  · Operates under Presidente del Consiglio and COPASIR oversight.
· Objectives:
  · Protect national interests and coordinate cybersecurity actions.
  · Develop national capacity for prevention, monitoring, response.
  Note: defense = Ministry of Defense; crime prosecution = Interior.
· Main tasks:
  · Drafts the national cybersecurity strategy.
  · Coordinates public/private stakeholders.
  · Develops prevention and response capabilities.
  · Secures national digital infrastructures (including certifications).
  · Promotes international/EU cooperation.
  · Supports scientific and professional training.
  · Monitors and sanctions violations within the PSNC perimeter.
· Roles: National CSIRT-Italy, single point of contact, certification authority, supervisory authority, CVCN.

Italian CSIRT
· Functions:
  · Monitors national cybersecurity incidents.
  · Issues pre-alerts, alerts, and public advisories (e.g. new threats).
  · Coordinates response to cyber incidents.
  · Provides threat/risk analysis.
  · Enhances situational awareness.
  · Cooperates with EU CSIRTs via ENISA.

NIS2 Implementation
· Legislative Decree 138/2024:
  → Transposes EU Directive 2022/2555 (NIS2).
  → Replaces NIS1 (Directive 2016/1148).
· Entity Identification:
  · ACN will define the list of "essential" and "important" entities by April 2025.
  · All entities must register via ACN's platform.
· Security obligations:
  · Defined by ACN based on: size, risk exposure, likelihood and impact of incidents.
· Sanctions depend on the type of violation:
  Severe (missing incident notification, security measures):
  · EE: up to €10M or 2% global turnover.
  · IE: up to €7M or 1.4% global turnover.
  Formal (lack of registration, no cooperation):
  · EE: up to 0.1% of turnover.
  · IE: up to 0.07%.
  Additional sanctions:
  → ACN may suspend certifications or authorizations.

Security Measures
· Deadlines:
  · Important entities: adopt measures (Annex, ACN Resolution 164179/2025) by Oct 2026.
  · Essential entities: adopt measures in Annex
· Structure:
  · Based on National Cybersecurity Framework.
  · Organized by: function, category, subcategory, requirements.
  · Each measure = code, description, specific requirements to meet.

EU Cybersecurity Act
· Regulation (EU) 2019/882 entered into force on 17 April 2019.
· Establishes ENISA's permanent mandate and EU cybersecurity certification framework.
· Replaces Regulation (EU) 526/2013.
· Three key goals:
  · Lead in the global cybersecurity market.
  · Fix legal gaps revealed by recent attacks.
  · Politically respond to geopolitical shifts and growing cybersecurity threats.

Strengthening ENISA's Role (Art. 3)
· Main tasks:
  · Support Member States and EU institutions in improving cybersecurity.
  · Act as a reference point for advice and expertise.
  · Help reduce fragmentation in the internal market.
  · Implement EU rules to align national laws.
and
independently
Act duplicat