20 Oct Towards a European Standardisation of Information Security: Comparative Analysis of the Regulations of Spain, France and Italy

Authors: Francesco Capparelli, Andrea Sudano, Maria Rosaria De Ligio

 

In an era of profound digitisation and increasingly interconnected IT infrastructures, data protection and cyber security have emerged as central issues on the political and regulatory agenda of European nations. The pervasiveness of connected devices, the expansion of online services and the complexity of IT architectures have amplified the attack surface, making the cyber environment extremely exposed to threats of various kinds. Against this backdrop, there is a pressing need to pursue regulatory standardisation at the European level, in order to erect a strong, homogenous and resilient regulatory bulwark against the sophisticated cyber threats of the 21st century.

Several European nations, in particular Spain, France and Italy, have embarked on regulatory paths aimed at strengthening their cyber defences. A comparative analysis of these legislative initiatives reveals a synergy and convergence of intentions, testifying to a collective awareness of the importance of coordinated and integrated action at a continental level.

Spain, in particular, has shown a strong regulatory commitment, culminating in the adoption of the ‘Real Decreto’. This legislative instrument, of strategic importance, defines strict security standards for critical infrastructures and essential services, promoting a security culture and encouraging collaboration between public bodies and private operators.

France, with the enactment of the ‘Loi de Programmation Militaire’, has strengthened the role of the ANSSI, giving it broad powers in the field of cyber security. This legislation, at the forefront in Europe, introduces stringent obligations for companies, including the notification of security incidents, thus consolidating the national cyber crisis response and management capacity.

Italy, aware of the challenges posed by the contemporary cyber environment, has responded with the promulgation of the ‘National Cyber Security Perimeter’. This crucial regulatory tool outlines clear paths for the protection of critical infrastructures and the proactive management of cyber threats, emphasising the essentiality of a structured collaboration between government agencies and private sector stakeholders.

In summary, although each nation retains regulatory specificities linked to its socio-political context, the analysis leads to the observation of an unambiguous European movement towards standardisation and harmonisation of cyber security policies. This regulatory convergence constitutes a fundamental pillar for the construction of a European cyber ecosystem that is secure, robust and capable of responding to future challenges, consistent with the premises and insights outlined in the background paper.

Below is an analysis of some of the main regulatory initiatives – realised in the context of Spanish, French and Italian legislation – concerning the issues under analysis, which deepen what has already been mentioned and introduce further elements of analysis.

 

Spain – Royal Decree 311/2022 and the National Security Scheme (ENS): A Detailed Analysis

In the European context, Spain has distinguished itself for its proactivity in adopting legislative measures to strengthen IT security, particularly with regard to public administration information systems. The aforementioned ‘Real Decreto 311/2022’ is an emblematic example of this commitment, introducing the National Security Scheme (ENS) as a reference regulatory tool.

The core of this regulation is the promotion of a high standard of security, aimed at ensuring the integrity, availability, confidentiality and authenticity of data and information managed by the public administration. These four pillars, which are fundamental in the field of IT security, have been identified as essential to ensure the resilience and robustness of information systems:

• • • • • Integrity: Ensures that information is protected from unauthorised modification, ensuring that data remains consistent and unchanged throughout its lifecycle.
        • Availability: Ensures that information systems are always accessible and functional, minimising the risk of interruptions or malfunctions.
        • Confidentiality: Protects sensitive information from unauthorised access, ensuring that only authorised users can access the data.
        • Authenticity: Ensures that information and data are genuine and have not been falsified or fraudulently altered.

A distinctive aspect of the ‘Royal Decree 311/2022’ is the introduction of a classification system for information systems, based on their criticality. This classification makes it possible to customise and calibrate security measures according to the level of risk associated with each system, thus ensuring adequate and proportionate protection.

Finally, the ENS provides for periodic audits of information systems. This ensures continuous and systematic supervision of compliance with the security standards imposed, ensuring that the measures taken are always state-of-the-art and in line with emerging cyber threats.

In summary, the ‘Real Decreto 311/2022’ and the National Security Scheme represent a significant step towards the creation of a secure and resilient cyber environment in Spain, laying the foundations for an effective and prudent management of cyber risks at national level.

 

France – Référentiel d’exigences SecNumCloud and the Agence nationale de la sécurité des systèmes d’information (ANSSI): An Insight into the French Regulatory Framework for Cloud Computing Security

In the European IT security landscape, France has shown a particular focus on the challenges and opportunities related to cloud computing. While this technology offers significant advantages in terms of flexibility, scalability and efficiency, it also presents specific vulnerabilities that require special attention in terms of security.

The Agence nationale de la sécurité des systèmes d’information (ANSSI), the French body in charge of IT security, recognised these challenges and responded with the publication of the ‘Référentiel d’exigences SecNumCloud’. This document is an essential reference point for cloud service providers in France, outlining precisely the security requirements that must be met to obtain an official qualification.

The adoption of this référentiel demonstrates a clear awareness by the French authorities of the potential threats associated with the cloud environment. These threats can include targeted attacks, data breaches, service interruptions and other risks that can compromise the integrity, availability and confidentiality of information.

The ‘Référentiel d’exigences SecNumCloud’ is characterised by its modular structure, divided into two parts:

• • • • • General Part: This section sets out the basic requirements that all cloud service providers must meet, regardless of the specific nature of the service offered. These requirements may cover aspects such as identity management, encryption, physical protection of data centres and other basic security measures.
        • Specific Part: This section focuses on particular requirements related to different types of cloud services, such as IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service). This approach allows security measures to be tailored to the specific needs and characteristics of each service.

In conclusion, with the introduction of the ‘Référentiel d’exigences SecNumCloud’, France has consolidated its position as a leader in cloud computing security in Europe. This framework is a reference model for other countries, underlining the importance of a proactive and judicious approach to security in an increasingly digitised and interconnected era.

 

Italy – Directorial Decree prot. N. 29 of 02/01/2023 and the National Cybersecurity Agency (ACN): An Analysis of the New Italian Regulatory Framework for the Security of Cloud Services

In the European context of cybersecurity and digitisation of services, Italy has undertaken significant regulatory and organisational initiatives to ensure a high standard of data and critical infrastructure protection. One of the most recent manifestations of this commitment is represented by the ‘Directorial Decree prot. No. 29 of 02/01/2023’, which introduced important novelties concerning the qualification and management of cloud services for the Public Administration.

The decree sanctioned the transfer of specific competences from the Agenzia per l’Italia Digitale (AgID) to the Agenzia per la Cybersecurezza Nazionale (ACN). This decision reflects the growing awareness of the strategic importance of cybersecurity and the need to centralise competences in a specialised body with the resources and technical capabilities required to meet the challenges of the contemporary cyber landscape.

The centrality of cloud services for public administration is indisputable. Thanks to their flexibility and scalability, these services are an optimal solution for managing large volumes of data and providing efficient services to citizens. However, the increasing dependence on such services has made the need to ensure high security standards and prevent potential vulnerabilities evident.

In this context, ACN has taken a leading role in the definition and implementation of cybersecurity policies. One of the most significant initiatives undertaken by the agency has been the creation of a ‘marketplace’ dedicated to qualified cloud services. This platform, managed directly by the ACN, provides a comprehensive overview of cloud services that have obtained official qualification, thus ensuring transparency, reliability and compliance with established security standards.

In conclusion, Italy, through the ‘Directorial Decree prot. No. 29 of 02/01/2023’ and the establishment of the ACN as a reference body for cybersecurity, has strengthened its commitment to protecting digital infrastructures and promoting a secure and resilient cyber environment. These measures represent a fundamental step towards the realisation of an integrated and coherent national cyber security strategy.

 

European Unification in Information Security: The Pivotal Importance of the ISO/IEC 27001 Standard

Within the complex and articulated fabric of European information security regulations outlined in the preceding paragraphs, the unifying role of the ISO/IEC 27001 standard emerges prominently. This international normative reference represents, without a shadow of a doubt, a pillar in the information security landscape.

The ISO/IEC 27001 standard does not merely provide indications or guidelines, but proposes a structured and meticulously detailed framework for the design, implementation, maintenance and optimisation of an Information Security Management System (ISMS). Its intrinsically universal nature and its flexibility, which allows it to adapt effectively to a multiplicity of scenarios and operational contexts, elevate it to an indispensable reference model. Indeed, this standard not only synthesises but, in fact, amalgamates and enhances the regulatory efforts undertaken by the various European nations, ensuring consistency and standardisation in the approach to information security.

In this perspective, the ISO/IEC 27001 standard acts as a catalyst, capable of harmonising the various legislative initiatives and providing a common, robust and homogeneous framework, in perfect harmony with the analyses and reflections set out in the reference document.

 

Legal conclusions

An in-depth analysis of recent legislative initiatives undertaken by pivotal nations such as Spain, France and Italy clearly reveals a synergetic commitment and a shared strategic vision: ensuring effective data protection, with a particular focus on the public administration sector. Despite the fact that each of these nations retains its own peculiarities and regulatory specificities, there is a univocal awareness of the essentiality of adhering to stringent security standards and implementing advanced methodologies to protect citizens’ personal data and safeguard the integrity of national information systems.

In this context, Article 28 of the General Data Protection Regulation (GDPR) is of crucial importance. This regulatory provision introduces the figure of second-party audits, a control and verification measure that proves to be crucial in ensuring that external providers, in particular data processors, adhere to high security standards. These audits, interpreted in synergy with national regulations and the ISO/IEC 27001 standard, are not mere control tools, but represent real bastions of security. They embody the European authorities’ determination to weave a capillary and robust protection network. In this perspective, each individual external provider is not simply an external entity, but becomes an essential component of an integrated and homogeneous system, in which the protection of European citizens’ data and the resilience of national information systems are placed at the centre of attention.

In conclusion, the harmonisation of regulatory efforts at the European level, combined with the adoption of international standards such as ISO/IEC 27001, constitutes a significant advancement towards the realisation of a European cyber ecosystem that is secure, resilient and fully aligned with the expectations and needs of the continent’s citizens and institutions. This vision, in perfect coherence with the premises and insights outlined in the reference document, underlines the importance of a proactive and judicious approach to security in an increasingly digitised and interconnected age.

 

The ICO Case and IA Risk Assessment Reflections: A Confrontation between Privacy and Security

The contemporary landscape of Artificial Intelligence (AI) systems is often the scene of cases and examples that raise ponderous questions and generate extensive reflections on ethics, security and data protection. An emblematic case in this sense is the events involving the ICO (Information Commissioner’s Office) in the context of an investigation into the generative chatbot implemented by Snap. This episode not only raised further questions about risk assessment in the AI sphere, but also cast a sharp light on the challenge that lies in the distinction and integration between privacy-related risk assessment and the AI risk management system envisaged by the European legislation known as the AI Act.

The distinction between these two levels of risk assessment, although appearing clear at first glance, becomes considerably more complicated when diving into the nuances and operational details. On the one hand, privacy risk assessment, as outlined by the General Data Protection Regulation (GDPR), essentially focuses on the impact that a technology, process or system may have on the personal data and privacy of the individuals involved. The focus is primarily on data minimisation, purpose limitation and storage, and ensuring the rights and freedoms of data subjects.

On the other hand, the AI risk management system, as contemplated by the AI Act, exhibits a significantly broader scope, embracing an in-depth and multidimensional analysis of the potential risks associated with AI systems. This analysis is not limited solely to privacy risks, but expands to include variables such as the security, accuracy, robustness, resilience and reliability of AI systems, as well as the ethical, social and societal implications and risks they might pose.

The intersection and synthesis of these two worlds – the privacy risk assessment and the broader IA risk assessment – is represented, and partly recomposed, through the conduct of an Ethics and Data Protection Impact Assessment. This approach not only assimilates the principles and requirements of the GDPR, establishing a rigorous examination of the impact of systems on data protection, but is elevated to incorporate and integrate relevant ethical and security criteria and variables as outlined in the AI Act.

It is crucial to emphasise how the fusion of these two levels of analysis and risk assessment enables the construction of a more holistic and robust framework that is able to capture and comprehensively address the complexities, challenges and risks that permeate the implementation and use of AI systems in real-world scenarios. The ultimate goal is to ensure that AI solutions are not only compliant with legal and regulatory standards, but also ethically sound, socially acceptable and technologically secure, thus building a digital ecosystem in which innovation and protection go hand in hand and are mutually reinforcing.

 

Conclusion: The Arduous and Perennial Commitment to Security in the Artificial Intelligence Landscape

Although the AI Act represents an essential and indispensable regulatory cornerstone in the European landscape of Artificial Intelligence (AI) technologies, it cannot and should not be perceived as a point of arrival, but rather as a foundation from which to build. Its regulatory architecture, in fact, provides a structure and a regulatory basis, but the effectiveness of its implementation and the actual achievement of its goals depend on a collective, multi-sectoral and multidisciplinary effort.

Organisations, as central players in the AI ecosystem, are called upon to internalise and put into practice the principles, standards and guidance enshrined in the AI Act, adopting a proactive and forward-looking approach. It is not only a matter of ensuring regulatory compliance and avoiding possible penalties, but also of ensuring that AI systems are safe, reliable, ethical and socially responsible at every stage of their life cycle.

Security, in this context, is multifaceted, extending from IT security to data protection, from technological reliability to operational robustness, and involves safeguarding users and their data from potential threats, vulnerabilities and risks. Threats, in fact, can manifest themselves in different forms and at different times, making it imperative that security measures are integrated, dynamic and capable of adapting to changes in the technological environment and the threats themselves.

It is therefore essential that organisations invest resources, skills and energy in the constant improvement and updating of security and data protection strategies, technologies and skills. This commitment takes the form of a series of actions and activities such as continuous training, regular testing and audits, updating security policies and technologies, and promoting an organisational culture centred on security and ethics.

In an era marked by rapid technological evolution and the growing complexity of security and data protection challenges, safeguarding AI systems and the information they process is not a goal that, once achieved, can be taken for granted. On the contrary, it is an ongoing endeavour, a path that requires vigilance, adaptability and a relentless desire for excellence and ethical and social responsibility on the part of organisations and all players involved in the AI ecosystem.