With Legislative Decree no. 65 of May 18th, 2018, Italy implemented Directive 2016/1148, commonly known as the NIS (Network and Information Security) Directive, which is intended to define the measures necessary to maintain a high level of network and information systems security. The decree applies to Operators of Essential Services (OES) and to Digital Service Providers (DSP). OESs are public or private entities that provide services essential to society and the economy in the health and energy sectors, in the supply and distribution of drinking water, in transport, in the banking sector and financial market infrastructure, and in the digital infrastructure sector. DSPs are companies that provide e-commerce, cloud computing and web search engine services, with more than 50 employees and an annual turnover or budget exceeding 10 million euros. Starting from the 9th of November 2018, the Competent NIS Authorities (i.e. the competent Ministries for each sector) are required to identify more precisely the operators that meet the NIS requirements.
OESs and DSPs are called upon to adopt technical and organizational measures that are adequate and proportionate to risk management, and to prevent and minimize the impact of incidents affecting the security of network and information systems. They must also notify the Italian Computer Security Incident Response Team (CSIRT), without unreasonable delay, of incidents that have a significant effect on the continuity and on the provision of the service, respectively.
In this context, ICT Cyber Consulting offers various services:
a. Identification of technical and organizational measures that are adequate and proportionate to the risks posed to the security of the network and information systems used by essential services providers and operators of essential services;
b. Identification of, and related consultancy on, the adoption of measures to prevent and minimize the impact of incidents on the security of the network and information systems used by digital and essential services operators;
c. Preparation of the procedures and policies needed for appropriate notification, without undue delay, to the competent Authority or to CSIRT – Italy of any incident that has an impact on the provision of a digital service or that has affected essential services operators, including the information that can help identify the transnational consequences of such events.