INFORMATION TECHNOLOGY
Legislative Decree No. 138/2024, transposing Directive (EU) 2022/2555 NIS 2 on a common level of cybersecurity in the EU, will enter into force on 16 October.
Legislative Decree No. 138 of 4 September 2024 on the ‘Transposition of Directive (EU) 2022/2555 on measures for a high common level of cybersecurity in the Union, amending Regulation (EU) No. 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148’ was published in Official Gazette No. 230/2024.
Legislative Decree No. 138/2024, which will enter into force on 16 October 2024, establishes measures to ensure a high level of cybersecurity in the national sphere, contributing to increasing the common level of security in the EU so as to improve the functioning of the internal market.
The Decree, consisting of 44 articles, specifically provides for:
(a) the National Cybersecurity Strategy, containing forecasts aimed at ensuring a high level of cybersecurity;
b) the integration of the cyber crisis management framework, in the context of the national organisation for the management of crises involving aspects of cybersecurity;
(c) the confirmation of the National Cybersecurity Agency as:
1) National NIS Competent Authority, regulating its powers inherent to the implementation and enforcement of the Decree;
2) NIS Single Point of Contact, ensuring national and cross-border liaison;
3) National Information Security Incident Response Team (CSIRT Italy);
d) the designation of the National Cybersecurity Agency, acting as coordinator pursuant to Article 9(2) of Directive (EU) 2022/2555, and the Ministry of Defence, each for the areas of competence indicated in Article 2, c. 1(g), as National Large-Scale Cyber Crisis Management Authorities, ensuring consistency with the existing national framework for general cyber crisis management, without prejudice to the tasks of the Cyber Security Unit referred to in Article 9 of Decree-Law No. 82/2021;
e) the identification of NIS Sector Authorities that cooperate with the National Cybersecurity Agency, supporting its functions as NIS Competent National Authority and NIS Single Point of Contact;
f) the indication of the criteria for the identification of the entities to which this Decree applies and the definition of the relevant obligations with regard to cybersecurity risk management measures and incident reporting;
(g) the adoption of cooperation and information sharing measures for the purposes of applying the decree, in particular, through national participation in
1) to the NIS Cooperation Group between NIS competent authorities and between single points of contact of EU Member States, with a view to increasing trust and cooperation at EU level;
(2) to the Cyber Crisis Liaison Organisations Network (EU-CyCLONe) in order to support the coordinated management of large-scale cyber incidents and crises at operational level and to ensure the regular exchange of relevant information between Member States and EU institutions, bodies, offices and agencies
(3) the network of national CSIRTs with a view to ensuring rapid and effective technical cooperation.
Legislative Decree No. 138/2024, which will enter into force on 16 October 2024, establishes measures to ensure a high level of cybersecurity in the national sphere, contributing to increasing the common level of security in the EU so as to improve the functioning of the internal market.
The Decree, consisting of 44 articles, specifically provides for:
(a) the National Cybersecurity Strategy, containing forecasts aimed at ensuring a high level of cybersecurity;
b) the integration of the cyber crisis management framework, in the context of the national organisation for the management of crises involving aspects of cybersecurity;
(c) the confirmation of the National Cybersecurity Agency as:
1) National NIS Competent Authority, regulating its powers inherent to the implementation and enforcement of the Decree;
2) NIS Single Point of Contact, ensuring national and cross-border liaison;
3) National Information Security Incident Response Team (CSIRT Italy);
d) the designation of the National Cybersecurity Agency, acting as coordinator pursuant to Article 9(2) of Directive (EU) 2022/2555, and the Ministry of Defence, each for the areas of competence indicated in Article 2, c. 1(g), as National Large-Scale Cyber Crisis Management Authorities, ensuring consistency with the existing national framework for general cyber crisis management, without prejudice to the tasks of the Cyber Security Unit referred to in Article 9 of Decree-Law No. 82/2021;
e) the identification of NIS Sector Authorities that cooperate with the National Cybersecurity Agency, supporting its functions as NIS Competent National Authority and NIS Single Point of Contact;
f) the indication of the criteria for the identification of the entities to which this Decree applies and the definition of the relevant obligations with regard to cybersecurity risk management measures and incident reporting;
(g) the adoption of cooperation and information sharing measures for the purposes of applying the decree, in particular, through national participation in
1) to the NIS Cooperation Group between NIS competent authorities and between single points of contact of EU Member States, with a view to increasing trust and cooperation at EU level;
(2) to the Cyber Crisis Liaison Organisations Network (EU-CyCLONe) in order to support the coordinated management of large-scale cyber incidents and crises at operational level and to ensure the regular exchange of relevant information between Member States and EU institutions, bodies, offices and agencies
(3) the network of national CSIRTs with a view to ensuring rapid and effective technical cooperation.
