Table of contents
- Origins of the term “Cyber”
- The international cyber security landscape
- European cyber security regulations
- The Italian cyber security framework
Cyber security is now a fundamental pillar for protecting information and digital infrastructures. However, to ensure security and prevent risks, advanced technologies alone are not enough: a clear and comprehensive legal framework is essential.
This article explores the main regulations at the international, European, and Italian levels, outlining the roles of institutions such as the National Cyber Security Agency (ACN) and analyzing key laws like the NIS2 Directive.
A particular focus will be given to crucial concepts such as incident reporting obligations and the protection of critical infrastructures.
Origins of the term “Cyber”
The term “Cyber” derives from the Greek word κυβερνήτης (kybernetes), meaning “helmsman, ship pilot,” and, by extension, “one who guides and governs a city or state” (source: Accademia della Crusca).
The term “cybernetics” was coined by mathematician Norbert Wiener (1894-1964), who laid the theoretical foundations of this multidisciplinary field. He studied the control and flow of information in biological, mechanical, cognitive, and social systems, as described in his 1948 book “Cybernetics, or Control and Communication in the Animal and the Machine”.
The international cyber security landscape
At the global level, cyber security regulations revolve around international conventions aimed at combating cyber threats and fostering cooperation between nations.
Example
The Budapest Convention on Cybercrime, adopted by over 130 countries, establishes a common framework for addressing cybercrimes such as hacking, fraud, and data misuse, while promoting cross-border collaboration against cyber threats.
Additionally, institutions such as the United Nations and the International Telecommunication Union (ITU) work to standardize cyber security policies and encourage the development of secure communication networks. However, differences in national priorities often hinder a unified global approach.
European cyber security regulations
The European Union (EU) has developed a comprehensive legal framework to address cyberattacks and protect critical infrastructures. Key regulations include:
GDPR (General Data Protection Regulation – EU 2016/679)
EU Reg. 2016/679, or the General Data Protection Regulation (“GDPR”), became fully applicable in all member states on May 25, 2018.
While primarily focused on the protection of individuals with regard to the processing and free movement of personal data, it has significant implications for cyber security.
In fact, it requires organizations to implement technical and organizational measures to protect personal data against unauthorized access, loss, and accidental or unlawful alteration or destruction, following a risk-based approach.
NIS2 Directive (2022/2555)
A milestone regulation is the NIS2 Directive (2022/2555), which replaces and expands upon the previous NIS Directive (2016/1148).
This legislation broadens the scope of its predecessor, covering more sectors and introducing specific obligations for essential service operators and digital service providers.
Affected organizations are required to implement effective cyber security measures, in particular for risk management, business continuity and governance, and to report cyber incidents to the relevant authorities within specified timeframes.
Key requirements include:
- Obligation to report cyber incidents to the relevant authorities within 24 hours;
- Adoption of risk management measures that also cover the supply chain;
- Strengthening of operational resilience and governance.
ENISA (European Union Agency for Cyber Security)
The EU has also established the European Union Agency for Cyber Security (ENISA), which works with organizations and businesses to strengthen trust in the digital economy, provides guidance, promotes the resilience of European infrastructure, and supports member states in improving their cyber resilience and digital security.

The Italian cyber security framework
According to ITU, the International Telecommunication Union (a United Nations agency specializing in ICT), Italy is a model country in cyber security, with reference to 5 parameters: legal, technical, organizational, capacity building and cooperation (source: Global Cyber Security Index 2024).
Italy has aligned itself with European cyber security legislation, developing specific laws to address its own national needs.
Key items of Italian cyber security legislation include:
Law No. 133/2019
Law No. 133/2019, on Urgent Provisions on the Perimeter of National Cyber Security, ensures the protection of essential infrastructure against cyber threats.
This law stems from the conversion of Decree-Law 105/2019.
The purpose of the legislation is to ensure a high level of security of networks, information systems and IT services of public administrations, as well as national, public and private entities and operators, through the establishment of a national cyber security perimeter and the provision of measures to ensure the necessary security standards aimed at minimizing risks.
National Cyber Security Agency (ACN)
Law No. 109/2021, on urgent provisions on cyber security and the definition of the national cyber security architecture, established the Agency for National Cyber Security (ACN) in charge of implementing Italy’s cyber security strategy, with the task of strengthening the country’s cyber defenses and ensuring compliance with EU regulations.
Legislative Decree 138/2024
Recently, the transposition of the NIS2 Directive through Legislative Decree 138/2024 (which came into force on October 16, 2024, and entailed the repeal of Legislative Decree No. 65/2018) introduced new obligations for companies.
The regulation stipulates that from December 1, 2024, to February 28, 2025, public and private entities to which NIS2 applies must register on the digital platform to be made available by ACN – without prejudice to the possibility of identifying additional entities deemed critical.
The key elements are:
- Strengthened obligations, with a requirement to implement security measures in at least 10 areas, following a multi-risk and proportional approach;
- A more structured incident reporting process;
- A strengthening of enforcement, inspection and sanction powers;
- The introduction of new tools, such as coordinated vulnerability disclosure (CVD);
- Crisis management, particularly cross-border crises, with the establishment of the Cyber Crisis Liaison Organization Network (CyCLONe) and the National Cyber Crisis Authority (source: official ACN website).
Conclusion
The legal framework for cyber security is constantly evolving to address the challenges posed by rapid technological advancements and increasing cyber threats. Ensuring compliance with European and Italian cyber security laws is not just a legal obligation but also a crucial step in building digital trust and protecting critical infrastructures and personal data.
Adopting a proactive cyber security approach not only minimizes risks but also transforms regulatory compliance into a competitive advantage.
Questions and answers
1. What is the legal framework for cyber security?
It includes laws and regulations aimed at protecting IT systems and data security.
2. What is the purpose of the NIS2 Directive?
To ensure high-level cyber security protection for essential infrastructures across the EU.
3. What does Italian cyber security law require?
It includes laws like Legislative Decree 138/2024, implementing NIS2, and national security perimeter regulations.
4. What are the obligations for essential service operators?
They must report cyber incidents within 24 hours and implement risk management measures.
5. What does the National Cyber Security Agency (ACN) do?
The ACN oversees cyber security strategies and ensures regulatory compliance.
6. What is the Budapest Convention on Cybercrime?
It is an international treaty setting global standards for combating cybercrime.
7. Which sectors are covered by NIS2 regulations?
Industries such as energy, transportation, healthcare, and digital service providers.
8. Why is incident reporting important?
It ensures quick response and mitigation of cyber threats.
9. What are the main cyber threats?
Common threats include hacking, ransomware, phishing, and attacks on critical infrastructure.
10. How does cyber security protect personal data?
It prevents unauthorized access, data breaches, and accidental data loss.