Cybersecurity: the Montecitorio Chamber approves the bill, here are the measures

May 15, 2024

32 6 minutes read

There are numerous interventions in the bill, a government initiative, containing provisions regarding the strengthening of national cybersecurity and computer crimes, approved by the Montecitorio Chamber with 149 yes votes, eight no votes and 109 abstentions, and which now passes to the examination of the Assembly of Palazzo Madama. The provision, which bears the signatures of the Prime Minister, Giorgia Meloni, and the Minister of Justice, Carlo Nordio, composed after the examination in the joint Constitutional Affairs and Justice commissions of 23 articles compared to the original 18, is aimed at ensuring a higher protection and response capacity in the face of cyber emergencies, in light of the current geopolitical context, and aims to therefore to strengthen national security, in favor of public administrations, businesses and citizens, also considering the significant development of potentially aggressive technologies, contemplating centralized governance of security aspects and providing provisions for the prevention and combating of computer crimes. It is also expected to strengthen the functions of the National Cybersecurity Agency (ACN) and its coordination with the judicial authorities in the event of cyber attacks. Cyber security, moreover, represents one of the main interventions envisaged by the National Recovery and Resilience Plan as part of the digital transformation of public administration and the digitalisation of the country.

Going into more detail about the measures, an obligation to report certain types of incidents having an impact on networks, information systems and IT systems managed by certain entities is introduced. As for the methods by which to make the notification, an initial report must be made without delay and, in any case, within the maximum period of 24 hours from the moment in which it became known. Complete notification of all available information must take place within 72 hours of the same moment. The notification obligations placed on the subjects included in the national cyber security perimeter are increased: these are public administrations, public and private bodies and operators who carry out institutional or essential functions for the interests of the State, identified with a specific administrative act adopted by the President of the Council of Ministers, on the proposal of the Inter-Ministerial Committee for Cybersecurity. It is also provided that the data relating to cyber incidents are collected, on the basis of the notification obligations required by current legislation, by the National Cybersecurity Agency, which takes care of their publicity as official reference data of cyber attacks. Article 5 of the bill provides for the possibility of having additional subjects participate in the meetings of the cybersecurity unit, such as representatives of the National Anti-Mafia and Anti-Terrorism Directorate and representatives of the Bank of Italy, in relation to specific issues of particular relevance concerning the tasks of proposing initiatives regarding the country’s cybersecurity.

Rules are introduced regarding the operational coordination of information services for security and the National Cybersecurity Agency, while the structure responsible for cybersecurity activity is established for the public administrations indicated in the provision, where it is not already present. At the same time, the establishment of the cybersecurity contact is being prepared, the single point of contact of the administrations involved with the National Cybersecurity Agency. Furthermore, the structures responsible for cybersecurity activities in public administrations are given the function of verifying that electronic communication programs and computer applications comply with the guidelines on encryption, as well as those on the conservation of passwords adopted by the Cybersecurity Agency. national and by the Authority for the protection of personal data, and which do not contain vulnerabilities. Article 10 of the text enhances the use of cryptography as a cyber defense tool and establishes the National Cryptography Center at the National Cybersecurity Agency, with the functions of a national center of competence for all aspects of cryptography in the unclassified field , i.e. not covered by secrecy. The functioning of the Center is regulated by order of the Director General of the Agency. Article 12 establishes a ban, lasting two years, on hiring, including assignments, from private entities, aimed at carrying out cybersecurity tasks, for employees belonging to the staff role of the National Cybersecurity Agency who have participated, in the interest or at the expense of the Agency itself, in specific specialization training courses.

Green light also given to some cybersecurity criteria in the regulation of public contracts, with the adoption of a decree by the President of the Council of Ministers, within 120 days from the date of entry into force of the measures in question, on the proposal of the Cybersecurity Agency national and subject to the opinion of the Interministerial Committee for the Security of the Republic, to identify, for certain technological categories of goods and services, the essential cybersecurity elements to be taken into consideration in relation to the procurement activities of IT goods and services used in a connected context to the protection of strategic national interests. In the context of contracts for the procurement of IT goods and services, a series of obligations and powers are envisaged for contracting authorities, including central purchasing bodies, in relation to the essential cybersecurity elements already identified. This regulation will apply to public administrations, managers of public services and publicly controlled companies, but also to other private entities falling within the scope of national cyber security. The text contains amendments to the Criminal Code, such as that of article 240, on confiscation, with the provision in relation to the new aggravating circumstance that the joint Constitutional Affairs and Justice commissions of Montecitorio have included in the bill with regard to aggravated fraud, which applies the security measure of mandatory confiscation of assets and IT or telematic tools used in whole or in part for the commission of the crime, as well as assets that constitute the profit or product of the crime itself, or sums of money, goods or other utilities available to the culprit for a value corresponding to the profit produced, if it is not possible to carry out direct confiscation of the profit or product.

Intervention is also made on other articles of the Criminal Code linked to unauthorized access to a computer or telematic system, to the illegal detention, dissemination and installation of equipment, codes and other means suitable for accessing computer or telematic systems, to the detention, diffusion and illegal installation of equipment and other means capable of intercepting, preventing or interrupting telegraphic or telephone communications or conversations, the illegal interception, impediment or interruption of computer or telematic communications, the illegal detention, dissemination and installation of equipment and other means aimed at intercepting, preventing or interrupting computer or telematic communications, falsification, alteration or suppression of the content of computer or telematic communications, damaging information, data and computer programs, damaging information, data and computer programs used by the State or by another public body or in any case of public utility, to damage IT or telematic systems. Again in the Criminal Code, article 635-quater.1 is introduced on the illegal possession, dissemination and installation of equipment, devices or IT programs aimed at damaging or interrupting an IT or telematic system. The crime of extortion through computer crimes carried out by forcing someone to do or omit something, procuring an unfair profit for themselves or another, through the conduct or the threat to carry it out referred to in the crimes referred to therein, is punished. As for damaging IT or telematic systems of public utility, the prison sentence is increased from two to six years. Currently the expected sanction, however, is from one to four years. There is room for a further aggravating circumstance in the event that the crime is committed remotely through IT or telematic tools capable of hindering one’s own or others’ identification.

The exceptions relating to the ordinary regime of notification of the notice of the request for extension of preliminary investigations and the setting of the hearing in chambers by the Judge for preliminary investigations in the event of failure to accept the request are extended to computer crimes. Article 18 of the bill extends the rules on wiretapping provided for organized crime to computer crimes under the coordination of the National Anti-Mafia and Anti-Terrorism Prosecutor, while Article 20 intervenes on the procedure for applying the special protection measures for witnesses of justice and for other protected persons, providing that the central commission must request the opinion of the national anti-mafia and anti-terrorism prosecutor on the proposal for admission to special measures, even in the case of serious cyber crimes. The relationships between the National Cybersecurity Agency, the National Anti-Mafia and Anti-Terrorism Prosecutor and the Judicial Police with the public prosecutor are regulated. Of note is the amendment presented by the Action deputy, Enrico Costa, approved during examination by the commissions, which gives inspectors from the Ministry of Justice the possibility of carrying out checks on access to databases. Finally, the government expressed a favorable opinion, in the Chamber, on an agenda, again presented by Costa, on a bill that commits the executive to introducing an organic regulation of the Trojan tool, “in the first provision useful”.