Operational Continuity and Multi-Hazard Safety: How to Protect Europe's Critical Infrastructure
The European Union has issued two key directives to enhance the protection and resilience of critical infrastructure: Directive () / and Directive () / (). Both aim to ensure the safety of personnel essential to the functioning of society and the economy, yet they address different aspects of the threat landscape.
The first directive was transposed in Italy through Legislative Decree No. of , 2023, published in the Official Gazette, and focuses on the operational continuity of critical entities. Directive No. ( ), by contrast, was transposed through Legislative Decree No. of , 2023, and adopts a multi-risk approach aimed at enhancing the security of information and network systems against a broad range of threats: not only cyber threats, but also physical and environmental ones such as theft, fire, floods, interruptions (even partial) of telecommunications and electricity supply, and unauthorized physical access in general.
Directive () /: Operational Continuity. Directive () /, transposed in Italy by Legislative Decree No. /, aims primarily to ensure the operational continuity of critical infrastructure in sectors such as energy, transportation, healthcare, water, and public administration. It establishes a legal framework to prevent, mitigate, and manage the physical and environmental risks that could impair the provision of essential services.
Primary Objective:
- Prevention and Resilience: The directive establishes a unified framework to prevent and mitigate disruptions that may affect the provision of essential services, with a particular focus on physical risks such as natural disasters, terrorist attacks, and climate change.
- Managing Interdependencies: Europe's critical infrastructures are increasingly interconnected and interdependent. A disruption in one sector can have cascading effects on others, which makes a comprehensive approach to preventing service interruptions essential.
- Resisting Natural and Environmental Threats: The directive enhances the ability to withstand natural and environmental threats by promoting preventive measures and recovery plans, so that critical entities can continue to operate even in the event of catastrophic incidents.
- Scope of Application: The directive covers a wide range of sectors, including critical physical infrastructure such as energy, transportation, healthcare, food, and drinking water, as well as other sectors that provide essential services to society.
Directive () / () on the security of network and information systems, transposed by Legislative Decree No. /, focuses on protecting network and information systems from a range of threats by adopting a multi-risk approach. The directive is therefore not limited to preventing cyber threats; it also considers the physical and environmental threats that may affect the security and functionality of network systems.
Primary Objective:
- Integrated Risk Management: Key entities are required to implement technical and organizational measures not only to prevent and mitigate cyber-attacks but also to protect information systems from physical threats such as theft, fire, flood, and power or connectivity disruptions.
- Multi-Risk Approach: The distinctive feature of the directive is its comprehensive coverage of threats to computer and network systems, including cyber threats (such as malware or ransomware) and non-cyber threats, such as physical damage to the facilities hosting network infrastructure or service disruptions.
- Incident Reporting and Management: At the core of the directive is the obligation of entities to report incidents promptly, ensuring coordinated and effective responses among Member States at both national and cross-border levels.
- Scope of Application: The directive extends its coverage beyond the areas traditionally associated with critical infrastructure to include digital domains such as cloud services, domain name management, trust services, and electronic communication service providers.
Comparing the Two Directives. Main Objectives:
- Operational continuity directive: Ensure business continuity for critical entities in the presence of physical and natural threats (such as disasters or physical attacks). The focus is on maintaining the provision of essential services even during major crises.
- Network and information systems security directive: Enhance the security of information and cyber systems through a multi-risk approach that considers both cyber and physical threats. The goal is to make the systems underpinning essential services more secure, protecting them not only from cyber-attacks but also from physical events such as theft or natural disasters.
Types of Risks Faced:
- Operational continuity directive: Addresses physical and environmental threats that may affect physical infrastructure and the ability to provide essential services, such as terrorist attacks, sabotage, or natural disasters.
- Network and information systems security directive: Addresses the wide range of multi-hazard risks faced by information systems, covering both cyber and non-cyber threats (such as theft, fire, flood, or power outages), to safeguard the integrity and availability of networks.
Measures and Actions:
- Operational continuity directive: Sets operational resilience and physical continuity requirements for critical infrastructure, with preventive and recovery measures to address physical threats.
- Network and information systems security directive: Introduces a multi-risk cybersecurity approach, protecting systems from threats of any kind (cyber or physical) through risk management measures and resilience planning.
Scope of Application:
- Operational continuity directive: Covers primarily sectors that include critical infrastructure entities, such as energy, transportation, healthcare, and food, with a focus on business continuity (Annex).
- Network and information systems security directive: Covers a wide range of digital domains, such as cloud services and digital platforms, and adopts a comprehensive approach to protecting information systems from physical and cyber risks alike (Annex ---).
Directive () / and Directive () / () complement each other, addressing the protection of critical infrastructure and essential services from two complementary perspectives. The former, by focusing on operational continuity in the presence of physical threats, ensures that critical entities continue to operate even under adverse conditions. The latter, with its multi-risk approach, protects network and information systems from a broader range of threats, including those that are not strictly cyber in nature. Together, these regulations provide a comprehensive vision for addressing Europe's current security and resilience challenges.