
Governance

Sectoral NIS authorities: functions and competencies 

NIS authorities are fundamental to protecting critical infrastructures and ensuring digital resilience against cyber threats. With the adoption of Legislative Decree No. 138 of September 4, 2024, Italy aligns itself with the NIS 2 Directive, strengthening security measures for operators of essential services and coordination at the national and European levels.

Public administrations within the NIS framework

Table of contents

  • Sectoral NIS authorities: an overview 
  • Scope of application and key sectors
  • Why a sectoral division is important
  • Incident reporting obligations
  • Security measures and operators’ obligations
  • Role of the Italian CSIRT

Sectoral NIS authorities play a fundamental role in protecting critical infrastructures and ensuring digital resilience in an era of increasing cyber threats. 

With the adoption of Legislative Decree No. 138 of September 4, 2024, Italy aligned itself with the European framework for Network and Information Security (NIS 2 Directive), redefining the scope and security measures for operators of essential services.

Let’s explore how these authorities contribute to maintaining social activities and coordinating at the national and European levels. 

Sectoral NIS authorities: an overview 

Sectoral authorities are entities designated to support the national NIS authority in implementing the provisions of the decree. They operate in synergy with the Italian CSIRT (Computer Security Incident Response Team), working in strategic sectors such as energy, healthcare, transport, and digital services. 

According to Article 11 of Legislative Decree 138/2024, sectoral authorities perform specific functions, including: 

  • Verification and support for identifying essential and significant entities
  • Coordination of sectoral working groups for the uniform application of guidelines
  • Monitoring security at the sectoral level and contributing to the NIS Cooperation Group

Scope of application and key sectors

Sectoral NIS authorities operate in a wide range of strategic sectors to ensure the security of critical infrastructures and essential services, contributing to the continuity of activities crucial to society.

These sectors are defined in Legislative Decree No. 138 of September 4, 2024, which establishes a clear framework of competencies for each authority. 

Prime Minister’s Office 

This authority coordinates crucial areas such as: 

  • ICT Services Management: Essential for the functioning of public administration and many digital services. Collaboration with the National Cybersecurity Agency (ACN) ensures rapid interventions and integrated strategies. 
  • Space sector
    A growing field vital for telecommunications, environmental monitoring, and national security. 
  • Public administrations
    A cornerstone of the state requiring advanced protection against cyberattacks. 
  • Publicly-owned and affiliated companies
    Public organizations often responsible for critical infrastructures, such as transportation or waste management. 

Ministry of Economy and Finance 

This ministry oversees: 

  • Banking sector
    Ensures the security of financial transactions and citizens’ sensitive data. 
  • Financial market infrastructures
    Systems enabling the exchange of goods and values on a national and international scale, directly impacting economic stability. 

Ministry of Enterprises and Made in Italy 

Responsible for areas such as: 

  • Digital infrastructure
    The technological backbone of essential services and communications. 
  • Postal and courier services
    Crucial for logistics and e-commerce. 
  • Chemical manufacturing
    Includes production essential for the pharmaceutical industry and civil protection. 

Ministry of Health 

Focused on: 

  • Healthcare sector
    Involves hospitals, clinics, and other providers of essential public health services. 
  • Medical device manufacturing
    Devices used for diagnosis and treatment, requiring high safety and reliability standards. 

Ministry of Environment and Energy Security 

Covers environmentally and infrastructurally significant areas, including: 

  • Energy: Production and distribution of electricity, gas, and renewable sources. 
  • Potable Water Supply and Distribution: A primary resource essential for life and industry. 
  • Waste and Wastewater Management: Critical infrastructures for public health and environmental sustainability. 

Ministry of Infrastructure and Transport 

Includes: 

  • Transport sector
    Railways, ports, airports, and road transport, all indispensable for logistics and mobility. 
  • Public local transport services
    A key element for maintaining daily social activities. 

Ministry of Agriculture, Food Sovereignty, and Forestry 

Handles: 

  • Food Production, Processing, and Distribution: Ensures the safety and quality of one of the population’s most sensitive sectors. 

Ministry of Culture 

Protects entities and infrastructures engaged in cultural activities, such as archives, museums, and theaters. 

Ministry of Universities and Research 

Manages research institutions and universities, essential for innovation and technological development. 

Network and Information Security (NIS 2 Directive)

Why a sectoral division is important

Designating sectoral authorities allows targeted responses to the unique challenges of each field. For example: 

  • Attacks on energy systems can have devastating consequences for the economy and society. 
  • Healthcare must protect sensitive patient data and ensure service continuity. 
  • Digital infrastructures require constant updates to address increasingly sophisticated threats. 

This division also facilitates better alignment with European harmonization needs, promoting cooperation with other member states and ensuring compliance with the security standards defined by the NIS 2 Directive. 

Incident reporting obligations

Essential service operators must report a security incident to the competent authorities without undue delay, as required by Article 40 of the decree. Incident notification is crucial for national and European-level coordination and rapid response. 

The single point of contact facilitates cooperation among EU member states and ensures information exchange on threats. This strengthens risk management and prevents attack escalation. 

Security measures and operators’ obligations

The security measures required of operators are structured across various levels: 

  • Prevention
    Implementation of advanced technologies to mitigate risks. 
  • Protection
    Adoption of standardized guidelines to defend systems. 
  • Response
    Containment and recovery procedures post-incident. 

These measures must be proportionate to the risk and periodically verified by sectoral authorities, ensuring a systematic approach to risk management.

Role of the Italian CSIRT

The Italian CSIRT is a cornerstone of the NIS strategy. It coordinates incident responses at the national level, providing technical support and advanced analysis.

In collaboration with sectoral authorities, it helps maintain operational continuity in essential sectors and fosters a culture of security. 

Conclusions 

The adoption of a coordinated framework and the designation of sectoral NIS authorities represent a crucial step toward the country’s cyber resilience.

Collaboration among the various stakeholders, combined with compliance with European guidelines, makes it possible to tackle Network and Information Security challenges effectively in an increasingly interconnected context. 


Questions and answers

  1. What are the NIS sectoral authorities?
    They are bodies designated to implement the provisions of the NIS 2 directive in critical sectors.
  2. What is the role of the Presidency of the Council of Ministers?
    It manages ICT services, the space sector, and public administrations within the NIS framework.
  3. What does incident notification mean?
    It is the obligation for operators to report any security incidents to the competent authorities.
  4. Which sectors fall under the sectoral authorities?
    Energy, healthcare, transport, digital infrastructure, food, and culture, among others.
  5. What is the single point of contact?
    It is the mechanism that facilitates cooperation between EU member states on cyber security.
  6. What role does the Italian CSIRT play?
    It coordinates incident responses and supports competent authorities with analysis and technical resources.
  7. How are essential entities identified?
    Through criteria defined in the guidelines, with the support of sectoral authorities.
  8. What are the main security measures required?
    Prevention, protection, and incident response, tailored to the level of risk.
  9. What is the common high level of security?
    A goal that ensures uniform protection standards across the European Union.
  10. What is the importance of risk management?
    It allows for the identification and mitigation of vulnerabilities to prevent serious incidents.