
Cybersecurity, the certification process is underway. How does it work?

by breaking latest news

The growing number of cyber attacks targeting critical infrastructures has led major international players, including the United States and the European Union, to accelerate the adoption of measures aimed at increasing the security of their systems and networks.
Looking only at the European dimension, two very important cybersecurity initiatives have emerged in recent months. On the one hand, a draft Regulation was published aimed at raising the level of cybersecurity of the institutions, bodies and agencies of the European Union by increasing the resilience of their systems and their ability to respond to cyber attacks. On the other hand, the Council and the European Parliament have reached an agreement on the so-called NIS 2 Directive, the European legislation that aims to further improve the resilience and response capabilities of the public and private sectors and of the Union as a whole through measures for a common high level of cybersecurity.
At the national level, the Italian legislator had already for some time built an articulated and complex body of legislation establishing the so-called “National Cyber Security Perimeter”. This legislation introduces numerous legal obligations aimed at ensuring a high level of security of the networks, information systems and IT services of national operators, public and private, that perform an essential function or provide an essential service whose malfunction, interruption (even partial) or improper use may result in prejudice to national security.

The regulatory framework of the National Cyber Security Perimeter rests on Decree-Law 105/2019, onto which, at present, three implementing Decrees of the President of the Council of Ministers (DPCM) and one Decree of the President of the Republic (DPR) are grafted. Given the complexity and number of sources, compliance with this legislation requires an overview of all the obligations introduced, one that is not limited to the purely technical aspects but also brings in those of a legal nature, especially considering the significant impact the legislation has on the organization of the actors involved.
As an example of how pervasive the rules are, the DPR governs the procedures, methods and deadlines that the subjects covered by the legislation must follow when they intend to award supplies of ICT goods, systems and services, introducing an evaluation process by the National Assessment and Certification Centre (CVCN).
The CVCN is scheduled to become operational on June 30, 2022 and represents one of the last elements completing the complex regulatory apparatus of the National Cyber Security Perimeter. In particular, this body is responsible for technological scrutiny of ICT goods, systems and services belonging to the categories identified by the specific Prime Ministerial Decree of 15 June 2021 and intended for use on infrastructures that support essential services or functions falling within the scope of the legislation. In practice this means a review of the supply chain, and in particular of the suppliers selected and the products used by the subject included in the National Cyber Security Perimeter.
In this regard, one of the main powers of the CVCN is to impose conditions on the use of the products purchased, as well as to require hardware and software tests before they are put into service. It therefore carries out a preventive check aimed at ascertaining the security, and the absence of known vulnerabilities, of ICT supplies that interact with the systems responsible for carrying out essential functions or services. Among the objectives of this verification is to reduce the risk that the products and services purchased, or the vulnerabilities present in them, can be exploited for cyber attacks aimed at exfiltrating sensitive information or interrupting or limiting the functioning of national critical infrastructures. The CVCN checks may therefore follow a logic similar to that which recently required public administrations to “diversify” technological products and services of Russian origin in order to prevent prejudice to IT security.


This need for protection entails a new burden on the actors included in the National Cyber Security Perimeter who, in addition to the considerable compliance efforts already required of them at the organizational and process level, will have to redesign their procurement procedures to take account of the new regulatory framework. The evaluation process can also have a significant impact on the business not only of the operators subject to it, but also of their suppliers: in the event of a negative outcome of the assessment, the subject covered by the National Cyber Security Perimeter legislation will not be able to execute the contracts. Because execution of contracts or tender procedures can thus be blocked, they need to incorporate clauses that make them conditional, whether suspensively or resolutively, on compliance with the conditions imposed or on a favorable outcome of the tests.
These aspects, and the increasing regulation of the sector, show the growing importance of legal skills in cybersecurity. Approaching the topic in an exclusively technical way risks, in the long term, preventing security objectives from being fully achieved. Consistent with this view, the very recent National Cybersecurity Strategy published by ACN, the agency that protects national interests in cyberspace, stresses that, to ensure an effective and lasting level of protection, it is essential to define and maintain an up-to-date and coherent legal framework on cybersecurity. The national strategy thus also emphasizes the key role legislation plays in guaranteeing effective protection of IT infrastructures.
In conclusion, when it comes to cybersecurity measures, the technical and legal aspects must be seen as two sides of the same coin. Given the cross-cutting nature of the subject, guaranteeing compliance with sector regulations therefore requires skills capable of bringing the world of cybersecurity, in its most technical dimension, into dialogue with the legal one.

* Chiomenti Law Firm, with the collaboration of Lucrezia Falciai, Associate of Chiomenti

