
NIS 2 ENTERS INTO FORCE IN ITALY: LEARN WHAT YOU NEED TO DO

After a long wait, EU directive 2022/2555 (the “NIS 2 Directive”), which aims at achieving a common level of cybersecurity across member states, has finally been implemented in Italy by legislative decree 138/2024 (the “Legislative decree”).

The Legislative decree will apply starting from today, October 18, 2024.

Who are the actors involved?

The new regulation applies to economic operators that:

• exceed the thresholds provided for small enterprises (i.e., more than 50 employees and an annual turnover/balance sheet of more than Euro 10 million);
• are subject to Italian jurisdiction.

It is important to note that certain operators identified as critical subjects (according to decree 134/2024, implementing EU directive 2022/2557 on critical subjects) are subject to the Legislative decree even if they do not exceed the size thresholds mentioned above. Among them are several operators in the healthcare field, such as:

• Healthcare providers;
• Subjects carrying out research and development on medicines;
• Manufacturers of basic pharmaceutical products and pharmaceutical preparations;
• Manufacturers of medical devices considered critical in case of a public health emergency;
• Wholesale distributors of medicinal products.

What are the deadlines at this early stage?

• All operators active in Italy must carry out an assessment to understand whether they fall within the scope of the Legislative decree;
• From 1 January to 28 February of each year (starting from 2025), economic operators subject to the Legislative decree must register or update their registration on the digital platform managed by the National Cybersecurity Agency (“NCA”), providing a set of information such as the company mission, address and contact information;
• By 31 March of each year (starting from 2025), the NCA will draft a list identifying the so-called “essential and important subjects” following the criteria of Article 6 of the Legislative decree;
• From 15 April to 31 May of each year (starting from 2025), the subjects identified as essential or important should provide further information, such as IP addresses, domain names, the EU Member States where the service is provided, the name of the legal representative, etc.

What will happen after this first phase?

After this first phase, a new set of obligations will progressively come into force, such as:

• The obligation for essential and important subjects to implement technical measures to ensure the security of the information and network systems they use (within 18 months from the communication that they are considered an essential or important subject);
• The duty for essential and important subjects to notify the Computer Security Incident Response Team – Italy (“CSIRT Italy”) of each incident that can impact service delivery (within 9 months from the communication that they are considered an essential or important subject).

How to proceed in these first months?

It is key for all economic operators operating in Italy to carry out, before February 28, 2025, an assessment to understand whether they fall within the scope of application of the Legislative decree and, if so, to act accordingly.

Your Face at the Airport: the EDPB Weighs in on Face Boarding

As you wander around an airport waiting to travel for the summer, you may notice that your image is captured by various devices. This process, known as facial recognition or “face boarding”, has recently been the subject of an opinion by the EDPB (https://www.edpb.europa.eu/edpb_it): opinion no. 11/2024, issued pursuant to article 64 of the GDPR (https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-112024-use-facial-recognition-streamline_en), on the processing of data obtained in airports using facial recognition to streamline passenger flow.

The EDPB assessed the compatibility of such data processing with:

• article 5(1)(e) and (f) of the GDPR on storage limitation and on integrity and confidentiality;
• article 25 of the GDPR on privacy by design and privacy by default;
• article 32 of the GDPR on security of processing.

The opinion takes into account four different scenarios:

• Scenario 1: storage of an enrolled biometric template (a set of biometric features stored for future authentication purposes) only in the hands of the passenger.

Enrolment consists in recording, by each passenger who has consented to such processing, the biometric template and the ID necessary for the processing on the passenger’s device. Neither the passenger’s ID nor their biometric data are retained by the airport operator after the enrolment process.

The passenger is authenticated when going through specific checkpoints at the airport (equipped with QR scanners and cameras) through a QR code produced by the passenger’s device, where the biometric template is stored.

The EDPB opinion concludes that such processing could in principle be considered compatible with articles 5(1)(f), 25 and 32 of the GDPR (nonetheless, appropriate safeguards must be implemented, including an impact assessment).

• Scenario 2: centralized storage of an enrolled biometric template in encrypted form, in a database within the airport premises, with the key solely in the passenger’s hands.

The enrolment is controlled by the airport operator and consists in generating an ID and biometric data that are encrypted with a key/secret. The database is stored within the airport premises, under the control of the airport operator. Individual-specific encryption keys/secrets are stored only on the individual’s device.

Passengers are authenticated when going through specific checkpoints, equipped with a control pod, a QR scanner and a camera. The passenger’s data are sent to the database to request the encrypted template, which is then checked locally on the pod and/or the user’s device.

The opinion concludes that such processing could in principle be considered compatible with articles 5(1)(e) and (f), 25 and 32 of the GDPR, subject to appropriate safeguards. In fact, the intrusiveness of such processing through a centralized system can be counterbalanced by the involvement of the passengers, who retain control of the key to their encrypted data.

• Scenario 3: centralized storage of an enrolled biometric template in a database within the airport, under the control of the airport operator; and Scenario 4: centralized storage of an enrolled biometric template in a cloud, under the control of the airline company or its cloud service provider.

The enrolment is done either remotely or at airport terminals.

At the airport, passengers go through dedicated control pods equipped with a camera. Biometric data is sent to the centralized database or to the cloud server, where the matching of the data is processed. The biometric matching is only performed when the passengers present themselves at pre-defined control points at the airport, but the data processing itself is done in the cloud or in centralized databases.

The EDPB considers that the use of biometric data for identification purposes in large central databases, as in Scenarios 3 and 4, interferes with the fundamental rights of data subjects and could entail serious consequences. As such, Scenarios 3 and 4 are not compatible with article 25 of the GDPR because they imply searching for passengers within a central database by processing each biometric sample captured. Also, taking into account the state of the art, the measures envisaged in such Scenarios would not ensure an appropriate level of security under article 5(1)(f) of the GDPR.

In conclusion, the EDPB regards with suspicion the processing (through a matching-and-authenticating process) of passengers’ biometric templates when it happens in centralized storage (databases or clouds). The EDPB considers that this increases the risks to the security of the data, requires the processing of much more data and does not leave passengers in control of their data.
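As an added illustration (not part of the EDPB opinion or this post), the following Python sketch simulates the data flows of Scenario 2 and Scenario 3: in both the operator holds a central database, but in Scenario 2 each passenger's key never leaves the device, so the operator can only perform the 1:1 check at the pod and cannot run the 1:N search over all passengers that Scenario 3 makes trivial. The cipher, the matcher, the tolerance value and the passenger records are constructed toy stand-ins, not a real biometric system.

```python
import hashlib
import hmac
import secrets

TOLERANCE = 16  # constructed matching threshold on the toy feature vectors below

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256; a stand-in for a real AEAD cipher."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:length]

def encrypt(key: bytes, template: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(template, _keystream(key, nonce, len(template))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered template")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def matches(template: bytes, live_capture: bytes) -> bool:
    """Toy biometric matcher: total per-feature distance within TOLERANCE."""
    return (len(template) == len(live_capture)
            and sum(abs(a - b) for a, b in zip(template, live_capture)) <= TOLERANCE)

class Scenario2Airport:
    """Encrypted templates in the operator's database; each key lives only on the passenger's device."""
    def __init__(self):
        self.db = {}  # passenger_id -> encrypted template (the operator holds no keys)
    def enrol(self, passenger_id: str, template: bytes) -> bytes:
        key = secrets.token_bytes(32)
        self.db[passenger_id] = encrypt(key, template)
        return key  # kept on the passenger's device and presented (e.g. via QR code) at the pod
    def checkpoint(self, passenger_id: str, key: bytes, live_capture: bytes) -> bool:
        template = decrypt(key, self.db[passenger_id])  # decrypted on the pod for a 1:1 check only
        return matches(template, live_capture)
    def operator_search(self, live_capture: bytes) -> list:
        # 1:N search without the keys: only ciphertext bytes are available, so nothing matches
        return [pid for pid, blob in self.db.items() if matches(blob[16:-32], live_capture)]

class Scenario3Airport:  # plaintext templates in a central database: the operator can search everyone
    def __init__(self): self.db = {}
    def enrol(self, passenger_id: str, template: bytes) -> None: self.db[passenger_id] = template
    def operator_search(self, live_capture: bytes) -> list:
        return [pid for pid, t in self.db.items() if matches(t, live_capture)]
```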