From the European Union to the Digital European Union
By Helga Zanotti and Nicolò Ghibellini
On 4 September 2022, Legislative Decree No. 123 of 3 August 2022 entered into force. The decree facilitates Italy’s alignment with the European cybersecurity certification framework introduced under Title III of Regulation (EU) 2019/881, commonly known as the Cybersecurity Act.
Cybersecurity operates within a complex and layered regulatory framework, both because it affects multiple sectors — some falling within the competence of the European legislator — and because of its inherent technical complexity.
Among the main Italian sources of primary law are Legislative Decree No. 65 of 18 May 2018, implementing Directive (EU) 2016/1148, known as the NIS Directive, and Decree-Law No. 105 of 21 September 2019, which established the national cybersecurity perimeter and extended the use of special government powers, or golden powers, to this area.
Regulation (EU) 2019/881 introduced a European cybersecurity certification framework for ICT products, services and processes. Legislative Decree No. 123/2022 therefore adapts Italian law to that framework and to the Regulation's two other subjects: the mandate of ENISA, the European Union Agency for Cybersecurity, and the cybersecurity certification of information and communication technologies.
With regard to personal data processing, Article 1 of Legislative Decree No. 123/2022 clarifies that personal data resulting from the application of the decree must be processed in compliance with the GDPR and Legislative Decree No. 196 of 30 June 2003. This confirms that the cybersecurity regulatory framework does not conflict with the scope of the GDPR.
These provisions form part of a new generation of EU regulations centred on risk, alongside the GDPR and the proposed Artificial Intelligence Regulation of 21 April 2021.
In particular, Legislative Decree No. 123/2022 refers to the three assurance levels defined in Article 52 of the Regulation, each commensurate with the level of risk associated with the intended use of the ICT product, service or process:
- Basic: certification confirms that the ICT products, services and processes have been evaluated as meeting security requirements intended to minimise the known basic risks of incidents and cyberattacks;
- Substantial: certification confirms that the ICT products, services and processes meet higher security requirements, including security functionalities, intended to minimise known cybersecurity risks and the risk of incidents and cyberattacks carried out by actors with limited skills and resources;
- High: certification confirms that the ICT products, services and processes meet security requirements intended to minimise the risk of state-of-the-art cyberattacks carried out by actors with significant skills and resources, with an evaluation that includes penetration testing and an assessment of resistance to such attacks.
Article 7 of Legislative Decree No. 123/2022 also confirms the role of conformity self-assessment, which Article 53 of the Regulation makes available only where a certification scheme provides for it and only for the "basic" assurance level. Under that mechanism the manufacturer or provider of the ICT product, service or process evaluates conformity itself and issues an EU statement of conformity; it cannot be used to attest the "substantial" or "high" levels, which require evaluation by a conformity assessment body or, for the highest level, by the national certification authority.
The National Cybersecurity Agency (Agenzia per la cybersicurezza nazionale) acts as the national cybersecurity certification authority and is responsible for receiving and analysing the documentation required to verify the conformity of self-declarations. Both certification and self-assessment are voluntary under the Regulation, unless Union or national law provides otherwise; Member States may therefore introduce mandatory certification for specific categories through dedicated legislation.
Article 10 of Legislative Decree No. 123/2022 sets out the sanctions framework, which includes both financial penalties and ancillary measures. Here too, the decree follows the GDPR model, under which the supervisory authority may first invite the entity to bring itself into compliance and impose sanctions only where non-compliance continues.
Companies are therefore entering a new phase characterised by coexistence with risk and by the constant need for monitoring in order to limit its consequences.