Minimum ICT security measures for public administrations

The minimum ICT security measures issued by AgID aim at countering the most frequent cyber threats to the Italian public administration.

As of 31 December 2017, the percentage of PAs that have aligned themselves with the required measures can be verified on the dedicated dashboard.

What the security measures consist of

The measures consist of technological, organisational and procedural controls, with three levels of implementation.

level 1: mandatory for every public administration

level 2: The minimum level is mandatory for each public administration

The subsequent levels require more complete protection systems. They concern organisations that are most exposed to risks due to the critical nature of the information processed or services provided.

The minimum measures also provide for public administrations' access to early warning services to keep up with new security vulnerabilities. In this regard, CERT-PA provides information services to all accredited administrations.

PA Responsibilities

The organisation, innovation and technologies manager (or a designated manager) is responsible for upgrading the security measures, as indicated in the DAC (Digital Administration Code, art. ***). The executive manager responsible for the implementation of the measures must fill in and digitally sign the "Implementation form" attached to the Circular.

Regulatory references above in Link section

Download implementation forms