While many companies are still struggling to adjust to Regulation 2016/679 on data protection, for many of them the time is approaching to address Directive 2016/1148 on the security of networks and information systems, implemented in Italy by Legislative Decree No. 65/2018, which came into force last 24 June.
The recipients of the directive are digital service providers and operators of essential services. The former, defined in Annex 3 of the decree, are search engines, online marketplaces and cloud computing service providers. The latter are those specified in Annex 2: energy, transport, health, banks and financial market infrastructures, suppliers and managers of drinking water, digital infrastructures.
The precise definition of the subjects to whom the rule applies will take place by November 9, when the ministries involved (Infrastructures and Transport, Economic Development, Health, Economics and Environment) will have to provide timely identification. The chosen subjects will have to get to work, but if they have done their GDPR-related tasks well, the effort should not be so great. In fact, the obligations established both for digital service providers (Articles 14, 15 and 16) and for operators of essential services (Articles 12 and 13) are very similar to the ones introduced by the GDPR. In general the law talks about “risk-adequate safety” and notification to the competent authorities, “without unjustified delay, of incidents having a significant impact”. It is impossible not to notice the evident overlap between these constraints and the provisions of Regulation 2016/679 contained in Article 32, which obliges the adoption of “adequate technical and organizational measures to guarantee a level of safety appropriate to risk”, and Article 33, which establishes that “in case of violation of personal data, the data controller shall notify the authority (…) without undue delay”.
On this basis, the transposition of the provisions of the directive, despite the complexity of defining when and how safety meets the requirement of “adequacy”, should find companies rather well prepared.