Minimum ICT Security measures
The Agency for Digital Italy (AgID) has launched an awareness-raising initiative to inform public administrations of the countermeasures to adopt in order to minimise potential economic and reputational damage, in full alignment with the provisions of the Three-Year Plan for Information Technology in Public Administration.
In light of the increasing risks, the Agency for Digital Italy (AgID) has issued the Minimum ICT Security Measures for Public Administrations, with the aim of identifying the technological, organisational and procedural measures to be adopted in order to counter the most common and frequent threats to their information systems.
The document defines a set of technological, organisational and procedural controls known as Critical Security Controls (CSC), as well as three levels of implementation. The minimum level is the one that every public administration, regardless of its nature and size, must comply with or bring itself into compliance with.
The higher levels represent more advanced stages capable of providing more comprehensive levels of protection. These levels should be adopted immediately by organisations that are more exposed to risks (for example, due to the critical nature of the information processed or the services provided), and should also be regarded as improvement targets by all other organisations.