Legislative changes on cybersecurity: new sanctions and notification obligations

Recent legislative changes provide for increased penalties for unauthorized access to computer systems and introduce the obligation for public administrations to notify the National Cybersecurity Agency (ACN) of any cyber attack within 24 hours. Public administrations that do not comply with these provisions risk administrative sanctions ranging between 25,000 and 125,000 euros. The same penalty is applied if action is not taken to resolve the vulnerabilities reported within 15 days. These new provisions aim to improve the institutional response to cyber incidents and ensure greater security in public systems.

Expansion of the functions of the ACN and inter-ministerial committee

The National Cybersecurity Agency will not only be responsible for collecting, but also processing and classifying cyber incident notifications. At an institutional level, the Interministerial Committee for the Security of the Republic will see the participation of numerous ministers, including agriculture, infrastructure, transport, university and research, in addition to the traditional figures of foreign affairs, interior, defence, justice, economy, and energy security. This expanded composition will allow for a more integrated and coordinated strategy for national security.

New responsibilities for cybersecurity in public administrations

Each public body will have to establish a unit dedicated to cybersecurity and appoint a contact person for these activities within one year of the law coming into force. These structures and roles will have to be created using the human and financial resources already available, therefore without further burdening public finances. The bill also promotes the use of cryptography and establishes a National Cryptography Center at the Agency. As regards public contracts for IT goods and services, administrations will have to take into account the essential elements of cybersecurity established by a Prime Ministerial Decree, which will reward the use of technologies developed in Italy or in allied countries.

Changes to the penal code and new control measures

The doubling of penalties for unauthorized access to computer systems is accompanied by the introduction of the crime of extortion through computer crimes and new aggravating circumstances for scams committed remotely. A new "repentance" clause provides mitigation for hackers who cooperate to mitigate damage and help authorities. The law also extends the wiretaps provided for organized crime to cyber crimes, under the coordination of the national anti-mafia and anti-terrorism prosecutor. During inspections of judicial offices, compliance with the security regulations in the databases used will be verified. Finally, those who have held senior national security roles will have restrictions on new positions for a period of three years after the termination of their mandate, to prevent possible conflicts of interest.