AI laws and regulation in Italy

High.

Law No. 132/2025 on Provisions and delegations to the Government regarding artificial intelligence.

It sets out principles governing research, testing, development, adoption and application of Artificial Intelligence (“AI”) systems and models in Italy. The law promotes correct, transparent and responsible use of AI from an anthropocentric perspective, with a view to seizing opportunities it offers in different sectors, such as:

• Health industry (digital health, disabilities, electronic health records)
• Labour
• Public Administration
• Judicial activity
• Algorithms

Data protection: The EU General Data Protection Regulation (GDPR) applies to AI systems processing personal data, including rules on automated decision-making and profiling. 

Product safety and liability: The EU General Product Safety Regulation apply where AI is integrated into products or services. 

Cybersecurity and operational resilience:  

The EU NIS2 Directive and the EU Cyber Resilience Act (CRA) establish cybersecurity requirements for digital products, including AI-powered devices and software. 

DORA: The EU Digital Operational Resilience Act (DORA) applies to financial entities operating in Italy, setting requirements for managing ICT risks, including risks arising from AI systems in financial services. 

Copyright and IPR: The EU copyright rules (including the TDM exception) are relevant for AI training data and outputs. 

Sectoral rules: Specific laws apply to AI in finance (e.g., KWG, ZAG), healthcare, transport, and employment, often supplementing EU-level requirements. 

These frameworks cover sectors such as critical infrastructure, medical and health technologies, education, employment, financial services, biometrics, law enforcement, justice, and online platforms.

Article 20 of Law No. 132/2025 designates as Italian competent Authorities on AI matters and enforcement:

• Agency for Digital Italy (“AgID”) is responsible for promoting innovation and the development of AI, defines procedures and performs functions and tasks relating to the notification, assessment, accreditation, and monitoring of entities responsible for verifying the compliance of AI systems, in accordance with national and European Union legislation.
• National Cybersecurity Agency (“ACN”) is responsible for the supervision, including inspection and sanctioning activities, of AI systems, in accordance with national and European Union legislation and for the promotion and development of AI in relation to cybersecurity profiles.

AgID and ACN, each within their respective areas of competence, shall ensure the establishment and joint management of sandboxes for the development of AI systems that comply with national and EU legislation, after consulting with the Ministry of Defence on aspects relating to dual-use AI systems and the Ministry of Justice on artificial intelligence models and systems applicable to judicial activities.

1. The Italian Data Protection Authority, has a website section dedicated to AI containing Measures, Guidelines and Decision adopted on AI matters (link: https://www.garanteprivacy.it/temi/intelligenza-artificiale).

Among them can be listed:

• Guidance to Protect Personal Data from Web Scraping, in which the Authority suggests a number of concrete measures to be adopted, such as:
  • the creation of reserved areas, accessible only upon registration, so as to remove data from public availability;
  • the inclusion of anti-scraping clauses in the terms of service of websites;
  • the monitoring of traffic to web pages, so as to identify any abnormal flows of incoming and outgoing data;
  • the implementation of specific measures against bots using, among others, the technological solutions made available by the same companies responsible for web scraping (e.g.: intervening on the robots.txt file).

Measures are not mandatory and data controllers shall assess, based on the principle of accountability, whether to implement them to prevent or mitigate, in a selective manner, the effects of web scraping, taking into account a number of elements such as the latest technology developments and the costs of implementation, in particular for SMEs.

• Decalogue for the provision of national health services through artificial intelligence systems whose key principles are:
  • transparency of decision-making processes;
  • automated decisions supervised by humans;
  • non-discriminatory algorithms.

2. Also, Italian Ministries and Authorities are adopting guidelines on the employment of AI in specific sectors:

• Guidelines for the Introduction of AI in Schools and Institutions (Annex to DM No. 166, 09/08/2025) published by the Ministry of Education. The document provides operational guidelines and reference principles to assist schools in the informed and safe adoption of AI - based technologies, enhancing their potential to support teaching, digital innovation, and organizational processes.
• Guidelines for the Implementation of Artificial Intelligence in the Workplace contained in Decree No. 180 of December 17, 2025, published by the Ministry of Labor and Social Policies.
  The Guidelines are aimed at promoting the informed adoption of AI in work contexts, protecting employees’ rights, encouraging sustainable innovation, and ensuring compliance with current regulations.
• Draft Guidelines for the adoption of AI in Public Administration, pursuant to the Prime Ministerial Decree of January 12, 20204, containing the “Three-year plan for information technology in public administration 2024-2026” are adopted by AgID and subjected to public consultation. The adoption process is ongoing.
• Guidelines for the Safe Development of Artificial Intelligence promoted by the UK's National Cyber Security Center have been signed by ACN. The document is intended for all system providers that use AI, whether created from scratch or built on services or tools provided by others. It is recommended reading for data scientists, developers, executives, decision-makers, and risk analysis managers.

N/A.

According to Law No. 132/2025 the Italian Government has to adopt, within twelve months of the date of entry into force of the law, several legislative and ministerial decrees in order to: 

• establishing of an Observatory on the adoption of AI in the labour context, at the Ministry of Labour (Article 12);
• define a comprehensive regulation on the use of data, algorithms, and mathematical methods for training AI systems without additional obligations, in areas subject to Regulation (EU) 2024/1689 (Article 16);
• promote and develop initiatives aimed at enhancing artificial intelligence as a resource for strengthening national cybersecurity, including through collaboration agreements with private entities—however named—as well as through forms of public-private partnership (Article 18);
• definition and updating of the National Strategy for AI, and the establishment of a Committee to coordinate the activities of institutions, bodies, and foundations operating in the field of digital innovation and AI (Article 19);
• transpose European provisions into domestic law, ensuring effective regulatory coordination between supranational legislation and existing Italian regulations (Article 24);
• regulating specific cases of unlawful use and development of AI systems (Article 24);
• defining powers (supervision, inspection and sanctioning) of national competent authorities (Article 24).;
• organization adjustments in sectors governed by particularly detailed regulations, such as banking, financial, insurance, and payment services (Article 24);
• development of literacy and training courses aimed at both the general public and professionals in sectors most exposed to the use of artificial intelligence systems (Article 24);
• strengthening science, technology, engineering, and mathematics (STEM) subjects and artistic activities within school curricula, encouraging an interdisciplinary approach that combines technological innovation and creativity (Article 24);  
• use of AI systems in Police work (Article 24);  
• adapt the national penalty system to the requirements of the AI Act (Article 24).

• Law No. 132/2025  https://www.normattiva.it/uri-res/N2Ls?urn:nir:stato:legge:2025-09-23;132
• Draft Guidelines for the adoption of AI in Public Administration https://www.agid.gov.it/sites/agid/files/2025-02/Linee_Guida_adozione_IA_nella_PA.pdf
• Guidelines for the Introduction of AI in Schools and Institutions
• EU AI Act - Questions and Answers