Stefano Mele is a partner at Gianni & Origoni, a law firm in Rome, Italy, and is the Chair of the firm’s Cybersecurity and Space Law practice. Stefano joins us on A Little Privacy, Please!® to discuss cybersecurity in the EU beyond the GDPR.
Those of us in the US who practice in the privacy and cybersecurity space are familiar with the GDPR. What other European cybersecurity regulations should American companies be aware of?
There is an impressive number of European Union regulations about cybersecurity.
NIS Directive One in 2018 was the first European Union cybersecurity regulation. NIS2 Directive entered into force on January 17, 2023, and is a key evolution of NIS Directive One, broadening its scope and trying to align provisions throughout European Union member states. NIS2 has strengthened the security requirements of the supply chain, reporting obligations about cyber incidents, and introduced stronger supervisory measures and stricter enforcement requirements, including consistent sanctions around the European Union.
We also have the Digital Operational Resilience Act (DORA) regulation for financial institutions and operators. DORA entered into force on January 17, 2023, and imposes rules for the protection, detection, containment, recovery, and repair capabilities against Information and Communication Technologies (ICT)-related incidents. DORA explicitly refers to ICT risk and sets rules on ICT risk management, incident reporting, operational resilience testing, and ICT third-party risk monitoring.
We also have the EU Cyber Resilience Act and EU Cyber Security Act. The Cyber Security Act creates a certification framework for products and services sold within European Union boundaries. The Cyber Resilience Act, which is still a proposal within the European Union Legislature, will likely introduce security requirements for software and hardware producers.
What are some privacy or cybersecurity laws for Italian businesses or businesses doing business in Italy?
The Italian National Cyber Security Perimeter Regulation (Perimeter Law) can affect US hardware and software manufacturers. That is because companies and public administrations within the National Cyber Security Perimeter must abide by specific security requirements, including the local hosting of ICT assets essential to perform functions and services relevant to Italian national security.
The Perimeter Law is focused on Italian national security, whereas NIS2 is focused on the resilience of the supply chain and essential services for European Union citizens.
Public entities and companies in the EU can no longer select a vendor solely based on the most economical choice or cutting-edge technology. They must now check security levels and warranties the vendor can provide. That is why it is important, in my opinion, for United States companies to understand the security requirements of Italian Cyber Security Perimeter laws.
Tell us more about the launch of the Gianni & Origoni space law economics practice.
Some of the ways we are approaching space economy law are:
- Space-to-space, space-to-Earth, and Earth-to-space cyberattacks
- Insurance policies for space risk
- Litigation related to launch debris
- The extraction of raw materials and rare leads from other planets