Military Objective or Civilian Object? The Italian National Cybersecurity Agency’s Status in Case of Armed Conflict

The increasing reliance of States on cyber infrastructure for both civilian and military purposes has generated renewed debate on the protection of such infrastructure under international humanitarian law (IHL). The Italian National Cybersecurity Agency (Agenzia per la Cybersicurezza Nazionale, ACN), established to safeguard national cyber resilience, plays a critical role in the defense of Italy’s digital domain.

This post examines whether, and under what circumstances, ACN infrastructure and objects could be legitimate military objectives in the event of an armed conflict. The analysis considers the legal framework defining ACN’s status, the applicable norms of IHL in case of armed conflict, the organization of cyber operations in Italy, and the international legal framework for cyber warfare.

To contextualize Italy’s approach, the post also includes a comparative analysis of the mandates and institutional status of other national cybersecurity agencies—the French Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI), the German Bundesamt für Sicherheit in der Informationstechnik (BSI), and the American Cybersecurity and Infrastructure Security Agency (CISA)—to assess whether their protection under IHL is analogous to that of the ACN.

Legal Status of the ACN under Italian Law

Italy established the ACN by Law Decree No. 82/2021 for the protection of national interests in the field of cybersecurity, as well as national security in cyberspace. It operates as the national authority for cybersecurity. It is responsible for defining strategic guidelines, coordinating public and private sector efforts in protecting information systems, and managing the National Cybersecurity Perimeter. The Agency also plays a key role in incident prevention and response and acts as the primary contact point with European Union institutions, NATO structures, and international partners in the field of cybersecurity.

Prior to the adoption of that legislation, the institutional architecture for cybersecurity in Italy was markedly different. The governance of cyberspace was concentrated almost entirely within the intelligence services, under the coordination of the Department of Information for Security. Strategic direction, operational responses, and the protection of national information systems fell within a security–intelligence framework, with limited institutional separation between intelligence and broader resilience activities. The establishment of the ACN marked a significant shift in policy, transferring many functions from the intelligence community to a dedicated civilian agency and creating a more transparent and structured framework for national cyber governance.

The law also provides for the assignment of military personnel to the ACN, who retain their military status during such service. This arrangement means that, while the Agency is institutionally civilian, some of its members may remain subject to military discipline and may maintain operational links with the armed forces. Moreover, ACN’s mandate includes resilience functions that are purely civilian in nature—such as protecting hospitals, financial systems, and public utilities—but also encompasses activities that may intersect with national defense.

The Definition of Military Objective under IHL

IHL, as codified in Article 52(2) of Additional Protocol I to the Geneva Conventions, defines military objectives as those objects which, “by their nature, location, purpose, or use, make an effective contribution to military action, and whose destruction, capture, or neutralization, in the circumstances ruling at the time, offers a definite military advantage.” Civilian objects are protected from attack unless they meet these criteria. The principle of distinction, which obliges parties to a conflict to distinguish between civilian objects and military objectives, remains one of the cornerstones of IHL. Customary international law reflects this same principle, as recognized in the International Committee of the Red Cross Study on Customary IHL.

The application of these rules to cyber infrastructure means that a civilian agency such as the ACN is protected unless its functions or operations meet the threshold for qualification as a military objective.

ACN Functions and Potential Military Relevance

In its everyday functions, the ACN performs tasks that are civilian in nature, including ensuring the resilience of critical national infrastructure, coordinating national responses to cyber incidents and managing relations with international cybersecurity partners. Certain operational scenarios could put the Agency’s infrastructure to use for military operations though. If, during an armed conflict, the ACN were to provide direct technical support to military cyber operations, assist in defending military command-and-control systems, or engage in offensive cyber measures coordinated with the armed forces, it could be seen as being used to make an effective contribution to military action.

The Legislative Decree No. 138/2024, which transposed the European Directive 2022/2555 (NIS2 Directive), explicitly distinguishes the ACN and the Ministry of Defense as competent authorities in case of large-scale cyber or critical infrastructure crises. The designation depends on the type of crisis: ACN is competent for civilian and national critical infrastructure resilience; while the Ministry of Defense assumes responsibility for crises directly affecting the defense of the State. This clear allocation reinforces the distinction between civilian and military responsibilities in national cyber governance.

While the incorporation of military personnel does not change ACN’s civilian nature, their presence may facilitate closer integration with military structures. ACN’s mandate includes resilience functions that are purely civilian but also encompasses activities that may intersect with national defense. Even though the military personnel assigned to the ACN retain their military status, a Decree of the President of the Council of Ministers regulates the terms and conditions for the employment of personnel from the Ministry of Defense within the ACN. In particular, the Decree provides for two frameworks: the first concerns a contingent that assumes the functions of the Agency’s civilian staff, in which case they are subject to the Agency’s personnel regulations (Article 5); the second concerns a contingent that is hierarchically subordinate to the Chief of Defense General Staff and functionally subordinate to the Director General of the Agency (Article 8).

In both circumstances, the characterization of their status as “combatants” is not clear-cut, since, while formally belonging to the armed forces, they operate within a civilian entity and under its functional authority. While this question of the status of persons is distinct from the question whether ACN infrastructure qualifies as a military objective, who works on ACN operations may be relevant to assessing whether such activities amount a “use” under Article 52(2) and render ACN infrastructure a military objective.

Comparative Perspective – International Cybersecurity Agencies

To better understand ACN infrastructure’s potential status in armed conflict, it is useful to compare it with other national cybersecurity agencies with similar mandates. The French ANSSI operates under the French Prime Minister and is responsible for protecting critical infrastructure, coordinating national cybersecurity policy, and responding to cyber incidents. While ANSSI collaborates closely with military and intelligence services, it is institutionally civilian and would only be considered a military objective if its use or purpose makes an effective contribution to military action.

Germany’s BSI advises and protects government and critical IT infrastructure, while offensive or military cyber activities are handled by the Bundeswehr or the intelligence services; BSI personnel are fully civilian.

Similarly, in the United States, the CISA, operating under the Department of Homeland Security, secures federal civilian networks, coordinates protection of critical infrastructure, and provides incident response guidance. Offensive cyber operations remain the remit of U.S. Cyber Command and CISA personnel have no military status.

Across these three countries, national cybersecurity agencies generally perform civilian resilience functions and their protection under IHL remains intact unless they are used or their purpose is to effectively contribute to military operations. In this regard, the ACN appears largely comparable. However, the retention of military personnel within the ACN gives it a potentially higher integration with armed forces, which could increase the likelihood that certain Agency functions or facilities would be considered military objectives in armed conflict.

Cyber Operations in the Italian Legal Framework

Italian law assigns responsibility for military cyber operations to the Ministry of Defense. This allocation of authority was made even clearer by Law Decree No. 50/2022, which amended the Code of Military Organization (Legislative Decree No. 66/2010). The amendment to Article 88 expressly includes cyberspace among the domains in which the armed forces are tasked with operating, alongside land, sea, air and space, while Article 37 of the Law Decree No. 115/2022 assigns to the intelligence services, under the direction of the Prime Minister, the authority to conduct offensive cyber operations for national security.

The Italian framework thus establishes a clear division of responsibilities: the armed forces, under the Ministry of Defence, conduct military cyber operations and defend national military networks; the intelligence services are entrusted with offensive cyber operations in the field of national security; the ACN, as a civilian authority, coordinates the national cybersecurity strategy, manages resilience and incident response, and ensures protection of critical infrastructure; and the Ministry of Interior, through the Postal Police and cyber security, enforces the law and represses criminal activities in cyberspace. While cooperation among these actors is foreseen, particularly in the event of a significant cyber crisis, each retains a distinct institutional mandate.

International Law Applicable to Cyber Operations

Cyber operations are subject to the same fundamental principles of IHL as kinetic operations, including distinction, proportionality, and the obligation to take precautions in attack. The Tallinn Manual 2.0, although not legally binding, provides useful interpretive guidance in this regard, noting that cyber infrastructure becomes a lawful target only when its use or purpose makes an effective contribution to military action and its neutralization offers a definite military advantage (see rule 100).

This interpretation is consistent with recent multilateral consensus reflected in the Final Report of the Open-Ended Working Group on Security of and in the Use of Information and Communications Technologies 2021–2025, adopted within the United Nations framework. The report reaffirms that international law, including the Charter of the United Nations, applies to the information communication technology environment and recognizes the continuing relevance of IHL principles to State behavior in situations of armed conflict involving cyber operations.

By underscoring the applicability of existing legal norms, the report reinforces the presumption of protection for civilian cyber entities, unless factual circumstances demonstrate they are effectively contributing to military operations. In addition, in 2021 Italy published its position on applicable international law to cyberspace in an effort to establish opinio juris in the matter, confirming that “IHL applies in cyberspace in the context of an international or non-international armed conflict.”

The ACN as a Potential Military Objective during an Armed Conflict: Cyber and Kinetic Attacks

The ACN, while primarily a civilian agency, may in certain circumstances perform functions that actively contribute to military operations in armed conflict. In such cases, its infrastructure could fall within the definition of a military objective. The qualification of ACN sites and systems as military objectives depends on the nature, purpose, and use of its activities at the relevant time.

During an armed conflict, the distinction between civilian and military status becomes critical in evaluating the lawfulness of attacks. If the ACN is performing only civilian resilience functions, it retains its status as a civilian object and cannot be lawfully targeted under IHL. In this context, cyber operations against it that cause temporary disruption or minor interference, without physical destruction, injury, or serious impairment of military capabilities, would generally not constitute an attack under IHL. Such operations might be regulated under domestic or criminal law. Conversely, if the ACN’s physical or cyber infrastructure effectively contributes to military operations, its status may shift to that of a military objective. Cyber operations that significantly impair the Agency’s ability to support military action, producing effects equivalent to destruction or serious operational disruption, are attacks that must comply with the principles of distinction, proportionality, and precautions in attack.

Similarly, a kinetic attack against ACN facilities during armed conflict would be lawful only if the Agency is performing functions or has the purpose of performing functions that make an effective contribution to military operations. Such attacks must nonetheless respect proportionality, which prohibits attacks against military objectives that are “expected to cause incidental loss of civilian life, injury to civilians, damage to civilian objects, or a combination thereof, which would be excessive in relation to the concrete and direct military advantage anticipated”. Importantly, the mere presence of military personnel within the ACN does not automatically render the Agency’s infrastructure a military target; only activities—uses or purposes—that effectively contribute to military operations would justify targeting.

In evaluating proportionality, consideration must also be given to the wider consequences of disrupting the ACN’s civilian infrastructure. The Agency’s coordination and resilience role underpins essential services such as hospitals, financial systems, and utilities. Even attacks targeting military-related functions could indirectly affect these civilian systems, highlighting the importance of carefully balancing anticipated military advantage against potential civilian harm. This perspective reinforces the central obligation to protect civilian components, even when the ACN’s status temporarily may shift due to operational involvement in conflict.

Under this framework, the ACN is ordinarily a civilian institution protected under IHL. Cyber and kinetic attacks would be lawful only if the ACN would be operationally involved in military activities.

Conclusion

From an IHL perspective, the ACN occupies a nuanced position within Italy’s national cybersecurity architecture. Its civilian mandate in resilience and infrastructure protection generally places it outside the scope of lawful military targeting. However, if the Agency’s structures or systems were to effectively contribute to military operations, they could be considered legitimate military objectives. Any attacks, whether cyber or kinetic, must comply with the IHL principles of distinction, proportionality, and precautions in attack, and must focus strictly on functions directly supporting military action.

Finally, this analysis underscores the continued importance of interrogating the relevance of IHL, particularly at a time when the rules of war are often challenged or disregarded. Examining the legal status of entities like the ACN reminds us that even in armed conflict, rules exist and respecting them is crucial to limit harm to civilians and maintain the highest standard of humanity during warfare.

***

Adriano Iaria possesses long-standing expertise in the field of international humanitarian law and new technologies. 

The views expressed are those of the author, and do not necessarily reflect the official position of the United States Military Academy, Department of the Army, or Department of Defense. 

Articles of War is a forum for professionals to share opinions and cultivate ideas. Articles of War does not screen articles to fit a particular editorial agenda, nor endorse or advocate material that is published. Authorship does not indicate affiliation with Articles of War, the Lieber Institute, or the United States Military Academy West Point.

Photo credit: Adi Goldstein via Unsplash