Description
Context:
The document "16. Politiche Generali di Conservazione dei Log" defines "Entità Organizzative" as Wallet Providers, Credential Providers, and Relying Parties. However, based on the implementation details for Regions ("dettagli implementativi per l’Avviso PA digitale 2026"), Authentic Sources (Fonti Autentiche) play a critical role by providing the official data used by Credential Issuers to generate Electronic Attestation of Attributes (EAA).
Problem:
There is a lack of explicit mention of Authentic Sources within the logging and retention policies in Chapter 16. Since Authentic Sources are required to comply with IT-Wallet Technical Specifications, it is unclear whether:
- They are implicitly included under the "Entità Organizzative" umbrella.
- They should follow the same 12-month retention period as other providers.
- They should be explicitly listed or excluded to avoid regulatory ambiguity regarding GDPR accountability.
Proposed Change:
- Clarify if Authentic Sources are considered "Entità Organizzative" for the purpose of log management.
- If so, consider adding a specific section (e.g., 16.1.5) or updating the general definitions to explicitly include them, ensuring alignment with ISO/IEC 27001 requirements for auditing and incident response.
- Define if the "12-month" general retention rule applies to the logs of the API endpoints exposed by Authentic Sources on the PDND platform.
Impact:
This clarification is essential for Regional and Provincial Authorities (Soggetti Attuatori) responsible for exposing EAA data via APIs, as they must ensure formal compliance with security audits and DTD (Department for Digital Transformation) inspections.
| Organizational Entities are responsible for log retention according to their respective roles. The solutions of Wallet Providers, Credential Providers and Relying Parties MUST implement audit logging for the activities of administrators and service operators with access to data-exchange processes and to the logs. |