AuditXYZ

Compliance Framework

AgID Cloud Security Qualification for Public Administration

AgID/ACN cloud qualification is required for cloud services serving Italian public administration. This guide covers qualification levels, security requirements, and the path to serving Italian government clients.

$25,000–$150,0003–9 monthsAudit Required2023 (transferred to ACN oversight)
Request a ConsultationSee process
Issuing BodyAgenzia per l'Italia Digitale (AgID) / Agenzia per la Cybersicurezza Nazionale (ACN)
First Published2018-06-01
Latest Version2023 (transferred to ACN oversight)
Typical Cost$25,000–$150,000
Typical Timeline3–9 months
Audit RequiredYes
Audit FrequencyQualification valid for a defined period. Continuous compliance monitoring required with periodic requalification.
Geographyitaly, european-union

AgID: Italy Cloud Security Qualification Guide

Italy's cloud qualification framework, originally established by AgID (Agenzia per l'Italia Digitale) and now overseen by ACN (Agenzia per la Cybersicurezza Nazionale), defines the security and compliance requirements that cloud services must meet to serve Italian public administration. As part of Italy's national cloud strategy and digital transformation agenda, the framework ensures that government data is hosted on qualified, secure infrastructure.

What AgID Cloud Qualification Covers

The framework classifies public administration data into three categories: ordinary, critical, and strategic. Each category maps to specific qualification levels (QI1 through QI4) with progressively stringent security, availability, and data sovereignty requirements. Strategic data — including data critical to national security — requires the highest qualification levels with strict Italian or EU data residency.

Qualification requirements cover information security management (aligned with ISO 27001), service continuity and disaster recovery, data portability and interoperability, compliance with Italian and EU data protection regulations, and transparency about infrastructure and supply chain.

Who Needs AgID/ACN Qualification

Cloud service providers (IaaS, PaaS, SaaS) seeking to serve Italian public administration entities must obtain the appropriate qualification level. This includes both Italian and international cloud providers. The framework applies to central government, regional authorities, municipalities, public healthcare entities, and publicly funded organizations. Italy's Cloud First policy directs public entities to adopt qualified cloud services, creating significant market demand.

Implementation Approach

Determine the target qualification level based on the data classification your service will handle. Assess your current compliance against the qualification requirements. Obtain prerequisite certifications — ISO 27001 is typically required for higher qualification levels. Prepare the qualification application with supporting documentation including security policies, service level commitments, and architecture descriptions. Submit through the ACN qualification portal and respond to any assessment findings.

Cost Considerations

Qualification costs range from $25,000 for lower-level qualifications with simple services to $150,000 for strategic-level qualifications requiring extensive security controls and Italian data residency. International cloud providers may face additional costs for establishing Italian or EU infrastructure. The investment provides access to Italy's public sector digital transformation spending, which totals billions of euros under the National Recovery and Resilience Plan.

Get the AgID starter pack

By submitting, you agree to our privacy policy.

Framework Mappings

Related frameworks

iso-27001c5enscsa-ccm

Get matched with a AgID auditor in 24 hours

Free, no-obligation — just tell us your email and we'll do the rest.

By submitting, you agree to our privacy policy.

Related Frameworks

C5
Framework
C5 is the German BSI's cloud computing compliance criteria catalogue. This guide covers the 17 control domains, Type 1 and Type 2 reports, and how C5 attestation supports German and EU cloud markets.
View
CSA CCM
Framework
The CSA Cloud Controls Matrix is the leading cloud security control framework. This guide covers CCM v4 domains, STAR assessment levels, and how to use CCM for cloud security governance.
View
ENS
Framework
ENS is Spain's mandatory security framework for public sector information systems. This guide covers system categorization, security measures, certification requirements, and compliance for cloud providers.
View
ISO 27001
Framework
ISO 27001 is the international gold standard for information security management. This guide covers everything from scoping to certification, with real costs, timelines, and practical implementation advice.
View

Recommended Tools

6clicks Review 2026: Pricing, Features, and Verdict
Tool
Review of 6clicks, the AI-powered GRC platform with hub-and-spoke architecture. Covers Hailey AI, multi-entity support, pricing, and ideal use cases.
View
Akitra Review 2026: Pricing, Features, and Verdict
Tool
Review of Akitra, a compliance automation platform with broad framework coverage including FedRAMP and CMMC. Covers pricing, features, and who should use it.
View
Anecdotes Review 2026: Pricing, Features, and Verdict
Tool
Review of Anecdotes, a compliance OS that aggregates security tool data. Covers the aggregation approach, AI gap analysis, and comparison with Vanta.
View
Anecdotes Trust Center Review 2026: Pricing, Features, and Verdict
Tool
Review of Anecdotes Trust Center, the compliance-as-code trust portal. Covers live compliance sync, developer-friendly approach, pricing, and positioning.
View