
Italian Law No. 90 of 28 June 2024 introduced new provisions on strengthening national cybersecurity.

Among the various innovations are obligations for the structures responsible for ensuring the correct management of IT security profiles at public administrations and at private entities falling within the “cybernetic national security perimeter”. These obligations concern, in particular, software and tools based on encryption solutions.

These structures need to verify that these technologies comply with the encryption guidelines and the password retention guidelines adopted by the Italian National Cyber Security Agency and the Data Protection Authority (“Garante Privacy”). In addition, they need to check for any known vulnerabilities that could make encrypted data available and understandable to third parties.

Further developments include the reporting requirements for security incidents and the appointment of a “referente per la cybersicurezza” (i.e. a cybersecurity contact point), to be identified on the basis of specific and proven cybersecurity expertise and skills, within facilities to which specific cybersecurity expertise should be entrusted. That remit includes the development of information security policies and procedures, the production and updating of detection and prior analysis systems and of a plan for cyber risk management, the production and updating of a data security policy plan, administration systems and infrastructure, and the planning and implementation of capacity building measures for IT risk management.