Here is the draft of the decree law on cyber with the establishment of the National Cybersecurity Agency (Acn)
The establishment of the National Cybersecurity Agency (Acn) is ready after the Draghi government destroyed the project of the former premier Giuseppe Conte of the internal Dis agency, which was designed by the former number one of Dis, Gennaro Vecchione, torpedoed by the Draghi government, which appointed Elisabetta Belloni.
Here are all the details on the cyber decree-law scheme with the establishment of the National Cybersecurity Agency (Acn).
The government accelerates on the National Cybersecurity Agency (Acn), a public body with regulatory, administrative, patrimonial, organizational autonomy, envisaged in the draft of 19 articles, incomplete and subject to change, of the Cybersecurity decree-law that should arrive in the Council of Ministers.
Given “the vulnerability of the networks, information systems, IT services and electronic communications of public and private entities that can be exploited in order to cause total or partial malfunction or interruption of essential functions of the State and services essential for the maintenance of civil, social or economic activities fundamental to the interests of the State”, the government wants to redefine the Italian cybersecurity architecture, also providing for the establishment of a special agency to “adapt it to technological evolution, to the context of threat coming from the cyber space, as well as to the European regulatory framework, and of having to link, also to protect the legal unity of the system, the provisions on the security of networks, information systems, of IT services and electronic communications”.
In addition to the Acn, the decree establishes, at Palazzo Chigi, an interministerial committee for cybersecurity (Cics) “with the functions of consulting, proposing and deliberating on cybersecurity policies, also for the purposes of protecting national security in the cyber space”.
The provision also provides for the hiring of ad hoc personnel, even those not coming from the public administration. The nucleus for cybersecurity is set up at the ACN, a sort of front line that in case of crisis ensures support for the premier, and is composed of the prime minister’s military adviser, a representative, respectively, of the Dis, the Aise, the Aisi and each of the ministries represented in the inter-ministerial committee for the security of the republic (Cisr), as well as a representative of the University ministry, the minister delegated for technological innovation and digital transition, and a representative of the civil protection department of Palazzo Chigi.
The President of the Council of Ministers is exclusively attributed: top management and general responsibility for cybersecurity policies, also for the purposes of protecting national security in the cyber space; the adoption of the national cybersecurity strategy, after consulting the inter-ministerial committee for cybersecurity (Cics); the appointment and dismissal of the Director General and Deputy Director General of the National Cybersecurity Agency.
The President of the Council of Ministers, having consulted the Cics, issues the directives for cybersecurity and issues all provisions necessary for the organization and functioning of the National Cybersecurity Agency. The proposal of the Cybersecurity Agency was delivered in the past few hours to Copasir, called to express an opinion on the text.
+++
DECREE-LAW SCHEME CONTAINING URGENT PROVISIONS IN THE FIELD OF CYBER SECURITY, DEFINITION OF THE NATIONAL CYBER SECURITY ARCHITECTURE AND ESTABLISHMENT OF THE NATIONAL CYBER SECURITY AGENCY.
THE PRESIDENT OF THE REPUBLIC
GIVEN Articles 77 and 87 of the Constitution;
GIVEN the law of 23 August 1988, n. 400, laying down the discipline of government activity and the order of the Presidency of the Council of Ministers;
CONSIDERING that the vulnerabilities of the networks, information systems, IT services and electronic communications of public and private entities can be exploited in order to cause the total or partial malfunction or interruption of essential functions of the State and essential services for the maintenance of civil, social or economic activities essential for the interests of the State, as well as public utility services, with potentially serious repercussions on citizens, businesses and public administrations, up to the point of causing prejudice to national security;
CONSIDERING the extraordinary need and urgency, in the current regulatory framework and in the face of the ongoing implementation of important and strategic technological infrastructures, also in relation to recent attacks on the networks of European countries and important international partners capable of determining effects, including of a systemic nature and which further underline how the cyber domain constitutes an area of confrontation with repercussions on national security, of rationalizing skills in this area, of ensuring more effective coordination, of implementing measures aimed at making the country more secure and resilient also in the digital domain, to have the most suitable tools for immediate intervention that allow any emergency situations involving cybersecurity profiles to be dealt with with the utmost effectiveness and timeliness;
CONSIDERING also the need and urgency to implement the National Recovery and Resilience Plan, approved by the Council of Ministers at the meeting of 29 April 2021, which provides for specific projects in the field of cybersecurity, in particular for the establishment of a national cybersecurity, as a necessary factor to ensure the development and growth of the national economy and industry, placing cybersecurity at the foundation of the digital transformation;
CONSIDERING therefore that it is necessary to intervene urgently in order to redefine the Italian cybersecurity architecture, also providing for the establishment of a specific National Cybersecurity Agency, to adapt it to technological evolution, to the context of threats coming from cyber space, as well as to the European regulatory framework, and to have to link, also to protect the legal unity of the legal system, the provisions on the security of networks, information systems, IT services and electronic communications;
GIVEN the resolution of the Council of Ministers, adopted at the meeting of ……. 2021; On the proposal of the President of the Council of Ministers;
ISSUES the following decree-law:
Art. 1 (Definitions)
1. For the purposes of this decree, the following definitions apply:
a) cybersecurity, the set of activities necessary to protect and ensure the availability, confidentiality and integrity of networks, information systems, IT services and electronic communications from cyber threats, also guaranteeing their resilience;
b) perimeter decree-law, the decree-law 21 September 2019, n. 105, converted, with amendments, by law 18 November 2019, n. 133, containing urgent provisions regarding the perimeter of national cyber security and the regulation of special powers in sectors of strategic importance;
c) legislative decree NIS, the legislative decree 18 May 2018, n. 65, implementing Directive (EU) 2016/1148 of the European Parliament and of the Council, of 6 July 2016, concerning measures for a high common level of security of networks and information systems in the Union;
d) CISR, the Interministerial Committee for the Security of the Republic referred to in Article 5 of Law no. 124;
e) DIS, the Security Information Department referred to in Article 4 of Law no. 124 of 2007;
f) AISE, the external information and security agency referred to in article 6 of law no. 124 of 2007;
g) AISI, the information and internal security agency referred to in article 7 of law no. 124 of 2007;
h) COPASIR, the Parliamentary Committee for the security of the Republic referred to in Article 30 of Law no. 124 of 2007;
i) national cybersecurity strategy, the strategy referred to in article 6 of the NIS legislative decree.
Art. 2 (Powers of the President of the Council of Ministers)
1. The President of the Council of Ministers is exclusively attributed:
a) top management and general responsibility for cybersecurity policies, also for the purposes of protecting national security in the cyber space;
b) the adoption of the national cybersecurity strategy, after consulting the Interministerial Committee for Cybersecurity (CICS) referred to in Article 4;
c) the appointment and dismissal of the Director General and Deputy Director General of the National Cybersecurity Agency referred to in Article 5.
2. For the purpose of exercising the competences referred to in letter a) and implementing the national cybersecurity strategy, the President of the Council of Ministers, having consulted the CICS, issues the directives for cybersecurity and issues all provisions necessary for the organization and functioning of the National Cybersecurity Agency.
Art. 3 (Delegated authority)
1. The President of the Council of Ministers, where he deems it appropriate, may delegate to the delegated authority referred to in article 3 of law no. 124 of 2007, where established, the functions referred to in this decree that are not exclusively attributed to it.
2. The President of the Council of Ministers is constantly informed by the delegated authority on the procedures for exercising the functions delegated pursuant to this decree and, without prejudice to the power of directive, may at any time invoke the exercise of all or some of them.
3. The Delegated Authority, in relation to the functions delegated pursuant to this decree, participates in the meetings of the Interministerial Committee for the digital transition referred to in article 8 of the decree-law 1 March 2021, n. 22, converted, with modifications, by law 22 April 2021, n. 55.
draft 08/06/2021
Art. 4 (Interministerial Committee for Cybersecurity)
1. The Interministerial Committee for Cybersecurity (CICS) has been set up at the Presidency of the Council of Ministers, with advisory, proposal and deliberation functions on the matter of cybersecurity policies, also for the purpose of protecting national security in the cyber space.
2. The Committee:
a) proposes to the President of the Council of Ministers the general guidelines to be pursued within the framework of national cybersecurity policies;
b) carries out high surveillance on the implementation of the national cybersecurity strategy;
c) promotes the adoption of the necessary initiatives to foster effective collaboration, at national and international level, between institutional subjects and private operators interested in cybersecurity, as well as for the sharing of information and for the adoption of best practices and measures aimed at the goal of cybersecurity and industrial, technological and scientific development in the field of cybersecurity;
d) deliberates and expresses opinion on the budget and final balance sheets of the National Cybersecurity Agency.
3. The Committee is chaired by the President of the Council of Ministers and is composed of the delegated authority, where established, the Minister of Foreign Affairs and International Cooperation, the Minister of the Interior, the Minister of Justice, the Minister of Defense, the Minister of Economy and Finance, the Minister of Economic Development, the Minister of Ecological Transition, the Minister of University and Research and the Minister Delegate for Technological Innovation and Digital Transition.
4. The Director General of the Agency carries out the functions of secretary of the Committee.
5. The President of the Council of Ministers may call other members of the Council of Ministers, the director general of the DIS, the director of the AISE, the director of the AISI, as well as other civil and military authorities whose presence is deemed necessary from time to time in relation to the issues to be dealt with.
6. The Committee also performs the functions already attributed to the CISR by the perimeter decree-law and the related implementing measures, with the exception of those envisaged by article 5 of the same perimeter decree-law.
Art. 5 (National Cybersecurity Agency)
1. To protect national interests in the field of cybersecurity, also for the purposes of protecting national security in the cyber space, the National Cybersecurity Agency (ACN), named for the purposes of this decree “Agency”, is established, with headquarters in Rome.
2. The Agency has a legal personality under public law and is endowed with regulatory, administrative, patrimonial, organizational, accounting and financial autonomy, within the limits of the provisions of this decree. The regulations envisaged by this decree may also contain provisions in derogation from the regulations in force, in relation to the performance of the functions of protection of national security in the cyber space attributed to the Agency itself and taking into account the activities carried out in connection with the Information System for the security of the Republic referred to in law no. 124 of 2007.
3. The President of the Council of Ministers and the Delegated Authority, where established, make use of the Agency for the exercise of the powers referred to in this decree.
4. The general management of the Agency is entrusted to a senior manager of the State administration or equivalent, identified among persons of particular and proven professional qualification in the field of cybersecurity and in possession of documented high-level experience in the management of innovation processes. The offices of the general manager and deputy general manager have a maximum duration of four years and are renewable, with subsequent measures, for a maximum total duration of a further four years. For the provisions of this decree, the Director General of the Agency is the direct contact person of the President of the Council of Ministers and of the Delegated Authority, where established, and is hierarchically and functionally superordinate to the staff of the Agency.
5. The activity of the Agency is regulated by this decree and by the provisions whose adoption is foreseen by the same.
6. The Agency may request, also on the basis of specific agreements and in compliance with the areas of its main competence, the collaboration of other State bodies, other administrations, police forces or public bodies for the performance of its institutional tasks.
Art. 6 (Organization of the National Cybersecurity Agency)
1. The organization and functioning of the Agency are defined by a specific regulation which provides, in particular, for its division into offices of general management level, as well as non-general management level.
2. The Director General and the Board of Auditors are the bodies of the Agency. The regulation referred to in paragraph 1 also governs:
a) the functions of the general manager and deputy general manager of the Agency;
b) the composition and functioning of the Board of Auditors;
c) the establishment of any secondary offices.
3. The regulation referred to in paragraph 1 is adopted, within one hundred and twenty days from the date of entry into force of the law converting this decree, by decree of the President of the Council of Ministers, also in derogation from article 17 of the law of 23 August 1988, no. 400, after consulting COPASIR, after consulting CICS.
Art. 7 (Functions of the National Cybersecurity Agency)
1. The Agency:
a) is the National Cybersecurity Authority and, in relation to this role, ensures, in compliance with the competences attributed by the current legislation to other administrations, coordination between the public entities involved in the field of cybersecurity at national level and promotes the implementation of joint actions aimed at ensuring cyber security and resilience for the development of the digitization of the country, the production system and public administrations, as well as for the achievement of autonomy, national and European, with regard to IT products and processes of strategic importance for the protection of national interests in the sector. For the networks, information systems and IT services relating to the management of classified information, the provisions of the regulation adopted pursuant to article 4, paragraph 3, letter l), of law no. 124 of 2007, as well as the responsibilities of the Central Office for secrecy referred to in Article 9 of Law no. 124 of 2007, remain unaffected;
b) prepares the national cybersecurity strategy;
c) carries out all necessary support activities for the functioning of the Cybersecurity Nucleus, referred to in Article 8 of this decree;
d) is a competent national authority and single point of contact for the security of networks and information systems, for the purposes referred to in the legislative decree NIS, to protect the legal unity of the system, and is competent to ascertain violations and to impose the administrative sanctions provided for by the same decree;
e) is the National Cybersecurity Certification Authority pursuant to Article 58 of Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019, and assumes all the tasks relating to cyber security certification already assigned to the Ministry of Economic Development under the law in force, including those relating to the ascertainment of violations and the imposition of sanctions;
f) assumes all cybersecurity tasks already assigned by the provisions in force to the Ministry of Economic Development, including those relating to:
1) the perimeter of national cyber security, referred to in the perimeter decree-law and related implementing measures, including the functions attributed to the National Assessment and Certification Center pursuant to the perimeter decree-law, the inspection and verification activities referred to Article 1, paragraph 6, letter e), of the perimeter decree-law and those relating to the ascertainment of violations and the imposition of administrative sanctions provided for by the same decree, without prejudice to those referred to in Article 3 of the regulation adopted with decree of the President of the Council of Ministers n. 131 of 2020;
2) the security and integrity of electronic communications, as per articles 16-bis and 16-ter of the legislative decree 1 August 2003, n. 259, and related implementing provisions;
3) the security of networks and information systems, as per the legislative decree NIS;
g) participates, for the areas of competence, in the coordination group established pursuant to the regulations referred to in article 1, paragraph 8, of the decree-law of 15 March 2012, n. 21, converted, with modifications, by the law 11 May 2012, n. 56;
h) assumes all the tasks already assigned to the Presidency of the Council of Ministers regarding the national cyber security perimeter, as per the perimeter decree-law and the related implementing measures, including the inspection and verification activities referred to in Article 1, paragraph 6, letter e), of the perimeter decree-law and those relating to the ascertainment of violations and the imposition of administrative sanctions provided for by the same decree, without prejudice to those referred to in Article 3 of the regulation adopted by decree of the President of the Council of Ministers n. 131 of 2020;
i) assumes all the tasks already assigned to the DIS by the perimeter decree-law and the related implementing measures and supports the President of the Council of Ministers for the purposes of article 1, paragraph 19-bis, of the perimeter decree law;
l) on the basis of the activities falling within the competence of the Cybersecurity Nucleus referred to in Article 8 of this decree, provides for the activities necessary for the implementation and control of the execution of the measures taken by the President of the Council of Ministers pursuant to article 5 of the perimeter decree-law;
m) assumes all cybersecurity tasks already assigned to the Agency for Digital Italy by the current provisions and, in particular, those referred to in Article 51 of Legislative Decree no. 82, as well as on the adoption of guidelines containing technical rules of cybersecurity pursuant to article 71 of the same legislative decree. The Agency also assumes the tasks referred to in article 33-septies, paragraph 4, of the decree-law no. 179, converted, with amendments, by law 17 December 2012, n. 221, already attributed to the Agency for Digital Italy;
n) develops national capabilities for prevention, monitoring, detection, analysis and response, to prevent and manage IT security incidents and IT attacks, also through the CSIRT Italy referred to in Article 8 of the NIS legislative decree;
o) participates in national and international exercises that concern the simulation of cybernetic events in order to increase the resilience of the country;
p) takes care of and promotes the definition and maintenance of an updated and coherent national legal framework in the domain of cybersecurity, also taking into account the guidelines and developments in the international arena. To this end, the Agency expresses non-binding opinions on legislative or regulatory initiatives concerning cybersecurity;
q) coordinates, in conjunction with the Ministry of Foreign Affairs and International Cooperation, international cooperation in the field of cybersecurity. Within the European Union and internationally, the Agency handles relations with the competent bodies, institutions, and entities, as well as follows cybersecurity issues in the competent institutional offices, except for the areas in which the law assigns specific competences to other administrations. In such cases, the link with the Agency is in any case ensured in order to guarantee uniform national positions consistent with the cybersecurity policies defined by the President of the Council of Ministers;
r) pursuing objectives of excellence, it supports the development of industrial, technological and scientific skills and abilities in the areas of competence, through the involvement of academia, research and the national production system. For these purposes, the Agency may promote, develop and finance specific projects and initiatives, also aimed at promoting the technological transfer of research results in the sector. The Agency ensures the appropriate synergies with the other administrations to which the law attributes competences in the field of cybersecurity;
s) stipulates bilateral and multilateral agreements, also through the involvement of the private and industrial sector, with institutions, bodies and organizations of other countries for Italy’s participation in cybersecurity programs,
t) promotes, supports and coordinates Italian participation in European Union and international projects and initiatives, also through the involvement of national public and private entities, in the field of cybersecurity and related application services. The Agency ensures the appropriate synergies with the other administrations to which the law attributes competences in the field of cybersecurity;
u) carries out communication and awareness-raising activities in the field of cybersecurity, in order to contribute to the development of a national culture on the subject;
v) promotes training, technical-professional growth and the qualification of human resources in the field of cybersecurity, also through the assignment of scholarships, doctorates and research grants, on the basis of specific agreements with public and private entities;
z) for the purposes referred to in this article, may establish and participate in public-private partnerships on the national territory, as well as, subject to the authorization of the President of the Council of Ministers, in consortia, foundations or companies with public and private, Italian and foreign entities.
aa) is designated as the National Coordination Center pursuant to Article 6 of Regulation (EU) 2021/887 of the European Parliament and of the Council of 20 May 2021, establishing the European Center of Competence for Cybersecurity in the industrial, technological and research fields and the network of national coordination centers.
2. Within the framework of the Agency, the national representative and his/her deputy are appointed by decree of the President of the Council of Ministers to the Governing Council of the European Center of Competence for Cybersecurity in the industrial, technological and research fields, pursuant to Article 12 of Regulation (EU) 2021/887.
3. The Italian CSIRT referred to in Article 8 of the NIS legislative decree is transferred to the Agency and takes the name “CSIRT Italy”.
4. The National Assessment and Certification Center, established at the Ministry of Economic Development, is transferred to the Agency.
5. In compliance with the competences of the Guarantor for the protection of personal data, the Agency, for the purposes referred to in this decree, consults the Guarantor and collaborates with it, also in relation to incidents involving violations of personal data. The Agency and the Guarantor can stipulate specific protocols of intent which also define the modalities of their collaboration.
Art. 8 (Cybersecurity Nucleus)
1. The Cybersecurity Nucleus is permanently established at the Agency to support the President of the Council of Ministers in the field of cybersecurity, for the aspects relating to the prevention and preparation for any crisis situations and for the activation of alert procedures.
2. The Cybersecurity Nucleus is chaired by the Director General of the Agency or by the Deputy Director General designated by him and is composed of the Military Advisor of the President of the Council of Ministers and of a representative, respectively, of DIS, AISE, AISI, of each of the Ministries represented in the Committee referred to in Article 5 of Law no. 124 of 2007, of the Ministry of University and Research, of the Minister delegated for technological innovation and digital transition, of the Department of Civil Protection of the Presidency of the Council of Ministers. For aspects relating to the handling of classified information, the Nucleus is supplemented by a representative of the Central Office for secrecy referred to in Article 9 of Law no. 124 of 2007.
3. The members may be accompanied at the meetings by other representatives of their respective administrations in relation to the matters being discussed. On the basis of the topics of the meetings, representatives of other administrations, universities or research bodies and institutes, as well as private operators interested in the subject of cybersecurity, may also be called to participate.
4. The Nucleus can be convened in a restricted composition with the participation of the representatives of the administrations and interested parties only, also in relation to the crisis management tasks referred to in Article 10.
Art. 9 (Tasks of the Cybersecurity Nucleus)
1. For the purposes referred to in Article 8, the Cybersecurity Nucleus carries out the following tasks:
a) may formulate proposals for initiatives in the field of cybersecurity of the country, also within the framework of the international context on the matter;
b) promotes, on the basis of the directives referred to in Article 2, paragraph 2, the programming and operational planning of the response to cyber crisis situations by the administrations and private operators concerned and the development of the necessary inter-ministerial coordination procedures, in connection with civil defense and civil protection plans, also within the framework of the provisions of article 7-bis, paragraph 5, of decree-law no. 174 of 2015, converted, with amendments, by law no. 198 of 2015;
c) promotes and coordinates the conduct of inter-ministerial exercises, or the national participation in international exercises concerning the simulation of cybernetic events in order to increase the resilience of the country;
d) evaluates and promotes, in conjunction with the administrations competent for specific cybersecurity profiles, information sharing procedures, including with interested private operators, for the purpose of disseminating alerts relating to cyber events and for crisis management;
e) receives, through the CSIRT Italy, communications about cases of violations or attempts to breach security or loss of integrity that are significant for the purposes of the correct functioning of the networks and services, from DIS, AISE and AISI, from the police forces and, in particular, from the organ of the Ministry of the Interior referred to in article 7-bis of decree-law no. 144 of 2005, converted, with amendments, by law no. 155 of 2005, from the structures of the Ministry of Defense, as well as from the other administrations that make up the Nucleus and from the CERTs established in accordance with current legislation;
f) receives incident notifications from CSIRT Italy in accordance with the provisions in force;
g) evaluates whether the events referred to in letters e) and f) assume such dimensions, intensity or nature that they cannot be dealt with by the individual competent administrations in the ordinary way, but require the taking of coordinated decisions in the inter-ministerial seat, providing in this case to promptly inform the President of the Council of Ministers, or the Delegated Authority, where established, on the current situation and on the performance of the connection and coordination activities referred to in Article 10, in the composition envisaged therein.
Art. 10 (Crisis management involving cybersecurity aspects)
1. In crisis situations involving aspects of cybersecurity, in cases in which the President of the Council of Ministers calls the CISR on the management of the aforementioned crisis situations, the Minister delegated for technological innovation and digital transition and the Director General of the Agency are called to participate in the meetings of the Committee.
2. The Nucleus ensures support for the CISR and the President of the Council of Ministers, in the matter of cybersecurity, for the aspects relating to the management of crisis situations pursuant to paragraph 1, as well as for the exercise of the powers attributed to the President of the Council of Ministers, including the preliminary activities and the necessary activation procedures, pursuant to article 5 of the perimeter decree-law.
3. In situations of cyber crises, the Nucleus is integrated, as needed, with a representative, respectively, of the Ministry of Health, the Ministry of Sustainable Infrastructure and Mobility, the Department of Firefighters, Public Rescue and of the civil defense, also representing the Interministerial Technical Commission of Civil Defense, authorized to take decisions that bind their administration. At the meetings, the members can be accompanied by other officials of their administration. Representatives of other administrations, including local ones, and entities, also authorized to take decisions, and of other public or private subjects that may be interested may be called to participate in the same meetings.
4. It is the task of the Nucleus, in the composition for crisis management, referred to in paragraph 3, to ensure that the reaction and stabilization activities under the responsibility of the various administrations and entities with respect to cyber crisis situations are carried out in a coordinated manner, in accordance with the provisions of article 9, paragraph 1, letter b).
5. The Nucleus, for the performance of its functions and without prejudice to the provisions of article 7-bis, paragraph 5, of decree-law no. 174 of 2015, converted, with amendments, by law no. 198 of 2015:
a) keeps the President of the Council of Ministers, or the Delegated Authority, where established, constantly informed on the current crisis, preparing updated points of the situation;
b) ensures coordination for the implementation at inter-ministerial level of the decisions of the President of the Council of Ministers for overcoming the crisis;
c) collects all data relating to the crisis;
d) prepares reports and provides information on the crisis and transmits them to the public and private subjects concerned;
e) participates in the European mechanisms for managing cyber crises, also ensuring the links aimed at managing the crisis with the counterparts of other states, NATO, the EU or international organizations of which Italy is a member.
Art. 11 (Accounting rules and financial provisions)
1. The President of the Council of Ministers is exclusively assigned the determination of the annual requirement of the Agency’s financial resources, which he communicates to COPASIR. In the estimate of the expenditure of the Ministry of Economy and Finance the annual allocation of financial resources for the Agency is assigned.
2. The revenues of the Agency consist of:
a) financial endowments and ordinary contributions as per article 18 of this decree;
b) fees for services provided to public or private entities;
c) proceeds from the exploitation of industrial property, intellectual property and inventions of the Agency;
d) other capital and operating income;
e) contributions from the European Union or international organizations, also following participation in specific calls, projects and collaboration programs;
f) proceeds from sanctions pursuant to the provisions of article 18, paragraph 3;
g) any other possible income.
3. The accounting regulation of the Agency, which ensures its managerial and accounting autonomy, is adopted by decree of the President of the Council of Ministers, upon proposal by the Director General of the Agency, within one hundred and twenty days from the date of entry into force of the conversion law of this decree, also in derogation from the general accounting rules of the State, also in derogation from article 17 of the law 23 August 1988, n. 400, subject to the opinion of COPASIR and consulted the CICS, subject to verification of accounting regularity by the Board of Auditors and in compliance with the fundamental principles established by them, as well as the following provisions:
a) the budget and the final budget adopted by the Director General of the Agency are approved by decree of the President of the Council of Ministers, following a resolution of the CICS;
b) the budget and final balance are sent to the Court of Auditors for the control of the legality and regularity of the management. The Court of Auditors is competent to check the legitimacy of documents, pursuant to article 3, paragraph 4, of law no. 20;
c) the final balance of financial management is sent, together with the report of the Court of Auditors, to COPASIR.
4. By regulation adopted by decree of the President of the Council of Ministers, on the proposal of the Director General of the Agency, within one hundred and twenty days from the date of entry into force of the law converting this decree, also in derogation of article 17 of law 23 August 1988, n. 400, following the opinion of COPASIR and after hearing the CICS, the procedures for the stipulation of contracts for works contracts and the supply of goods and services for the activities of the Agency aimed at protecting national security in the cyber space and for those carried out in connection with the Information System for the security of the Republic referred to in Law no. 124 of 2007, without prejudice to the discipline in compliance with the provisions of article 162 of the code of public contracts relating to works, services and supplies, referred to in Legislative Decree 18 April 2016, n. 50.
Art. 12 (Personnel)
1. A specific regulation dictates, in compliance with the criteria set out in this decree, the discipline of the contingent of personnel assigned to the Agency. The regulation defines the organization and recruitment of personnel, and the related economic and social security treatment, providing, in particular, for the staff of the Agency an economic treatment equal to that enjoyed by the employees of the Bank of Italy, on the basis of the equivalence of the functions performed and the level of responsibility held.
2. The regulation determines, within the limits of the available financial resources, in particular:
a) the establishment of a staff role and the general regulation of the employment relationship employed by the Agency;
b) the possibility of proceeding, in addition to permanent hires through competitive procedures, to fixed-term hires, with private law contracts, of subjects in possession of high and particular specialization duly documented, identified through adequate selective methods, for carrying out activities absolutely necessary for the Agency’s operations or for specific projects to be completed within a set period of time;
c) the possibility of making use of a contingent of experts, not exceeding fifty units, made up of personnel in a position of out of office, command or other similar position, provided for by the legal systems to which they belong, coming from ministries, from other public administrations, or from personnel not belonging to the public administration, in possession of specific and high competence in the field of cybersecurity and innovative digital technologies, in the development and management of complex processes of technological transformation and related communication and dissemination initiatives, as well as significant experience in digital transformation, including the development of large-scale digital programs and platforms. the regulation, for these purposes,
d) the determination of the maximum percentage of employees that it will be possible to hire [the letter and the limit of no. 50 units];
e) the possibility of employing personnel from the Ministry of Defense, according to terms and methods to be defined with a specific decree of the President of the Council of Ministers of a non-regulatory nature;
f) the hypothesis of incompatibility;
g) career development procedures within the Agency;
h) the discipline and procedure for the definition of the legal aspects and, limited to any accessory remuneration, economic of the employment relationship of the personnel subject to negotiation with the personnel representatives;
i) the methods of application of the provisions of Legislative Decree 10 February 2005, n. 30, bearing the Code of industrial property, intellectual property and inventions of the employees of the Agency;
l) cases of termination of service of staff hired for an indefinite period and cases of early termination of fixed-term relationships.
3. If the recruitments referred to in paragraph 2, letter b) concern permanent university professors or confirmed university researchers, the provisions of article 12 of the decree of the President of the Republic of 11 July 1980, n. 382, apply, also as regards the placement on leave.
4. In the first application of the provisions referred to in this decree, the number of places foreseen by the staff plan of the Agency is identified in the overall measure of three hundred units. The regulation identifies which of the provisions contained therein may be subject to revision as a result of the negotiation with the staff representatives.
5. With successive decrees of the President of the Council of Ministers, the organic endowment is redetermined in four hundred and fifty units in 2024, in six hundred units in 2025, in seven hundred units in 2026 and in eight hundred units in 2027.
6. Hirings carried out in violation of the prohibitions provided for by this decree or by the regulation are void, without prejudice to the personal, property and disciplinary responsibility of the person who ordered them.
7. Without prejudice to the provisions of article 42 of law no. 124 of 2007, the personnel who, in any case, work in the employ of or in favor of the Agency are required, even after the cessation of such activity, to respect the secrecy of what they have become aware of in the exercise of or due to their own functions.
8. The regulation referred to in this article is adopted, within one hundred and twenty days from the date of conversion into law of this decree, by decree of the President of the Council of Ministers, also by way of derogation from article 17 of law no. 400, after consulting COPASIR and after consulting CICS.
Art. 13 (Treatment of personal data)
1. The processing of personal data carried out for national security purposes in application of this decree is carried out pursuant to article 58, paragraphs 2 and 3, of legislative decree no. 196.
Art. 14 (Annual reports)
1. By 30 April of each year, the President of the Council of Ministers sends the Parliament a report on the activity carried out by the Agency in the previous year, in the field of national cybersecurity.
2. By June 30 of each year, the President of the Council of Ministers sends COPASIR a report on the activities carried out in the previous year by the Agency in connection with the Information System for the security of the Republic referred to in Law no. 124 of 2007, as well as in relation to the areas of activity of the Agency subject to the control of the Committee pursuant to this decree.
Art. 15 (Amendments to the NIS legislative decree)
1. The following amendments are made to the NIS legislative decree:
a) to article 3, letter a), the words from: “NIS competent authority” to: “by sector,” are replaced by the following: “competent national authority NIS, the single, competent national authority”;
b) in article 3, after letter a), the following is inserted: “a-bis) sector authority, the authorities referred to in article 7, paragraph 1, letters a) to e)”;
c) in article 4, paragraph 6 is replaced by the following: “6. The list of essential service operators identified pursuant to paragraph 1 is reviewed and, if necessary, updated on a regular basis, and at least every two years after 9 May 2018, in the following ways: a) the sector authorities, in relation to the areas of competence, propose changes to the list of operators of essential services to the competent national authority NIS, according to the criteria referred to in paragraphs 2 and 3; b) the proposals are evaluated by the competent national authority NIS which, with its own provisions, changes the list of operators of essential services, notifying the sector authorities in relation to the areas of competence.”;
d) in Article 6, in the heading, the words: “cyber security” are replaced by the following: “cybersecurity”; in paragraphs 1, 2 and 3, the words: “cyber security” are replaced by the following: “and cybersecurity”; in paragraph 4, the words: “The Presidency of the Council of Ministers” are replaced by the following: “The Cybersecurity Agency” and the words: “cyber security” are replaced by the following: “cybersecurity”;
e) Article 7 is replaced by the following:
“Art. 7 (National competent authority and single point of contact)
1. The National Cybersecurity Agency is designated as the NIS competent national authority for the sectors and subsectors listed in Annex II and for the services listed in Annex III. The following are designated as sector authorities:
a) the Ministry of Economic Development, for the digital infrastructure sector, subsectors IXP, DNS, TLD, as well as for digital services;
b) the Ministry of Sustainable Infrastructure and Mobility, for the transport sector, air, rail, water and road subsectors;
c) the Ministry of Economy and Finance, for the banking sector and for the infrastructure sector of the financial markets, in collaboration with the supervisory authorities of the sector, the Bank of Italy and Consob, according to the methods of collaboration and exchange of information established by decree of the Minister of Economy and Finance;
d) the Ministry of Health, for health care activities, as defined by article 3, paragraph 1, letter a), of legislative decree no. 38, provided by operators employed or appointed by the same Ministry or affiliated with it, and the Regions and autonomous Provinces of Trento and Bolzano, directly or through the territorially competent health authorities, for the health assistance activities provided by the operators authorized and accredited by the Regions or autonomous Provinces in the territorial areas of their respective competence;
e) the Ministry of Ecological Transition for the energy sector, electricity, gas and oil subsectors;
f) the Ministry of Ecological Transition and the Regions and Autonomous Provinces of Trento and Bolzano, directly or through the territorially competent Authorities, with regard to the supply and distribution of drinking water.
2. The competent national authority NIS is responsible for the implementation of this decree with regard to the sectors referred to in Annex II and the services referred to in Annex III and supervises the application of this decree at national level, also exercising the related inspection and sanctioning powers.
3. The National Cybersecurity Agency is designated as the single point of contact for the security of networks and information systems.
4. The single point of contact shall perform a liaison function to ensure cross-border cooperation of the national competent authority NIS with the competent authorities of other Member States, as well as with the cooperation group referred to in Article 10 and the network of CSIRTs referred to in Article 11.
5. The single point of contact collaborates in the cooperation group in an effective, efficient and secure manner with the representatives designated by the other States.
6. The competent national authority NIS and the single contact point consult, in accordance with current legislation, the law enforcement authority and the Guarantor for the protection of personal data and collaborate with them.
7. The Presidency of the Council of Ministers promptly communicates to the European Commission the designation of the single contact point and that of the competent national authority NIS, the relative tasks and any further changes. Appropriate forms of advertising are ensured for the designations.
8. The charges deriving from this article equal to 1,300,000 euros starting from 2018, will be provided pursuant to article 22.”;
f) in Article 8, paragraph 1, the words from: “the Presidency” to: “security” are replaced by: “the National Cybersecurity Agency”;
g) Article 9, paragraph 1, is replaced by the following:
1. The sector authorities collaborate with the competent national authority NIS for the fulfillment of the obligations referred to in this decree. To this end, a technical liaison committee has been set up at the National Cybersecurity Agency. The Committee is chaired by the competent national authority NIS and is composed of the representatives of the state administrations identified as sector authorities and of representatives of the Regions and Autonomous Provinces in a number not exceeding two, designated by the Regions and Autonomous Provinces in the Permanent Conference for relations between the state, the regions and the autonomous provinces of Trento and Bolzano. The organization of the Committee is defined by decree of the President of the Council of Ministers, of a non-regulatory nature, after consultation with the Unified Conference.
h) in article 12, paragraph 5, the words from: “and, for information,” to: “NIS,” are deleted;
i) in article 14, paragraph 4, the words from: “and, for information,” to: “NIS,” are deleted;
l) in article 19, paragraph 1, the words: “by the competent NIS authorities” are replaced by the following: “by the competent national authority NIS”;
m) in article 19, paragraph 2 is deleted;
n) in Article 20, paragraph 1, the words from: “The competent NIS authorities” to: “are competent” are replaced by: “The competent national NIS and competent authority”;
o) in Annex I:
1) in point 1, after letter d), the following is added: “e) CSIRT Italy conforms its services and activities to internationally recognized best practices in the field of prevention, management and response to cybernetic events”;
2) in point 2, letter e), after the word: “standardized” the following is inserted: “, according to internationally recognized best practices,”.
2. In the NIS legislative decree:
a) any reference to the Ministry of Economic Development, wherever it occurs, must be understood as referring to the National Cybersecurity Agency, except for the provisions referred to in Article 7, paragraph 1, letter a), of the same legislative decree;
b) any reference to the DIS, wherever it occurs, must be understood as referring to the National Cybersecurity Agency;
c) any reference to the competent NIS authorities, wherever it occurs, must be understood as referring to the competent NIS national authority, except for the provisions referred to in Article 5, paragraph 1, of the same legislative decree;
d) in Article 5, paragraph 1, subsection, the words: “the competent NIS authorities” are replaced by the following: “the competent national NIS authority and the sector authorities”;
e) in Articles 6 and 12, the words: “Interministerial Committee for the Security of the Republic (CISR)” are replaced by the following: “Interministerial Committee for Cybersecurity (CICS)”.
Art. 16 (Other amendments)
1. In article 3, paragraph 1-bis, of law no. 124 of 2007, after the words: “of this law” the following are added: “and in the matter of cybersecurity”.
2. In article 38 of law no. 124 of 2007, paragraph 1-bis is repealed.
3. The name: “CSIRT Italia” replaces, for all purposes and wherever present in legislative and regulatory provisions, the name: “CSIRT Italiano”.
4. In the perimeter decree-law, the words: “Interministerial Committee for the Security of the Republic (CISR)” and “CISR”, wherever they occur, are respectively replaced by the following: “Interministerial Committee for Cybersecurity (CICS)” and “CICS”, except for the provisions of article 5 of the same decree-law.
5. In the perimeter decree-law, any reference to the Security Information Department, or to the DIS, wherever it occurs, is to be understood as referring to the National Cybersecurity Agency.
6. In the perimeter decree-law, all references to the Ministry of Economic Development and the Presidency of the Council of Ministers, wherever they occur, are to be understood as referring to the National Cybersecurity Agency.
7. In the provisions of a regulatory and administrative nature whose adoption is provided for by article 1 of the perimeter decree-law, any reference to the CISR and the DIS must be understood as referring respectively to the CICS and the National Cybersecurity Agency.
8. In the provisions of a regulatory and administrative nature the adoption of which is provided for by article 1 of the perimeter decree-law, any reference to the Ministry of Economic Development and to the structure of the Presidency of the Council of Ministers competent for technological innovation and digitization, wherever it occurs, must be understood as referring to the National Cybersecurity Agency, with the exception of the provisions referred to in Articles 3 of the Prime Minister’s Decree no. 131 of 2020.
9. The following amendments are made to the perimeter decree-law:
a) to article 1, paragraph 6, letter a), after the words “also in relation to the area of use” the following sentence is added: “The obligation of communication referred to in this letter is effective from the thirtieth day following the publication in the Official Journal of the Italian Republic of the decree of the President of the Council of Ministers which, after consulting the National Cybersecurity Agency, certifies the operation of the CVCN and in any case from 30 June 2022.”;
b) in article 3, paragraph 2 is repealed;
c) from the date on which the disclosure obligation governed by letter a) above becomes effective, in article 3:
1) paragraph 1 is replaced by the following: “1. The subjects who intend to proceed with the acquisition, for any reason, of goods, services and components referred to in article 1-bis, paragraph 2, of the decree-law of 15 March 2012, n. 21, converted, with modifications, by the law 11 May 2012, n. 56, are obliged to make the communication referred to in Article 1, paragraph 6, letter a), for the performance of the security checks by the CVCN on the basis of the procedures, methods and terms provided for by the implementation regulation. Article 1, paragraph 6, letter b) applies to the suppliers of the aforementioned goods, services and components.”;
2) paragraph 3 is repealed;
10. Starting from the date on which the communication obligation governed by paragraph 9, letter a), becomes effective, in the decree-law of 15 March 2012, n. 21, converted, with modifications, by the law 11 May 2012, n. 56, paragraph 3-bis of article 1-bis is replaced by the following: “Within ten days of the conclusion of a contract or agreement referred to in paragraph 2, the company that has acquired, for any reason, the goods or services referred to in the same paragraph notifies to the Presidency of the Council of Ministers a complete report, also containing the communication from the National Assessment and Certification Center (CVCN), regarding the outcome of the assessment and any requirements, in order to allow any exercise of the power of veto or the imposition of specific prescriptions or conditions. If the contract was stipulated prior to the conclusion of the tests imposed by the CVCN, the term referred to in the first period starts from the communication of the positive outcome of the evaluation carried out by the CVCN. Within 30 days of notification, the President of the Council of Ministers communicates any veto or the imposition of specific prescriptions or conditions. Special powers are exercised in the form of the imposition of specific prescriptions or conditions whenever this is sufficient to ensure the protection of the essential interests of defense and national security. Once the aforementioned terms have elapsed, the special powers are intended not to be exercised. If it is necessary to request information from the purchaser, this term is suspended, for one time only, until the requested information is received, which is provided within ten days. If it becomes necessary to formulate preliminary inquiries to third parties, the aforementioned term of thirty days is suspended, for one time only, until the requested information is received, which is provided within the term of twenty days.
Requests for information and inquiries to third parties subsequent to the first do not suspend the terms. In case of incompleteness of the notification, the thirty-day term provided for in this paragraph starts from the receipt of the information or the elements that integrate it. Without prejudice to the provisions on sanctions in this paragraph, in the event that the notifying company has begun the execution of the contract or agreement subject to the notification before the deadline for the exercise of special powers has expired, or has performed the contract or agreement in violation of the decree for the exercise of special powers, the Government may order the company to restore the previous situation at its own expense. Unless the fact constitutes a crime, anyone who fails to observe the notification obligations referred to in this article or the provisions contained in the provision for the exercise of special powers is subject to a pecuniary administrative sanction up to 150 percent of the value of the transaction and in any case not less than 25 percent of the same value. In cases of violation of the notification obligations referred to in this article, even in the absence of notification, the Presidency of the Council of Ministers may initiate the procedure for the purpose of the possible exercise of special powers. For this purpose, the terms and procedural rules provided for in this paragraph apply. The term of thirty days referred to in this paragraph starts from the conclusion of the procedure for ascertaining the violation of the obligation to notify”.
11. In article 135 of the legislative decree 2 July 2010, n. 104, after letter h), the following is added: “h-bis) disputes concerning the provisions of the National Cybersecurity Agency;”.
12. To the law of 22 April 2021, n. 53, the following changes are made:
a) to article 4, paragraph 1, letter b), after the words: “Ministry of Economic Development” the following are added: “and the National Cybersecurity Agency”;
b) in Article 18, any reference to the Ministry of Economic Development, wherever it occurs, must be understood as referring to the National Cybersecurity Agency.
13. In article 33-septies, paragraph 4, of the decree-law no. 179, converted, with amendments, by law 17 December 2012, n. 221, the words: “The AgID” are replaced by the following: “The National Cybersecurity Agency”.
14. To the legislative decree of 1 August 2003, n. 259, the following amendments are made:
a) to articles 16-bis and 16-ter, any reference to the Ministry of Economic Development, wherever it occurs, must be understood as referring to the National Cybersecurity Agency;
b) in article 16-ter, paragraph 1, the words: “Minister of Economic Development” are replaced by the following: “President of the Council of Ministers”;
c) in article 16-ter, paragraph 2, letter b), the words: “in collaboration with the territorial inspectorates of the Ministry of Economic Development,” are deleted.
Art. 17 (Transitional and final provisions)
1. To carry out the inspection functions, ascertain violations and impose sanctions, referred to in Article 7, the Agency may proceed, in addition to its own staff, with the help of the central body of the Ministry of the Interior for security and for the regularity of telecommunication services referred to in article 7-bis of the decree-law of 27 July 2005, n. 144, converted, with modifications, by law 31 July 2005, n. 155.
2. For the performance of the functions relating to the implementation and control of the execution of the measures taken by the President of the Council of Ministers pursuant to article 5 of the perimeter decree-law, the Agency shall proceed with the assistance of the central body of the Ministry of the Interior for security and for the regularity of telecommunication services referred to in article 7-bis of the decree-law of 27 July 2005, n. 144, converted, with modifications, by law 31 July 2005, n. 155.
3. The staff of the Agency, in carrying out the inspection functions, ascertaining violations and imposing sanctions, referred to in Article 7, as well as the functions relating to the implementation and control of the execution of the measures taken by the President of the Council of Ministers pursuant to article 5 of the perimeter decree-law, holds the position of public official.
4. The staff of the Agency assigned to CSIRT Italy, in carrying out their duties, holds the qualification of public official. The transmission of incident notifications received by CSIRT Italy to the central body of the Ministry of the Interior for security and for the regularity of telecommunication services referred to in article 7-bis of the decree-law of 27 July 2005, n. 144, converted, with modifications, by law 31 July 2005, n. 155, constitutes fulfillment of the obligation referred to in Article 331 of the Code of Criminal Procedure.
5. With one or more decrees of the President of the Council of Ministers of a non-regulatory nature, to be adopted within one hundred and eighty days from the date of entry into force of the law converting this decree, the terms and procedures are defined:
a) to ensure the first operation of the Agency, through the identification of appropriate spaces, temporarily and for a maximum of twenty-four months, according to appropriate agreements with the administrations concerned, for the implementation of the provisions of this decree;
b) for the transfer, also through appropriate agreements with the administrations concerned, of the functions referred to in article 7, as well as for the transfer of capital goods and documentation, including classified ones, for the implementation of the provisions of this decree.
6. In relation to the transfer of the functions referred to in article 7, paragraph 1, letter m from the AgID to the Agency, the decrees referred to in paragraph 5 also define the links between the two administrations, for the functions that remain under the responsibility of AgID.
7. From the date of appointment of the Director General of the Agency and until the adoption of the regulations referred to in Article 11, paragraphs 3 and 5, the DIS, within the scope of the resources allocated to the Agency. Within 90 days of the approval of the regulations referred to in article 11, paragraphs 3 and 5, of the expenses made pursuant to this paragraph, the President of the Council of Ministers informs COPASIR.
8. In the first application of the provisions referred to in this decree and for a maximum period of eighteen months from the date of conversion into law, the Agency makes use of a core of staff, not exceeding 30 percent of the total initial staffing, of units belonging to the Ministry of Economic Development, the Agency for Digital Italy, the DIS, other public administrations and independent authorities, made available to the Agency upon specific request, including by name, and according to the methods identified through agreements with their respective administrations. The related burden remains with the administration to which it belongs.
9. The regulation referred to in article 12, paragraph 1, provides for specific selective procedures for the classification, up to a maximum of 50 per cent of the total staff, of the personnel referred to in paragraph 8 and the personnel referred to in article 12, paragraph 2, letter b), if already belonging to the public administration, in the contingent of personnel assigned to the Agency referred to in the same article 12, which take into account the duties performed and the positions held during the period of service at the Agency, as well as the skills possessed and the requisites of professionalism and experience required for the specific positions. The grades resulting from the selection procedures referred to in this paragraph, relating to the personnel referred to in paragraph 8, start from 30 September 2022.
10. The Agency may avail itself of the patronage of the State Attorney, pursuant to article 43 of the consolidated text approved by royal decree no. 1611.
Art. 18 (Financial coverage)
[MEF]
To the burden deriving from the application of this decree, valued in euro … for the year 2021, euro … for the year 2022 and euro … starting from the year 2022, the Fund referred to in art .. ..
2. The Minister of the Economy and Finance is authorized to make, with its own decrees, the necessary budget changes for the implementation of this decree.
3. The proceeds from the sanctions imposed by the Agency pursuant to the provisions of the legislative decree NIS, the perimeter decree-law and the legislative decree 1 August 2003, n. 259, and related implementing provisions, are paid to the Fund referred to in paragraph 1 of this article.
Art. 19 (Entry into force)
1. This decree enters into force on the day following that of its publication in the Official Gazette of the Italian Republic and will be presented to the Chambers for conversion into law. This decree, bearing the seal of the State, will be included in the Official Collection of legislative acts of the Italian Republic. It is compulsory for anyone who is responsible to observe it and to have it observed.
