With legislative decree n. 65 of 18 May 2018, Italy implemented the NIS Directive (Directive 2016/1148 on the security of networks and information systems); the decree came into force in June 2018.
The Directive is a further tool for managing cyber security at the national level: it sets out guidelines for risk management and for the prevention, mitigation and notification of IT incidents.
The sectors that fall within the scope of the NIS decree coincide with those envisaged by the Directive: energy, transport, banking, financial markets, healthcare, supply and distribution of drinking water, digital infrastructures, search engines, cloud services and e-commerce platforms. An entity is classified as an operator of essential services (so-called OSE) when:
- it provides a service that is essential for the maintenance of economic or social activities;
- the provision of that service depends on network and information systems;
- a cyber incident would have a negative impact on the provision of the service.
The legislation requires these operators to adopt technical and organizational measures adequate for:
- managing the risks related to the security of the networks and information systems they use;
- preventing and containing the impact of incidents that jeopardize the security of those networks and information systems.
Consistent with the provisions of the Directive, the adoption of a national cyber security strategy was also envisaged. This strategy must establish the preparation, response and recovery measures for services following cyber incidents, define a cyber risk assessment plan and training and awareness programs on cyber security, and set out a risk assessment and research and development plan on cybersecurity.
As for the authorities responsible for implementing and supervising the NIS legislation, five different ministries have been designated as competent authorities: economic development; economy and finance; health; environment; infrastructure and transport.
The DIS (Security Information Department), established in August 2007 to coordinate the planning and operational activities of AISE (External Information and Security Agency) and AISI (Internal Security and Information Agency), instead acts as the single point of liaison and coordination with the EU and with the competent authorities of the other Member States for cybersecurity activities.