Clifford Chance

Global IP Updates

IP topics from around the globe

The Italian Cloud Strategy: requirements for cloud service providers wishing to work with the Italian public administration

In the context of the recovery plan and the NextGenerationEU funds, the Italian government adopted an investment plan, including measures related to the regulation of cloud services and allocating substantial funds to set up an effective cybersecurity infrastructure.

The plan includes the establishment of the National Cybersecurity Agency (Law Decree No. 82/2021, the "Agency"), which enjoys wide-ranging powers and replaces the Agency for Digital Italy (the "AgID") in certifying private entities wishing to provide services to Italian public administration authorities. It also includes the adoption of the Italian Cloud Strategy (the "Strategy"), which sets out guidelines for migrating Italian public administration data and digital services to the cloud, a migration expected to be completed by June 30, 2026. For the purposes of the Strategy, cloud services include infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS).

In particular, the Strategy intends to pursue:

  1. technological independence from non-EU cloud providers, in order to avoid unilateral amendments to contractual clauses deriving therefrom;
  2. control over data; and
  3. resilience to cyberattacks and technical faults to ensure the effectiveness of cloud services adopted by Italian public administration authorities.

It is worth stressing that, according to the guidelines set out in the Strategy, digital infrastructures used by Italian public administration authorities for processing data and providing services must be located in the EU and, in those cases where a non-EU entity requires the cloud service provider to access the data it is storing, the latter must inform the Agency and share the public administration's data or metadata subject to the latter's prior authorisation. Such a provision, along with the underlying intention of eliminating Italy's – and ultimately the EU's – dependence on non-EU cloud providers, has a great impact as non-EU jurisdictions may impose duties upon non-EU cloud service providers to grant access to sensitive and/or strategic data relating to Italian citizens and institutions.

In addition to the Strategy, another crucial regulation for cloud services was enacted by the AgID on December 15, 2021 (the "Cloud Regulation"), which implements the guidance set out in the Strategy by setting minimum security, processing capacity and digital infrastructure reliability requirements, as well as quality, portability, performance and scalability standards for cloud services used by Italy's public administration authorities.

One of the key measures outlined in the Cloud Regulation centres on the qualification of data and services handled by the public administration. The latter are classified on the basis of the damage in terms of confidentiality, integrity and availability which may be caused to Italy if they are compromised:

  1. strategic: if national security may be affected in the event of their being compromised;
  2. critical: if the maintenance of relevant societal, health, public safety and economic and social wellbeing services provided by the state may be affected in the event of their being compromised; and
  3. ordinary: if, in the event of their being compromised, the provision of public services would not be affected nor, in any case, would the economic and social wellbeing of the state be infringed.

The Cloud Regulation further provides for classifying cloud services into different levels (from 1 to 4): depending on the relevant level, providers will be entitled to process either strategic, critical or ordinary data. It is therefore a good idea for cloud service providers to assess whether their cloud service meets the requirements for the data they are expected to deal with before entering into any form of contractual arrangement with Italian public administration authorities.

The joint application of both the Cloud Regulation and the Strategy requires all cloud service providers intending to provide cloud services to the public administration to meet specific requirements based on the specific public administration authority or body they wish to cooperate with and the category of data involved.

Key issues

  • The Italian government adopted the Cloud Strategy and the Cloud Regulation, setting minimum standards to provide cloud services to public administration authorities.
  • Data and services handled by the public administration authorities are classified on the basis of the damage which may be caused in the event of their being compromised.
  • The Cloud Strategy will likely affect all cloud service providers since it sets requirements and guidelines for cloud services to be deemed to be reliable and secure.