On 5 November 2020, the prime ministerial decree 131/2020 entered into force, defining the implementation of the National Cybersecurity Perimeter. After defining a series of terms connected to the implementation of the perimeter and referencing relevant prior legislation, Article 3 of the Decree outlines the sectors of activity that are subject to inclusion in the Perimeter, as well as the authorities responsible for selecting specific entities in each sector, and the gradual approach that foresees a gradual inclusion of entities starting with those deemed the most critical. Article 4 offers three main criteria for administrations to identify critical entities: the territorial scope of their essential function, the consequences of possible compromise, and the possibility of mitigating any such consequences. Article 5 disciplines the procedure for adding entities to the perimeter, with the involvement of the Information Security Department (Dipartimento delle Informazioni per la Sicurezza (DIS)). Article 6 concerns the creation of an Interministerial Table for the Implementation of the National Cybersecurity Perimeter, to support the technical Interministerial Committee for the Security of the Republic (CISR). Articles 7 and 8 outline the obligations of entities that are included in the Perimeter, consisting mainly of the creation of a comprehensive list of their critical assets, in cooperation with DIS and CISR. Per Article 9, critical entities are required to transmit this list, alongside a risk assessment, to the relevant structure at the Presidency of the Council of Ministers within six months of being notified of their inclusion in the Perimeter.
Original source