The Establishment of Accredited Testing Laboratories (LAP) within the Italian Cybersecurity Framework

The introduction of Law 133/2019, which established the National Cybersecurity Perimeter, set among its main objectives the development and implementation of a strategy aimed at strengthening national cyber resilience. This strategy included, among other measures, the mandatory adoption of various security requirements for public bodies and private entities providing essential services. Consequently, this obligation highlighted the national need for adequate structures and technical tools capable of assessing and verifying the reliability of ICT products to enhance the protection of critical national infrastructures.
In this context, through subsequent implementing decrees, the Testing Laboratories (LAP) were established. These technical structures are accredited by the National Cybersecurity Agency (ACN) in compliance with a broad regulatory framework, which includes, among others, the Prime Minister’s Decree (DPCM) No. 92/2022, technical determinations, and the international standard ISO/IEC 17025.
Today, LAPs operate in synergy with the National Evaluation and Certification Center (CVCN), the ACN’s technical body responsible for assessing the security levels of ICT goods, systems, and services intended for use within the National Cybersecurity Perimeter (PSNC).
Accreditation by the ACN of a LAP such as Telsy’s Futuring Technology Center is therefore considered both a strategic enabler for a specific type of business supporting the ACN, Italy’s sole cybersecurity regulatory authority, and a means of distinguishing an entity through institutional recognition and technical competence.
Accredited Testing Laboratories (LAP): Definition and Characteristics
In the world of cybersecurity, where trust and resilience are essential elements, the Testing Laboratories (LAP), accredited by the National Cybersecurity Agency (ACN), play a key role in technological development aimed at protecting public interests.
In fact, within an ever-evolving European digital transition context, LAPs actively contribute to enhancing the security of digital products and services against cyber threats. These highly sophisticated technical hubs focus on conducting complex verification and certification operations concerning the security standards of digital products and software, which constitute, at the national level, fundamental pillars supporting the National Evaluation and Certification Center (CVCN).
The reference regulatory framework is established by the Prime Minister’s Decree (DPCM) No. 92 of May 18, 2022, which regulates the accreditation of LAPs and Evaluation Centers (CV) within the scope of national cybersecurity. The DPCM 92/2022 provides a set of rules for LAP accreditation with the ACN in the cybersecurity sector, essential for their operations. It defines their scope, operational boundaries, management requirements, and the roles of technical staff, and it establishes a structured system for management and communication with authorities. The accreditation process is specifically governed by Article 12 of the aforementioned DPCM, which includes multiple steps to be completed within a maximum of 180 days. These steps include preliminary checks, technical documentation preparation, and an inspection visit by the Accreditation Commission, which will issue an opinion on granting or denying accreditation.
Regulatory Compliance and Strategic Value
Given the laboratory’s specific nature and the prestige of the activities carried out, what constitutes the strategic value of LAPs? The answer lies in analyzing certain regulatory references.
First and foremost, for its relevance in understanding the LAP’s strategic role, Article 1, paragraph 7, letter b) of Decree-Law 105/2019 assigns to the CVCN, which the laboratories are expressly required to support, the function of “verifying the security conditions and the absence of known vulnerabilities” of strategic assets included in the National Cybersecurity Perimeter (PSNC) as defined by Decree-Law 105/2019, as well as ensuring the security of their supply chains.
Secondly, the aforementioned DPCM 92/2022 further reinforces the strategic importance of LAPs. Specifically, Article 9, paragraph 5 identifies “reasons concerning national security” as grounds for denying accreditation. Paragraph 6 further emphasizes the consideration of foreign citizens or companies within the ownership structure as factors affecting accreditation. Even limiting the analysis to these few but significant regulatory elements, it is clear that the legislator’s intention is to create technologically advanced hubs in Italy, limiting foreign capital presence, to support the authority in verifying companies’ compliance with security measures regarding ICT assets—those assets deemed strategic because they are essential for “the performance of essential state functions or the provision of essential services” (DPCM 99/2022, Art. 1, paragraph 1, letter g).
Operational Scope and Certifications for LAPs
As mentioned, once accredited, the LAP assists the CVCN in evaluating the security of ICT products, services, and systems of entities included in the PSNC.
When a laboratory assesses products and/or services within the PSNC, it must operate according to strict and clear principles, among which confidentiality and impartiality stand out, as required by the ISO/IEC 17025 standard. This international standard is considered a cornerstone of LAP operations, to the extent that it is incorporated into the Italian regulatory framework (Art. 8, DPCM 92/2022).
In an era where every vulnerability can become a gateway for cyberattacks—with potentially enormous and complex impacts to manage, let alone resolve—ensuring confidentiality and impartiality reflects responsibility and commitment to the public interest. These principles are not merely regulatory obligations but constitute the ethical and operational foundation of a credible digital security system.
The principle of confidentiality requires that all technical, design, and operational information obtained during testing activities be handled with the highest level of protection. Laboratories often access critical details about software, devices, or architectures which, if disclosed, could compromise the entire national infrastructure. Safeguarding this data is not a mere formality but a concrete measure to prevent vulnerabilities and external threats, which are increasingly frequent given the current geopolitical context.
Similarly, the principle of impartiality ensures that assessments are entirely independent of economic, political, or relational interests. Even in the presence of commercial relationships with evaluated entities, the laboratory must demonstrate that no influence compromises the objectivity of its assessments. In other words, there must be no conflict of interest capable of altering the outcomes of testing activities or undermining the reliability of technical judgments.
Conclusions
In conclusion, a company that successfully completes the accreditation process and operates a LAP holds a prominent market position, as these laboratories concretely enhance digital and certification capabilities aimed at achieving complete technological autonomy.
For a company, owning a LAP is synonymous with technological advancement dedicated to cybersecurity protection, as well as regulatory compliance ensured through research and development of solutions that keep pace with the digital world’s demands, all within a highly complex regulatory framework.
The authors
Erica Onorati, Law Graduate from LUISS Guido Carli University in Rome with a thesis in civil law entitled “The renegotiation clauses,” focusing on the analysis and applicability of renegotiation in contractual matters. She then obtained an Executive Master’s Degree from the Il Sole 24 Ore Business School in Cybersecurity and Data Protection, focusing on the analysis of strategies to protect corporate assets and prevent cyber risks. Specializing in the civil law profile, she has delved into topics related to contractual and non-contractual liability and corporate and commercial law. After several experiences gained in the legal field in corporate contexts as a corporate lawyer, she currently holds the position of Legal Supervisor in Telsy, with a focus centered on the management of corporate contracts, legal advice provided to the business lines involved in the various areas of corporate operations, extraordinary transactions, and corporate secretarial work.
Niccolò Francesco Terracciano, a law student at LUISS Guido Carli University in Rome, has gained experience in non-profit associations, having the opportunity to deepen his knowledge related to commercial law and business consulting. Currently, he holds the position of Legal Specialist in Telsy where he is developing, in the corporate field, the theoretical knowledge learned during his studies in civil, corporate and new technology law.
Marco Rosafio, Law Graduate from the LUISS Guido Carli University in Rome with a thesis in bankruptcy law; he has obtained, at the same University, a Level II Master’s Degree in Business Law. He has collaborated with a law firm working in the areas of business contracts, corporate law and litigation. Currently, he holds the position of Legal Assistant in Telsy, delving into the same issues within the corporate context.
Alessio De Simone, Law graduate from Roma Tre University with an experimental thesis in criminal law titled “Anti-Mafia Asset Prevention Measures”, specialized in prosecutorial strategies in this field. He later completed a second-level Master during the School of Specialization for Legal Professions. This academic path led to an internship at the Anti-Terrorism division of the Public Prosecutor’s Office, completed with positive evaluations. He currently serves as Liaison Officer for the CVCN at Telsy’s Accredited Testing Laboratory.
Aurora Avignoni, Criminology graduate from the University of Greenwich, London, later completed a Master’s in Cyber Intelligence and Strategic Protection of the National System, focusing on national security and the protection of strategic information. Over the years, she developed cross-disciplinary expertise in data protection at leading consultancy firms. She currently serves at Telsy as a Specialist in Golden Power and the National Cybersecurity Perimeter and is responsible for security at the Futuring Technology Center, Telsy’s Accredited Testing Laboratory, recognized by the National Cybersecurity Agency (ACN).