
Cloud Regulation for Public Administration: Key Updates and How Verification Processes Are Changing

The world of cloud services in Italy has a new regulation as of August 1st. 

On June 27th, the National Cybersecurity Agency (ACN) approved Regulation 21007/24, marking the end of the transitional period and the start of the regular regime.

The Regulation is part of Italy’s Cloud Strategy and consolidates into a single regulatory framework the directives that digital infrastructures and cloud services must comply with. 

Verification and control processes are redefined, both ex ante and ex post, distinguishing between Public Administrations, which are subject to the Adaptation (compliance) process, and private providers, which are required to obtain Qualification.

The three-level classification system (Strategic, Critical, Ordinary, based on the risk arising from data compromise) is maintained, with new rules introduced for in-house infrastructures and edge computing. Particular attention is paid to the sustainability of the data centers providing cloud services.

The challenge of Data Management is becoming increasingly crucial for any player operating in the digital infrastructure sector, particularly in the growing cloud services market. To keep pace with such a technological challenge, the National Cybersecurity Agency (ACN) adopted the "Unified Regulation for Cloud Infrastructures and Services for the Public Administration" on June 27th through Director’s Decree 21007/24.  

The new Regulation comes after a phased process that began in 2021 with AgID Determination 628/21 and was followed by a transitional period lasting a year and a half.

After the approval of the Data Protection Authority and the conclusion of the European Commission’s “stand still” period without objections, the publication of the new Regulation 21007/24 now initiates the ordinary and permanent regime. 

Effective from August 1, 2024, the new Regulation updates the minimum requirements to the changed risk scenario and intervenes by harmonizing rules and deadlines for the issuance of qualifications, pushing the public sector towards cloud technologies according to the best standards of security, resilience, performance, and scalability.  

The Innovations of the Cloud Regulation for the Public Administration

The new ACN Regulation No. 21007/24 does not overturn the existing framework but consolidates the classification system, optimizing some procedures now fully digitized through the Agency’s website. The regime that differentiated public administrations and in-house companies from private providers is maintained and requires the former to comply with requirements through the Adaptation process: before launching a new cloud service, public administrations must inventory and classify their digital services. For private entities, instead, the process goes through Qualification, which includes a formal ex-ante verification during the application phase (infrastructure owners are also subject to Adaptation). This is followed by online publication in the ACN Catalog, shifting technical checks to the operational phase. With 21007/24, qualifications are valid for 36 months and subject to periodic ACN monitoring to ensure compliance and maintenance of necessary requirements. Any non-compliance triggers a 45-day remediation plan, after which (unless exceptions apply) ACN can gradually proceed toward revocation.

In-Housing Infrastructures and Edge Data Centers

Another new feature: the Regulation also governs the use of housing infrastructures and edge proximity services, with some compliance requirements waived. In the first case, the declaration of conformity allows certain functions to be fulfilled by an in-house infrastructure, meaning one that is not outsourced but relies on a public-law legal entity (usually within its own perimeter). Regulation 21007/24 also regulates the edge computing model, a scheme involving caches hosted in small proximity data centers where data from a central cloud are temporarily replicated. Among other benefits, edge computing provides higher speed and minimal latency, making it highly useful for data-dense environments such as a Local Health Authority (ASL).

The adaptation procedure for public administration cloud services

Digital infrastructures and cloud services provided directly on-premises by public administrations or entrusted to in-house companies are subject to the Adaptation process. The first step is the classification of data and services according to their potential criticality for the country (except for exemptions related to Public Order and Defense) based on the following criteria:

1. risk and evolution of the cyber threat;

2. national, European, and international regulations and standards;

3. presence of personal data, risks to the rights and freedoms of natural persons, type of data processed (e.g. health or criminal convictions and offences) or categories involved (e.g. vulnerable individuals).

There are three classes of data provided for by the Regulation:

1. Strategic, if their compromise could cause harm to national security;

2. Critical, potential harm to the maintenance of functions relevant to society, public health, public safety, and the economic and social well-being of the country;

3. Ordinary, all other potential harms.

To obtain the declaration of conformity, the administration sends the relevant form to ACN via certified email (PEC); the declaration can be updated in the event of substantial changes.

Raising the levels of security

Digital services have now become the primary method through which public administrations deliver services to citizens, and the process of document dematerialization is expected to consolidate further in the future. The centrality of personal data protection within the framework of the Regulation is therefore clear, as it already covers the management of vulnerabilities and of potential or likely cyber incidents. In 21007/24, based on the most recently observed risk profiles, anti-DDoS measures were added and other specific requirements were modified, for example regarding the processing of metadata. Among the approaches adopted against cybercrime, the text aligns with the widespread “Zero Trust” model (Zero Trust Architecture), whereby no IT system is trusted by default, even if it has previously been verified. The measures introduced in the Regulation also provide important clarifications regarding the validity of ISO certificates and the bodies entitled to issue them.

The evaluation of the economic and technical offer

Finding one’s way through the extensive qualification chain involves strategic decisions with significant technical and economic implications. Even the choice among the various cloud service levels (Software-as-a-Service, Platform-as-a-Service, Infrastructure-as-a-Service, or physical infrastructure) requires a comparative evaluation of the objectives pursued against the available means, methods, and timelines. The guiding principles are those of economy, efficiency, and effectiveness, following the so-called “Best Value” framework. The use of an in-house company, for example, may indeed bring economies of scale, but it is also an expression of the public administration’s power of self-organization to produce a public service by itself, on the basis of complex evaluations that are often also of a legal or governmental nature.

Migration methods: more detailed guidelines

Regulation 21007/24 also describes the terms and methods by which Administrations must carry out migrations to the cloud. This is the process of transferring applications, data, and IT infrastructure, generally from on-premises servers to a public cloud, or sometimes from one cloud provider to another. The guidelines included in the Regulation provide for the definition of a “migration plan”, specifying timelines and operating procedures with the aim of supporting administrations. Here too, the emphasis is on the security of the procedures, including the use of secure, encrypted communication channels during the migration phase, together with updated and approved protocols. Furthermore, once the migration has been successfully completed, there is an obligation to delete all data that may have been stored or archived during the process.

Inix Group, a protagonist of technological change

Cloud migrations are one of the many services provided by Inix of Sesto San Giovanni. Active for several years in various sectors, from Healthcare to Industry and from Retail to Finance, Inix has established itself as a reference company in the provision of IT services. From Lombardy, a team of expert system administrators took the first steps to combine their skills and passions and create a distinctive project in the field of information systems. Its offering of solutions is complete and innovative, designed to meet the specific needs of individual companies. Continuously aligning with ISO certifications and following ITIL principles, Inix operates, among other areas, in Cloud and Security in collaboration with market leaders, integrating solutions that scale over time, including SaaS systems on the Inix cloud, and ensuring maximum security with regard to sensitive data and hardware updates.

Guarantee of compatibility of information systems

In an interconnected and globalized world like IT, the choice of suppliers for public administrations cannot ignore compatibility with international standards and is an integral part of every new project. Among the reference standards, beyond international norms and best practices, the National Framework for Cybersecurity and Data Protection stands out. In this regard, the Cloud Data Management Interface (CDMI) is an international standard that has established itself in the cloud market. It is a functional interface that many applications use to create, store, manage, or delete data storage in the fastest and most efficient way.

Inix’s Data Management

In the complex IT landscape, Data Management—both among public and private entities—requires operations with high technological specialization. This is an area in which Inix has distinguished itself by ensuring reliability and efficiency to its clients at every stage. The portfolio of solutions it offers is extensive, enabling it to manage everything from Document Preservation (billing cycle, human resources management, supply chain, and logistics) to the digitization of documents for various institutions, including museums, libraries, universities, hospitals, and central archives. A distinctive vocation is operating within a highly technological ecosystem in healthcare, allowing public administrations to provide specialized services to operators and citizens, including access to health data and imaging diagnostics through web portals, among many others.

Focus on sustainability

One of the unavoidable guiding principles is the environmental impact of digital infrastructures. The demand for increasingly high-performance infrastructures, networks, and cloud services has raised significant concerns about the use of vast water resources in IT, particularly for cooling powerful hardware systems. This issue, initially raised within the scientific community, has now reached the political arena, with calls for economic and fiscal incentives for green solutions, even beyond the scope of PNRR funds. Sustainability is a key topic for a dynamic player like Inix, which for years has been active both in implementing renewable energy sources and optimizing consumption. The company from Sesto San Giovanni has grown by focusing from the beginning on advanced infrastructures designed with energy savings and efficiency in mind, also thanks to ongoing research on hardware components for its data centers.

Role of Inix in the selection and training of top talents

The paradigm shift we are witnessing in the cloud sector also requires constant investment, not only in technological research and development but also in the quality of human capital. Inix is, in fact, an established reality supporting all those central and local administrations that, being required to upgrade their digital infrastructure, intend to rely on a young and dynamic player already strong in its resources. A clear market positioning sees Inix committed to the quality of its recruiting, aimed at attracting and developing the best talents. Training plans are constantly updated to create an environment optimized for teamwork, based on competence, creativity, and flexibility.

Article Source: ForumPA, 3 September 2024. Written by Manlio Serreti.
