Big Cover - 2020-08-25T181432.313 (1)

Cloud Service Providers and Public Administration. How to obtain AgID certification

The cloud transformation is revolutionizing how public administration services are provided


The digital transformation of the Italian Public Administration (PA) is a very current issue.
Over the last few years, Italian institutions have regulated this area through a large number of interventions, such as the “Piano Triennale per l’Informatica nella Pubblica Amministrazione 2019 – 2021” (2019-2021 three-year IT plan for the Public Administration) from the Agenzia per l’Italia Digitale (Agency for Digital Italy). This document establishes one of the core principles of the Italian public administration’s digital transformation strategy, in other words “cloud first”: from 1 April 2019, public administration bodies which intend to define new projects must favor the adoption of cloud solutions over any other technology.

The possibility to remotely make use of software and hardware resources offered by a cloud provider involves numerous advantages in terms of system reliability, the quality of service provided, and cost savings – with the possibility of pay-per-use billing.

The adoption of cloud services represents the key to the digital transformation, allowing for a revolution in the supply of the Public Administration’s services.

Over the next few years, we can reasonably expect that non-cloud service providers will see ever-greater reductions in their PA market share, while Cloud Service Providers (CSPs) will be able to benefit from an interesting business opportunity – as long as they are able to guarantee compliance with the security standards defined by AGID and obtain the qualification required to perform such activities within the PA.

Cloud computing

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. [Definition from the National Institute of Standards and Technology (NIST)]

There are three types of services which can be supplied via cloud architecture: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service).

IAAS - Infrastructure as a Service. This type of service provides the user with hardware infrastructure, while the applications and the platform to be installed are defined and managed directly by the users, who may also be able to manage some network components (e.g. firewalls) in a limited manner.
PAAS - Platform as a Service. A programming interface is provided through which users can develop applications they have created themselves or purchased from third parties, using programming languages, libraries, services and tools supported by the provider. The customer does not manage or control the underlying cloud infrastructure, including the network, servers, OSs, memory etc., but has control over the applications and, where applicable, the configuration of the environments on which they are hosted.
SAAS - Software as a Service. This involves a fully-managed service in which the provider (CSP) is responsible for its provision, configuration, roll-out and maintenance (using their own or a third-party cloud infrastructure), leaving the user only to make use of the functionalities provided.

What is changing for suppliers of Public Administration bodies?

The “Piano Triennale per l’Informatica nella Pubblica Amministrazione 2019–2021” (2019-2021 three-year IT plan for the Public Administration) states that public administration bodies which wish to create a new project or develop a new service must favor the adoption of cloud computing over any other technology.

It has also been established that, from 1 April 2019, all providers of cloud services to the PA must be an approved infrastructure and services provider, that is a supplier able to guarantee the security requirements requested by AGID.

From this point on, therefore, PA bodies can only purchase IaaS, PaaS, and SaaS services approved by the Agency and published on the Cloud Marketplace.

For Cloud Service Providers with contracts in force as of 1 April 2019, this approval is not required – but if they do not hold it, it will not be possible for further cloud service supply contracts to be signed with the PA.

The approval criteria for cloud infrastructure and services which can be supplied to PA bodies are laid down by two AgID memoranda:

  • Memorandum no. 2/2018 establishes the criteria for approval of Iaas and Paas cloud services
  • Memorandum no. 3/2018 establishes the criteria for approval of Saas cloud services.

Approval Requirements

The AgID memoranda establish two types of requirements which must be met for approval: organizational requirements and specific requirements.

1. Organizational Requirements

These are a series of “high-level” and experience-based organizational requirements.

For example, the CSP must prove that:

  • They are able to handle “critical situations” (es. disaster recovery), to carry out tests on data integrity and recovery, where necessary.
  • The services offered are covered by an appropriate quality management system.
  • They have 24/7 customer support available.
  • They have formalized and adopted specific change management, configuration management, and incident management processes and procedures.
  • They are fully transparent in their contractual relationships.

2. Specific Requirements

The specific requirements relate to the following topics:

  • Security, privacy and data protection requirements   
    The CSP must hold certification to ISO/IEC 27001 (information security management system) extended with the controls of ISO/IEC 27017 (controls for cloud services) and ISO/IEC 27018 (guidelines for the protection of personal data in the cloud).
    The certification must have been issued by accredited certification body. 
  • Performance and scalability requirements      
    The CSP is required to declare the quality offered and the reliability of the service throughout its lifecycle.     
  • Interoperability and portability requirements   
    The approved services must allow for interoperability with other services of the same type, through the use of open standards and appropriate Application Programming Interfaces (APIs).          
    The Cloud Service Provider must ensure the PA is able to migrate its applications to another provider in a secure manner, guaranteeing it the possibility to extract and remove its data at any time.
  • Legislative conformity requirements    
    The Cloud Service Provider must provide the PA with the information and tools required to allow it to comply with Italian and European legislation within the scope of the use of the approved services and infrastructure. Particular importance is given to data protection regulations.   

In order to be able to have its services approved and to enter into contracts with the PA, a Cloud Service Provider must therefore carry out a series of activities which require a high level of specialization (management systems, technological solutions, and legal and compliance expertise).

The AgID qualification path

Lutech’s Advisory Team accompanies Cloud Service Providers along the qualification path, allowing them to optimize their efforts and channel the expertise required to receive AgID approval in a short timeframe.
Lutech’s professionals boast many years of experience in the various fields required to obtain this certification. They are people who belong to multi-disciplinary teams, with the background necessary to guarantee the best support possible to Cloud Service Providers who wish to obtain AgID qualification as CSP for the PA.  

Some of the activities required to obtain AgID qualification are:

  • Management of quality processes (ISO 9001)
  • Security management extended to all environments involving the infrastructure of cloud services (ISO/IEC 27001 certification extended to ISO/IEC 27017 and ISO/IEC 27018 controls)
  • Configuration and change management
  • Incident management and recovery of infrastructure following critical events
  • Management of regulatory compliance aspects

The time required to obtain the approval is closely linked to obtaining the certifications listed above and the implementation of the service subject to the approval.

As an example, for the purposes of checking the conformity of the environments put in place by the CSP for the supply of the services to the PA, Lutech’s Advisory staff carried out the following activities:

1. Assessment & Gap Analysis

This is the phase in which all information relating to the organization, the processes and the technological infrastructure of the CSP is gathered.  

A thorough check of the levels of maturity with respect to the requirements for AgID approval is made.

2. Remediation Plan

This is the phase in which the actions which allow the CSP to reach the levels of conformity required for approval are defined, taking into account the situation observed during the assessment and the specific organization requirements.

Analysis, assessment of the current maturity status and provision of remediation plans are performed using a proprietary tool developed by Lutech.

This tool allows a comparison to be made between the current conformity status, known as AS-IS, with the desired one which meets AgID requirements, identified as TO-BE.

The results relating to the 13 organizational requirements and 13 specific requirements are provided on the basis of the presence, absence or partial presence of the AgID requirements provided for and gathered during the assessment activities.

3. Design & Build

This phase involves detailed planning and implementation of all the organizational and procedural solutions required by the remediation plan which will allow AgID certification to be obtained.

4. Qualification & Optimization

In the final phase, the CSP is provided with support in obtaining approval, which will be issued following specific audits and checks on the requirements laid out in the memoranda. Continuing support and optimization services can also be provided for the IT, governance and compliance processes in line with the requirements of the contracting PA body.

Contact Lutech Advisory team and obtain AgID certification

Ti invitiamo a prendere visione dell' informativa marketing.

Inserire un valore
Inserire un valore
Inserire un'email valida
Inserire un numero di telefono valido
Inserire un valore
Inserire un valore
Inserire un valore

By clicking the "Confirm" button, I declare that I have read and understood the Marketing Disclaimer

I agree to receive commercial and promotional communications relating to services and products as well as information messages relating to marketing activities, as explained in the aforementioned Disclaimer

Per favore, seleziona la casella.

Si è verificato un errore, si prega di riprovare più tardi

Thank you for your interest!
We have received your contact request; we will be in touch shortly to further discuss your business requirements.


Vision & Trends on Digital Transformation