By Helga Zanotti and Nicolò Ghibellini
On Sept. 4, 2022, came into effect the Legislative Decree No. 123 of Aug. 3, 2022, the national standard facilitating the adaptation to the European cybersecurity certification framework, introduced through the provisions of Title III of EU Regulation No. 881 of 2019, known as the Cyber Act.
Cybersecurity is now embedded in a complex and layered regulatory framework, both because it affects different subjects and sectors, some of which are of competence of the European legislature, and also because of its technical complexity. Among the national sources of primary rank, some of the most relevant are the Legislative Decree No. 65 of May 18, 2018, implementing Directive 2016/1148 (the so-called NIS Directive), on measures for a high common level of security of networks and information systems, as well as the Legislative Decree No. 105 of September 21, 2019, establishing the perimeter of national cyber security, which extends the exercise of the so-called golden powers, i.e., the special powers of the President of the Council, to the area under consideration.
EU Regulation No. 881 of 2019 elaborates a set of cybersecurity certifications; consequently, Legislative Decree No. 123 of August 3, 2022 aims at the adaptation of Italian legislation to the certification framework of ENISA, the European Union Cybersecurity Agency, and the cybersecurity certification for information and communication technologies.
With regard to the processing of personal data, Article 1 of Legislative Decree No. 123 of 2022 specifies that personal data resulting from the application of the standard will be processed in compliance with the provisions of the GDPR and Legislative Decree No. 196 of June 30, 2003. This clarifies that the area of application of the cybersecurity regulation does not conflict with that of the GDPR.
The aforementioned regulations fit, in their own right, into a new generation of risk-focused EU regulations, such as the aforementioned GDPR and the proposed Artificial Intelligence Regulation of April 21, 2021.
In particular, Legislative Decree No. 123 of 2022 contemplates three levels of reliability assessed on the basis of the degree of compliance:
1.basic: where the function of the certificate is to ensure that ICT (information and communication technology, ed.) products, services and processes have been assessed as sufficient to reduce cyber risk, resulting from a cyber attack or incident of a known type;
2.substantive: where the function of the certificate is to ensure that ICT products, services and processes have higher standards, extended to security features and limiting the known risk of cyber attacks caused by individuals with limited skills and resources. Where there is substantial reliability, a review should be conducted to prove the continued absence of publicly known vulnerabilities through increased assessment activities;
3. high: where the function of the certificate is to ensure that ICT products, services and processes meet security requirements and have been assessed to minimize risks from cyber attacks. In this case, it will be necessary to schedule the review that proves the absence of publicly known vulnerabilities, as well as a specific test to demonstrate that ICT products and services properly put in place the necessary security features at the most advanced state of technology, together with an examination of their resistance to attacks carried out by qualified parties through penetration testing.
Article 7 of the Legislative Decree No. 123 of 2022, written as a function of Article 54 of the regulation is critical to the assessment of the level of trustworthiness. It also reiterates the function of the self-assessment mechanism, which burdens the ICT manufacturer or service or process. The National Cybersecurity Authority is the body responsible for receiving and analyzing the documents necessary to assess the conformity of the self-declaration. It is emphasized that both certification and declaration are voluntary in nature. It is possible to say, that the European Union leaves it up to individual member countries to provide for mandatory certification, with appropriate provision of law.
Article 10 of the Legislative Decree 123 of 2022 outlines the penalty framework, which is characterized by both pecuniary and accessory penalties. Again, the provision recalls the sanctioning system of the GDPR, in which the Privacy Guarantor can invite amicably to comply, subject to sanctions in case of protracted non-compliance, as happened in the case of companies using Google Analytics.
In conclusion, companies are in a new phase characterized by living with the risk and the constant obligation to monitor in order to mitigate the consequences.
Contact Information
h.zanotti@bmvinternational.com
n.ghibellini@bmvinternational.com