To ensure 5G cybersecurity, the government has included 5G technology within the scope of application of its ‘Golden Power’ regime (Law Decree n.21/2012), recently integrated and amended with Law Decree n.105 of 21 September 2019 (“Law Decree 105/2019”). The scope of Golden Power application also relates to agreements with non-EU entities on:
- the purchase of goods and services relating to the design, implementation, maintenance, and operation of 5G networks; and/or
- the acquisition of related high-tech components.
The law imposes a notification obligation for certain transactions, and the government may use the Golden Power by either imposing mitigation measures or vetoing the relevant transaction if mitigation would not limit risks to the integrity and security of networks and data. According to the statutory law, when a Golden Power notification is filed, the National Office for Assessment and Certification (Centro di valutazione e certificazione nazionale – CVCN) will carry out a preliminary investigation, which becomes part of the procedure, to assess possible vulnerability factors that could compromise the integrity and security of 5G networks and of the data transmitted over them.
Moreover, the EU NIS Directive, implemented in Italy through Legislative Decree no. 65 of 18 May 2018 and supplemented by the Law Decree 21/2012, has created a perimeter of national cyber security affecting public administrations as well as public and private national operators which:
- exercise an essential function of the state, or ensure the provision of an essential service for the maintenance of social, civil, and economic activities that are fundamental for the interest of the state, and
- provide these functions or services through critical systems such as information systems and services whose malfunctioning, interruption or improper use could affect national security.
The law identifies a series of requirements and notification duties that operators must meet. These include an obligation to: (i) notify the Presidency of the Council of Ministers and the Minister of Economic Development of a list of critical systems used by the operator, and subsequently keep that list updated; (ii) notify any incident having an impact on such critical systems to Italy’s Critical Security Incident Response Team (CSIRT); and (iii) comply with measures to guarantee a high standard of security for critical systems.
The decree also affects suppliers of goods, ICT systems and services to be used on critical systems by requiring operators planning to purchase such goods and services to notify the CVCN. Furthermore, the new legislation introduces a duty of collaboration with the CVCN, which may ask suppliers to meet certain conditions or request hardware and software testing for any risk assessment at their own expense. In this case, any supplier contract must include a condition precedent or a termination clause contingent upon the outcome of any CVCN assessment.