Italy: Implemented Second Decree implementing the National Cybersecurity Perimeter (Incident Notification)

On 1 January 2022, the grace period for the implementation of prime ministerial decree 81/2021 ended, defining incident notification procedures as part of the implementation of the National Cybersecurity Perimeter. The decree categorises entities and systems based on their criticality, depending on which different time limits are set out for both implementation of the appropriate security measures and notification of any incidents to the Italian CSIRT and competent authorities. In particular, the decree contains tables outlining what entities are required to notify the CSIRT of incidents within six hours or within one hour of becoming aware of it. Entities that are part of the Perimeter shall follow these notification procedures starting 1 January 2022.