Italy's National Cybersecurity Perimeter mandates PKI-based access control and certificate-based authentication for strategic organizations operating within the national cyber perimeter.
The Perimetro di Sicurezza Nazionale Cibernetica (Law 133/2019, implemented via DPCM 2021) establishes Italy's national cybersecurity perimeter. It identifies strategic entities — both public and private — whose ICT systems and networks must meet enhanced security requirements to protect national interests.
The ACN (Agenzia per la Cybersicurezza Nazionale) oversees compliance, requiring certificate-based authentication, encrypted communications, and rigorous access control for all systems within the perimeter. Entities must notify incidents within 6 hours and undergo security assessments for ICT procurement.
As Italy aligns with the EU NIS2 Directive transposition, the Perimetro framework continues to evolve, reinforcing the critical role of PKI infrastructure in securing the nation's most strategic digital assets.
Public and private organizations whose ICT systems are critical to national security are formally identified and included within the cybersecurity perimeter.
Entities must maintain a comprehensive inventory and classification of all ICT assets, networks, and systems operating within the perimeter.
Technical and organizational security measures must be implemented for all ICT systems and networks within the cybersecurity perimeter.
Entities must notify CSIRT Italia of security incidents within 6 hours of detection, requiring rapid response capabilities and real-time monitoring.
ICT products and services procured by perimeter entities must undergo security evaluation by the CVCN (Centro di Valutazione e Certificazione Nazionale).
All perimeter systems must enforce certificate-based authentication and encrypted communications for access control to strategic ICT resources.
Italy enacts the foundational law establishing the National Cybersecurity Perimeter, defining the framework for identifying strategic entities.
A DPCM published in February 2020 lists the criteria for identifying entities and ICT systems within the perimeter.
DPCM of June 2021 defines mandatory security measures for perimeter systems, including certificate-based authentication requirements.
The Agenzia per la Cybersicurezza Nazionale becomes fully operational, overseeing compliance and incident response for the perimeter.
Ongoing alignment of perimeter requirements with the EU NIS2 Directive transposition into Italian law, strengthening cross-border consistency.
The Perimetro directly impacts how strategic entities manage their PKI infrastructure and digital certificates. Here are the critical areas:
All perimeter systems must enforce certificate-based authentication, requiring robust certificate issuance, management, and validation processes.
TLS/mTLS certificates must secure all communications between entities within the perimeter, ensuring data confidentiality and integrity at the national level.
Every ICT asset within the perimeter must be identifiable via device certificates, enabling inventory tracking and security assessment compliance.
Security assessment requirements demand full certificate lifecycle traceability — from issuance to revocation — with audit trails for ACN inspections.
ICT asset certificate inventory — Horizon discovers and catalogs all certificates across perimeter systems, providing the comprehensive ICT asset visibility required for compliance.
Rapid incident response — Automated certificate management ensures certificates can be revoked and reissued within the 6-hour incident notification window.
Sovereign PKI infrastructure — Stream delivers a national-grade PKI with CA/RA/VA/TSA capabilities, HSM integration, and ANSSI certification for sovereign security requirements.
ACN policy enforcement — Built-in policy engine enforces certificate standards aligned with ACN security measures, ensuring continuous compliance.