Back

Italy


            Status regarding Budapest Convention
Last updated : 14/05/2020

Status regarding Budapest Convention

Status : Party Signed : 23/11/2001 Ratified / acceded : 05/06/2008 See legal profile

Cybercrime policies/strategies

The Italian Cyber Security Action Plan has been implemented since 01/03/2017.The document sets out the operational guidelines and actions to be executed in order to implement the National Strategic Framework for Cyberspace Security.

In February 2017 a new and updated decree further reinforced the role assigned to the Interministerial Committee for the Security of the Republic providing guidelines to increase the level of cyberspace security in the country.

Ever since 2013 steps had been taken on cybersecurity by adopting a decree of the President of the Council of Ministers of 2013 and drawing up a National Strategic Framework for Cyberspace Security and a National Plan for Cyberspace Protection and ICT Security

Objectives of the national strategy are:

  • Obj. 1 - Enhancing technical, operational and analytic expertise of all concerned stakeholders and institutions through a joint effort and a coordinated approach.
  • Obj 2 - Strengthening capabilities to protect national critical infrastructures and strategic assets and stakeholders.
  • Obj 3 - Facilitating public-private partnerships.
  • Obj 4 - Promoting and encouraging a Culture of Cybersecurity.
  • Obj 5 - Reinforcing capabilities to counteract online criminal activities, malicious and illegal activities.
  • Ojb. 6 - Strengthening of international cooperation.

To achieve the above guideline the Italian Government has identified eleven operational guidelines:

  • Act. 1 - Enhance the expertise of the intelligence community.
  • Act. 2 - Identify the Network and Information Security (NIS) Authority that will engage at the European level.
  • Act. 3 - Develop a widely shared cyber taxonomy and promote a common understanding of cybersecurity terms and concepts.
  • Act. 4 - Foster Italy’s participation in international initiatives to enhance cybersecurity.
  • Act. 5 - Attaining the full operational capability of the National Computer Emergency Response Team.
  • Act. 6 - Legislative and compliance with international obligations.
  • Act. 7 - Compliance with standards and security protocols.
  • Act. 8 - Support for industrial and technological development.
  • Act. 9 - Strategic communication.
  • Act. 10 - Allocation of adequate human, financial, technological and logistic resources to the strategic sectors of the Public Administration.
  • Act. 11 - Implementation of a national system of information risk managemen

(Source: https://www.cyberwiser.eu/italy-it)

Specialised institutions

The Ministerial Decree of 28 April 2008 has set out specific investigative areas of competence in this field for the Post and Communications Police, i.e.:

  • ensuring, at a general level, the integrity and functionality of the computer network, including the protection of critical computerised infrastructures, the prevention of, and fight against, computer attacks to the domestic strategic structures, and the security and regularity of telecommunications services;
  • the fight against on line child pornography;
  • intelligence activity for the prevention of, and fight against, the use and forgery of means of payment; this sector has a direct impact on e-commerce and the focus of special units’ investigations is on software or hardware technologies that are used to capture, reproduce and make use of identities, payment codes and cards in electronic transactions.

Recently, under Article 2 of Decree Law of 18 February 2015 no. 7, converted with amendments into Law no. 43 of 17 April 2015, the role of the Post and Communications Police has been reinforced in the prevention of, and fight against, terrorism including on the Internet.

As to the regulation and supervision of Italian telecommunications companies, the competent authority is the Ministry of Economic Development.

As far as the protection of personal data is concerned, the Italian Data Protection Authority has been set up by Law no. 675 of 31 December 1996 (transposing Directive 95/46/EC into the Italian legal system). This is an independent administrative authority whose powers are set forth at present by the Code on the protection of personal data.

With respect to on line copyright, since 2013 under the “Regulation on the protection of copyright on electronic communications networks and implementing procedures pursuant to Legislative Decree no. 70 of 9 April 2003” the Authority for safeguarding communications (AGCOM) shall have some powers to take action for prevention purposes.

 

Italy has also several Computer Emergency Response Teams (CERTs) covering the public and private sectors as well as citizens.

The Italian national CERT - CERT Nazionale (in Italian) is based on a public-private collaboration on cybersecurity for citizens and companies. It is responsible for raising awareness, and helping to prevent and coordinate cyber incidents on a large scale.

GARR-CERT provides support for the Italian Academic and Research Network, working to reduce the risk of computer security incidents. (in Italian; English).

CERT PA (part of the government agency for Digital Italy) is responsible for computer security incidents in public administration. (in Italian).

CERT Posteitaliane is a private structure within the Poste Italiane Group, providing services for security specialists, large organisations, clients, and consumers. (in Italian; in English).

(Source: https://www.cyberwiser.eu/italy-it)

Jurisprudence/case law

  • Court of Cassation sitting en banc, judgment no. 26889 of 28/04/2016 (filed on 01/07/2016) Rv. 266905

The interception of communications between persons present by installing a computerised sensor in electronic devices is only admitted in proceedings for organised crime offences in respect of which Article 13 of Decree Law no. 151 of 1991, converted into Law no. 203 of 1991, shall apply; under this provision communications may also be captured in private premises and a prior identification and indication of such places is not required and there is no need to prove that criminal activities are being carried out there. (In the grounds for the decision the Court pointed out that, due to the invasive force of the means used, the legal classification of the offence, which is covered by the notion of organised crime, shall be anchored to sufficient, reliable and objective circumstantial evidence as rigorously highlighted in the grounds underlying the authorisation order).

  • Court of Cassation sitting en banc, judgment no. 17325 of 26/03/2015 (filed on 24/04/2015) Rv. 263020

As to the abusive access to a computer or electronic system, the place of commission of the offence under Article 615-ter of the Criminal Code coincides with the place where the user is located and, through an electronic processor or other automated data processing devices and by dialling a "keyword" or going through the authentication process, he/she bypasses the security measures put in place by the owner to select access procedures and protect the databanks stored in the central system, or he/she remains there and exceeds the limitations of the authorisation he/she has been granted. (In the grounds for the decision the Court pointed out that the electronic system for processing data that are shared by more than one desk is a single one and, due to its capacity to make information available on an equal basis for all authorised users, relevance will be given to the place where the remote device is located from which access is made rather than the place where the central processor is located).

  • Court of Cassation sitting en banc, judgment no. 4694 of 27/10/2011 (filed on 07/02/2012) Rv. 251269

Whoever, even though duly authorised, accesses, or remains in, a protected computer or electronic system in violation of the conditions and limitations as prescribed by the owner of the system to actually limit access thereto shall be held liable of an offence under Article 615 ter of the Criminal Code; for this action to constitute an offence, the purpose and aim motivating the person to access the system are irrelevant.

(to consult the Electronic Documentation Centre – CED – of the Court of Cassation: http://www.italgiure.giustizia.it/index_it.asp?lang=en&. Restricted access only)


Tools on Cybercrime & Electronic Evidence Empowering You!

These profiles do not necessarily reflect official positions of the States covered or of the Council of Europe. 

Contribute Contribute

  Are you aware of the latest legislative or policy developments on cybercrime and electronic evidence?

  Share this information with us helping to keep this platform up to date.

Useful links Useful links