On Focus

Andrea D'Addazio

Intellectual Property and Information Technology

National Cybersecurity Perimeter and “5G” mobile networks: the Italian Government takes a primary role

With the passing of Law Decree n. 105 of 2019 into law, the Italian Government has strengthened its cybersecurity related powers. In particular, the Government went beyond the scope of the NIS Directive by imposing security duties to entities that would fall out of the scope of application of the NIS Directive but considered of comparable strategic relevance. As a matter of fact, the NIS Directive enumerates the qualifies “strategic” in consideration of the field of acidity (i.e. energy, transport, banking, financial market infrastructures, health sector, drinking water supply and distribution, digital infrastructure), while the new law just sets general criteria for the identification of the strategic quality of certain activities.

Law Decree no. 105 of 2019 pursues the goal of ensuring a high level of security in public and private networks and ICT infrastructures. It provides for the setting up of a “Cybersecurity Perimeter” (in Italian “Perimetro di Sicurezza Nazionale Cibernetica”, hereinafter the “Perimeter”), which encompasses all private and public operators and service providers with a legal seat in Italy, which are considered essential for the well-functioning and the interest of the State, whose disfunction, interruption or wrong use would compromise national security. These entities shall be specifically identified –and then regularly updated- by way of a decree of the Prime minister, on the basis of a risk-based analysis, whose principles are set out in article 1 of the law.

The Law creates a general cybersecurity framework, which shall be detailed by way of specific measures that will be set out in the same Prime Minister’s decree and that the entities comprised in the Perimeter will be obliged to adopt, in order to attain an adequate level of cybersecurity. Inter alia the security measures mandated by the law will concern the organizational structure of the security management, the mitigation of incidents and their prevention, the physical and logic protection of data, the network integrity, training and awareness of staff.

Further the last established the CVCN (which stands for Centro di Valutazione e Certificazione Nazionale and that can be translated as National Center for the Evaluation and Verification), which is a surpervisory body under the control of the Ministry of Economic Development.

All entities included in the Perimeter and all the Central Purchasing Bodies for Public Procurement with intention to purchase an ICT equipment must communicate to CVCN a list of all components and the software-architecture of the ICT structure, with the attachment of a risk analysis based on its intended use. Within 45 days from the communication, CVCN may authorize the purchase or impose preliminary verifications, binding conditions and tests considering the risks involved. In case of public procurement, the notice of invitation to tender must include specific clauses of either suspension or termination of the award on the ground of test failure.

Furthermore, the CVCN will elaborate cybersecurity certification’s schemes in accordance with ENISA standards. in the event that the actual ones are not sufficiently adequate to protect national security.

Inspections and verifications over the entities included in the Perimeter will be exercised by Prime Minister’s Cabinet on public entities and by Ministry of Economic Development on private entities, but without access to “personal and administrative data and metadata”. Both Authorities will have the power to impose specific prescriptions.

In case of non-compliance, entities included in the perimeter will be exposed to severe administrative monetary sanctions from 200,000 up to 1,800,000 Euros in case of infringement of the duties imposed by law and the CVCN’s and of the Government’s prescriptions. False communications to CVC during the purchase of ICT equipment or Government’s inspection it is considered a crime, which might be punished with imprisonment up to 3 years.

The law in question also sets forth new provisions concerning the “5G” mobile network, as it extends the so-called Government’s “Golden Power”. Beside the “veto” power on any possible acquisition of providers operating in Italy, the Government will impose technical checks and verifications on possible vulnerability factors on actual concessionaires and possible buyers. These verifications, which will be carried out by the CVCN, may also impose "the replacement of equipment or products where essential in order to resolve the vulnerabilities found" pursuant art. 3 of the Law. Furthermore, in case the buyer is an entity with its legal seat outside of the European Union, the Prime Minister’s Cabinet shall consider several factors, such as its direct or indirect control by a third county’s government, its involvement in activities affecting public security or public order and its possible influence on security.