June 8, 2015
Legislative Decree 65/2018 implements the directive by setting out how it is applied in Italy. The main decisions made for our country are the following.
- By 9 November 2018 (the deadline set by the directive, met in practice with a slight delay) the OSEs (operators of essential services) were identified; the national list has been filed with the Ministry of Economic Development and is to be reviewed at least every two years.
- The competent authorities responsible for implementing the decree have been designated. In particular:
  - the Ministry of Economic Development for the energy sector (electricity, gas and oil sub-sectors) and for the digital infrastructure sector (IXP, DNS and TLD sub-sectors), as well as for digital services;
  - the Ministry of Infrastructure and Transport for the transport sector (air, rail, water and road sub-sectors);
  - the Ministry of Economy and Finance for the banking sector and for the financial market infrastructure sector;
  - the Ministry of Health for health care activities;
  - the Ministry of the Environment and Protection of the Territory and the Sea for the drinking water supply and distribution sector.
- The Italian CSIRT (https://www.csirt-ita.it) has been established at the Presidency of the Council of Ministers. It performs the tasks and functions of the national CERT (Computer Emergency Response Team) and of the CERT-PA, whose tasks are transferred to the CSIRT.
- The DIS (Security Information Department, https://www.sicurezzanazionale.gov.it), at the Presidency of the Council of Ministers, has been designated as the single national point of contact on the security of networks and information systems. It takes part in the cooperation group composed of representatives of the Member States, the European Commission and ENISA.
- For both OSEs and FSDs (digital service providers), criteria have been defined for notifying, without undue delay, incidents that have a significant impact on the continuity of the essential services provided. Notifications must be sent to the national CSIRT and, for information, to the competent authority. The CSIRT determines whether any cross-border impact is relevant and what follow-up actions are needed.
- The implementation and control criteria are defined by the competent authorities, as well as the inspection powers.
- Administrative sanctions are defined for OSEs and FSDs for:
  - failure to adopt adequate and proportionate technical measures for managing risks to the security of networks and information systems;
  - failure to notify the Italian CSIRT of incidents having a significant impact on the continuity of the essential services provided;
  - lack of cooperation in providing the information needed to assess the security of their networks and information systems.
- The penalty amounts, depending on the case, range from €12,000 to €125,000 and may be tripled for repeated violations.
- The financial provisions in support of the law are defined.