Italy’s Implementation Status
Italy has emerged as the EU’s leader in national AI legislation. On 23 September 2025, Law No. 132 (Legge 23 settembre 2025, n. 132) was signed into law after receiving final approval from the Italian Senate on 17 September 2025. The law entered into force on 10 October 2025, making Italy the first EU member state to adopt comprehensive national AI legislation complementing the EU AI Act.[1][2]
Law 132/2025: Key Characteristics
The Italian AI Law was designed to work in harmony with the EU AI Act rather than create additional compliance burdens:
- Complementary framework: Relies entirely on EU AI Act definitions without imposing obligations beyond those established at EU level
- Core principles: Establishes transparency, proportionality, security, data protection, and non-discrimination as foundational principles
- Human autonomy: Preserves human decision-making autonomy as a central tenet across all AI applications
- Sector-specific guidance: Provides detailed provisions for healthcare, employment, public administration, and justice
Regulatory Integration
Italy’s approach creates an integrated compliance model combining the EU AI Act with GDPR, the NIS2 Directive, and existing sector-specific rules. The goal is to translate general European provisions into verifiable operational controls—exactly the kind of evidence-based compliance GLACIS enables.[6]
National Competent Authorities
Article 20 of Law 132/2025 establishes Italy’s governance structure for AI oversight, creating a dual authority model with specialized sector coordination:
AgID — Agenzia per l’Italia Digitale
Role: Notifying Authority
- Promotion of AI development and adoption across Italy
- Notification, assessment, and accreditation of conformity assessment bodies
- Monitoring of accredited notified bodies
- Development of national AI standards and guidelines
ACN — Agenzia per la Cybersicurezza Nazionale
Role: Market Surveillance Authority & EU Liaison
- Market surveillance and inspections of AI systems
- Single point of contact with EU institutions and AI Office
- Enforcement actions and sanctions for non-compliance
- Cybersecurity oversight for AI systems
Sector-Specific Regulators
Role: Specialized Market Surveillance
- Bank of Italy: Banking and payment systems AI oversight
- CONSOB: Securities and investment AI surveillance
- IVASS: Insurance sector AI regulation
Independence Considerations
The European Commission, in its detailed opinion C(2024)7814, emphasized that national supervising authorities under the AI Act must enjoy full functional and operational independence. The decision to assign pivotal AI governance functions to governmental agencies (AgID, ACN) rather than independent administrative authorities has raised questions about institutional independence that may be addressed in future implementing decrees.[3]
Implementation Timeline
Italy’s implementation aligns with EU AI Act deadlines while adding national-specific milestones. Organizations operating in Italy must track both frameworks:
Italy + EU AI Act Implementation Timeline
| Date | Milestone | Scope | Status |
|---|---|---|---|
| Aug 1, 2024 | EU AI Act Entry into Force | All EU member states | COMPLETE |
| Feb 2, 2025 | Prohibited AI Practices Ban | Article 5 prohibitions | ACTIVE |
| Aug 2, 2025 | National Authorities Designated | AgID, ACN established | COMPLETE |
| Aug 2, 2025 | GPAI Compliance | General purpose AI models | ACTIVE |
| Oct 10, 2025 | Italy Law 132/2025 Enters Force | Italian national AI law | ACTIVE |
| Aug 2, 2026 | High-Risk AI Compliance | Full Annex III requirements | 8 MONTHS |
| Oct 2026 | Italy Implementing Decrees | Technical standards, guidance | 10 MONTHS |
| Aug 2, 2027 | Medical AI Extended Deadline | Medical device AI systems | 20 MONTHS |
Italian National AI Strategy
The Strategia Italiana per l’Intelligenza Artificiale 2024-2026 was published by AgID in July 2024, just days after the EU AI Act’s official publication. Developed by a 14-member expert committee, the strategy provides the policy context within which Law 132/2025 operates.[4]
Four Strategic Pillars
1. Research & Innovation
- €500 million allocated in 2024 for 150 new AI professorships
- Strengthening AI research infrastructure
- Public-private research collaboration
2. Public Administration
- AI adoption for service delivery efficiency
- National pilot projects with scalability focus
- Streamlined administrative processes
3. Enterprise Support
- SME-focused AI adoption programs
- Financial incentives and training
- Manufacturing and production optimization
4. Education & Training
- AI literacy across educational levels
- Workforce reskilling initiatives
- Ministry of Education AI guidelines
The strategy explicitly prioritizes anthropocentric and sustainable AI, placing human needs at the center while promoting ethical practices. This philosophy directly aligns with the EU AI Act’s fundamental rights protections and Italy’s emphasis on human decision-making autonomy in Law 132/2025.[4]
High-Risk AI in Italian Markets
Italy’s economy has distinct characteristics that shape which AI applications most commonly trigger high-risk classification under Annex III. Understanding sector-specific risk profiles is essential for Italian organizations:
Manufacturing & Industry
Italy’s manufacturing sector—including automotive, machinery, and textiles—forms the backbone of the economy. AI applications vary in risk classification:
- High-risk: AI safety components in machinery (Annex I), automated quality control affecting product safety
- High-risk: Worker monitoring and performance evaluation systems (Annex III, Category 4)
- Minimal risk: Predictive maintenance, inventory optimization, production scheduling
Healthcare (Sanità)
Law 132/2025 provides specific healthcare provisions. AI is permitted as a support tool but cannot be used to discriminate or decide access to treatment:
- High-risk: Diagnostic AI, treatment recommendation systems, patient triage
- High-risk: AI medical devices requiring CE marking under MDR
- Critical: Human clinicians remain responsible for final decisions
Banking & Financial Services
Banking, securities, and insurance are supervised by Bank of Italy, CONSOB, and IVASS respectively. Italian financial institutions face strict requirements:
- High-risk: Creditworthiness assessment and loan approval (Annex III, Category 5)
- High-risk: Insurance risk assessment and pricing
- Limited risk: Customer service chatbots (transparency obligations only)
Fashion & Luxury Goods
Italy’s world-renowned fashion and luxury sector increasingly uses AI, with varying risk classifications:
- High-risk: AI-powered hiring and workforce scheduling in retail
- Limited risk: AI-generated marketing content (deepfake labeling required)
- Minimal risk: Design assistance, trend prediction, supply chain optimization
Public Administration (Pubblica Amministrazione)
Law 132/2025 includes specific provisions for government AI use:
- High-risk: AI for benefit eligibility, immigration processing, public service access
- High-risk: Justice sector AI for case research (judicial authority AI oversight)
- National security exemption: AI for defense and security (outside civilian AI Act scope)
Article 12 Logging Requirements
Article 12 of the EU AI Act mandates automatic recording of events (logs) throughout high-risk AI system operation. For Italian organizations, this requirement interfaces with existing data protection obligations under GDPR and the Garante’s oversight:
Article 12 Core Requirements
1. Traceability: Logging capabilities must ensure traceability of AI system functioning throughout its lifecycle
2. Appropriate level: Logging depth must be proportionate to the intended purpose of the high-risk system
3. Record content: Input data periods, reference databases, and persons involved in verification must be logged
4. Security & retention: Logs must be protected by appropriate security measures and retained for periods appropriate to intended purpose
Italy-Specific Logging Considerations
Italian organizations must navigate logging requirements within the broader Italian regulatory context:
- GDPR integration: Log data containing personal information triggers GDPR obligations. Data minimization principles apply—log only what’s necessary for traceability.
- Garante notification: If AI logging involves personal data processing, relevant activities must be communicated to the Garante within prescribed timeframes.
- Sector-specific retention: Banking (Bank of Italy), insurance (IVASS), and healthcare sectors may have additional log retention requirements beyond the AI Act.
- ACN access: As market surveillance authority, ACN may request access to logs during inspections. Logs must be available and interpretable.
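One way to make Article 12 records tamper-evident while keeping direct identifiers out of them, as an added example (not from this page and not GLACIS code): an HMAC-chained log in Python. The field names, the `credit-scoring-v3` system and the sample records are constructed assumptions, and the chain key and latest head MAC are assumed to be stored outside the log store.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64
# Field names are assumptions modelled on the record content listed above.
REQUIRED = {"system_id", "event", "timestamp", "input_period", "reference_db", "verifier"}

def pseudonymize(subject_id: str, pepper: bytes) -> str:
    """Keyed hash of an identifier; keeps direct identifiers out of the log."""
    return hmac.new(pepper, subject_id.encode(), hashlib.sha256).hexdigest()[:16]

def entry_mac(key: bytes, seq: int, prev: str, body: dict) -> str:
    """HMAC over canonical JSON of the sequence number, previous MAC and body."""
    payload = json.dumps({"seq": seq, "prev": prev, "body": body},
                         sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def append(log: list, key: bytes, body: dict) -> str:
    """Append a record chained to its predecessor; return the new head MAC."""
    missing = REQUIRED - body.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    seq = len(log)
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"seq": seq, "prev": prev, "body": body,
                "mac": entry_mac(key, seq, prev, body)})
    return log[-1]["mac"]

def verify(log: list, key: bytes, expected_head=None):
    """Return None if the chain is intact, else the index of the first bad entry.

    A removed tail leaves a valid shorter chain, so truncation is only caught
    when expected_head (stored outside the log) is supplied; it is reported
    as index len(log).
    """
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev:
            return i
        if not hmac.compare_digest(e["mac"], entry_mac(key, i, prev, e["body"])):
            return i
        prev = e["mac"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None

def build_sample_log(key: bytes, pepper: bytes):
    """Constructed sample: three events from a hypothetical credit-scoring system."""
    log, head = [], GENESIS
    for n, (event, verifier) in enumerate([("inference", None),
                                           ("human_review", "reviewer-07"),
                                           ("inference", None)]):
        head = append(log, key, {
            "system_id": "credit-scoring-v3",
            "event": event,
            "timestamp": f"2026-01-15T09:0{n}:00Z",
            "input_period": ["2025-10-01", "2025-12-31"],
            "reference_db": "bureau-snapshot-2025Q4",
            "verifier": verifier,
            "subject": pseudonymize(f"applicant-{n}", pepper),
        })
    return log, head
```

An edited or deleted record makes `verify` return the index where the chain first breaks; a log cut short at the end verifies cleanly unless the externally stored head MAC is passed in.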
How GLACIS Helps with Article 12
GLACIS provides cryptographic evidence that your Article 12 logging controls execute correctly. Rather than policies stating you will log AI decisions, GLACIS generates tamper-evident attestations proving your logging infrastructure actually captures required events. This evidence-based approach satisfies Italian regulators who increasingly demand operational proof—not just compliance documentation.
Sector-Specific Requirements
Law 132/2025 provides detailed guidance for AI deployment in key Italian sectors:
Healthcare (Sanità)
- AI permitted as a support tool for clinical decision-making
- AI cannot be used to discriminate or decide access to treatment
- Human clinicians remain responsible for all final treatment decisions
- Medical AI devices require CE marking under Medical Device Regulation (MDR)
Employment (Lavoro)
- Employers must inform workers about AI systems used in the workplace
- Employers must ensure appropriate training for employees on AI tools
- Article 12 of Law 132/2025 establishes a National Observatory for AI employment impact monitoring
- AI may improve working conditions, safety, and productivity when implemented responsibly
Minors (Minori)
- Under 14: Parental consent required for AI access and related data processing
- Ages 14-18: Minors may consent if information is easily accessible and comprehensible
- Aligns with GDPR Article 8 and Italian data protection law
Garante Coordination
The Garante per la protezione dei dati personali (Italian Data Protection Authority) plays a critical role in AI oversight through its GDPR powers. Under Law 132/2025, the Garante retains all authority over personal data processing that underlies AI activities:[6]
Prior Notification Requirements
Certain AI-related processing activities must be communicated to the Garante, including information relating to GDPR Articles 24 (controller responsibility), 25 (data protection by design), 32 (security), and 35 (DPIA). Processing may commence 30 days after notification unless the Garante issues a blocking measure.
Research Processing
Public and private non-profit AI research is classified as being of significant public interest, allowing personal data processing without consent. However, ethics committee approval and Garante notification are still required.
GDPR Principles Apply
All AI data processing must comply with GDPR principles: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. AI systems must be designed and operated accordingly.
Dual Compliance Requirement
Organizations operating AI systems in Italy face dual compliance obligations: the EU AI Act (enforced by ACN) and GDPR (enforced by the Garante). Non-compliance with either can result in separate penalties. Article 22 GDPR (automated decision-making) remains particularly relevant for high-risk AI systems making decisions affecting individuals.
Conformity Assessment Pathway
AgID serves as Italy’s notifying authority, responsible for accrediting conformity assessment bodies. The conformity assessment pathway depends on your AI system’s classification:
Internal Control (Self-Assessment)
Available for most high-risk systems:
- Technical documentation per Annex IV
- Quality management system implementation
- Post-market monitoring plan
- EU declaration of conformity
- CE marking affixation
Notified Body Assessment
Required for specific systems:
- Biometric identification systems
- Medical AI devices under MDR
- Products under EU harmonization legislation requiring third-party assessment
Cost: €10,000-€100,000 | Timeline: 3-12 months
AgID is currently establishing the notified body accreditation framework. Organizations requiring notified body assessment should monitor AgID announcements for accredited bodies in Italy. Cross-border recognition allows using notified bodies accredited in other EU member states.
Enforcement & Penalties
ACN (Agenzia per la Cybersicurezza Nazionale) serves as Italy’s primary enforcement authority for the AI Act. Penalties follow the EU framework:
Italy AI Act Penalty Structure
| Violation Type | Maximum Fine | Enforcing Authority |
|---|---|---|
| Prohibited AI practices | €35M or 7% global revenue | ACN |
| High-risk system non-compliance | €15M or 3% global revenue | ACN / Sector regulators |
| GPAI model non-compliance | €15M or 3% global revenue | ACN / EU AI Office |
| Transparency violations | €7.5M or 1% global revenue | ACN |
| GDPR violations (AI-related) | €20M or 4% global revenue | Garante |
Important: Penalties from ACN (AI Act) and the Garante (GDPR) can stack. An AI system that processes personal data in violation of both frameworks faces potential fines under each regulation. For Italian SMEs, proportionality principles apply, but penalties remain substantial.
Compliance Roadmap for Italian Organizations
With the August 2026 high-risk deadline eight months away, Italian organizations must act now. This roadmap integrates EU AI Act requirements with Italy-specific considerations:
Italy EU AI Act Compliance Roadmap
AI System Inventory & Italian Context (Month 1)
Catalog all AI systems across your Italian operations. Classify each per Annex III risk categories. Identify sector-specific requirements (healthcare, banking, employment). Map systems to relevant Italian authorities (ACN, Garante, Bank of Italy, CONSOB, IVASS). Document which systems involve personal data processing requiring Garante notification.
GDPR Integration Assessment (Month 1-2)
For AI systems processing personal data, verify GDPR compliance foundations: legal basis, DPIA completion, data protection by design. Prepare Garante notifications for AI-related processing activities. Align AI governance with existing privacy program. Ensure Article 22 GDPR compliance for automated decision-making.
Risk Management & Article 9 Implementation (Month 2-4)
Establish continuous risk management per EU AI Act Article 9. Identify foreseeable risks in Italian deployment context. Evaluate risks through post-market monitoring. Implement mitigation measures aligned with Italy’s human-centric principles. Integrate with existing ISO 42001 or NIST AI RMF frameworks where implemented.
Article 12 Logging Implementation (Month 3-6)
Implement automated logging capabilities ensuring traceability throughout system lifecycle. Configure logging depth appropriate to intended purpose. Ensure logs capture input data periods, reference databases, and personnel involved. Implement tamper-evident log protection with appropriate retention. Generate cryptographic evidence that logging controls execute correctly—exactly what GLACIS provides.
Conformity Assessment & Documentation (Month 4-7)
Prepare technical documentation per Annex IV. Establish quality management system per Article 17. For internal control pathway: complete self-assessment, prepare EU declaration of conformity. For notified body pathway: engage AgID-accredited notified body or cross-border body 6+ months before deadline. Prepare for CE marking affixation.
Post-Market Monitoring & Italian Coordination (Ongoing)
Implement post-market monitoring tracking performance and incidents. Establish serious incident reporting to ACN per Article 73 (15-day deadline). Maintain documentation and update as systems evolve. Monitor AgID/ACN announcements for implementing decrees (expected by October 2026). Prepare for market surveillance inspections. Coordinate with sector regulators as applicable.
Critical insight: Italy’s implementing decrees are expected within 12 months of Law 132/2025 (by October 2026). However, the EU AI Act high-risk deadline is August 2026—organizations cannot wait for Italian guidance. Build compliance infrastructure now using EU-level requirements, then adapt as Italian specifics emerge.
Frequently Asked Questions
Who is the national competent authority for the EU AI Act in Italy?
Italy has a dual authority model. AgID (Agenzia per l’Italia Digitale) is the notifying authority, responsible for accrediting conformity assessment bodies. ACN (Agenzia per la Cybersicurezza Nazionale) is the market surveillance authority, responsible for enforcement, inspections, and sanctions. The Garante retains GDPR oversight for AI-related personal data processing. Sector regulators (Bank of Italy, CONSOB, IVASS) supervise AI in their respective domains.
Does Italy’s Law 132/2025 create new compliance obligations beyond the EU AI Act?
No. Law 132/2025 was explicitly designed to complement the EU AI Act without imposing additional obligations. It relies entirely on EU AI Act definitions and provides sector-specific guidance (healthcare, employment, public administration) rather than new requirements. The law’s value is in clarifying how EU requirements apply in the Italian context and establishing the national governance structure.
How does the Garante interact with AI Act enforcement?
The Garante retains all GDPR powers over personal data processing underlying AI activities. For AI systems processing personal data, organizations face dual compliance: AI Act (ACN enforcement) and GDPR (Garante enforcement). Certain AI-related processing requires Garante notification, with a 30-day waiting period before processing may commence. Violations can result in separate penalties from each authority.
What are Italy’s implementing decrees and when are they expected?
Law 132/2025 mandates that implementing decrees providing technical standards and detailed guidance be adopted within 12 months of entry into force—by October 2026. These decrees will address specifics left undefined in the framework law. However, the EU AI Act high-risk deadline (August 2026) arrives before this guidance, so organizations must proceed using EU-level requirements.
How does Italy support SMEs with AI compliance?
Italy’s AI Strategy 2024-2026 prioritizes support for SMEs, which form the backbone of Italian industry. The strategy includes financial incentives, training programs, and collaborative research initiatives. Public authorities actively support AI adoption for production optimization and human-machine interaction. Proportionality principles in enforcement should provide some relief for smaller organizations, though compliance obligations remain.
Can I use AI for employment decisions in Italy?
Yes, but with significant requirements. AI for recruitment, task allocation, performance monitoring, promotion, or termination decisions is classified as high-risk under Annex III (Category 4). Law 132/2025 requires employers to inform workers about AI systems used in the workplace and ensure appropriate training. The National Observatory monitors AI’s employment impact. Human oversight per Article 14 is mandatory.
References
- [1] Cleary Gottlieb. "Italy Adopts the First National AI Law in Europe Complementing the EU AI Act." October 2025. clearygottlieb.com
- [2] A&O Shearman. "Law No. 132: Italy’s Leadership in National AI Regulation." October 2025. aoshearman.com
- [3] Linklaters. "Italy – A Pioneering National Framework to Complement the EU AI Act." September 2025. linklaters.com
- [4] Agenzia per l’Italia Digitale (AgID). "The Italian Strategy for Artificial Intelligence 2024-2026." July 2024. agid.gov.it
- [5] European Union. "Regulation (EU) 2024/1689 of the European Parliament and of the Council." Official Journal of the European Union, July 12, 2024. EUR-Lex 32024R1689
- [6] Hogan Lovells. "Italy’s AI Law: The Good, the Bad…and the Actual Substance." October 2025. hoganlovells.com
- [7] Jones Day. "Italy Leads the Way in Shaping National AI Legislation Within the EU." October 2025. jonesday.com
- [8] White & Case. "AI Watch: Global Regulatory Tracker - Italy." 2025. whitecase.com
- [9] EU Artificial Intelligence Act. "Overview of All AI Act National Implementation Plans." 2025. artificialintelligenceact.eu
- [10] IAPP. "Italy Becomes First EU Member State to Pass an AI Law." October 2025. iapp.org