Power Shift at the Top: Who Holds the Keys to Italy’s Critical Infrastructure Resilience?

When governments shuffle responsibilities, the public rarely notices. But behind closed doors in Rome, a silent power transfer could shape the safety of Italy’s most vital arteries - energy grids, hospitals, digital infrastructure, and more. As the European Union tightens the screws on critical infrastructure resilience, Italy has just shifted stewardship of its most sensitive regulatory levers from Undersecretary Alfredo Mantovano to Giovanbattista Fazzolari. The stakes? Resilience against cyberattacks, sabotage, and systemic breakdowns.

Fast Facts

• The Directive CER 2022/2557 sets new EU standards for critical infrastructure resilience.
• Italy implemented the directive via Legislative Decree 134/2024.
• On December 16, 2025, a DPCM formally transferred key regulatory powers from Undersecretary Mantovano to Undersecretary Fazzolari.
• Critical sectors affected include energy, digital infrastructure, transport, banking, water, food, and healthcare.
• Fazzolari will utilize a specialized office at Palazzo Chigi to oversee resilience strategy and coordination.

The Story Behind the Switch

On the surface, the December 2025 decree - published quietly in the Gazzetta Ufficiale - looked like routine bureaucracy. But for insiders, the transfer of critical infrastructure oversight from Alfredo Mantovano to Giovanbattista Fazzolari signals a new direction in Italy’s response to mounting threats against its essential services.

At the heart of this shift is the EU’s Directive CER 2022/2557, a sweeping mandate requiring member states to bolster the resilience of “essential service providers.” Italy responded with Legislative Decree 134/2024, mapping out national obligations across sectors as diverse as energy, water, food supply, healthcare, digital infrastructure, public administration, and even space.

The December DPCM (Decreto del Presidente del Consiglio dei Ministri) hands Fazzolari the levers, making him the new point man on policy, oversight, and emergency response for these critical sectors. His operational base? A high-level office embedded within the Secretariat General at Palazzo Chigi, tasked with supporting the national “single point of contact” for critical infrastructure resilience - a role established earlier in April 2025.

Why the change? Sources suggest two motives: to streamline Italy’s compliance with fast-evolving EU cybersecurity and resilience regulations, and to inject fresh energy into a domain facing rapidly escalating digital and physical threats. With ransomware gangs, nation-state hackers, and supply chain disruptions on the rise, the need for unified leadership has never been more urgent.

What’s at Stake?

The sectors under Fazzolari’s watch are the backbone of Italian society. A coordinated attack or systemic failure could cripple the nation - think power blackouts, hospital outages, or banking disruptions. The new regime is expected to tighten coordination between ministries, private operators, and intelligence agencies, ensuring that Italy not only meets EU requirements but is prepared for tomorrow’s threats.

The Road Ahead

The handover is more than administrative. It’s a test of Italy’s ability to adapt to a volatile threat landscape while navigating complex EU directives. As Fazzolari takes the helm, all eyes will be on whether this shift delivers the resilience Italian citizens - and the wider EU - demand.

WIKICROOK

• Directive CER 2022/2557: Directive CER 2022/2557 is an EU law requiring member states to strengthen and secure critical infrastructure sectors against various risks.
• DPCM (Decreto del Presidente del Consiglio dei Ministri): Il DPCM è un decreto italiano che regola l’attuazione di leggi, spesso usato per norme tecniche in ambito cybersecurity e privacy.
• Critical Infrastructure: Critical infrastructure includes key systems - like power, water, and healthcare - whose failure would seriously disrupt society or the economy.
• Resilience: Resilience in cybersecurity is the ability to quickly recover and adapt after cyberattacks, ensuring business continuity and stronger future defenses.
• Single Point of Contact: A single point of contact is the main coordinator for communications and responses during cybersecurity incidents, ensuring clarity and efficiency in crisis situations.