Cybercrime policies/strategies
The Italian Cyber Security Action Plan has been implemented since 01/03/2017.The document sets out the operational guidelines and actions to be executed in order to implement the National Strategic Framework for Cyberspace Security.
In February 2017 a new and updated decree further reinforced the role assigned to the Interministerial Committee for the Security of the Republic providing guidelines to increase the level of cyberspace security in the country.
Ever since 2013 steps had been taken on cybersecurity by adopting a decree of the President of the Council of Ministers of 2013 and drawing up a National Strategic Framework for Cyberspace Security and a National Plan for Cyberspace Protection and ICT Security
Objectives of the national strategy are:
- Obj. 1 - Enhancing technical, operational and analytic expertise of all concerned stakeholders and institutions through a joint effort and a coordinated approach.
- Obj 2 - Strengthening capabilities to protect national critical infrastructures and strategic assets and stakeholders.
- Obj 3 - Facilitating public-private partnerships.
- Obj 4 - Promoting and encouraging a Culture of Cybersecurity.
- Obj 5 - Reinforcing capabilities to counteract online criminal activities, malicious and illegal activities.
- Ojb. 6 - Strengthening of international cooperation.
To achieve the above guideline the Italian Government has identified eleven operational guidelines:
- Act. 1 - Enhance the expertise of the intelligence community.
- Act. 2 - Identify the Network and Information Security (NIS) Authority that will engage at the European level.
- Act. 3 - Develop a widely shared cyber taxonomy and promote a common understanding of cybersecurity terms and concepts.
- Act. 4 - Foster Italy’s participation in international initiatives to enhance cybersecurity.
- Act. 5 - Attaining the full operational capability of the National Computer Emergency Response Team.
- Act. 6 - Legislative and compliance with international obligations.
- Act. 7 - Compliance with standards and security protocols.
- Act. 8 - Support for industrial and technological development.
- Act. 9 - Strategic communication.
- Act. 10 - Allocation of adequate human, financial, technological and logistic resources to the strategic sectors of the Public Administration.
- Act. 11 - Implementation of a national system of information risk managemen
(Source: https://www.cyberwiser.eu/italy-it)
Cybercrime legislation
State of cybercrime legislation
Italy has been one of the first countries in Europe that implemented the recommendation «on computer-related crime» adopted on 13 September 1989 by the Committee of Ministers of the Council of Europe.
In fact, Law no. 547 of 23 December 1993 was passed a few years later and it laid down “amendments and supplementary provisions to the Criminal Code and the Code of Criminal Procedure on cybercrime”.
This legislative framework has remained unchanged up to the recent introduction of new rules under Law no. 48 of 18 March 2008 by which Italy implemented the Budapest Convention.
Therefore, even though Italy does not have specific rules in place on cybercrime, it has amended its existing law provisions (already included in the Criminal Code and the Code of Criminal Procedure) ever since 1993 so as to bring them in line with the phenomena connected to cybercrime.
Substantive law
The Italian Criminal code and the special laws indicated below (on copyright and the protection of credit cards) cover all the offences under Articles 2-10 of the Budapest Convention.
Under Articles 24 and 24bis of Legislative Decree no. 231 of 8 June 2001 provisions have also been made for the liability of legal persons in case of commission of some cybercrimes when these have been committed for their benefit.
Procedural law
Any investigation into cybercrime shall be governed for any offence by the Italian Code of Criminal Procedure and in particular the provisions regulating inspections (Article 244 et seq.), searches (Article 247 et seq.), telephone interception and electronic surveillance (Article 266 et seq.).
By Law no. 48 of 18 March 2008 it has been specified – in the wording of many law provisions of the Code of Criminal Procedure – that, as far as digital evidence is concerned, investigators shall adopt “the technical measures aimed at ensuring the preservation of original data and preventing it from being altered”.
Safeguards
As the law provisions on cybercrime have been included in the Italian Criminal Code and Code of Criminal Procedure, the general safeguards laid down in the Italian Constitution shall apply, in particular the rules on the personal liberty of citizens (Article 13), inviolability of domicile (Article 14) and confidentiality of correspondence (Article 15).
Related laws and regulations
The legal framework on cybercrime finally includes the following special laws:
- Law on copyright (Law of 22 April 1941, no. 633) that also lays down criminal sanctions in relation to alleged violations on the Internet (Article 171 et seq.);
- Criminal-law protection of credit cards under Article 55 of Legislative Decree of 21 November 2007 no. 231;
- Italian Personal Data Protection Code – Legislative Decree no.196 of 30 June 2003, also laying down provisions on data retention (Article 132) including provisions on the requests from foreign investigative authorities (Article 132, paragraph 4-ter);
- Electronic Communications Code (Legislative Decree 1 August 2003, no. 259) including the related obligations for Italian telecommunications companies pursuant to Article 96 (so-called mandatory assistance for purposes of justice).
(for the wording of the aforementioned Italian law provisions: http://www.normattiva.it/ - only in Italian language at the moment)
Specialised institutions
The Ministerial Decree of 28 April 2008 has set out specific investigative areas of competence in this field for the Post and Communications Police, i.e.:
- ensuring, at a general level, the integrity and functionality of the computer network, including the protection of critical computerised infrastructures, the prevention of, and fight against, computer attacks to the domestic strategic structures, and the security and regularity of telecommunications services;
- the fight against on line child pornography;
- intelligence activity for the prevention of, and fight against, the use and forgery of means of payment; this sector has a direct impact on e-commerce and the focus of special units’ investigations is on software or hardware technologies that are used to capture, reproduce and make use of identities, payment codes and cards in electronic transactions.
Recently, under Article 2 of Decree Law of 18 February 2015 no. 7, converted with amendments into Law no. 43 of 17 April 2015, the role of the Post and Communications Police has been reinforced in the prevention of, and fight against, terrorism including on the Internet.
As to the regulation and supervision of Italian telecommunications companies, the competent authority is the Ministry of Economic Development.
As far as the protection of personal data is concerned, the Italian Data Protection Authority has been set up by Law no. 675 of 31 December 1996 (transposing Directive 95/46/EC into the Italian legal system). This is an independent administrative authority whose powers are set forth at present by the Code on the protection of personal data.
With respect to on line copyright, since 2013 under the “Regulation on the protection of copyright on electronic communications networks and implementing procedures pursuant to Legislative Decree no. 70 of 9 April 2003” the Authority for safeguarding communications (AGCOM) shall have some powers to take action for prevention purposes.
Italy has also several Computer Emergency Response Teams (CERTs) covering the public and private sectors as well as citizens.
The Italian national CERT - CERT Nazionale (in Italian) is based on a public-private collaboration on cybersecurity for citizens and companies. It is responsible for raising awareness, and helping to prevent and coordinate cyber incidents on a large scale.
GARR-CERT provides support for the Italian Academic and Research Network, working to reduce the risk of computer security incidents. (in Italian; English).
CERT PA (part of the government agency for Digital Italy) is responsible for computer security incidents in public administration. (in Italian).
CERT Posteitaliane is a private structure within the Poste Italiane Group, providing services for security specialists, large organisations, clients, and consumers. (in Italian; in English).
(Source: https://www.cyberwiser.eu/italy-it)
International cooperation
Competent authorities and channels
Under Law 48/2008 – through the introduction of Article 51, paragraph 3 quinques of the Code of Criminal Procedure – it is the Public Prosecutor’s Office attached to the Court of the main city of a Court of Appeal District where the competent judge is based that holds jurisdiction to conduct the investigations into cybercrime.
Therefore this is a rule governing territorial jurisdiction (as is the case for terrorist and organised crime offences) that has a wider scope as compared as to the general rule applying to the other offences prescribing that jurisdiction is indeed held by the Public Prosecutor’s Office attached to the Court of the so-called circondario (area of a province).
Even though specialised investigative tasks have been assigned by law to the Post and Communications Police, other police forces (State Police, Arma dei Carabinieri, Guarda di Finanza) may as a rule conduct investigations into cybercrime.
(For a list of the offices of the Italian judicial administration the following search engine may be used: https://www.giustizia.it/giustizia/it/mg_4.page - only in Italian at the moment).
Authority for extradition and provisional arrest in the absence of other treaties (Article 24)
MINISTERO DELLA GIUSTIZIA
DIPARTIMENTO PER GLI AFFARI DI GIUSTIZIA
DIREZIONE GENERALE DELLA GIUSTIZIA PENALE
UFFICIO II- COOPERAZIONE GIUDIZIARIA INTERNAZIONALE
The stage of pre-trial investigation
Via Arenula 70, 00186 Roma
tel. +390668852180, fax.: +390668897528
ufficio2.dgpenale.dag@giustizia.it
www.giustizia.it
Authority for Mutual Legal Assistance in the absence of other agreements or arrangements (Article 27)
MINISTERO DELLA GIUSTIZIA
DIPARTIMENTO PER GLI AFFARI DI GIUSTIZIA
DIREZIONE GENERALE DELLA GIUSTIZIA PENALE
UFFICIO II- COOPERAZIONE GIUDIZIARIA INTERNAZIONALE
Via Arenula 70, 00186 Roma
tel. +390668852180, fax.: +390668897528
ufficio2.dgpenale.dag@giustizia.it
www.giustizia.it
24/7 Contact point (Article 35)
Postal and Communications Police Service of the Italian National Police
(Servizio Polizia Postale e delle Comunicazioni)
Description of Contact:
There is an officer on duty 24 hours a day. During normal duty hours (Mon-Fri, 08:00-20:00), the operator can immediately connect the caller to a computer crime investigator. After hours, please dial the mobile phone number to contact directly the officer on duty.
Language Capabilities of Contact:
English, Italian
Practical guides, templates and best practices
Italy has ratified most of the multilateral treaties and conventions on international cooperation, and with many countries on a bilateral basis. A list thereof is available at https://www.giustizia.it/giustizia/it/mg_1_3.page?tabait=y&tab=p&aia=&ait=AIT32552#TopAi (only in Italian at the moment).
Jurisprudence/case law
- Court of Cassation sitting en banc, judgment no. 26889 of 28/04/2016 (filed on 01/07/2016) Rv. 266905
The interception of communications between persons present by installing a computerised sensor in electronic devices is only admitted in proceedings for organised crime offences in respect of which Article 13 of Decree Law no. 151 of 1991, converted into Law no. 203 of 1991, shall apply; under this provision communications may also be captured in private premises and a prior identification and indication of such places is not required and there is no need to prove that criminal activities are being carried out there. (In the grounds for the decision the Court pointed out that, due to the invasive force of the means used, the legal classification of the offence, which is covered by the notion of organised crime, shall be anchored to sufficient, reliable and objective circumstantial evidence as rigorously highlighted in the grounds underlying the authorisation order).
- Court of Cassation sitting en banc, judgment no. 17325 of 26/03/2015 (filed on 24/04/2015) Rv. 263020
As to the abusive access to a computer or electronic system, the place of commission of the offence under Article 615-ter of the Criminal Code coincides with the place where the user is located and, through an electronic processor or other automated data processing devices and by dialling a "keyword" or going through the authentication process, he/she bypasses the security measures put in place by the owner to select access procedures and protect the databanks stored in the central system, or he/she remains there and exceeds the limitations of the authorisation he/she has been granted. (In the grounds for the decision the Court pointed out that the electronic system for processing data that are shared by more than one desk is a single one and, due to its capacity to make information available on an equal basis for all authorised users, relevance will be given to the place where the remote device is located from which access is made rather than the place where the central processor is located).
- Court of Cassation sitting en banc, judgment no. 4694 of 27/10/2011 (filed on 07/02/2012) Rv. 251269
Whoever, even though duly authorised, accesses, or remains in, a protected computer or electronic system in violation of the conditions and limitations as prescribed by the owner of the system to actually limit access thereto shall be held liable of an offence under Article 615 ter of the Criminal Code; for this action to constitute an offence, the purpose and aim motivating the person to access the system are irrelevant.
(to consult the Electronic Documentation Centre – CED – of the Court of Cassation: http://www.italgiure.giustizia.it/index_it.asp?lang=en&. Restricted access only)
Sources and links
- Post and Communications Police
- Ministry of Economic Development
- Italian Data Protection Authority
- Authority safeguarding communications:
- Guidelines to fight cybercrimes and protect victims (pilot project in Italy)
- GENVAL - Evaluation report on the seventh round of mutual evaluations "The practical implementation and operation of European policies on prevention and combating Cybercrime" - Report on Italy
- Other GENVAL 7th round evaluation reports
These profiles do not necessarily reflect official positions of the States covered or of the Council of Europe.
Are you aware of the latest legislative or policy developments on cybercrime and electronic evidence?
Share this information with us helping to keep this platform up to date.
- Cybercrime website
- Template: Mutual Legal Assistance Request for subscriber information (Art. 31 Budapest Convention). English and bilingual versions available.
- Template: Data Preservation Request (Articles 29 and 30 Budapest Convention). English and bilingual versions available.