Italy Adopts the First National AI Law in Europe Complementing the EU AI Act

October 29, 2025

On 10 October 2025, Law No. 132/2025 (the “Italian AI Law”) entered into force, making Italy the first EU Member State to introduce a dedicated and comprehensive national framework for artificial intelligence (“AI”).

The law references the AI Act (Regulation (EU) 2024/1689) and grants the government broad powers to implement its principles and establish detailed operational rules. It also sets out the institutional structure responsible for overseeing AI in Italy, mandating to specific authorities the promotion, coordination, and supervision of this strategically important sector.

Key innovations introduced by the Italian AI Law include:

  • designation of national authorities responsible for supervising the AI sector;
  • recognition of copyright protection for works created with the aid of AI tools, provided that they constitute the product of the author’s own intellectual effort;
  • explicit extension of Text and Data Mining exceptions to AI systems, provided that the right to “opt out” is respected and access to the data sources is lawful;
  • establishment of new criminal offences related to the use of AI and the intellectual property protection.

Although the Italian AI Law was first drafted before the AI Act was enacted, it is intended to align with the broader European framework. Much will depend on forthcoming delegated decrees, which will be crucial in defining its practical effect and alignment with EU rules, as the law currently presents interpretative ambiguities that may require further legislative or judicial clarification.

1. The Italian AI governance model: operational criteria and broad legislative delegations

The Italian AI Law establishes a national regulatory framework that will interact with European legislation, in particular the AI Act.

The AI Act adopts a risk-based approach to regulating AI, categorising AI systems by risk level and imposing progressively stricter requirements based on the severity of those risks. The Italian legislation is intended to serve as a complementary framework to the EU regime, addressing regulatory areas left to the discretion of Member States.

In line with this objective, the Italian legislator has clarified that the Italian AI Law:

  • is to be interpreted and applied in accordance with the AI Act (Article 1(2));
  • does not introduce any new obligations beyond those already established under the AI Act (Article 3(5)).

Unlike the AI Act, which provides for a gradual implementation and will become binding over time, several provisions of the Italian AI Law are already in force and fully applicable. Accordingly, particular attention should be paid to the Italian AI Law, whose immediately effective provisions raise both practical and interpretative uncertainties, as well as questions about their consistency with EU law.

1.1 Legislative delegations and implementation of the AI Act: a discipline in the making

Although the AI Act is directly applicable across the EU, its implementation will also rely on the Italian AI Law, which vests the Government with the power to adopt one or more legislative decrees to define crucial aspects of the sector.

Pursuant to Article 16, the Government is required to outline the legal regime governing AI system training activities. This includes setting out the rights and obligations of entities engaged in such activities, introducing both appropriate protective measures, including the possibility to obtain early injunctive measures, and an effective sanctions regime.

Additionally, pursuant to Article 24, the Government is tasked with undertaking a broad legislative exercise to align national law with the AI Act and to redefine the regulatory framework across a range of sectors.

This will entail both supportive measures to facilitate the socio-economic transition towards AI (such as promotion of digital literacy and development of training programmes) and targeted legal interventions addressing both substantive and procedural aspects of the existing regulatory regime.

One of the more significant developments will be the introduction of rules governing civil liability in the context of AI related activities, specifically addressing liability for the unlawful development or use of AI systems. The Government is also specifically requested to establish effective precautionary and sanctioning measures to prevent the dissemination of content unlawfully generated by AI, and procedures for its removal.

The intervention in the area of civil liability may result in a major innovation. While the precise contours are yet to be defined, potential approaches include strict liability regimes, joint and several liability, and mandatory insurance for developers and/or users of AI systems. In addition, Article 24(5)(d) requires the Government to address procedural and evidentiary rules regarding civil proceedings, taking into account the information asymmetry that often exists between claimants and the suppliers, developers or users of complex AI systems.

The Government has twelve months to adopt the relevant legislative decrees. However, the Italian AI Law prescribes shorter timeframes for certain measures. For example:

  • the Ministry of Health must, within 120 days, regulate the simplified processing of personal data for research and experimentation purposes, including through AI and machine learning systems (Article 9);
  • the Ministry of Labour must, within 90 days, establish the Observatory on the adoption of AI in the world of work (Article 12).

Moreover, although without a specific deadline, AGENAS (i.e., the National Agency for Regional Healthcare Services) is empowered to issue guidelines on data anonymisation and the generation of synthetic data in the healthcare sector (Article 8).

1.2 National authorities for AI

The Italian AI Law identifies the national authorities responsible for supervising and enforcing both domestic AI legislation and the AI Act. More broadly, it defines the institutional framework for the governance of the AI sector in Italy.

Under Article 20 the Agenzia per l’Italia Digitale (“AgID”) and the Agenzia per la Cybersicurezza Nazionale (“ACN”) are designated as the national AI authorities, without prejudice to the roles of Banca d’Italia, CONSOB and IVASS as surveillance authorities for the banking, financial, and insurance markets (see AI Act, Article 74(6)).

AgID is entrusted with responsibilities relating to the promotion of AI development, as well as the notification, assessment, accreditation and monitoring of conformity assessment bodies.

ACN is tasked with the supervision of AI systems, including powers of inspection and sanction. It will also act as a market surveillance authority and serve as the single point of contact with EU institutions. The forthcoming legislative decrees will be crucial in this context, as they are expected to formally confer to these authorities the specific sanctioning powers envisaged, inter alia, by the AI Act.

These designations have attracted criticism since the publication of the draft legislation. The decision to assign such pivotal functions to governmental agencies – as opposed to independent administrative authorities – has raised concerns about the ability of such agencies to ensure an adequate level of institutional independence. The same issue was also highlighted by the European Commission in its detailed opinion C(2024)7814 (the “Opinion”), which emphasised the need for the national supervising authorities under the AI Act to enjoy full functional and operational independence, to the extent granted, for example, to the Garante per la protezione dei dati personali (“Data Protection Authority”).

1.3 Support measures for market participants and framework for public-private collaboration

The Italian AI Law underscores the strategic importance of AI for the national economy. Article 5 expressly identifies AI as a driver of economic growth and national competitiveness, emphasising the importance of fostering a fair, secure and competitive market in the sector.

In this context, the Italian AI Law introduces a series of measures aimed at supporting the entrepreneurial ecosystem and promoting public-private collaboration in the development and deployment of AI technologies, although the full scope of such measures will become clearer following the adoption of the legislative decrees.

Pursuant to Article 19, the Prime Minister’s Office is tasked with developing a National Strategy for Artificial Intelligence, which must be updated and approved at least every two years. The objective of the strategy is to facilitate strategic public-private partnerships and to promote state-funded research programmes. Its implementation will be coordinated by an ad hoc committee, chaired by the Prime Minister.

Further, Article 5 also sets out certain criteria which, without prejudice to the requirement of consistency with EU law[1], will guide public e-procurement platforms in selecting AI system and model providers. In particular, the Italian AI Law provides that preference shall be given to suppliers meeting specific localisation, resilience, and transparency requirements, including:

  • localisation and processing of strategic data in data centres located on the national territory;
  • implementation of disaster recovery and business continuity procedures in data centres located on the national territory;
  • application of robust security and transparency standards in the training and development of generative AI applications.

Moreover, the Italian AI Law authorises public investments of up to EUR 1 billion, to be made in accordance with the National Artificial Intelligence Strategy, with the aim of supporting Italian companies operating in the fields of AI, cybersecurity and instrumental technologies (including 5G, mobile edge computing, and Web 3). Such investments are to be made through equity and quasi-equity participation in the venture capital of:

  • innovative small and medium-sized enterprises (SMEs) with high development potential based in Italy, with a focus on seed financing, start-up financing, early-stage financing and scale-up financing;
  • other companies with high development potential and highly innovative characteristics to promote the development of national technology champions.

2. Fundamental principles: centrality of the human being and data protection

The Italian AI Law begins by setting out a series of overarching principles that establish the foundation of the national regulatory system. Consistent with the European model, and subject only to the exemption for national security and defence – where specific guidelines will be issued – the legislation places the respect of fundamental rights and constitutional freedoms at its core and emphasises the need to prevent harmful or distortive applications of AI technologies.

In particular, Article 3, mandates that research, experimentation, development and use of AI systems must respect human dignity, personal data protection, transparency and non-discrimination. Importantly, central to the Italian AI Law is the autonomy and decision-making power of the individual. This principle reflects the anthropocentric approach of the AI Act and is a defining feature of the Italian framework, that introduces a general prohibition on the delegation of decision-making to automated processes, affirming that human will must not be fully replaced.

Article 4 sets out additional principles governing the use of personal data and the protection of information pluralism. It prohibits the use of AI systems in ways that compromise freedom, pluralism or impartiality of information. Data processing must comply with the criteria of lawfulness, fairness and transparency set out in Regulation (EU) 2016/679 (“GDPR”), and AI systems must be designed and operated in accordance with these requirements.

The legislation also imposes enhanced transparency obligations for entities using AI systems in the provision of their services. Article 4 provides that data processing disclosures relating to the use of AI systems must be drafted in clear and plain language, enabling users to understand the associated risks and, where appropriate, to object to such processing. This will require an assessment and possibly a revision of existing privacy notices, where appropriate, to ensure compliance with the new transparency standards

The legislation provides specific safeguards for minors, introducing protections that go beyond those set out in the GDPR. For individuals under the age of 14, access to AI systems and the related processing of data is subject to parental consent. Minors aged between 14 and 18 may provide consent to such data processing independently, provided that the relevant information is easily accessible and readily comprehensible.

Nonetheless, several legal uncertainties remain. For example, the practical application of the right to erasure under Article 17 of the GDPR raises complex questions where personal data is used to train AI systems. This and other issues will be addressed by future legislative measures and/or implementation activities.

3. Sector-specific regulation

The Italian AI Law extends beyond the harmonised framework established by the AI Act by introducing sector-specific regulatory measures that apply irrespective of the risk classification of the AI systems concerned. In particular, the legislation identifies a number of strategically significant sectors – such as healthcare, public administration, the judiciary, and employment – in which it imposes additional requirements aimed at reinforcing human oversight and outlining the responsibilities of system operators. However, in its Opinion, the European Commission raised concerns regarding this departure from the AI Act’s risk-based model. It cautioned that the imposition of additional regulatory constraints on AI systems not designated as high-risk could contribute to fragmentation within the EU internal market for AI.

3.1 Health and scientific research

In healthcare, Article 7 permits the use of AI for prevention, diagnosis, and treatment, while making clear that responsibility for therapeutic decisions remains with the physician. In line with the law’s human-centred approach, this provision reaffirms the principle of personal professional liability and prevents algorithmic automation from supplanting clinical judgement, drawing a clear line against automating medical decision-making.

Within this framework, the Italian legislator has also adopted safeguards that exceed those of the AI Act by imposing stricter transparency standards. While the AI Act requires disclosure of the use of automated systems but does not oblige providers to explain a model’s internal logic or justify the expected benefits, Italy mandates broader and more rigorous disclosure in healthcare: patients must be informed not only when AI systems are used, but also of the diagnostic and therapeutic benefits and the decision-making logic underpinning them.

The legislator has also addressed scientific research in healthcare, introducing significant innovations compared to Legislative Decree No. 196/2003 (the “Privacy Code”).

Recognising the important public interest served by the processing of personal data by public and private non-profit entities for research and the testing of AI systems for medical purposes, those entities are not required to obtain consent. For the same purposes and entities, secondary use of data (i.e., processing for purposes other than those for which the data were originally collected) is likewise permitted, subject to a simple notice requirement, provided the data contain no direct identifiers – except where knowing the data subjects’ identities is unavoidable without undermining the protection of their health.

A supervisory regime under the Data Protection Authority is established: the Authority must be notified at least 30 days before any processing or re-use of data begins and may issue a prohibition order.

Finally, Article 8 authorises – subject to prior notice to the data subject – the processing of personal data for anonymisation, pseudonymisation, or data synthesis when carried out for purposes related to the development of AI systems for healthcare.

In light of these changes, the provisions governing the processing of personal data must be read together with the rules that have long been in force.

3.2 Public Administration

Another strategically regulated area is public administration. Under the Italian AI Law, public bodies may adopt AI systems solely for decision support, organisational tasks, and simplification –never to replace the responsibility of the competent authority or official. This approach safeguards institutional accountability by ensuring that automated processes do not determine decisions with direct effects on citizens’ rights.

Consistent with the transparency requirements that govern administrative action – and in keeping with the law’s human-centred approach – public administrations are bound by the obligation in Article 14(2) to ensure stakeholders can both “knowability” and “traceability” regarding the operation and use of the AI systems employed in their activities.

3.3 Labour

Articles 12 and 13 restrict the use of AI in the liberal professions and, more broadly, in the workplace, underscoring that deploying such technologies must not amount to substituting human performance in ways that undermine workers’ dignity or safety.

4. Copyright in the AI era: general principles and text and data mining

The Italian AI Law introduces major updates to copyright, aligning Law No. 633/1941 (the “Copyright Law”) with challenges posed by emerging digital technologies.

The reform follows three main lines: (i) reaffirming the primacy of the human author in works created with the aid of AI systems; (ii) promoting technological development by extending text and data mining (“TDM”) exceptions to AI systems (provided the so-called opt out is respected); and (iii)strengthening enforcement by introducing new criminal offences for TDM violations (see Section 5 below).

Specifically, the Italian AI Law:

  • amends Article 1 of the Copyright Law to clarify that works created with the assistance of AI systems are eligible for copyright protection only where they result from a substantial human intellectual contribution;
  • introduces Article 70-septies, extending the TDM exception to reproductions and extractions carried out through AI models and systems, including generative AI;
  • amends Article 171 by adding a new letter a-ter to paragraph 1, establishing criminal penalties for violations of TDM rules, including when committed through AI systems (see Section 5 below).

4.1 AI-assisted works

The reform firmly embraces an anthropocentric view of creativity: copyright protects works of human ingenuity only. Protection may extend to works made with AI tools, but only where the human author has contributed substantially and creatively.

This policy aligns with Italian and European case law on originality and authorship, with U.S. guidelines, and with the Berne Convention’s founding principles (1886), which tie copyright to intellectual creation as an expression of the author’s personality.

4.2 Text and Data Mining (TDM)

Alongside the issue of the protectability of AI-assisted works, the Italian AI Law introduces Article 70-septies, which expressly regulates TDM activities carried out by means of artificial intelligence models and systems, including generative ones.

This provision permits the reproduction and extraction of text or data from works or materials lawfully available online or in databases through AI models and systems – including generative AI –provided these activities comply with Articles 70-ter and 70-quater (introduced by Legislative Decree No. 177/2021 implementing Directive (EU) 2019/790, the “Copyright DSM Directive”). In particular, Article 70-ter authorises TDM when performed by research organisations or cultural heritage institutions for scientific purposes, while Article 70-quater permits TDM for any purpose, including commercial use, unless the rights holder has expressly reserved their rights (so-called opt-out mechanism).

5. Criminal Law Provisions on AI

The Italian AI Law also introduces major criminal-law innovations to bolster the legal system’s response to new threats posed by digital technologies. The intervention follows two tracks: first, the creation of new criminal offences; second, the introduction of aggravating circumstances tied to the use of AI.

In particular, the Italian AI Law:

  • creates a new offence – “Unlawful dissemination of content generated or altered with artificial intelligence systems” (Article 612-quater of the Criminal Code) – punishable by one to five years’ imprisonment. It applies to anyone who, without consent, provides, publishes, or disseminates images, videos, or audio recordings that have been falsified or altered using AI and are likely to mislead as to their authenticity, thereby causing unjust harm. The rule targets the surge in deepfakes that damage reputation and moral freedom. The offence requires the injured party’s complaint for prosecution, unless it is linked to another offence subject to prosecution ex officio, or if it is committed against an incapacitated person or a public official in with the exercise of their duties;
  • supplements copyright legal framework by amending Article 171(1) of the Copyright Law to add letter a-ter, which criminalises reproductions or extractions of text or data from works or materials available online or in databases in breach of Articles 70-ter and 70-quater, including when carried out through AI systems. The goal is to curb unauthorised scraping and abusive text/data mining (for example, in cases where the rights holder has exercised their right to opt out);
  • indirectly expands the scope of copyright offences by revising the definition of “intellectual works” in Article 1 of the Copyright Law to include works created with the aid of AI. As a result, Article 171-ter – which penalises anyone who, for profit or personal use, duplicates, reproduces, transmits, or publicly disseminates a work in violation of copyright – now also covers such AI-assisted works;
  • introduces a new general aggravating circumstance (Article 61, no. 11-decies of the Criminal Code), applicable to all offences, which increases the penalty by up to one third where the use of AI systems constituted an insidious means, impeded public or private defence, or worsened the consequences of the offence;[2]
  • amends other offences by adding AI-specific aggravating factors, namely:
    • attacks on a citizen’s political rights (Article 294 of the Criminal Code), where the penalty is increased if the deception that wholly or partly prevents the exercise of a political right is carried out using AI; and
    • market rigging (Article 2637 of the Civil Code) and market manipulation (Article 185 of Legislative Decree 58/1998), where penalties are increased if the offence is committed through AI systems.

6. AI and corporate liability under Legislative Decree No. 231/2001

The Italian AI Law does not directly amend the quasi-criminal liability regime for entities under Legislative Decree 231/2001 (“Decree 231”). However, the new criminal law provisions have indirect effects on corporate liability – particularly with regard to the need to update organisational models.

In particular, although the general aggravating circumstance for offences committed using AI (Article 61, no. 11-undecies of the Criminal Code) applies only to natural persons who commit the predicate offence, the fact that AI can facilitate criminal conduct must be addressed at the compliance and prevention level, as it may increase a company’s risk exposure and result in a stricter assessment for sanctioning purposes.

Further changes stem from the expanded definition of “intellectual works” set out in Article 1 of the Copyright Law, which now includes works created with the aid of AI. Because Article 25-novies of Decree 231 lists all violations of Article 171-ter of the Copyright Law as predicate offences, unlawful conduct involving these “new” works now falls within the scope of corporate liability. Consequently, companies may be held liable when such violations – such as unlawful duplication, dissemination, or reproduction for profit – are committed by an employee or a senior manager for the benefit or in the interest of the entity.

In such cases, companies may face a fine of up to maximum EUR 774,685 and – in the most serious cases – the disqualifying measures provided under Decree 231 for up to one year. These include:

  • disqualification from conducting business;
  • suspension or revocation of authorisations, licences, or concessions instrumental to the offence;
  • a ban on contracting with the public administration;
  • exclusion from grants, financing, contributions, or subsidies (and possible revocation of those already awarded);
  • and a prohibition on advertising goods or services.

By contrast, the new offences introduced by the Italian AI Law – “Unlawful dissemination of content generated or altered with artificial intelligence systems” (Article 612-quater of the Criminal Code) and unlawful reproduction or extraction of copyright-protected data via AI (Article 171(1)(a-ter) of the Copyright Law) – have not been added to the list of predicate offences under Decree 231.

In light of these developments, organisations should evaluate whether to update their compliance models and internal protocols — both formally (to incorporate the new aggravating circumstances and other relevant changes) and substantively. In particular, companies may need to revise their risk assessments to account for new scenarios arising from the use of AI in business processes, and accordingly strengthen internal controls and preventive measures.

A company already compliant with Decree 231 may have existing controls – designed for other offences– that also prove effective against the newly introduced ones (e.g., copyright violations). Even so, it is advisable for companies to assess whether additional safeguards are needed to mitigate risks arising from the intentional or uncontrolled use of AI systems. These should include protocols and procedures that ensure the traceability, accountability, and oversight of decisions involving AI technologies.

7. Legislative delegation to the Government in the area of criminal law

The criminal-law framework concerning the use of AI is still evolving and will extend beyond the measures outlined so far. The Italian AI law has granted the Government a broad delegation to intervene in areas of substantive and procedural criminal law, as well as on corporate liability.

In particular, the Government is tasked to:

  • introduce new criminal offences, including those punishable for negligence, targeting failures to adopt safety measures in the design, production, and professional use of AI where such omissions create a concrete risk to life, individual or collective safety, or national security;
  • define criteria for imposing criminal liability on natural persons and legal entities for AI-related offences, taking into account the actual level of control exercised over the systems;
  • regulate the use of AI systems in pre-trial investigations;
  • amend existing substantive and procedural rules to coordinate and rationalise the overall framework.

The implementation of this broad delegation will be particularly significant, especially if new offences are introduced that expand the list of predicate offences relevant under Decree 231.

In a regulatory environment where technology, compliance, and criminal law are increasingly intertwined, companies will need to integrate AI governance into their organisational models and risk management systems, ensuring alignment on both technical and legal fronts.

8. Conclusions

The Italian AI Law represents a landmark regulatory development, whose full impact will only become clear once its implementation is completed. Indeed, the Government has been granted wide-ranging powers under Articles 16 and 24, requiring it to issue implementing decrees within twelve months of the Italian AI Law coming into force.

The practical impact of the new Italian legislation on the development and use of AI will largely depend on these implementing measures, which must nonetheless avoid compromising the uniform application of the AI Act. Given the rapid pace of technological evolution, these regulatory developments will require close and ongoing monitoring to ensure timely adaptation and practical consistency across sectors.

[1] Particularly with regards to the prohibition on imposing restrictions on the freedom of establishment and the freedom to provide services within the EU based on nationality or residence (unless justified on grounds of public policy or public security).

[2] It is worth noting that the provision was originally introduced as Art. 61, no.11-decies thereby duplicating an existing numbering. The numbering was subsequently corrected on 17 October 2025