**"Cyber Security 2025: The Regulatory Revolution for Italian Public Administrations"**

# Cyber Security in 2025: A New Beginning for Public Administration

2025 represents a crucial year for public administrations and private organizations, particularly for those who must comply with the obligations set forth by recent Italian and European regulations on cyber security. As this date approaches, it is essential to understand the legislative context and the ways in which institutions must adapt to ensure an adequate level of protection against cyber threats.

## Key Regulations: Law No. 90 of 2024 and Legislative Decree No. 138/24

At the center of this new regulatory landscape are two fundamental instruments: Law No. 90 of 2024, which establishes provisions to strengthen national cyber security and address cyber crimes, and Legislative Decree No. 138/24, which implements the NIS 2 directive, designed to ensure a high level of cyber security within the European Union. These regulations not only impose specific obligations but also aim to promote a culture of security and information protection within public administrations.

### Objectives of the Regulations

The primary objective of these regulations is to enhance the ability of public administrations to prevent, manage, and respond to cyber incidents. This implies proper cyber risk management and continuous preparation for emerging threats.

## Common Areas of Intervention

Although the two regulatory texts have differences in details, there are some fundamental common areas of intervention that administrations must consider:

### Incident Reporting

One of the central points is the obligation to report cyber incidents. Both Law No. 90 of 2024 and Legislative Decree No. 138/24 require an initial notification within 24 hours of identifying an incident, followed by a more detailed report within 72 hours. This timing is crucial to ensure a rapid and appropriate response to harmful events.

### Definition of Cyber Incident

Both regulations provide definitions and criteria for classifying cyber incidents. Law No. 90 relies on external references for its incident taxonomy, while the NIS 2 Decree offers a clear and articulated definition, setting out the specific requirements under which an incident counts as significant and must be reported.

## Governance and Cyber Risk Management

Strengthening governance and cyber risk management is another central aspect. Both regulatory texts emphasize the need to designate cyber security officials within administrations. Law No. 90, in particular, requires the creation of a dedicated risk management structure that must actively monitor security measures.

Providing a framework for risk management is essential not only to ensure compliance with regulations but also to promote a culture of cyber security that permeates the entire organization.

## The Role of Procurement

The public procurement sector plays a significant role in ensuring a secure environment. Law No. 90 of 2024 establishes special requirements for public contracts related to IT goods and services, emphasizing information security and the identification of suppliers that meet appropriate security criteria.

Similarly, the NIS 2 Decree requires that risk management measures be adopted throughout the supply chain. This focus is crucial to ensure that a vulnerability in one supplier does not propagate across the supply chain and compromise the organization's ability to respond to and recover from threats.

## A Common Compliance Model

The emergence of a common compliance model that integrates the requirements of national and European regulations is essential. Public administrations can benefit from a systemic approach that combines compliance with national regulations and those of the European Union. This implies not only fulfilling regulatory obligations but also promoting a culture of information sharing regarding cyber security.