Cybersecurity: applicable legal framework in Italy to protect companies and consumers
Cyberattacks and significant cyber incidents are being reported on a weekly, if not daily, basis, with consequences in both the private and the public sector. In light of the increase in cyber risks, it comes as no surprise that legislators worldwide have taken action. In this regard, the EU first adopted the NIS Directive in 2013, with the goal of setting common legal measures and requirements to boost the overall level of cybersecurity in the EU and ensuring better protection for critical infrastructures, and then the Cybersecurity Act in 2019, enhancing ENISA's role and powers. Within this framework, entities operating in both the public and the private sector are asked to implement adequate cybersecurity plans, also making sure that internal policies and procedures are appropriate from a data protection perspective as well.
The European Union Agency for Cybersecurity (ENISA) and the European Commission have recognized October as the European Cybersecurity Month. The goal of the campaign is to raise awareness among EU citizens about cybersecurity, that is, the practice of protecting systems, networks, and programs from digital attacks. But why is cybersecurity in the eye of the storm at both EU and national level?
Cyberattacks and significant cyber incidents are being reported on a weekly (if not daily) basis, with consequences in both the private and the public sector. In fact, during 2018, the Italian Information Security Association (CLUSIT – Associazione Italiana per la Sicurezza Informatica) reported an increase in critical attacks of 37.7% compared to the previous year, with an average of 129 critical attacks per month (Clusit, Report 2019 sulla sicurezza ICT in Italia). The same is happening in other jurisdictions, which have reported a considerable increase in cybersecurity incidents across all fields.
In light of the increase in cyber risks, it comes as no surprise that legislators worldwide have taken action. In this regard, the European Union understood the issue well from the very beginning. In fact, the EU founded ENISA (the European Union Agency for Network and Information Security) back in 2004 with the goal of raising "awareness of network and information security and to develop and promote a culture of network and information security in society for the benefit of citizens, consumers, enterprises and public sector organisations in the Union" (see Article 1 of ENISA's Regulation (EU) 526/2013).
The EU's mission on cybersecurity was then strengthened in 2013, when the European Commission, together with the High Representative of the Union for Foreign Affairs and Security Policy, published a cybersecurity strategy setting out the EU's vision on how to prevent and respond to cyber disruptions and attacks in the coming years.
Based on this approach, on July 6, 2016, the EU adopted the first piece of EU-wide cybersecurity legislation, the EU Network and Information Security Directive (Directive (EU) 2016/1148, the "NIS Directive").
Member states responded positively to the NIS Directive, transposing it into national law by June 2018 (Italy, in particular, adopted the NIS Directive through Legislative Decree No. 65/2018, which implemented the EU legislation into national law with no substantial changes). At present only 3 EU member states have not yet implemented the NIS Directive (see https://ec.europa.eu/digital-single-market/en/state-play-transposition-nis-directive).
The goal of the NIS Directive is to set common legal measures and requirements to boost the overall level of cybersecurity in the EU and, in particular, to ensure better protection for critical infrastructures.
The EU recognizes that the functioning of certain private IT infrastructures and services is essential to guarantee public welfare. With this objective, the NIS Directive imposes obligations on both operators of essential services (the lists of which have been drawn up by each EU member state for specific sectors) and digital service providers (including search engines, cloud computing services and online marketplaces), which are required to adopt appropriate technical and organizational measures to manage the risks posed to the security of the network and information systems they use, minimizing the risks deriving from cyberattacks. The NIS Directive also imposes stringent obligations regarding the notification of severe incidents to national authorities.
In this context, however, EU legislation needed an enhanced cyber resilience system equipped with a comprehensive set of measures to strengthen cybersecurity in the EU. With this goal, the EU Parliament adopted Regulation No. 881/2019, better known as the Cybersecurity Act.
The Cybersecurity Act, which is directly applicable in all EU member states, is complementary to the NIS Directive and focuses mainly on two aspects. Firstly, it enhances ENISA's role and powers, assigning the agency a key role in ensuring a high level of network and information security and in assisting EU member states in implementing an effective national security policy. Secondly, it introduces provisions for the establishment and maintenance of a cybersecurity certification framework at EU level, in order to strengthen trust in the digital internal market by guaranteeing transparency regarding the security of information system products, services, and processes.
In light of the above, it is clear that a lot has been done to guarantee the security of the cyber world, at both EU and national level, but a lot still has to be done in terms of compliance by entities operating in both the public and the private sector.
It is crucial for entities worldwide to carry out a comprehensive cybersecurity risk assessment, also reviewing policies and procedures to verify whether intrusion detection, prevention, event management, and log analysis are in line with best practices. At the same time, companies are required to review and implement incident response plans (also ensuring that such programs are aligned with the NIS Directive's reporting requirements), backup and recovery plans, as well as business continuity and disaster recovery plans. Finally, entities shall make sure that staff are appropriately trained and have the necessary skills to carry out their daily activities.
The above obligations are, in certain respects, similar to the requirements imposed by data protection laws. Although the NIS Directive does not take data protection provisions into consideration and the Cybersecurity Act only briefly refers to EU Regulation No. 679/2016 on the processing of personal data (the "GDPR"), there is no doubt that the cybersecurity legislation and the GDPR are closely related. This is also because digital service providers and operators of essential services process large amounts of personal data on a daily basis.
Relevant entities are therefore asked to verify whether the security measures undertaken to meet the requirements of the NIS Directive and the Cybersecurity Act, as well as their internal policies and plans, are adequate from a data protection perspective as well.