Legislative Decree no. 138/2024 implemented Directive (EU) 2022/2555, known as NIS2, in Italy, concerning measures for a high common level of cybersecurity across the Union; NIS2 repealed the previous Directive (EU) 2016/1148 on the same subject. The topic is of interest because the entities that fall within the scope of the decree are subject to new obligations. The fines for non-compliance are high, which is why the conditions established by the law must be examined carefully.
The problem of cyber threats has become increasingly relevant in recent years. The Internet and computer systems are indispensable tools for communication and, consequently, for the economy. Protecting them is essential to the smooth functioning of commercial relations within the Union. The European legislation stems from the need to make the most of the potential of digitalization while limiting its negative effects.
Pursuant to Article 41, paragraph 1, of Legislative Decree 138/2024, the new provisions apply from 18 October 2024. Article 42 sets, for certain obligations in the first phase of application, starting dates that differ from the general one established by Article 41.
Among the notable passages are:
Art. 3 on the scope of application, which refers to the sectors indicated in Annexes I, II, III and IV of the same provision and to other regulatory texts, including Legislative Decree 134/2024, which implemented EU Directive 2022/2557, the so-called CER Directive. The public and private entities to which the decree applies also include associated companies.
Art. 5 on jurisdiction and territoriality. This article establishes the rules for determining which entities are subject to national jurisdiction. As a general rule, these are the entities established in the national territory, with some exceptions.
Art. 6 on the distinction between essential and important entities, which affects the extent of the sanctions.
Art. 7 on the obligation for essential and important entities to register on the digital platform made available by the NIS National Competent Authority, to be completed by 28 February 2025. By 31 March of each year, the NIS National Competent Authority draws up the list of essential and important entities on the basis of the registrations received and the decisions adopted.
Art. 17 on cybersecurity information-sharing arrangements between essential and important entities. The aim is to strengthen the capacity to prepare for, detect and respond to incidents.
Chapter IV on the obligations of the entities falling within the scope of the decree. This chapter defines the obligations of essential and important entities in terms of information security risk management and incident notification.
Chapter V on monitoring, supervision and enforcement, in particular Art. 38 on administrative sanctions for non-compliance with the obligations and on the mechanisms for reducing litigation within the sanctioning procedure.
Finally, it should be noted that:
1) The registration procedure is detailed in the Determination of the Director General of the National Cybersecurity Agency of 26 November 2024;
2) Prime Ministerial Decree no. 221 of 2024, the Regulation defining the criteria for applying the safeguard clause referred to in Article 3, paragraphs 4 and 12, of Legislative Decree no. 138/2024, has recently been published in the Official Gazette.
Content by Luca Tiberi, Lawyer, and Dr. Luca Arcidiacono