Italian cybersecurity certification obligations for technology suppliers to companies covered by the National Cyber Security Perimeter are now operational.
As of June 30, 2022, certification and testing obligations are operational for suppliers of technology goods, systems, and services to companies within the Italian National Cybersecurity Perimeter.
In this article, after a brief regulatory overview, we provide an overview of the testing and certification procedures and methodology carried out by the Italian Center for National Assessment and Certification (CVCN), as well as some considerations regarding the obligations on technology goods and services providers.
The Italian regulations applicable to companies in the National Cybersecurity Perimeter
The Italian Law Decree No. 105/2019 defined the National Cybersecurity Perimeter, which was established to ensure a high level of security of the networks, information systems, and IT services of the so-called “essential services” operators (i) having an office in the national territory, (ii) on which the exercise of an essential function or the provision of a service essential to the Italian State depends, and (iii) whose malfunction or interruption (even partial) or improper use may result in harm to national security.
Following such a decree, a series of further decrees were issued to implement the national cybersecurity perimeter, namely:
- The Prime Minister’s Decree No. 131/2020 identified the public and private entities included in the National Italian Cybersecurity Perimeter (based on specific criteria and within different strategic sectors, i.e., space and aerospace, energy, telecommunications, economy and finance, transportation, digital services);
- The Prime Minister’s Decree No. 81/2021 established the security measures that those included in the Italian Cybersecurity Perimeter must take and how to report incidents. These operators are required to prepare annually the list of assets deemed “strategic” for the provision of their essential services and essential functions and, with respect to these assets, to take measures to ensure high levels of security and to notify any incidents to the CSIRT (“Computer Security Incident Response Team”) active at the National Cybersecurity Agency (“ACN”); finally,
- The Presidential Decree No. 54/2021, in implementation of Article 1, co. 6, of Law Decree No. 105/2019, introduced the obligation for entities included in the Perimeter to notify the CVCN of their intention to acquire technology goods, systems, and services to be deployed on their “strategic” assets and belonging to specific categories outlined in the Prime Minister’s Decree of June 15, 2021.
The procedure of certification activities for suppliers to companies in the Italian National Cybersecurity Perimeter
In light of the above regulatory framework, companies subject to the Italian Cybersecurity Perimeter must notify the CVCN of their intention to procure technology goods, systems, and services falling under the categories outlined in the Prime Ministerial Decree of June 15, 2021, before entering into a contract or launching a call for tenders for their provision.
Below we outline the procedure to be followed:
Stages of the testing procedure
Following notification, the CVCN initiates a testing procedure (the costs of which are borne by the supplier) consisting of three stages:
1. preliminary verifications, to be carried out within 45 days of the notification made by the company within the Perimeter that intends to use a particular ICT asset or system referred to in the Prime Minister’s Decree of June 15, 2021. An additional period of 15 days may be granted, but only once and only in cases of particular complexity.
If, at the expiration of this deadline, the CVCN has not ruled, this may be interpreted as tacit consent, and the company subject to the Perimeter may proceed with the contracting or launching of the tender with the identified supplier;
2. preparation for the execution of the tests; and
3. execution of the hardware and software tests, to be carried out within 60 days from the date on which the company subject to the Perimeter notifies that the technology asset/service is physically available and ready for testing at the CVCN.
At the end of the procedure above, even in the case of a positive outcome, the CVCN may directly prescribe to the company falling under the Perimeter additional requirements on the use/implementation of the technology products/goods tested.
Methodology and Frequency
The CVCN has adopted internal risk analysis parameters and severity levels, but these have not yet been disclosed. Depending on the ACN’s assessment of these parameters, the following types of tests may be performed:
- tests aimed at assessing the proper implementation of security features for consistency with design specifications;
- intrusion tests to support vulnerability analysis.
In any case, tests should be performed in such a way as to avoid duplication.
If the same product/service has already been tested or is being tested, the CVCN will not conduct further evaluations provided that:
- tests for all security features and intrusion tests of the same product have already been performed or are in progress;
- intrusion tests have been performed or are being conducted at severity levels not lower than those selected for the latest evaluation.
In other cases, the CVCN should identify other tests to be performed, excluding those previously performed or in progress, to avoid overlap.
Main consequences for suppliers of technology goods and services to companies in the Italian National Cybersecurity Perimeter
As a result of the notification and where tests are performed at the CVCN, suppliers of technology goods and services subject to the testing activities are obliged to cooperate and provide support, and to bear the costs of the assessment activities carried out by the CVCN and by the Assessment Centers at the Ministries of Defense and Interior, as well as of the testing activities conducted by the Accredited Testing Laboratories, which are an integral part of the arrangement related to the CVCN.
In particular, suppliers are required to provide the following:
- proof of the suitability of the security functions of the service/product being tested;
- a test environment adequately representative of the operational reality at the laboratory or, if necessary, at the premises of the supplier itself or the company within the Perimeter that intends to purchase its ICT goods/services;
- a general description of the architecture of the service/product to be tested and its functions;
- a description of the security features implemented in the service/product being tested;
- a description of the functionality and security tests already performed by the vendor or other third parties, including their results.
This is a distinctly burdensome procedure that could slow down the start of deliveries to companies in the Italian National Cybersecurity Perimeter, which is not in line with the spirit of the relevant regulations. For this reason, we support different suppliers in finding the most efficient solutions to handle these burdens.
You can read the article “NIS2 Directive approved - New cybersecurity obligations for many companies” on a similar issue.