The Importance of the Cybersecurity Bill
After the introduction of the GDPR, which revolutionized the management of personal data in Europe, Italy advances with the Cybersecurity Bill. The importance of laws regulating the Public Administration's approach to prevention, monitoring, and resolution procedures concerning cybersecurity reaches its peak in developing practices that will profoundly impact our culture and habits.
Awareness of cyber threats is still limited, despite the exponential increase in threats and their effects. Since 2016, with the introduction of the GDPR, the importance of norms protecting personal data has been recognized. Now, with the Cybersecurity Bill, the focus shifts to the efficiency of security systems.
GDPR and Cybersecurity
To summarize, the GDPR established new standards for personal data protection in the EU, introducing measures such as:
- Scope of Application: The GDPR applies to all organizations that process personal data of individuals residing in the EU.
- Explicit Consent: Consent for data processing must be clear, specific, informed, and revocable.
- Rights of Data Subjects: For example, the right to access, rectify, delete, restrict processing, data portability, and objection.
- Data Protection by Design and Default: Organizations must implement appropriate technical measures to ensure that principles are integrated into the design of processes and systems.
- Breach Notification: Breaches must be notified within 72 hours of becoming aware of them.
- **Data Protection Impact Assessment (DPIA): ** Must be conducted to assess risks and implement measures to mitigate them.
- Penalties: Up to 20 million Euros or 4% of the global annual turnover.
Clearly, cybersecurity solutions had to adapt technical and organizational measures to ensure a security system in line with the GDPR, capable of ensuring confidentiality, integrity, availability, and resilience of processing systems and services. However, the GDPR does not specifically focus on cybersecurity systems themselves but rather on what needs to be protected, in what context, and why.
The New Cybersecurity Bill in Italy
Approved on June 19, 2024, the Cybersecurity Bill introduces norms aimed at regulating and strengthening cybersecurity practices in the country, starting with Public Administration.
Unlike the GDPR, which focuses on data protection, the Cybersecurity Bill focuses on the efficiency of security systems. The main key points include:
- Significant increases in penalties for crimes such as unauthorized access to IT systems (a public official would be punished with imprisonment from 2 to 10 years) and damage to information, data, and IT programs (imprisonment from 2 to 6 years).
- Encouragement in choosing Italian, European, and NATO security solutions
- Promotion of international collaboration
- Education and training, public awareness
- 24-hour notification obligation for all public and private entities within the National Cybersecurity Perimeter (PSNC), as well as central Public Adm., Regions, Metropolitan Cities, municipalities with over 100,000 inhabitants, public transport companies, and local health agencies.
- The Public Adm. must act quickly in case of vulnerabilities reported by the ACN
- Use of encryption as a defense tool with the establishment of a national encryption center at the ACN
- Appointment of a security officer in the office and a manager for digital transition.
Comparing GDPR and the Cybersecurity Bill
The differences between the Cybersecurity Bill and the General Data Protection Regulation are fundamentally divided into three macro areas:
- Main Focus
- Geographical Scope
- Type of Data
The Italian bill focuses primarily on the protection of critical infrastructures and response to cyber threats, is limited to Italy, and focuses on data and systems critical to national security.
The GDPR, on the other hand, is centered on the protection of personal data and individuals' rights over their data and applies throughout the EU and to organizations processing data of EU citizens (regardless of their location). Obviously, the data processed are personal data of individuals.
Both the Bill and the GDPR are regulatory tools aimed at improving security and protection in the digital context. However, while the GDPR aims to protect data, individual rights, and obligations for data controllers, the Bill aims to improve infrastructures to protect data themselves through measures like establishing national agencies, motivating public-private collaborations, strengthening incident response capabilities, and focusing on training, awareness, and R&D investments.
At this moment, there is a need for solutions with characteristics complementary to the objectives of the regulations.
Maximum Compliance with Oplon Secure Access
The key features for achieving maximum compliance with GDPR and the Cybersecurity Bill are divided into areas:
- Personal Data Protection
- Use of encryption to protect data both in transit and at rest.
- Role-based access (PAM) to ensure the right authorization for the right user
- Identity and access management (IAM) to manage and monitor who has access to data and systems
- Threat Monitoring and Detection
- Continuous monitoring to detect suspicious activities
- Maximum traceability to accurately detect threats.
- Incident Response
- Incident response plans to respond quickly and effectively.
- Incident management tools to coordinate the response.
- Training and Awareness
- Continuous staff training programs to increase awareness of security practices
- Regular simulations and tests to prepare staff to respond appropriately.
Cybersecurity solutions must therefore be ready to comply with regulations and also facilitate tasks outside their structure, such as appointing a data protection officer or notifying data breaches within 24 hours of discovery.
In all these cases, Oplon Secure Access (OSA) is compliant and will help you become compliant with both the Cybersecurity Bill and the GDPR.
Becoming Compliant: Oplon Secure Access
Thanks to the ZTNA approach, including MFA, PAM, and encryption features to protect data both in transit and at rest, OSA plays a vital role in protecting information and access to infrastructures. Another advantage of the solution is the ability for continuous monitoring and activity traceability within the environment, also thanks to the possibility of recording actions taken.
The configuration method of the features has been structured through the concepts of 'efficiency' and 'ease,' making it extremely simple to absorb information and facilitating the training and education of technical staff. Another differentiating feature is data ownership: since the solution's installation is exclusively done on the user's systems without using any third-party applications, the notification of a possible exfiltration can easily be done within 24 hours of becoming aware of it, well below the 72 hours required by the GDPR.
Oplon Networks is a 'Made in Italy' company that collaborates in European projects aimed at standardizing security systems in the continent's countries, benefiting any organization that chooses this solution, given the directives present in the new regulations. Finally, Oplon Secure Access takes a step further by materializing a concept that makes holistic approaches like ZTNA a real usable product: 'In-browser converging resources'. We converge the resources to be reached through leading methodologies in the cybersecurity market into a single point, to make access and use extremely protected, secure, and easy.
Oplon Secure Access: ‘Securely access from anywhere to anything, just through the browser.'