The challenges and objectives of the Italian Cybersecurity Strategy for 2022-2026
The National Cybersecurity Strategy for 2022-2026 (the "Strategy") addresses the main cyber threats, lists the objectives to be pursued over the next few years and specifies the guidelines aimed at increasing resilience to cyberattacks. The Strategy is accompanied by an implementation plan (the "Implementation Plan") outlining the operational guidance for the enforcement of the Strategy and the 82 measures to be adopted.
The underlying approach of the Strategy and its objectives
In its preface, the Strategy emphasises the rate at which cyberattacks (both cybercrime and cyber espionage) are on the increase, causing significant reputational and economic damage to private entities, and highlights that the issue represents a serious threat to the proper functioning of energy infrastructure and IT healthcare systems. While it is impossible to fully eliminate this risk, the Strategy aims to establish preventive measures and risk-mitigation actions.
In concrete terms, the Strategy outlines the challenges raised by the current cybersecurity framework and sets objectives to be pursued over the next few years.
These challenges include the need to migrate the Italian public administration and industrial sectors to a cyber-resilient digital environment. The Strategy will therefore likely have an impact on private entities, both as beneficiaries of the expected improvements in terms of cybersecurity and as players that may assume an active role in fighting cyber threats, for the reasons below.
Firstly, the Strategy is based on a security-oriented and whole-of-society approach, which essentially aims to raise awareness of cyber risks and ensure the security and integrity of IT architecture "at every level of society". In addition to the concepts of network, system and data security, the Strategy aims to raise awareness of the importance of cybersecurity among both the general public and private and public entities, based on the idea that digital security is comparable to physical or real-world security, with safeguards and preventive measures being required for both spaces.
Secondly, the Strategy promotes cooperation between the public and private sectors. On the one hand, private entities will work with public bodies in certain working groups to find solutions to common issues; on the other hand, certain private entities will be directly affected by the new measures, since they will be required to comply with the relevant requirements. The Strategy is specifically aimed at those private entities operating in sectors which are deemed to be of national strategic significance, including home affairs, national security, aerospace, energy, telecommunications, economics and finance, transportation and digital services (the "Cybersecurity Perimeter").
In line with general EU trends, the challenges envisaged by the Strategy also include the need to reduce or eliminate Italy's dependence on technologies supplied by non-EU providers. The Strategy outlines Italy's technological dependency on non-EU market leaders in the development of software and "emerging disruptive technologies" (e.g. cloud computing and AI). The implementation of the measures for ensuring such independence may eventually mean that IT providers based outside the EU will no longer be able to offer their services to Italian public administration bodies or authorities or to certain private entities.
The Implementation Plan: objectives
The Strategy sets the following objectives:
(i) the protection of those assets falling within the Cybersecurity Perimeter;
(ii) responsiveness to cyberattacks; and
(iii) the development of secure and reliable digital technologies, research and industrial competitiveness.
As regards objective (i), the Strategy highlights that the protection of assets falling within the Cybersecurity Perimeter may be achieved by ensuring IT infrastructure security along the entire supply chain. The Implementation Plan provides for the adoption of the following measures in this regard:
- developing and adopting certain EU cybersecurity certification schemes;
- a system of public tenders based on criteria which ensure cybersecurity from a qualitative perspective;
- promoting the use of cryptography in networks, apps and services from the project (design) phase onwards.
Apart from the aforementioned measures, the Implementation Plan also provides for the migration of Italian public administration authorities to cloud infrastructures ensuring a high degree of cybersecurity (see The Italian Cloud Strategy: requirements for the Cloud Service Providers wishing to work with the Public Administration for more details).
In terms of objective (ii), the Implementation Plan contains a list of operative measures likely to improve the responsiveness of the public authority in charge of handling cyber threats, incidents or crises. As previously mentioned, these measures promote cooperation between public administrative entities and private entities and help to establish best practices.
Lastly, in the context of objective (iii), we note that, in order to ensure technological independence, the Italian government plans to allocate funds to the private sector for the following areas and activities:
(i) tech industries located in Italy and Europe, especially those in the fields of cloud and edge computing and blockchain,
(ii) research and development activities aimed at increasing cybersecurity,
(iii) internationalisation of Italian cybersecurity industries,
(iv) start-ups and industries committed to the development of cybersecurity products and services, in line with the interests of Italy and other countries,
(v) development of proprietary algorithms, digitalisation and innovation in the commercial sector generally and in those sectors providing digital services to public administrative entities.