AI Watch: Global regulatory tracker - Italy (UPDATED)

Laws/Regulations directly regulating AI (the "AI Regulations")

Currently, there are no specific laws, statutory rules, or regulations in Italy that directly regulate AI. As for all EU Member States, the EU AI Act will be Italy's central general and cross-sectoral AI legislation. However, Italy is expected to enact its own AI regulation, which is currently debated at the Parliament.

There are currently no sector-specific laws specifically regulating AI in Italy.

Status of the AI Regulations

The EU AI Act is addressed separately here.

As noted above, there are no laws or regulations in Italy that directly regulate AI. However, on March 20, 2025, the Senate (upper house of the Parliament) approved at first reading the bill entitled "Provisions and Delegations to the Government Concerning Artificial Intelligence" (the "AI Bill").¹ The timeline remains uncertain, as - despite being a Government-sponsored initiative - the AI Bill still lacks full political consensus.

The AI Bill sets out regulatory criteria and general principles designed to balance the relationship between the opportunities offered by new technologies and the risks associated with their misuse. The Council of Ministers does not consider that there is any risk of overlap with the EU AI Act. Rather, the AI Bill "complements the regulatory framework in those areas falling within the scope of nationa law, taking into account that the EU AI Act is based on a risk-based architecture related to the use of artificial intelligence".²

Other laws affecting AI

The Italian Data Protection Authority (DPA) adopted on May 20, 2024, a Notice on the use of web-scraping for the purpose of training AI models and contrasting the misuse of personal data.³

Moreover, the DPA has had a specific organizational unit dedicated to artificial intelligence in place since 2021. In a statement of March 25, 2024, the Chairman of the DPA indicated that the DPA possesses the necessary competence and independence to implement the EU AI Act, in line with the objective of ensuring a high level of protection on fundamental rights.⁴ Furthermore, Italian courts and regulators have begun to interpret existing laws with regard to AI.⁵

Additionally, there are various laws that do not directly seek to regulate AI, but may affect the development or use of AI in Italy, such as:

• The GDPR and the Italian Data Privacy Code (Legislative Decree no. 196/2003)
• EU and Italian competition law (Articles 101 and 102 TFEU and Law no. 287/1990)
• The Italian Consumer Code (Legislative Decree no. 206/2005) Intellectual property laws that may also affect several aspects of AI development and use

Definition of "AI"

As noted above, there are currently no specific laws or regulations in Italy that directly regulate AI. Accordingly, no definition of AI is currently recognized through Italian national legislation.

In response to the observations made by the European Commission in its opinion C(202)7814, which noted that the proposed definitions of the AI Bill were not consistent with those in the EU AI Act, the current version of the AI Bill approved by the Senate refers to the definitions set out in the EU AI Act.

Territorial scope

As noted above, there are currently no specific laws or regulations in Italy that directly regulate AI. Accordingly, there is no specific territorial scope at this stage.

The AI Bill is set to apply to the development and deployment of AI systems and AI model within the Italian territory.

Sectoral scope

As noted above, there are currently no specific laws or regulations in Italy that directly regulate AI. Accordingly, there is no specific sectoral scope at this stage.

The Italian Data Protection Authority has, nevertheless, issued guidance on the use of AI in several fields, such as:

• Data protection when AI is used in healthcare services (the so called "initiative medicine")⁶
• Facial recognition for law enforcement purposes^{7 8}
• The tax risks from the point of view of combating tax evasion⁹
• The reform of Electronic Health Record and the establishment of the Health Data Ecosystem (EHS)
• The Decalogue for the Implementation of National Health Services through AI Systems¹⁰

Finally, the DPA carried out control activities on the so-called gig economy on the topic of deepfakes¹¹ and smart assistants.¹²

With regard to the AI Bill. The legislative text is set to apply to the following sectors:

• National health service and healthcare
• Scientific research
• Labor conditions
• Intellectual professions
• Public administration and judicial system
• Delegations to the Government
• AI and Copyright
• Amendments to the Code of Civil Procedure and to the Penal Code
• Use of AI for the strengthening of national cybersecurity

Compliance roles

As noted above, there are currently no specific laws or regulations in Italy that directly regulate AI. However, according to a 2019 judgment, algorithmic decision-making in administrative procedures must account for:

• Transparency regarding the existence of an automated decision and information on the logic used
• Human involvement in the decision, if the decision produces legal effects concerning or significantly affecting a person
• Ensuring non-discrimination through implementing adequate technical and organizational measures¹³

Under Articles 3 to 6 of the AI Bill, the development and implementation of AI systems must respect fundamental rights enshrined in the Italian Constitution and EU law and be based on the principles of transparency, proportionality, safety, protection of personal data, confidentiality, accuracy, non-discrimination, gender equality and sustainability.

Core issues that the AI Regulations seek to address

As noted above, there are currently no specific laws or regulations in Italy that directly regulate AI. Nevertheless, Italy's highest administrative court has sought to address the issues relating to transparency, human oversight and non-discrimination in a 2019 judgement relating to algorithmic decision-making in administrative procedures.¹⁴

The Italian government also released the National AI Strategy (2022-2024), which identifies three areas of action, namely: (i) to strengthen expertise and attract talent in order to develop an AI ecosystem; (ii) to increase funding for advanced research in AI; (iii) to encourage the adoption and the application of AI, both in public administration (PA) and in productive sectors in general.¹⁵ The Italian government has also stressed the need to ensure, inter alia, greater clarity with respect to coordination with sector regulations, in particular banking and insurance. It also proposed a system of self-assessment by the companies of AI systems, through guidelines or a repository of examples, and supported the definition of burdens and obligations along the value chain of AI systems, especially for SMEs.

Risk categorization

As noted above, there are currently no specific laws or regulations in Italy that directly regulate AI. Accordingly, there is currently no risk categorization of AI in Italy, except for those that are introduced by the EU AI Act.

The AI Bill does not elaborate a different risk categorization than that of the EU AI Act.

Key compliance requirements

As noted above, there are currently no specific laws or regulations in Italy that directly regulate AI. Nevertheless, and as noted above, Italy's highest administrative court indicated that key compliance requirements relate to transparency, human involvement, and non-discrimination.

The AI Bill relates to some specific sectors, as outlined above.

Regulators

As noted above, there are currently no specific laws or regulations in Italy that directly regulate AI. As such, the regulation of AI is, for the time being, left to pre-existing regulators. Notably, the Italian Data Protection Authority has already intervened to regulate two AI companies for breaches of data protection regulation.

In compliance with the designation of AI supervisory authorities required by the EU AI Act, the AI Bill designates the national authorities responsible for AI:

The Agency for Digital Italy (AgID), which will act as the notifying authority with functions related to the accreditation and supervision of entities tasked with assessing AI systems' conformity. AgID will also be responsible for promoting innovation and the development of artificial intelligence.

The National Cybersecurity Agency (ACN), which is identified as the supervisory authority and the lead authority for the use of AI in cybersecurity.

Nevertheless, the designation of AgID and ACN - both governmental authorities - appears to overlook the concerns raised by the European Commission in its reasoned opinion (C(2024) 7814), which recalled that competent authorities must possess the same level of independence required under Directive (EU) 2016/680 for data protection authorities involved in law enforcement, migration management, justice administration, and democratic processes. The AgID and the ACN are not "independent" authorities, i.e., they are politically and financially dependent from the Presidency of the Council of Ministries. Therefore, they lack the independence of the Italian DPA or the Italian Competition Authority. Currently, the parliamentary majority proposed to amend the provision as to refer also the "coordinating role" of the Italian DPA, the Italian Competition Authority and the Italian Communication Authority. Further amendments on the designation of the supervisory authority may be expected.

In any event, the designation of the authorities is without prejudice to the sectoral competences of other regulatory authorities such as the Bank of Italy, the Italian Security and Exchange Commission (CONSOB) and the Italian Insurance Supervisory Authority (IVASS).

Enforcement powers and penalties

As noted above, there are currently no specific laws or regulations in Italy that directly regulate AI. The EU AI Act will establish the powers and penalties available to regulators of AI, but that detail is not discussed here.

In the interim, enforcement powers and penalties are set out in pre-existing legislation. The Italian Data Protection Authority, for example, has already used the enforcement powers at its disposal in several cases.

The AI Bill allows the government to adopt decrees defining the sanctioning power of the designated AI authorities.

1 Bill of the Senate No. S.1146 "Disposizioni e deleghe al Governo in materia di intelligenza artificiale", available here. https://www.senato.it/service/PDF/PDFServer/BGT/01449288.pdf
2 Press release of the Council of Ministers No. 78 of April 23, 2024, available here. https://www.governo.it/it/articolo/comunicato-stampa-del-consiglio-dei-ministri-n-78/25501
3 Decision of May 20, 24 of the Italian DPA, available here.
4 Statement of March 25, 2024, of the President of the DPA, who submitted observations to the Presidents of the Italian Senate and Chamber of Deputies and to the Prime Minister after the final approval of EU AI Act.
5 For instance, the Italian Supreme Court (Corte di Cassazione) has ruled on the principles governing the lawful use of artificial intelligence systems involving the processing of biometric data: Italian Supreme Court, judgement No. 12967 of May 13, 2024.
6 The Garante's guidance on data protection when AI is used in healthcare.
7 See here.
8 See here.
9 DPA's opinion no. 452 of December 22, 2021.
10 Decalogue of October 10, 2023.
11 Vademecum on deepfake as of December 2022.
12 DPA's Advice on Smart Assistants, as of March 2021.
13 See Consiglio di Stato sez. VI, 13/12/2019, decision no. 8472.
14 See Consiglio di Stato sez. VI, 13/12/2019, decision no. 8472.
15 See the National AI Strategy (2022-2024). In terms of AI regulation, the National AI Strategy calls for a radical update in terms of: (i) strengthen the AI research base and associated funding; (ii) promote measures to attract talent; (iii) improve technology transfer process; (iv) increase the adoption of AI among business and PA, fostering the creation of innovative companies. The recent National AI Strategy also aims to align all IA policies related to data processing, aggregation, sharing and exchange, as well as to data security, with the National Cloud Strategy and with ongoing initiatives at the European level, starting with the European Data Strategy and the recent proposals for a Data Governance Act and a regulation on artificial intelligence.

[View source.]