Critical analysis of the Law and its implications for cybersecurity in Italy

Cybersecurity is an increasingly relevant topic in the Italian and international landscape. With the entry into force of Law 90/2024 and NIS 2, which require regulatory and operational adaptation for efficient management of IT risks, new provisions on cybersecurity have been introduced, with significant impacts on companies, public administrations and cybersecurity experts.

One of the most controversial aspects concerns legitimate security testing. While the law aims to strengthen protection against cyber threats, it also raises questions about the implications for IT security professionals, especially those involved in penetration testing, vulnerability assessment and red teaming.

In this article we will analyze in detail the provisions of Law 90/2024 and those on cybersecurity deriving from EU law, their effects on cybersecurity in Italy and the possible critical issues related to the application of the legislation in security testing contexts.

What is Security Testing and Why is it Important?

Security testing is the set of practices and methodologies used to test the resistance of computer systems and networks to possible attacks. The most common activities include:

Red teaming: advanced exercises involving a team of experts tasked with simulating a real attack to assess an organization's defense capability.
These practices are essential to prevent data breaches, protect critical infrastructure, and ensure compliance with national and international cybersecurity regulations.

It is, however, essential to underline that, even before the entry into force of this regulation, the adoption of IT security measures, both technical and organizational, adequate to continuously evolving risks not only represented a legal obligation established mainly by the GDPR, but also constituted an essential responsibility towards citizens and the protection of their personal data.

The law applies mainly to two categories of entities which we can define as:

First Cluster: central public administrations and essential bodies (e.g. ministries, regions, autonomous provinces, metropolitan cities);
Second Cluster: large local authorities (e.g. municipalities with over 100,000 inhabitants, local health authorities, urban public transport companies).

The inclusion of the local health authorities is particularly relevant, considering that they had not previously been included in the National Cyber Security Perimeter provided for by Legislative Decree 105/2019, despite often being among the main targets of cyber attacks, also due to the chronic lack of funds that afflicts them.

A recent example that highlights the vulnerability of the healthcare sector is the ransomware attack, presumably of pro-Russian origin, that hit the National Health Service (NHS) in London, causing serious repercussions on the health of the most critically ill patients.

The main obligations and deadlines are as follows:

The PAs of the first cluster had to comply immediately;
The entities in the second cluster, however, had until January 17, 2025 to comply;
Mandatory reporting of cyber incidents, with penalties ranging from 25,000 to 125,000 euros in case of failure to notify.

It is also essential to underline that failure to report a computer incident may lead to disciplinary and administrative-accounting liability for the officials and managers involved.

The sanctions provided for come into play only in the event of repeated failure to comply with the notification obligation, leaving the ACN (National Cybersecurity Agency) to assess the severity. This approach is undoubtedly more lenient than, for example, the sanctions applicable to private entities under the GDPR.

This difference may be justified by the fact that the legislation in question was introduced with a financial invariance clause and is aimed primarily, although not exclusively, at public administrations, which operate under stringent budgetary constraints.