News

On June 28, 2024, the Italian Government approved Law No. 90, titled “Provisions on the Strengthening of National Cybersecurity and Cybercrimes”, to enhance national cybersecurity measures and increase the prevention and punishment of cybercrimes.

What are cybercrimes?

Cybercrime can be defined as an illegal activity that exploits information technology and digital networks to commit crimes that harm individuals, businesses and institutions.

Different types of conduct can be traced back to cybercrimes. The most common include:

• Hacking: unauthorized access to computer systems or networks.
• Phishing: fraud via deceptive emails or websites aimed at stealing personal data.
• Malware: disseminating harmful software such as viruses, ransomware, and spyware.
• Cyberstalking: online harassment or threats.
• Cyber espionage: the collection of confidential information by unauthorized entities.
• DoS: Denial of Service, which involves overloading a system to make it inaccessible to legitimate users.

Cybercrimes and their impact on corporate reputation

Cybercrimes can cause significant reputational damage to businesses. A cyberattack, such as a data breach, can result in the theft of sensitive information or patents, undermining the trust of clients, suppliers, and business partners.

The consequences of such crimes are not limited to reputational damage: in addition to harming the company’s image, they can lead to customer loss or decreased sales. Furthermore, companies affected by cybercrimes often face high costs for crisis management and for improving cybersecurity measures.

Cybersecurity and cybercrimes: what’s new in Law No. 90 of June 28, 2024

Law No. 90 of June 28, 2024, is divided into two sections: the first (Articles 1 to 15) addresses new developments in cybersecurity, while the second (Articles 16 to 23) introduces several amendments regarding cybercrimes and the coordination of responses to attacks on computer or telematic systems.

In detail, the new provisions in the first section of Law No. 90/2024 aim to:

• Expand the range of entities required to notify relevant cybersecurity incidents.
• Improve the methods and timing of responses by the obligated entities when notified by the National Cybersecurity Agency of specific vulnerabilities.
• Establish cybersecurity structures within Public Administrations, with a designated point of contact for the National Cybersecurity Agency.
• Ensure that Public Administrations adopt cryptographic solutions in line with the guidelines of the National Cybersecurity Agency.
• Grant the National Cybersecurity Agency the authority to conduct inspections and impose penalties.
• Regulate public contracts for IT goods and services used for strategic national interests.

The numerous amendments introduced by the second section of Law No. 90/2024 include:

• Increased penalties under Article 615-ter of the Criminal Code (unauthorized access to a computer or telematic system).
• Increased penalties under Article 615-quater of the Criminal Code (unauthorized possession, dissemination, and installation of equipment, codes, and other means to access a computer or telematic systems).
• Repeal of Article 615-quinquies of the Criminal Code (unauthorized possession, dissemination, and installation of equipment, devices, or software to damage or disrupt a computer or telematic system).
• Increased penalties under Article 617-bis of the Criminal Code (unauthorized possession, dissemination, and installation of equipment and other means to intercept, obstruct, or disrupt telegraphic or telephone communications or conversations).
• Increased penalties under Article 617-quater of the Criminal Code (unlawful interception, obstruction, or disruption of computer or telematic communications).
• Increased penalties under Article 617-quinquies of the Criminal Code (unauthorized possession, dissemination, and installation of equipment and other means to intercept, obstruct, or disrupt computer or telematic communications).
• Increased penalties under Article 617-sexies of the Criminal Code (forgery, alteration, or suppression of the content of computer or telematic communications).
• Introduction of Article 623-quater of the Criminal Code (mitigating circumstances), providing for reduced penalties when the offense is of minor significance and reducing penalties by half to two-thirds for those who act to prevent further consequences of the criminal activity.
• Amendment of Article 629 of the Criminal Code (extortion), including paragraph 3 to cover actions under cybercrimes.
• Increased penalties under Article 635-bis of the Criminal Code (damage to computer data, information, and programs) and the amendment of paragraph 2.
• Comprehensive amendment of Article 635-ter of the Criminal Code (damage to public or publicly significant computer data, information, and programs).
• Increased penalties under Article 635-quater of the Criminal Code (damage to a computer or telematic systems) and amendment of paragraph 2.
• Introduction of Article 635-quater1 of the Criminal Code (unauthorized possession, dissemination, and installation of equipment, devices, or software to damage or disrupt a computer or telematic system).
• Comprehensive amendment of Article 635-quinquies of the Criminal Code (damage to publicly significant computer or telematic systems).
• The introduction of Article 639-ter of the Criminal Code (mitigating circumstances) provides for reduced penalties when the offense is of minor significance and reduces penalties by half to two-thirds for those who act to prevent further consequences of criminal activity.
• Amendment of Article 640 of the Criminal Code (fraud), with the inclusion of paragraph 2-ter, covering offenses committed through computer or telematic tools capable of concealing the perpetrator’s or another person’s identity (so-called computer fraud).
• Various amendments to the Code of Criminal Procedure and Article 24-bis of Legislative Decree No. 231/2001 (cybercrimes and unlawful data processing), with increased penalties for the entity.

In light of these new provisions and amendments introduced by Law No. 90/2024, it is clear that cybersecurity and cybercrime issues are becoming increasingly central today. Therefore, individuals and businesses should seek advice from competent legal professionals to understand potential risks and protect themselves effectively in out-of-court settlements and, if necessary, in court.