Paolo Galdieri : 23 September 2025 08:10
Cyberspace is no longer a marginal dimension but a true strategic operational domain. Its relevance is now comparable to that of land, sea, air, and space. Technological acceleration driven by Artificial Intelligence and widespread digitalization has transformed critical infrastructure, healthcare services, universities, and personal communications into permanent attack surfaces. In this scenario, the line between cybercrime, political activism, and state-sponsored threats has progressively blurred, giving rise to new forms of hybrid conflict.
In Italy, this transformation is reflected in the debate on the bill presented by Defense Committee Chairman Nino Minardo, which grants the Armed Forces an operational role beyond traditional warfare. The initiative is part of a process initiated by NATO, which since 2016 has recognized cyberspace as an operational domain. The urgency of the proposal stems from the exponential growth of cyber attacks targeting institutions, businesses, and citizens.
The bill introduces amendments to the Military Code, providing for the creation of an auxiliary reserve composed of former military personnel and the possibility of integrating highly specialized external expertise. These civilian personnel would support the military in digital operations and would be treated as equivalent to Armed Forces operators in some legal respects.
This is a choice that opens up innovative and at the same time complex scenarios. We are not faced with a simple outsourcing of services but with the creation of a new hybrid actor with a special justification. This institution, already envisaged for intelligence, allows for the exclusion of criminal liability for conduct carried out in institutional interests. Extension to the military domain and civilian figures, however, risks creating an area of opacity that is difficult to reconcile with the demands of transparency and the jurisdiction of ordinary judiciaries.
The context that prompted the legislator to propose this measure is clear. Between January 2023 and July 2024, Italy recorded over 19,000 cyber attacks, with an average of more than thirty per day. In the first six months of 2025, the National Cybersecurity Agency recorded a 53 percent increase compared to the previous year, with nearly three hundred and fifty incidents with confirmed impact.
The attacks primarily target the energy and water sectors, but also public administration, universities, and telecommunications. The ransomware attack that paralyzed the Lazio Region in 2021 remains a prime example of the country’s vulnerability and the potential impact of hybrid threats. Although not an act of war, the blockade of healthcare services and vaccination reservations produced effects comparable to those of a conventional military operation.
The bill inevitably sparks a debate on institutional coordination. Italy already has a single civilian authority, the National Cybersecurity Agency, tasked with preventing, mitigating, and certifying cybersecurity. The inclusion of the Armed Forces with operational functions even in peacetime raises the risk of a dual track that could replicate fragmentations experienced in the past.
Effective cyber defense, on the other hand, requires a unified strategy that defines roles and responsibilities without overlap. Defense can play a central role in the active response, while the Agency should retain its role in coordinating national resilience. Competitive rather than integrated governance risks weakening the overall system.
Western allies have already faced similar challenges. In the United States, US Cyber Command operates as a unified command with civilian oversight mechanisms and a consolidated accountability system. In the United Kingdom, GCHQ manages most operations while maintaining a clear separation between civilian and military duties.
The case closest to Italy is Germany, which established the Cyberspace and Information Command within the Bundeswehr. There, too, the issue of constitutional compatibility and parliamentary oversight remains open. The German experience demonstrates that a direct transfer of powers to the Ministry of Defense is insufficient to resolve the legal and democratic challenges of the cyber domain.
Strengthening response capacity is a strategic priority, but it cannot translate into a weakening of the rule of law. The granting of exceptional powers to specialized military and civilian personnel must be accompanied by a clear regulatory framework that defines the conditions, limits, and methods of intervention.
We also need to invest in skills through a joint cyber training center that brings together universities and industry and attracts talent with long-term tools. Transparency must remain a cornerstone even when operations require confidentiality. Parliamentary reporting cannot be a formal act but must translate into substantive oversight.
The Minardo bill represents a significant milestone in the evolution of national defense. Its relevance stems from the urgency of addressing growing threats that recognize neither borders nor declarations of war. But the real challenge for Italy is to build a cybersecurity architecture that is operationally robust, institutionally coherent, and democratically unassailable.
Only by overcoming fragmentation, defining clear rules and valorising skills, will it be possible to protect the country from hybrid wars without sacrificing civil rights and the constitutional principles that guarantee its cohesion.
Paolo Galdieri