The role of ISO certifications in ACN cloud qualification: security and quality for the Public Administration

Certifications issued by the International Organization for Standardization (ISO) are internationally recognized standards that define benchmark requirements for management systems across many fields and operational sectors. For companies, their importance is therefore not merely recommended but often effectively mandatory, since they create a bridge between globally established standards and nationally adopted requirements.

In this context, among the sectors affected by ISO standards is the use of Cloud services by the Italian Public Administration, which has undergone a profound transformation following the entry into force of the Regulation on Digital Infrastructures and Cloud Services for Public Administrations, adopted by the National Cybersecurity Agency (ACN) through Director’s Decree No. 21007/2024. This regulation places service qualification at the core of ensuring security, reliability, and quality of such services.


The role of ISO certifications in ACN cloud qualification

The creation of shared technical and quality standards aimed at harmonizing business practices within the international community dates back to the end of the Second World War, with the establishment of the International Organization for Standardization (ISO), tasked with defining and issuing ISO standards.

The purpose of these standards can also be inferred from the etymology of the term “ISO,” which, contrary to common belief, is not merely an acronym but derives from the Greek word isos (ἴσος), meaning “equal,” highlighting the goal of international uniformity and harmonization.

These standards do not concern only highly technological sectors but also cover many aspects of everyday life. For example, in the medical field, with regard to quality and effectiveness assurance for medical devices and healthcare products, ISO standards establish internationally uniform design and manufacturing criteria for medical equipment, aligning legal commercialization requirements across relevant markets and adopting a risk assessment and risk management approach throughout the entire product lifecycle.

In addition, with regard to road traffic safety, international standards define specifications for mobile driver’s licenses (mDLs), setting requirements for secure storage and simplified ID verification, with multiple functional implications — from identity checks during hotel check-in to the opening of bank accounts — based on interoperability across different legal systems, as well as security and scalability in the storage of processed personal data.

ISO standards also address highly topical issues such as the promotion of a corporate organizational culture grounded in Diversity & Inclusion. These standards encourage both public and private organizations to adopt recruitment and human resource models based on social sustainability, balancing the diverse interests of various stakeholders. Furthermore, in order to ensure employee wellbeing — with particular attention to workers’ psychological needs — ISO certifications promote organizational structures capable of balancing business productivity requirements with employees’ personal needs, taking into account the so-called human factor.

Another sector deeply shaped by ISO standards is the digital sector, particularly cloud infrastructures. With the entry into force of the Regulation on Digital Infrastructures and Cloud Services for Public Administrations (Director’s Decree No. 21007/2024, effective as of August 1, 2024), compliance with ISO standards has become essential for organizations intending to interface with the Public Administration by offering cloud services. This is because service qualification has become a central element in ensuring uniformity, security, reliability, and service quality. In line with the strategic objectives identified by the Authority for the adoption of these standards, service providers have implemented continuous monitoring and improvement mechanisms (Plan-Do-Check-Act), necessary for maintaining their accreditation with ACN.

In this context, certifications play a role that is not merely recommended but often effectively mandatory for organizations, creating a bridge between globally established standards and national regulatory requirements. Today, certifications can no longer be considered a simple added value; instead, they serve as essential evidence to demonstrate that companies comply with the technical and organizational requirements set by ACN and thus obtain the qualification level required to operate and interface with the Public Administration.

In particular, ACN has identified as central the certifications related to Service Management (ISO/IEC 20000) and Business Continuity (ISO 22301). In the Cloud and IT sector, several ISO certifications have become pillars of compliance with the highest levels of best practices. These include ISO/IEC 27001 for Information Security Management Systems (ISMS), ISO/IEC 27017 and ISO/IEC 27018 for the provision and use of cloud services in compliance with GDPR principles, ISO/IEC 20000-1 for Service Management Systems (SMS) concerning the quality of delivered IT services, and ISO 22301 for Business Continuity Management Systems (BCMS) in disaster recovery management.

The ACN Regulation also defines different qualification levels (QC1–QC4 for private providers and AC1–AC4 for public operators), depending on data classification as ordinary, critical, or strategic. For higher qualification levels, ACN requires possession of multiple ISO certifications. For example, for QC2 and above, ISO/IEC 20000 (Service Management) certification is required, while for QC3 and above, ISO 22301 (Business Continuity) certification is also required.

In conclusion, the ACN Regulation has not only formally defined the role of ISO certifications by identifying their characteristics and functions, but has effectively institutionalized them, transforming these standards from market benchmarks into regulatory prerequisites for organizations and service providers seeking access to the Italian Public Administration cloud market. This approach has significant practical implications: it raises the required national cybersecurity threshold and promotes cloud adoption based on standards of excellence and transparency, which are essential for the country’s secure digital transformation.



The authors

Erica Onorati is a Law Graduate from LUISS Guido Carli University in Rome, with a thesis in civil law entitled “The renegotiation clauses,” focusing on the analysis and applicability of renegotiation in contractual matters. She then obtained an Executive Master’s Degree in Cybersecurity and Data Protection from the Il Sole 24 Ore Business School, focusing on the analysis of strategies to protect corporate assets and prevent cyber risks. Specializing in civil law, she has delved into topics related to contractual and non-contractual liability and corporate and commercial law. After several experiences in the legal field in corporate contexts as a corporate lawyer, she currently holds the position of Legal Supervisor at Telsy, with a focus on the management of corporate contracts, legal advice provided to the business lines involved in the various areas of corporate operations, extraordinary transactions, and corporate secretarial work.

Federico Severoni is a Senior professional with over six years of experience in Governance, Risk and Compliance (GRC), specializing in critical infrastructures and the ICT sector. He currently serves as a Quality and GRC Specialist at Telsy S.p.A. (TIM Group). A certified Lead Auditor for ISO 27001 and ISO 9001 standards, he has led compliance processes for an Accredited Testing Laboratory recognized by the National Cybersecurity Agency (ACN). He holds an MBA and specialized training in IT Management from SDA Bocconi.

Federica Lucrezia Romeo graduated in Law from La Sapienza University in Rome with a thesis in criminal law entitled “Risk nexus and interruption of the causal relationship in the most recent jurisprudential developments,” which earned her an internship at the Public Prosecutor’s Office in Frosinone. Previously, she worked as a lawyer; she currently holds the position of Legal Specialist at Telsy.

Niccolò Francesco Terracciano is a law student at LUISS Guido Carli University in Rome. He has gained experience in non-profit associations, where he had the opportunity to deepen his knowledge of commercial law and business consulting. Currently, he holds the position of Legal Specialist at Telsy, where he is applying, in the corporate field, the theoretical knowledge acquired during his studies in civil, corporate, and new technology law.