(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?
Legislative Decree 65/2018 (‘NIS Law’) imposes specific obligations regarding security measures and notification of incidents on providers of certain critical services (operators of essential services (OESs) and digital service providers (DSPs), as identified under the same law).
Furthermore, Law 105/2019 and its implementing regulations aim to guarantee the security of the networks, information systems and information services of public administrations, public and private entities and operators headquartered in Italy that are critical either for the exercise of an essential function of the state or for the provision of an essential service on which civil, social or economic activities fundamental to the interests of the state depend. Law 105/2019 also applies to telecommunications, aerospace, transport and certain digital services, as identified pursuant to the law.
In the last few years, the Bank of Italy has adopted several initiatives in order to promote innovation and cyber resilience in the Italian financial sector. On 23 September 2020, the Bank of Italy updated Circular 285/2013 (‘Regulatory Provisions for Banks’) to ensure full alignment with the European Banking Authority Guidelines on internal governance under Directive 2013/36/EU. Another example is the adoption of the TIBER-IT National Guidance, which is the national transposition of the Threat Intelligence-Based Ethical Red Teaming Framework issued by the European Central Bank, a reference model for conducting advanced cybersecurity tests harmonised at the European level.
Finally, the recently adopted EU Regulation 2022/2554 on digital operational resilience for the financial sector – the European Union’s flagship initiative on digital operational and cyber resilience in the financial sector – will apply from 17 January 2025.
(b) Certain types of information (personal data, health information, financial information, classified information)?
The GDPR provides for heightened obligations in connection with ‘special categories of personal data’, which are defined, as per Article 9, as:
- data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;
- genetic data;
- biometric data;
- data concerning health; or
- data concerning a natural person’s sex life or sexual orientation.
It provides for higher standards of protection for these types of data (eg, a prohibition on collection except in restricted cases – for instance, where personal data has been manifestly made public by the data subject).
Special protection is accorded by Law 124/2007 to information protected by state secrets. In particular, pursuant to Article 39 of Law 124/2007, this protection applies to acts, documents, news, activities and anything else whose dissemination is likely to damage the integrity of the Italian state, including in relation to:
- international agreements;
- the defence of the fundamental constitutional order;
- the independence of the state and its relations with other states; and
- the preparation and military defence of the state.
The protection of information covered by state secrets is primarily the responsibility of the prime minister, who must provide the Department of Information for Security and the competent agencies (the External Agency for Information and Security and the Internal Agency for Information and Security) with the directives needed to improve the protection of critical infrastructure, both material and immaterial, in particular with regard to national cyber and information security.