What will the National Cybersecurity Agency (Acn) look like? What does the decree provide?

Here is the draft of the decree law on cyber with the establishment of the National Cybersecurity Agency (Acn)

The establishment of the National Cybersecurity Agency (Acn) is ready after the Draghi government destroyed the project of the former premier Giuseppe Conte of the internal Dis agency which had been engineered by the former number one of Dis, Gennaro Vecchione , torpedoed by the Draghi government who appointed Elisabetta Belloni .

Here are all the details on the cyber decree-law scheme with the establishment of the National Cybersecurity Agency (Acn).

The government accelerates on the National Cybersecurity Agency (Acn), a public body with regulatory, administrative, patrimonial, organizational autonomy, envisaged in the draft of 19 articles, incomplete and subject to change, of the Cybersecurity law decree that should arrive in the Council of ministers.

Given "the vulnerability of the networks, information systems, IT services and electronic communications of public and private entities that can be exploited in order to cause the total or partial malfunction or interruption of essential functions of the State and services essential for the maintenance of civil, social or economic activities fundamental to the interests of the State ", the government wants to redefine the Italian cybersecurity architecture also providing for the establishment of a special agency to" adapt it to technological evolution, to the context of threat from the cyber space, as well as to the European regulatory framework, and to have to link, also, also to protect the legal unit of the legal system, the provisions on the security of networks, information systems, IT services and electronic communications ".

In addition to the Acn, the decree establishes, at Palazzo Chigi, an inter-ministerial committee for cybersecurity (Cics) "with the functions of consulting, proposing and deliberating on cybersecurity policies, also for the purpose of protecting national security in the cyber space".

The provision also provides for the hiring of ad hoc personnel, even those not coming from the public administration. The cybersecurity core, set up at the ACN, a sort of front line that ensures support for the premier in the event of a crisis, is composed of the prime minister's military advisor, a representative, respectively, of the Dis, the Aise, the Aisi and each of the ministries represented in the inter-ministerial committee for the security of the republic (Cisr), as well as a representative of the ministry of the university, the minister delegated for technological innovation and digital transition, and a representative of the civil protection department of Palazzo Chigi.

The President of the Council of Ministers is exclusively assigned: top management and general responsibility for cybersecurity policies, also for the purposes of protecting national security in the cyber space; the adoption of the national cybersecurity strategy, after consulting the inter-ministerial committee for cybersecurity (Cics); the appointment and dismissal of the Director General and Deputy Director General of the National Cybersecurity Agency.

The President of the Council of Ministers, after consulting the Cics, issues the directives for cybersecurity and issues all provisions necessary for the organization and functioning of the National Cybersecurity Agency. The proposal of the Cybersecurity Agency was delivered in the past few hours to Copasir, called to express an opinion on the text.

+++

SCHEME OF A DECREE-LAW CONTAINING URGENT PROVISIONS IN THE FIELD OF CYBER SECURITY, DEFINITION OF THE NATIONAL CYBER SECURITY ARCHITECTURE AND ESTABLISHMENT OF THE NATIONAL CYBER SECURITY AGENCY.

THE PRESIDENT OF THE REPUBLIC

HAVING REGARD to articles 77 and 87 of the Constitution;

GIVEN the law of 23 August 1988, n. 400, containing the discipline of the Government activity and the order of the Presidency of the Council of Ministers;

CONSIDERING that the vulnerabilities of the networks, information systems, IT services and electronic communications of public and private entities can be exploited in order to cause the total or partial malfunction or interruption of essential functions of the State and essential services for the maintenance of civil, social or economic activities essential for the interests of the State, as well as public utility services, with potentially serious repercussions on citizens, businesses and public administrations, up to the point of causing prejudice to national security;

CONSIDERING the extraordinary need and urgency, in the current regulatory framework and in the face of the ongoing implementation of important and strategic technological infrastructures, also in relation to recent attacks on the networks of European countries and important international partners capable of determining effects, including of a systemic nature and which further underline how the cyber domain constitutes a ground for comparison with reflections on national security, to rationalize the skills in this area, to ensure more effective coordination, to implement measures aimed at making the country more secure and resilient also in the digital domain, to have the most suitable tools for immediate intervention that make it possible to deal with any emergency situations involving cybersecurity profiles with maximum effectiveness and promptness;

CONSIDERING also the need and urgency to implement the National Recovery and Resilience Plan, approved by the Council of Ministers at the meeting of 29 April 2021, which provides for specific projects in the field of cybersecurity, in particular for the establishment of a national cybersecurity, as a necessary factor to ensure the development and growth of the national economy and industry, placing cybersecurity at the foundation of the digital transformation;

CONSIDERING therefore that it is necessary to intervene urgently in order to redefine the Italian cybersecurity architecture, also providing for the establishment of a specific National Cybersecurity Agency, to adapt it to technological evolution, to the context of threats coming from cyber space, as well as to the European regulatory framework, and to have to link, also, also to protect the legal unity of the legal system, the provisions on the security of networks, information systems, IT services and electronic communications;

GIVEN the resolution of the Council of Ministers, adopted at the meeting of ……. 2021; On the proposal of the President of the Council of Ministers;

ISSUES the following decree-law:

Art. I (Definitions)

1. For the purposes of this decree, the following definitions apply:

a) cybersecurity, the set of activities necessary to protect and ensure the availability, confidentiality and integrity of networks; information systems, IT services and electronic communications from cyber threats, also guaranteeing their resilience;

b) perimeter decree-law, the decree-law 21 September 2019, n. 105, converted, with amendments, by law 18 November 2019, n. 133, containing urgent provisions regarding the perimeter of national cyber security and the regulation of special powers in sectors of strategic importance;

c) legislative decree NlS, the legislative decree 18 May 2018, n. 65, implementing Directive (EU) 2016/1148 of the European Parliament and of the Council, of 6 July 2016, concerning measures for a high common level of security of networks and information systems in the Union;

d) CISR, the Interministerial Committee for the Security of the Republic referred to in Article 5 of Law no. 124;

e) DIS, the Security Information Department referred to in Article 4 of Law no. 124 of 2007;

j) AlSE, the external information and security agency referred to in article 6 of law no. 124 of 2007; g) AISI, the information and internal security agency referred to in article 7 of law no. 124 of 2007; h) COPASIR, the Parliamentary Committee for the security of the Republic referred to in Article 30 of Law no. 124 of 2007; i) national cybersecurity strategy, the strategy referred to in article 6 of the NJS legislative decree.

Art. 2 (Powers of the President of the Council of Ministers)

1. The President of the Council of Ministers is exclusively attributed:

a) top management and general responsibility for cybersecurity policies, including for the purposes of protecting national security in the cyber space;

b) the adoption of the national cybersecurity strategy, after consulting the Interministerial Committee for Cybersecurity (CICS) referred to in Article 4;

c) the appointment and dismissal of the Director General and Deputy Director General of the National Cybersecurity Agency referred to in Article 5.

2. For the purposes of exercising the competences referred to in letter a) and implementing the national cybersecurity strategy, the President of the Council of Ministers, having consulted the CICS, issues the directives for cybersecurity and issues any provision necessary for the organization and functioning of the National Cybersecurity Agency.

Art. 3 (Delegated authority)

1. The President of the Council of Ministers, where he deems it appropriate, may delegate to the delegated authority referred to in article 3 of law no. 124 of 2007, where established, the functions referred to in this decree that are not exclusively attributed to it.

2. The President of the Council of Ministers is constantly informed by the delegated Authority on the procedures for exercising the functions delegated pursuant to this decree and, without prejudice to the power of directive, may at any time invoke the exercise of all or some of they.

3. The Delegated Authority, in relation to the functions delegated pursuant to this decree, participates in the meetings of the Interministerial Committee for the digital transition referred to in article 8 of the decree-law 1 March 2021, n. 22, converted, with modifications, by law 22 April 2021, n. 55. 2 draft 08/06/2021

Art. 4 (Interministerial Committee for Cybersecurity)

1. The Interministerial Committee for Cybersecurity (CICS) is set up at the Presidency of the Council of Ministers, with the functions of advising, proposing and deliberating on cybersecurity policies, also for the purposes of protecting national security in the cyber space.

2. The Committee:

a) proposes to the President of the Council of Ministers the general guidelines to be pursued within the framework of national cybersecurity policies;

b) carries out high surveillance on the implementation of the national cybersecurity strategy;

c) promotes the adoption of the necessary initiatives to foster effective collaboration, at national and international level, between institutional subjects and private operators interested in cybersecurity, as well as for the sharing of information and for the adoption of best practices and measures aimed at the goal of cybersecurity and industrial, technological and scientific development in the field of cybersecurity;

d) deliberates and expresses opinion on the budget and final balance sheets of the National Cybersecurity Agency.

3. The Committee is chaired by the President of the Council of Ministers and is composed of the delegated Authority, where established, the Minister of Foreign Affairs and International Cooperation, the Minister of the Interior, the Minister of Justice, the Minister of Defense, the Minister of Economy and Finance, the Minister of Economic Development, the Minister of Ecological Transition, the Minister of University and Research and the Minister Delegate for Technological Innovation and Digital Transition

4. The Director General of the Agency performs the functions of Secretary of the Committee.

5. The President of the Council of Ministers may call other members of the Council of Ministers, the director general of the DIS, the director of the AISE, the director to participate in the meetings of the Committee, also following their request, without the right to vote. of the AISI, as well as other civil and military authorities whose presence is deemed necessary from time to time in relation to the issues to be dealt with.

6. The Committee also performs the functions already attributed to the CISR by the perimeter decree-law and the related implementing measures, with the exception of those provided for by article 5 of the same perimeter decree-law.

Art. 5 (National Cybersecurity Agency)

1. To protect national interests in the field of cybersecurity, also for the purposes of protecting national security in the cyber space, the National Cybersecurity Agency (ACN), named for the purposes of this decree "Agency", is established, with headquarters in Rome.

2. The Agency has legal personality under public law and is endowed with regulatory, administrative, patrimonial, organizational, accounting and financial autonomy, within the limits of the provisions of this decree. The regulations provided for in this decree may also contain provisions in derogation from the regulations in force, in relation to the performance of the functions of protection of national security in the cyber space attributed to the Agency itself and taking into account the activities carried out in connection with the Information System for the security of the Republic referred to in law no. 124 of 2007.

3. The President of the Council of Ministers and the Delegated Authority, where established, make use of the Agency for the exercise of the powers referred to in this decree.

4. The general management of the Agency is entrusted to a senior manager of the State administration or equivalent, identified among persons of particular and proven professional qualification in the field of cybersecurity and in possession of documented high-level experience in the management of innovation processes. The offices of the general manager and deputy general manager have a maximum duration of four years and are renewable, with subsequent measures, for a maximum total duration of a further four years. As foreseen by this decree, the Director General of the Agency is the direct contact person of the President of the Council of Ministers and of the Delegated Authority, where established, and is hierarchically and functionally superordinate to the staff of the Agency. The Director General is the legal representative of the Agency.

5. The activity of the Agency is regulated by this decree and by the provisions whose adoption is foreseen by the same.

6. The Agency may request, also on the basis of specific agreements and in compliance with the areas of particular competence, the collaboration of other State bodies, other administrations, police forces or public bodies for the performance of its institutional tasks.

Art. 6 (Organization of the National Cybersecurity Agency)

1. The organization and functioning of the Agency are defined by a specific regulation which provides, in particular, for its division into general management level offices, as well as into non-general management level structures.

2. The Director General and the Board of Auditors are bodies of the Agency. The regulation referred to in paragraph 1 also governs:

a) the functions of the Director General and Deputy Director General of the Agency;

b) the composition and functioning of the Board of Auditors;

c) the establishment of any secondary offices.

3. The regulation referred to in paragraph 1 is adopted, within one hundred and twenty days from the date of entry into force of the law converting this decree, by decree of the President of the Council of Ministers, also by way of derogation from article 17 of the law of 23 August 1988 , no. 400, after consulting COPASIR, after consulting CICS.

Art. 7 (Functions of the National Cybersecurity Agency)

1. The Agency:

a) is the National Cybersecurity Authority and, in relation to this role, ensures, in compliance with the competences attributed by the current legislation to other administrations, coordination between the public entities involved in the field of cybersecurity at national level and promotes the implementation of actions municipalities aimed at ensuring cyber security and resilience for the development of the digitization of the country, the production system and public administrations, as well as for the achievement of autonomy, national and European, with regard to IT products and processes of strategic importance to protection of national interests in the sector. For networks, information systems and IT services relating to the management of classified information, the provisions of the regulation adopted pursuant to article 4, paragraph 3, letter I), of law no. 124 of 2007, as well as the competences of the central office for secrecy referred to in article 9 of law no. 124 of 2007;

b) prepares the national cybersecurity strategy;

c) carries out all necessary support activities for the functioning of the Cybersecurity Unit, referred to in Article 8 of this decree;

d) is the competent national authority and single point of contact for the security of networks and information systems, for the purposes referred to in the legislative decree NIS, to protect the legal unit of the legal system, and is competent to ascertain violations and to the imposition of the administrative sanctions provided for by the same decree;

e) is the National Cybersecurity Certification Authority pursuant to Article 58 of Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019, and assumes all the tasks relating to cyber security certification already assigned to the Ministry of Economic Development under the law in force, including those relating to the ascertainment of violations and the imposition of sanctions;

f) assumes all cybersecurity tasks already assigned by the provisions in force to the Ministry of Economic Development, including those relating to:

1) the perimeter of national cyber security, referred to in the perimeter decree-law and related implementing measures, including the functions attributed to the National Assessment and Certification Center pursuant to the perimeter decree-law, the inspection and verification activities referred to Article 1, paragraph 6, letter e), of the perimeter decree-law and those relating to the ascertainment of violations and the imposition of administrative sanctions provided for by the same decree, without prejudice to those referred to in Article 3 of the regulation adopted with decree of the President of the Council of Ministers n. 131 of 2020;

2) the security and integrity of electronic communications, as per articles 16-bis and 16-ter of the legislative decree 1 August 2003, n. 259, and related implementing provisions;

3) the security of networks and information systems, as per legislative decree NlS;

g) participates, for the areas of competence, in the coordination group established pursuant to the regulations referred to in article 1, paragraph 8, of the decree-law of 15 March 2012, n. 21, converted, with modifications, by law 11 May 2012, n. 56;

h) assumes all the tasks already assigned to the Presidency of the Council of Ministers regarding the national cyber security perimeter, as per the perimeter decree-law and the related implementing measures, including the inspection and verification activities referred to in Article 1 , paragraph 6, letter e), of the perimeter decree-law and those relating to the ascertainment of violations and the imposition of administrative sanctions provided for by the same decree, without prejudice to those referred to in Article 3 of the regulation adopted by decree of the President of Council of Ministers n. 131 of 2020;

i) assumes all the tasks already assigned to the DIS by the perimeter decree-law and the related implementing measures and supports the President of the Council of Ministers for the purposes of article 1, paragraph 19-bis, of the perimeter decree law;

l) on the basis of the activities falling within the competence of the Cybersecurity Unit referred to in Article 8 of this decree, provide for the activities necessary for the implementation and control of the execution of the measures taken by the President of the Council of Ministers pursuant to 'article 5 of the perimeter decree-law;

m) assumes all the tasks relating to cybersecurity already assigned to the Agency for Digital Italy by the current provisions and, in particular, those referred to in Article 51 of Legislative Decree no. 82, as well as on the adoption of guidelines containing technical rules of cybersecurity pursuant to article 71 of the same legislative decree. The Agency also assumes the duties referred to in article 33-septies, paragraph 4, of the decree-law no. 179, converted, with amendments, by law 17 December 2012, n. 221, already attributed to the Agency for Digital Italy;

n) develops national capabilities for prevention, monitoring, detection, analysis and response, to prevent and manage IT security incidents and IT attacks, also through the CSJRT Italia referred to in Article 8 of the NlS legislative decree;

o) participate in national and international exercises that concern the simulation of cybernetic events in order to increase the resilience of the country;

p) takes care of and promotes the definition and maintenance of an updated and coherent national legal framework in the domain of cybersecurity, also taking into account the guidelines and developments in the international arena. To this end, the Agency expresses non-binding opinions on legislative or regulatory initiatives concerning cybersecurity;

q) coordinates, in conjunction with the Ministry of Foreign Affairs and International Cooperation, international cooperation in the field of cybersecurity. Within the European Union and internationally, the Agency handles relations with the competent bodies, institutions, and entities, as well as follows cybersecurity issues in the competent institutional offices, except for the areas in which the law assigns specific competences to other administrations. In such cases, liaison with the Agency is in any case ensured in order to guarantee unified national positions consistent with the cybersecurity policies defined by the President of the Council of Ministers;

r) pursuing objectives of excellence, it supports the development of industrial, technological and scientific skills and abilities in the areas of competence, through the involvement of academia, research and the national production system. For these purposes, the Agency can promote, develop and finance specific projects and initiatives, also aimed at promoting the technological transfer of research results in the sector. The Agency ensures the appropriate synergies with the other administrations to which the law attributes competences in the field of cybersecurity; s) stipulates bilateral and multilateral agreements, also through the involvement of the private and industrial sector, with institutions, bodies and organizations of other countries for Italy's participation in cybersecurity programs, ensuring appropriate synergies with other administrations to which the law assigns expertise in the field of cybersecurity;

t) promotes, supports and coordinates Italian participation in European Union and international projects and initiatives, also through the involvement of national public and private entities, in the field of cybersecurity and related application services. The Agency ensures the appropriate synergies with the other administrations to which the law attributes competences in the field of cybersecurity;

u) carries out communication and awareness promotion activities on cybersecurity, in order to contribute to the development of a national culture on the subject;

v) promotes training, technical-professional growth and the qualification of human resources in the field of cybersecurity, also through the assignment of scholarships, doctorates and research grants, on the basis of specific agreements with public and private entities;

z) for the purposes referred to in this article, it may establish and participate in public-private partnerships on the national territory, as well as, subject to the authorization of the President of the Council of Ministers, in consortia, foundations or companies with public and private subjects, Italian and foreign .

aa) is designated as the National Coordination Center pursuant to Article 6 of Regulation (EU) 2021/887 of the European Parliament and of the Council of 20 May 2021, establishing the European Center of Competence for Cybersecurity in the Industrial, Technological and research and the network of national coordination centers.

2. Within the framework of the Agency, the national representative and his / her deputy are appointed, by decree of the President of the Council of Ministers, to the Governing Council of the European Center of Competence for Cybersecurity in the Industrial, Technological and research, pursuant to Article 12 of Regulation (EU) 2021/887.

3. The Italian CSIRT referred to in article 8 of the NIS legislative decree is transferred to the Agency and takes the name of: "CSIRT Italy"

4. The National Assessment and Certification Center, set up at the Ministry of Economic Development, is transferred to the Agency.

5. In compliance with the competences of the Guarantor for the protection of personal data, the Agency, for the purposes referred to in this decree, consults the Guarantor and collaborates with him, also in relation to accidents involving violations of personal data. The Agency and the Guarantor may stipulate specific protocols of intent which also define the methods of their collaboration.

Art. 8 (Core for cybersecurity)

1. The Cybersecurity Nucleus is permanently set up at the Agency, in support of the President of the Council of Ministers in the field of cybersecurity, for aspects relating to the prevention and preparation for any crisis situations and for the activation alert procedures.

2. The Cybersecurity Nucleus is chaired by the Director General of the Agency or by the Deputy Director General designated by him and is composed of the Military Advisor of the President of the Council of Ministers, a representative, respectively, of the DIS, AISE, 'AISI, of each of the Ministries represented in the Committee referred to in Article 5 of Law no. 124 of 2007, of the Ministry of University and Research, of the Minister delegated for technological innovation and digital transition, of the Department of Civil Protection of the Presidency of the Council of Ministers. For aspects relating to the handling of classified information, the Unit is supplemented by a representative of the Central Office for secrecy referred to in Article 9 of Law no. 124 of 2007.

3. The members may be attended at the meetings by other representatives of their respective administrations in relation to the matters being discussed. On the basis of the topics of the meetings, representatives of other administrations, universities or research bodies and institutes, as well as private operators interested in the subject of cybersecurity, may also be called to participate.

4. The Nucleus can be convened in a restricted composition with the participation of the representatives of the administrations and interested parties only, also in relation to the crisis management tasks referred to in Article 10.

Art. 9 (Tasks of the Cybersecurity Unit)

1. For the purposes referred to in Article 8, the Cybersecurity Unit carries out the following tasks:

a) may formulate proposals for initiatives in the field of cybersecurity of the country, also within the framework of the international context on the matter;

b) promotes, on the basis of the directives referred to in Article 2, paragraph 2, the programming and operational planning of the response to cyber crisis situations by the administrations and private operators concerned and the development of the necessary inter-ministerial coordination procedures , in connection with civil defense and civil protection plans, also within the framework of the provisions of article 7-bis, paragraph 5, of decree-law no. 174 of 2015, converted, with amendments, by law n.198 of 2015;

c) promotes and coordinates the conduct of inter-ministerial exercises, or the national participation in international exercises concerning the simulation of cybernetic events in order to increase the resilience of the country;

d) evaluates and promotes, in conjunction with the administrations competent for specific cybersecurity profiles, procedures for sharing information, including with interested private operators, for the purpose of disseminating alerts relating to cyber events and for crisis management;

e) receives, through the CSIRT Italy, communications about cases of breaches or attempts to breach security or loss of integrity significant for the purposes of the correct functioning of networks and services, from DIS, AISE and from 'AISI, by the police forces and, in particular, by the organ of the Ministry of the Interior referred to in article 7-bis of decree-law no. 144 of 2005, converted, with amendments, by law no. 155 of 7 draft 08/06/2021 2005, by the structures of the Ministry of Defense, as well as by the other administrations that make up the Unit and by the CERTs established in accordance with current legislation; j) receives accident notifications from CSIRT Italy in accordance with the provisions in force;

g) evaluates whether the events referred to in letters e) and j) assume such dimensions, intensity or nature that they cannot be dealt with by the individual competent administrations in the ordinary way, but require the taking of coordinated decisions in the inter-ministerial context, providing in this case to promptly inform the President of the Council of Ministers, or the delegated Authority, where established, on the current situation and on the performance of the connection and coordination activities referred to in Article 10, in the composition envisaged therein.

Art.10 (Crisis management involving cybersecurity aspects)

1. In crisis situations involving aspects of cybersecurity, in cases in which the President of the Council of Ministers calls the CISR on the management of the aforementioned crisis situations, the Minister delegated for innovation is called to participate in the meetings of the Committee technology and digital transition and the Director General of the Agency.

2. The Unit ensures support for the CISR and the President of the Council of Ministers, in the matter of cybersecurity, for the aspects relating to the management of crisis situations pursuant to paragraph 1, as well as for the exercise of the powers attributed to the President of the Council ministers, including the preliminary activities and the necessary activation procedures, pursuant to article 5 of the perimeter decree-law.

3. In situations of cyber crises, the Nucleus is integrated, as needed, with a representative, respectively, of the Ministry of Health, the Ministry of Sustainable Infrastructure and Mobility, the Department of Firefighters, Public Rescue and of the civil defense, also representing the Interministerial Technical Commission of Civil Defense, authorized to take decisions that bind their administration. At the meetings, the members may be accompanied by other officials of their administration. Representatives of other administrations, including local ones, and bodies, also authorized to take decisions, and of other public or private subjects that may be interested may be called to participate in the same meetings.

4. It is the task of the Nucleus, in the composition for crisis management, referred to in paragraph 3, to ensure that the reaction and stabilization activities under the responsibility of the various administrations and entities with respect to cyber crisis situations are carried out in a coordinated manner. in accordance with the provisions of article 9, paragraph I, letter b).

5. The Unit, for the performance of its functions and without prejudice to the provisions of article 7-bis, paragraph 5, of decree-law no. 174 of 2015, converted, with amendments, by law no. 198 of 2015:

a) keeps the President of the Council of Ministers, or the delegated Authority, where established, constantly informed on the current crisis, preparing updated points of the situation;

b) ensures coordination for the implementation at inter-ministerial level of the decisions of the President of the Council of Ministers for overcoming the crisis;

c) collects all data relating to the crisis;

d) prepares reports and provides information on the crisis and transmits them to the public and private subjects concerned;

e) participates in the European mechanisms for managing cyber crises, also ensuring links aimed at managing the crisis with the equivalent bodies of other states, NATO, the EU or international organizations of which Italy is a member.

Art.11 (Accounting rules and financial provisions)

1. The President of the Council of Ministers is exclusively responsible for determining the annual requirement of the Agency's financial resources, which he communicates to COPASIR. The annual allocation of financial resources for the Agency is assigned in the estimate of the expenditure of the Ministry of Economy and Finance.

2. The revenues of the Agency consist of:

a) financial endowments and ordinary contributions referred to in article 18 of this decree;

b) fees for services provided to public or private entities;

c) proceeds deriving from the exploitation of industrial property, intellectual property and inventions of the Agency;

d) other capital and operating income;

e) contributions from the European Union or international organizations, also following participation in specific calls, projects and collaboration programs;

f) proceeds from sanctions pursuant to the provisions of article 18, paragraph 3;

g) any other possible income.

3. The accounting regulation of the Agency, which ensures its managerial and accounting autonomy, is adopted by decree of the President of the Council of Ministers, upon proposal by the Director General of the Agency, within one hundred and twenty days from the date of entry into force of the conversion law of this decree, also in derogation from the general accounting rules of the State, also in derogation from article 17 of law no. 400, subject to the opinion of COPASIR and consulted the CICS, subject to verification of accounting regularity by the Board of Auditors and in compliance with the fundamental principles established by them, as well as the following provisions:

a) the budget and the final budget adopted by the Director General of the Agency are approved by decree of the President of the Council of Ministers, following a resolution of the CICS;

b) the budget and final balance are sent to the Court of Auditors for the control of the legality and regularity of the management. The Court of Auditors is competent to check the legitimacy of documents, pursuant to article 3, paragraph 4, of law no. 20;

c) the financial management balance is sent, together with the report of the Court of Auditors, to COPASIR.

4. By regulation adopted by decree of the President of the Council of Ministers, on the proposal of the Director General of the Agency, within one hundred and twenty days from the date of entry into force of the law converting this decree, also by way of derogation from article 17 of law 23 August 1988, n. 400, following the opinion of COPASIR and after hearing the CICS, the procedures for the stipulation of contracts for works contracts and supply of goods and services for the activities of the Agency aimed at protecting national security in the cyber space and for those carried out in connection with the Information System for the security of the Republic referred to in Law no. 124 of 2007, without prejudice to the discipline in compliance with the provisions of article 162 of the code of public contracts relating to works, services and supplies, pursuant to legislative decree no. 50.

Art.12 (Personal)

1. A specific regulation establishes, in compliance with the criteria set out in this decree, the discipline of the contingent of personnel assigned to the Agency. The regulation defines the organization and recruitment of personnel, and the related economic and social security treatment, providing, in particular, for the staff of the Agency an economic treatment equal to that enjoyed by the employees of the Bank of Italy, on the based on the comparability of the functions performed and the level of responsibility held.

2. The regulation determines, within the limits of available financial resources, in particular:

a) the establishment of a staff role and the general regulation of the employment relationship employed by the Agency;

b) the possibility of proceeding, in addition to permanent hires through competition procedures, to fixed-term hires, with private law contracts, of subjects in possession of duly documented high and particular specialization, identified through appropriate selective methods, for the carrying out activities that are absolutely necessary for the Agency's operations or for specific projects to be completed within a set period of time;

c) the possibility of making use of a contingent of experts, not exceeding fifty units, made up of personnel in a position of out of office, command or other similar position, provided for by the legal systems to which they belong, coming from ministries, from other public administrations, or from personnel not belonging to the public administration, in possession of specific and high competence in the field of cybersecurity and innovative digital technologies, in the development and management of complex processes of technological transformation and related communication and dissemination initiatives, as well as significant experience in digital transformation, including the development of large-scale digital programs and platforms. The regulation, for these purposes, governs the methods of formation of the quota and the remuneration due for each professionalism;

d) the determination of the maximum percentage of employees that can be hired [the letter and the limit of no. 50 units];

e) the possibility of employing personnel from the Ministry of Defense, according to terms and procedures to be defined with a specific decree of the President of the Council of Ministers of a non-regulatory nature;

f) the hypothesis of incompatibility;

g) the procedures for carrying out the career within the Agency;

h) the discipline and procedure for the definition of the legal aspects and, limited to any accessory remuneration, economic of the employment relationship of the personnel subject to negotiation with the personnel representatives;

i) the methods of application of the provisions of Legislative Decree 10 February 2005, n. 30, bearing the Industrial Property Code, the intellectual property and inventions of the employees of the Agency;

l) cases of termination of service of staff hired on permanent contracts and cases of early termination of fixed-term relationships.

3. If the recruitments referred to in paragraph 2, letter b) concern permanent university professors or confirmed university researchers, the provisions of article 12 of the decree of the President of the Republic of 11 July 1980, n. 382, also as regards the placement on leave.

4. In the first application of the provisions referred to in this decree, the number of posts envisaged by the staffing plan of the Agency is identified as a total of three hundred units. The regulation identifies which of the provisions contained therein may be subject to revision as a result of the negotiation with the staff representatives.

5. With successive decrees of the President of the Council of Ministers, the organic endowment is redetermined in four hundred and fifty units in 2024, in six hundred units in 2025, in seven hundred units in 2026 and in eight hundred units in 2027.

6. Hiring carried out in violation of the prohibitions provided for by this decree or by the regulation are void, without prejudice to the personal, financial and disciplinary responsibility of the person who ordered them.

7. Without prejudice to the provisions of article 42 of law no. 124 of 2007, the personnel who, in any case, work in the employ of or in favor of the Agency are required, even after the cessation of this activity, to respect the secrecy of what they have become aware of during the exercise or due to their own functions.

8. The regulation referred to in this article is adopted, within one hundred and twenty days from the date of conversion into law of this decree, by decree of the President of the Council of Ministers, also by way of derogation from article 17 of law no. 400, after consulting COPASIR and after consulting CICS.

Art.13 (Treatment of personal data)

1. The processing of personal data carried out for national security purposes in application of this decree is carried out pursuant to article 58, paragraphs 2 and 3, of legislative decree no. 196.

Art. 14 (Annual reports)

1. By 30 April of each year, the President of the Council of Ministers sends Parliament a report on the activity carried out by the Agency in the previous year, in the field of national cybersecurity.

2. By June 30 of each year, the President of the Council of Ministers sends COPASIR a report on the activities carried out in the previous year by the Agency in connection with the Information System for the security of the Republic referred to in Law no. 124 of 2007, as well as in relation to the areas of activity of the Agency subject to the control of the Committee pursuant to this decree.

Art. 15 (Amendments to the NIS legislative decree)

1. The following amendments are made to the NIS legislative decree:

(a) in point (a) of Article 3, the words from: "NIS competent authority" to: "by sector," are replaced by the following: "NIS competent national authority, the single, competent national authority";

b) in article 3, after letter a), the following is inserted: "a-bis) sector authority, the authorities referred to in article 7, paragraph 1, letters a) to e)";

c) in Article 4, paragraph 6 is replaced by the following: “6. The list of essential service operators identified pursuant to paragraph 1 is reviewed and, if necessary, updated on a regular basis, and at least every two years after 9 May 2018, in the following ways: a) sector authorities, in relation to the areas of competence, propose changes to the list of operators of essential services to the competent national authority NIS, according to the criteria referred to in paragraphs 2 and 3; b) the proposals are evaluated by the competent national authority NIS which, with its own provisions, changes the list of operators of essential services, notifying the sector authorities in relation to the areas of competence. ";

d) in Article 6, in the heading, the words: "cyber security" are replaced by the following: "cybersecurity"; in paragraphs 1, 2 and 3, the words: "cyber security" are replaced by the following: "and cybersecurity"; in paragraph 4, the words: "The Presidency of the Council of Ministers" are replaced by the following: "The Cybersecurity Agency" and the words: "cyber security" are replaced by the following: "cybersecurity";

(e) Article 7 is replaced by the following:

"Art. 7 (National competent authority and single point of contact)

1. The National Cybersecurity Agency shall be designated as the NIS competent national authority for the sectors and subsectors listed in Annex II and for the services listed in Annex III. The following are designated as sector authorities:

a) the Ministry of Economic Development, for the digital infrastructure sector, subsectors IXP, DNS, TLD, as well as for digital services;

b) the Ministry of Sustainable Infrastructure and Mobility, for the transport sector, air, rail, water and road subsectors;

c) the Ministry of Economy and Finance, for the banking sector and for the infrastructure sector of the financial markets, in collaboration with the supervisory authorities of the sector, the Bank of Italy and Consob, according to methods of collaboration and exchange of information established by decree of the Minister of Economy and Finance;

d) the Ministry of Health, for health care activities, as defined by article 3, paragraph 1, letter a), of Legislative Decree no. 38, provided by operators employed or appointed by the same Ministry or affiliated with it, and the Regions and autonomous Provinces of Trento and Bolzano, directly or through the territorially competent health authorities, for the health assistance activities provided by the operators authorized and accredited by the Regions or autonomous Provinces in the territorial areas of their respective competence;

e) the Ministry of Ecological Transition for the energy sector, electricity, gas and oil subsectors;

f) the Ministry of Ecological Transition and the Regions and Autonomous Provinces of Trento and Bolzano, directly or through the territorially competent Authorities, with regard to the supply and distribution of drinking water.

2. The competent national authority NIS is responsible for the implementation of this decree with regard to the sectors referred to in Annex II and the services referred to in Annex III and supervises the application of this decree at national level, also exercising the related inspection and sanctioning powers.

3. The National Cybersecurity Agency is designated as the single point of contact for the security of networks and information systems.

4. The single point of contact shall act as a liaison to ensure the cross-border cooperation of the NIS competent national authority with the competent authorities of other Member States, as well as with the cooperation group referred to in Article 10 and the network of CSIRTs of referred to in Article 11.

5. The single point of contact collaborates in the cooperation group effectively, efficiently and securely with the representatives designated by the other States.

6. The competent national authority NIS and the single contact point consult, in accordance with current legislation, the law enforcement authority and the Guarantor for the protection of personal data and collaborate with them.

7. The Presidency of the Council of Ministers shall promptly notify the European Commission of the designation of the single contact point and that of the competent national authority NIS, the relative tasks and any further changes. Appropriate forms of advertising are ensured for the designations.

8. The charges deriving from this article equal to 1,300,000 euros starting from 2018, will be provided pursuant to article 22. ";

f) in Article 8, paragraph I, the words from: "the Presidency" to: "security" are replaced by: "the National Cybersecurity Agency";

g) Article 9, paragraph I, is replaced by the following

1. The sector authorities collaborate with the competent national authority NIS for the fulfillment of the obligations referred to in this decree. To this end, a technical liaison committee has been set up at the National Cybersecurity Agency. The Committee is chaired by the competent national authority NIS and is composed of the representatives of the state administrations identified as sector authorities and of representatives of the Regions and Autonomous Provinces in a number not exceeding two, designated by the Regions and Autonomous Provinces in the Permanent Conference for relations between the state, the regions and the autonomous provinces of Trento and Bolzano. The organization of the Committee is defined by decree of the President of the Council of Ministers, of a non-regulatory nature, after consultation with the Unified Conference. No attendance fees, fees or reimbursement of expenses are envisaged for participation in the Technical Linking Committee. ";

h) in article 12, paragraph 5, the words from: “and, for information,” to: “NIS,” are deleted;

i) in article 14, paragraph 4, the words from: “and, for information,” to: “NIS,” are deleted;

l) in Article 19, paragraph 1, the words: "by the competent NIS authorities" are replaced by the following: "by the competent national NIS authority";

m) in article 19, paragraph 2 is deleted;

n) in Article 20, paragraph 1, the words from: "The competent NIS authorities" to: "are competent" are replaced by: "The competent national NIS authority is competent";

o) in Annex I:

1) in point 1, the following is added after letter d): "e) CSIRT Italia conforms its services and activities to internationally recognized best practices in the field of prevention, management and response to cybernetic events" ;

2) in point 2, letter e), after the word: "standardized" the following is inserted: ", according to internationally recognized best practices,".

2. In the NIS legislative decree:

a) any reference to the Ministry of Economic Development, wherever it occurs, must be understood as referring to the National Cybersecurity Agency, except for the provisions referred to in Article 7, paragraph 1, letter a), of the same legislative decree;

b) any reference to the DIS, wherever it occurs, must be understood as referring to the National Cybersecurity Agency;

c) any reference to the competent NIS authorities, wherever it occurs, must be understood as referring to the competent NIS national authority, except for the provisions referred to in Article 5, paragraph 1, of the same legislative decree;

d) in Article 5, paragraph 1, paragraph, the words: "the competent NIS authorities" are replaced by the following: "the competent national NIS authority and the sector authorities";

e) in Articles 6 and 12, the words: "Interministerial Committee for the Security of the Republic (CISR)" are replaced by the following: "Interministerial Committee for Cybersecurity (CICS)".

Art. 16 (Other amendments)

1. In article 3, paragraph I-bis, of law no. 124 of 2007, after the words: “of this law” the following are added: “and in the matter of cybersecurity”.

2. In article 38 of law no. 124 of 2007, paragraph I-bis is repealed.

3. The name: “CSIRT Italia” replaces, for all purposes and wherever present in legislative and regulatory provisions, the name: “CSIRT Italiano”.

4. In the perimeter decree-law, the words: "Interministerial Committee for the Security of the Republic (CISR)" and "CISR", wherever they occur, are respectively replaced by the following: "Interministerial Committee for Cybersecurity (CICS)" and "CICS" , except for the provisions of article 5 of the same decree-law.

5. In the perimeter decree-law, any reference to the Security Information Department, or to the DIS, wherever it occurs, is to be understood as referring to the National Cybersecurity Agency.

6. In the perimeter decree-law, any reference to the Ministry of Economic Development and the Presidency of the Council of Ministers, wherever it occurs, is to be understood as referring to the National Cybersecurity Agency.

7. In the provisions of a regulatory and administrative nature whose adoption is provided for in Article 1 of the perimeter decree-law, any reference to the CJSR and the DIS must be understood as referring respectively to the CICS and the National Cybersecurity Agency.

8. In the provisions of a regulatory and administrative nature the adoption of which is provided for in Article 1 of the perimeter decree-law, any reference to the Ministry of Economic Development and the structure of the Presidency of the Council of Ministers responsible for technological innovation and digitization, wherever recurs, must be understood as referring to the National Cybersecurity Agency, with the exception of the provisions referred to in Articles 3 of the Prime Minister's Decree no. 131 of 2020.

9. The following changes are made to the perimeter decree-law: a) to article 1, paragraph 6, letter a), after the words "also in relation to the area of ​​use", the following sentence is added: "The obligation of communication referred to in this letter is effective from the thirtieth day following the publication in the Official Gazette of the Italian Republic of the decree of the President of the Council of Ministers which, after consulting the National Cybersecurity Agency, certifies the operation of the CVCN and in any case from 30 June 2022. ";

b) in article 3, paragraph 2 is repealed;

c) from the date on which the disclosure obligation governed by the previous letter a), article 3 becomes effective:

1) paragraph I is replaced by the following: “1. The subjects who intend to proceed with the acquisition, for any reason, of goods, services and components referred to in article i-bis, paragraph 2, of the decree-law of 15 March 2012, n. 21, converted, with modifications, by law 11 May 2012, n. 56, are obliged to make the communication referred to in Article 1, paragraph 6, letter a), in order to carry out the security checks by the CVCN on the basis of the procedures, methods and terms provided for by the implementation regulation. Article 1, paragraph 6, letter b) applies to suppliers of the aforementioned goods, services and components. ";

2) paragraph 3 is repealed;

10. Starting from the date on which the communication obligation governed by paragraph 9, letter a), of the decree-law of 15 March 2012, n. 21, converted, with modifications, by law 11 May 2012, n. 56, paragraph 3-bis of article 1-bis is replaced by the following: "Within ten days of the conclusion of a contract or agreement referred to in paragraph 2, the company that has acquired, for any reason, the goods or services referred to in the same paragraph, it notifies the Presidency of the Council of Ministers a complete report, also containing the communication from the National Assessment and Certification Center (CVCN), regarding the outcome of the assessment and any requirements, in order to allow any exercise of the power of veto or the imposition of specific prescriptions or conditions. If the contract was stipulated prior to the conclusion of the tests imposed by the CVCN, the term referred to in the first period starts from the communication of the positive outcome of the evaluation carried out by the CVCN Within 30 days of notification, the President of the Council of Ministers communicates any veto or the imposition of specific prescriptions or conditions. Special powers are exercised in the form of the imposition of specific prescriptions or conditions whenever this is sufficient to ensure the protection of the essential interests of defense and national security. Once the aforementioned terms have elapsed, the special powers are intended not to be exercised. If it becomes necessary to request information from the purchaser, this term is suspended, for one time only, until the requested information is received, which is made within ten days. If it becomes necessary to formulate preliminary inquiries to third parties, the aforementioned term of thirty days is suspended, for one time only, until the requested information is received, which is made within the term of twenty days. Requests for information and inquiries to third parties subsequent to the first do not suspend the terms. In case of incompleteness of the notification, the thirty-day term provided for in this paragraph starts from the receipt of the information or the elements that integrate it. Without prejudice to the provisions regarding sanctions in this paragraph, in the event that the notifying company has begun the execution of the contract or agreement subject to notification before the deadline for the exercise of special powers has elapsed, or has executed the contract or agreement in violation of the decree for the exercise of special powers, the Government may order the company to restore the previous situation at its own expense. Unless the fact constitutes a crime, anyone who fails to comply with the notification obligations referred to in this article or the provisions contained in the provision for the exercise of special powers is subject to a pecuniary administrative sanction up to 150 percent of the value of the transaction and in any case not lower. 25 per cent of the same value. In cases of violation of the notification obligations referred to in this article, even in the absence of notification, the Presidency of the Council of Ministers may initiate the procedure for the purpose of the possible exercise of special powers. For this purpose, the terms and procedural rules provided for in this paragraph apply. The term of thirty days referred to in this paragraph starts from the conclusion of the procedure for ascertaining the violation of the obligation to notify ".

11. In article 135 of the legislative decree 2 July 2010, n. 104, after letter h), the following is added: "h-bis) disputes concerning the provisions of the National Cybersecurity Agency;".

12. To the law of 22 April 2021, n. 53, the following changes are made:

a) to article 4, paragraph 1, letter b), the following are added after the words: "Ministry of Economic Development": "and the National Cybersecurity Agency";

b) in Article 18, any reference to the Ministry of Economic Development, wherever it occurs, must be understood as referring to the National Cybersecurity Agency.

13. In article 33-septies, paragraph 4, of the decree-law no. 179, converted, with amendments, by law 17 December 2012, n. 221, the words: “The AgID” are replaced by the following: “The National Cybersecurity Agency”.

14. In the legislative decree of 1 August 2003, n. 259, the following changes are made:

a) in articles 16-bis and 16-ter, any reference to the Ministry of Economic Development, wherever it occurs, must be understood as referring to the National Cybersecurity Agency;

b) in article 16-ter, paragraph 1, the words: "Minister of Economic Development" are replaced by the following: "President of the Council of Ministers";

c) in article 16-ter, paragraph 2, letter b), the words: "in collaboration with the territorial inspectorates of the Ministry of Economic Development," are deleted.

Art. 17 (Transitional and final provisions)

1. In order to carry out the inspection functions, ascertain violations and impose sanctions, referred to in Article 7, the Agency may provide, as well as with its own staff, with the help of the central body of the Ministry of internal for the security and regularity of telecommunication services referred to in article 7-bis of the decree-law 27 July 2005, n. 144, converted, with modifications, by law 31 July 2005, n. 155.

2. For the performance of the functions relating to the implementation and control of the execution of the measures taken by the President of the Council of Ministers pursuant to article 5 of the perimeter decree-law, the Agency shall provide with the assistance of central body of the Ministry of the Interior for security and for the regularity of telecommunication services referred to in article 7-bis of the decree-law of 27 July 2005, n. 144, converted, with modifications, by law 31 July 2005, n. 155.

3. Il personale dell'Agenzia, nello svolgimento delle funzioni ispettive, di accertamento delle violazioni e di irrogazione delle sanzioni, di cui all'articolo 7, nonché delle funzioni relative all'attuazione e al controllo dell'esecuzione dei provvedimenti assunti da parte del Presidente del Consiglio dei ministri ai sensi dell'articolo 5 del decreto-legge perimetro, riveste la qualifica di pubblico ufficiale.

4. Il personale dell'Agenzia addetto al CSIRT Italia, nello svolgimento delle proprie funzioni, riveste la qualifica di pubblico ufficiale. La trasmissione delle notifiche di incidente ricevute dal CSIRT Italia all'organo centrale del Ministero dell'interno per la sicurezza e per la regolarità dei servizi di telecomunicazione di cui all'articolo 7-bis del decreto-legge 27 luglio 2005, n. 144, convertito, con modificazioni, dalla legge 31 luglio 2005, n. I 55, costituisce adempimento dell'obbligo di cui all'articolo 33 I del codice di procedura penale.

5. Con uno o più decreti del Presidente del Consiglio dei ministri di natura non regolamentare, da adottare entro centottanta giorni dalla data di entrata in vigore della legge di conversione del presente decreto, sono definiti i termini e le modalità:

a) per assicurare la prima operatività dell'Agenzia, mediante l'individuazione di appositi spazi, in via transitoria e per un massimo di ventiquattro mesi, secondo opportune intese con le amministrazioni interessate, per l'attuazione delle disposizioni del presente decreto;

b) per il trasferimento, anche mediante opportune intese con le amministrazioni interessate, delle funzioni di cui all'articolo 7, nonché per il trasferimento dei beni strumentali e della documentazione, anche di natura classificata, per l'attuazione delle disposizioni del presente decreto.

6. In relazione al trasferimento delle funzioni di cui all'articolo 7, comma 1, lettera m dall'AgID all'Agenzia, i decreti di cui al comma 5 definiscono, altresì, i raccordi tra le due amministrazioni, per le funzioni che restano di competenza di AgID.

7. Dalla data di nomina del direttore generale dell'Agenzia e fino all'adozione dei regolamenti di cui all'articolo 11 , commi 3 e 5, alle spese occorrenti per assicurare la prima operatività dell'Agenzia provvede il DIS, nell'ambito delle risorse destinate all'Agenzia. Entro 90 giorni dall'approvazione dei regolamenti di cui all'articolo 11 , commi 3 e 5, delle spese effettuate ai sensi del presente comma, il Presidente del Consiglio dei ministri ne dà informazione al COPASIR.

8. In sede di prima applicazione delle disposizioni di cui al presente decreto e per un periodo massimo di diciotto mesi dalla data di conversione in legge, l'Agenzia si avvale di un nucleo di personale, non superiore al 30 per cento della dotazione organica complessiva iniziale, di unità appartenenti al Ministero dello sviluppo economico, all'Agenzia per l'Italia digitale, al DIS, ad altre pubbliche amministrazioni e ad autorità indipendenti, messo a disposizione dell'Agenzia stessa su specifica richiesta, anche nominativa, e secondo modalità individuate mediante intese con le rispettive amministrazioni di appartenenza. Il relativo onere resta a carico dell'amministrazione di appartenenza.

9. Il regolamento di cui all 'articolo 12, comma I , prevede apposite modalità selettive per l'nquadramento, nella misura massima del 50 per cento della dotazione organica complessiva, del personale di cui al comma 8 e del personale di cui all'articolo 12, comma 2, lettera b), ove già appartenente alla pubblica amministrazione, nel contingente di personale addetto all'Agenzia di cui al medesimo articolo 12, che tengano conto delle mansioni svolte e degli incarichi ricoperti durante il periodo di servizio presso l'Agenzia, nonché delle competenze possedute e dei requisiti di professionalità ed esperienza richiesti per le specifiche posizioni. Gli inquadramenti conseguenti alle procedure selettive di cui al presente comma, relative al personale di cui al comma 8, decorrono dal 30 settembre 2022.

10. LìAgenzia può avvalersi del patrocinio dell'Avvocatura dello Stato, ai sensi dell'rticolo 43 del testo unico approvato con regio decreto 30 ottobre 1933, n. 1611.

Art.18 (Copertura finanziaria)

[MEF]

All'onere derivante dall'applicazione del presente decreto, valutato in euro … per l'anno 2021 , euro … per l'anno 2022 ed euro … a decorrere dall'anno 2022, si provvede a valere sul Fondo di cui all'art .. ..

2. Il Ministro dell'economia e delle finanze è autorizzato ad apportare, con propri decreti, le occorrenti variazioni di bilancio per l'attuazione del presente decreto.

3. I proventi delle sanzioni irrogate dall'Agenzia ai sensi di quanto previsto dal decreto legislativo NIS, dal decreto-legge perimetro e dal decreto legislativo 1° agosto 2003 , n. 259, e relative disposizioni attuative, sono versati al Fondo di cui al comma 1 del presente articolo.

Art. 19 (Entrata in vigore)

1. Il presente decreto entra in vigore il giorno successivo a quello della sua pubblicazione nella Gazzetta Ufficiale della Repubblica italiana e sarà presentato alle Camere per la conversione in legge. Il presente decreto, munito del sigillo dello Stato, sarà inserito nella Raccolta ufficiale degli atti normativi della Repubblica italiana. È fatto obbligo a chiunque spetti di osservarlo e di farlo osservare.

---

This is a machine translation from Italian language of a post published on Start Magazine at the URL https://www.startmag.it/mondo/tutto-sullagenzia-per-la-cybersicurezza-nazionale-acn-che-cosa-prevede-il-decreto/ on Thu, 10 Jun 2021 09:22:21 +0000.