MIMIT and Cyber 4.0: The Cybersecurity Awareness Program for PAs, a piece of the National Cybersecurity Strategy

Cyber 4.0, April 15, 2024

The Ministry of Enterprise and Made in Italy (MIMIT) and Cyber 4.0 together for a major cyber security training and awareness initiative for the top levels of the Italian Public Administration (PA).

The initiative, which is part of the framework of actions in charge of MIMIT in the context of the National Cybersecurity Strategy, aims to provide basic notions on the framework of national and international cyber threats, regulatory, normative and policy aspects, best practices in risk management, both of the respective organizations and staff, and finally the broader framework of the Strategies and the role that the relevant Ministry has.

The courses were launched in 2023, with a series of seminars aimed at MIMIT General Managers, co-designed and delivered by Cyber 4.0 and some of its academic partners (Sapienza and Luiss Universities), and with the participation of the National Cybersecurity Agency (ACN).

The interest aroused by this initial implementation has led other public administrations to request the development and delivery of similar training courses for their top management, with the aim of promoting basic cybersecurity knowledge and skills in their respective directorates general.

Therefore, in coordination with MIMIT, the Center has developed, starting in April 2024, an extensive training program that already involves some central PAs:

• the Ministry of the Interior, and in particular the National Fire Department, in April;
• The Ministry of Economy and Finance, and in particular the State General Accounting Office, in May;
• the Ministry of Environment and Energy Security, in June.

Other administrations would follow in the months that followed, reflecting a growing awareness, including at apex levels, of the risks associated with the increased cyber threat in the national and international landscape, and the resulting regulatory proliferation at the European level.

In particular, Italy in 2022 saw an increase in cyberattacks of 169% over the previous year, confirming a further increase of 65% in 2023.

Similar trends have also been seen at other European Union member states, making a joint response to the problem urgent. Starting this year, the European cybersecurity regulatory agenda includes a tight schedule that will see several directives and regulations come into effect.

This changing scenario, exacerbated by exogenous factors such as geopolitical tensions and the push toward pervasive digitization, implies an increasing involvement of public institutions.

In fact, these will be called upon to play a key coordinating role, not only in passive fulfillment of European regulations, but also in response to the direct mandates set forth in the National Cybersecurity Strategy.

It is therefore increasingly necessary to define a training and awareness program coordinated at the Country System level that is able to provide practical support to Public Administrations in a short time. The initiative promoted by MIMIT, and co-organized by Cyber 4.0, has as its main objective precisely to respond to this need by promoting a top-down process of awareness raising starting from the general directorates.

Covering topics ranging from major cyber threats to the regulatory framework, from cyber risk management to the principles of cyber hygiene, the seminar series offers a capacity building and upskilling program aimed at increasing the knowledge and awareness of directors general in specific areas of cybersecurity. A special focus will be devoted to the specific role that the administrations involved will be called upon to play in the context of regulatory adjustments and within the National Cybersecurity Strategy.

Among the most relevant aspects, some topics, such as fulfillments related to the “Network and Information Security 2” (NIS-2) Directive and the “National Cyber Security Perimeter” (PSNC), will cross-cuttingly cover all administrations involved. While specific insights will be devoted within individual courses to sector directives and regulations such as the “Digital Operational Resilience Act” (DORA), the “Cyber Resilience Act” (CRA), “theArtificial IntelligenceAct” (AI Act) and the “Critical Entities Resilience” (CER) Directive.