INFORMATION TECHNOLOGY
Italian Cybersecurity Agency: the new Regulation on cloud services for the public administration adopted and in force starting from August 1st, 2024.
Digital services are the primary means of delivering services to citizens by Public Administrations. The transition journey to the PA cloud ensures reliability, security, and long-term sustainability of public services.
The qualification process allows the Agency to perform pre-checks on the compliance level of cloud services offered by private operators, which Public Administrations can use as an alternative to self-providing services.
The selection of cloud services qualified by ACN is based on the classification of data and services of Public Administrations. Through this classification, the impact of services and data handled by a Public Administration is determined relative to their level of criticality.
Public Administrations can consult the ACN Catalogue to verify qualified services and the granted qualification level, to proactively determine if they conform to the required classification level for managing their data or services.
The ACN Unified Regulation for digital infrastructures and cloud services for the Public Administration clarifies:
- the methods for classification, migration and qualification of cloud services, which the PA can procure via open market;
- the measures and requirements for achieving minimum levels of security, computing capacity, energy efficiency, and reliability of digital infrastructures for the PA;
- the quality, security, performance, scalability, and portability characteristics of cloud services for the PA.
The Regulation, adopted by ACN through Directorate Decree n. 21007/24 of 27 June 2024 and applicable from August 1, 2024, updates the minimum levels and characteristics in response to the changing risk landscape and the terms related to the qualification issuance process. The Regulation also governs the use of housing infrastructures and proximity services (so-called edge services), increasingly prevalent due to the need to reduce latency times for end users.
One of the main novelties also involves differentiation between:
- the qualification of cloud services provided by private suppliers, which requires a pre-verification of compliance followed by the publication of the corresponding data card on the ACN Catalogue,
- the adaptation of infrastructures (regardless of the nature of the responsible entities) and services provided by public operators, based on a declaration of conformity submitted to ACN according to the specified requirements.
In both cases, a post-validation monitoring phase is scheduled during the 36-month validity period of the qualification and adaptation, enabling ACN to verify the maintenance of requirements necessary for data and service processing, in accordance with the classification level.
As of 1 August 2024, cloud service infrastructures that had obtained a valid QI1-4 level qualification will be converted - as far as the nomenclature is concerned - to AI1-4 level.