Logo dell'Agenzia per la cybersicurezza nazionale
Agenzia per la cybersicurezza nazionale

Italy’s Cloud Strategy

The Italian Cloud Strategy contains the guidelines for the migration to the qualified cloud of the Public Administration. It was published in September 2021 and implemented by the Department for Digital Transformation of the Presidency of the Council of Ministers and the National Cybersecurity Agency (ACN).

The strategy responds to three main challenges: ensuring the country's technological autonomy, guaranteeing control over data and increasing the resilience of digital services. Consistent with the objectives of the National Recovery and Resilience Plan, the document outlines a defined path to accompany approximately 75 per cent of Italian Public Administrations in migrating their data and IT applications to a qualified cloud environment.

Through the cloud-first approach, the aim is to guide and foster the secure, controlled and complete adoption of cloud technologies by the public sector, in line with privacy protection principles and the recommendations of European and national institutions. In this way, digital infrastructures will be more reliable and secure and the Public Administration will be able to respond in an organised manner to cyber attacks, guaranteeing continuity and quality in the use of data and services.


The implementation of the strategy envisages the adoption of a regulation by the Agenzia per l'Italia Digitale (Agency for Digital Italy), aimed at defining criteria and operational steps for its adoption by Italian administrations.

Following the provisions of the Regulation, on 18 January 2022 ACN, in agreement with the Department for Digital Transformation, prepared:

  • The model for the preparation of the list and classification of Public Administrations' data and services
  • Further characteristics of cloud services and qualification requirements

The three strands of the strategy

The Italian Cloud Strategy is developed according to three guidelines that will guide entities in the choices to be made with respect to the various solutions for migration to the cloud:

The classification of data and services

The purpose of the classification of data and services is to define a process for classifying data according to the damage that their compromise could cause to the country's system (strategic, critical and ordinary). The result of the classification makes it possible to standardise and guide the process of migration to the PA Cloud.

The classes are:


Data and services whose compromise could have an impact on national security.


Data and services whose compromise could have an impact on the maintenance of functions that are relevant to society, health, security and the economic and social well-being of the country.


Data and services the compromise of which would not result in the interruption of state services or, in any case, in a prejudice to the economic and social well-being of the country.