Back to all posts
AI & Technology
8 min read

Client Newsletter: Italian AI Law

Published on
October 10, 2025
Contributors
Tanya Malik
Senior Counsel, Policy & Social Impact
Michela Bellani
Associate
Share

Italy Takes the Lead - First AI Law in the EU, Coming into Force on 10 Oct 2026

TLDR Highlights

  • On September 17, 2025, Italy approved its first domestic legislation addressing artificial legislation, Law No. 132/2025 (the AI Law), which enters into force today, 10 October 2025.
  • Following the guidance of, and in compliance with, the EU AI Act, Italy sets a benchmark, establishing national governance through regulatory bodies – the Agency for Digital Italy (AgID) and the National Cybersecurity Agency (ACN), sectorial guardrails, disclosure duties (healthcare, employment, public sector, judicial), criminal penalties (e.g. for harmful deepfake distribution), parental consent for under-14s, and copyright rules.
  • No additional rules beyond what is outlined in the EU AI Act are introduced, offering consistency to firms in the region.
  • Italy’s law as an early compliance pilot. Proactively aligning governance, documentation, and disclosure processes with Italy’s new standards can help mitigate enforcement risk and position firms as credible actors in an evolving regulatory landscape.

Context

On September 17, 2025, the Italian Senate passed the country’s first dedicated law on Artificial Intelligence (Law No. 132/2025), making Italy the first EU Member State to adopt a national statute implementing and localizing the EU AI Act.  

Italy’s approach is meant to complement the EU AI Act by setting out national safeguards and governance tools. The EU AI Act remains the foundation for compliance, but businesses in Italy will need to consider how to comply the specific obligations introduced by this new law. To provide certainty, the legislation prevents the Government from imposing requirements that go beyond those foreseen in the EU AI Act. Failure to comply may expose to administrative, civil or criminal sanctions, once implementing decrees define the liability framework and enforcement measures.  

Who Is Impacted?

Providers and deployers of AI systems in Italy, specifically, any entity (company, public authority, individual) that develops, places on the Italian market, operates, or uses AI systems within Italy will generally fall within scope. The law may also capture foreign providers whose systems are used in or target Italian users.

Beyond the EU AI Act baseline, the AI Law includes sector-specific disclosure:

  • Healthcare / medical / diagnostics / therapeutic AI systems
  • Public administration / judicial system
  • Employment / workplace settings
  • Intellectual professions / regulated professional services (legal, medical, accounting, etc.)

Key Provisions and Strategic Considerations

Criminal Liability for AI-related Harm

  • The law empowers the Government to establish civil, criminal and administrative liability rules for damage caused by AI systems. The implementing decrees are expected to include provisions that better protect harmed parties – potentially requiring AI providers or deployers to demonstrate proper conduct when incidents occur, with criteria linked to the EU AI Act risk classifications.
  • Considerations:
    • Integrate AI oversight into compliance programs, including documented monitoring and incident-response procedures.
    • Review contractual frameworks to define accountability, audit rights, data-handling obligations, and notification duties.
    • Apply enhanced diligence for AI used in sensitive sectors such as healthcare, employment, and public administration.
    • Maintain thorough records of AI system design, training data, and deployment to demonstrate responsible conduct if harm or misuse occurs.

Criminal Responsibility for AI misuse

  • The law establishes new criminal liability for misuse of AI i.e. the unlawful dissemination of manipulated or AI-generated content (such as deepfakes) and increased penalties when AI is used to commit fraud, identity theft, or other offences. Those convicted may face 1 to 5 years’ imprisonment if “unjust harm” results1. Because of these new offences, companies should review their compliance and risk-control systems – governed by Legislative Decree 231/2001 on corporate liability – to ensure AI-related risks are properly managed.
  • Considerations:  
    • Establish formal escalation protocols to coordinate with law enforcement or regulatory authorities if manipulated content is identified.
    • Adopt clearly articulated policies for handling AI-generated media, including detection, labeling, and ethical usage guidelines.

Protection of Minors

  • Users under 14 may only access AI systems with parental consent.
  • Considerations:  
    • Design age-verification mechanisms into systems.
    • Incorporate child-safety considerations into system architecture.

Copyright

  • Copyright protection applies only to works where there is demonstrable human creative input, even when created with the assistance of AI tools. Works generated solely by AI systems are not protected.  Further, Article 25 amends Italy’s Copyright Act (Law 633/1941) to codify that protection applies to works “created with the aid of artificial intelligence” only if they are the result of the author’s intellectual effort, not those generated solely by AI.
  • Considerations:  
    • Document the human creative contribution in any AI-assisted project (e.g. prompt choices, edits, conceptual direction).
    • Maintain records of training data provenance (sources, licensing, rights) to demonstrate lawful use of materials in AI training.

Professional Services

  • AI may be used to support, not replace, professional judgment. Engagement letters must disclose if and where AI is used, including data handling and safeguards; accountability remains with the professional2.
  • Recomended actions:  
    • Adjust client documentation.
    • Keep human oversight central.
    • Confirm the reliability of AI-assisted output.

Workplace

  • AI used in the workplace must comply with principles of transparency and human oversight, in line with Italian labor rules and privacy principles. Employers must notify workers when AI systems are deployed in hiring, evaluation, monitoring, or task assignment.
  • Recomended actions:  
    • Review any tools used for productivity scoring, keystroke or behavioral monitoring.
    • Align policies and procedures with works council processes, retention schedules, and Data Protection Impact Assessments DPIAs.

Public Administration and Judiciary

  • Administrative and judicial uses must ensure explainability and human final decision-making; procurement will demand AI risk documentation and deployment monitoring.
  • Considerations:  
    • Prepare conformity files (design rationale, transparency reports, risk assessments) to support procurement or regulatory review.
    • Retain testing evidence (simulation, stress tests, scenario validation).
    • Plan for post-deployment monitoring and performance auditing in public tenders or judicial systems.

How the New Law Relates with the EU AI Act

The EU AI Act remains the binding framework across all EU Member States, setting out detailed technical and operational rules for AI systems based on a risk-based approach. Italy’s law does not replace it but acts as a framework law, outlining national principles and delegating the Government to issue implementing decrees.

Key aspects to note

  • Scope and detail: the EU AI Act provides technical requirements (risk management, transparency, human oversight), while the Italian law focuses on ethical and strategic priorities such as sovereignty and data localization.
  • Timing: the EU AI Act follows a phased schedule from 2024 to 2027, the Italian law applies in full from October 10, 2025, but defers many specifics to future decrees.
  • Sanctions: the EU AI Act already sets strict penalties (up to €35 million or 7% of global turnover), the Italian law leaves the definition of national sanctions to future decrees.
  • Governance: Italy designates two national independent authorities – ACN for supervision and enforcement, and AgID for promotion and development – which may lead to overlap in practice.

Implication: Italian companies must treat the EU AI Act as the primary source of compliance, while monitoring upcoming Italian decrees that may introduce additional national obligations and enforcement mechanisms.

Noema Insights

We’re helping organizations implement the new obligations arising from Italy’s AI Law, while ensuring continuing compliance with the EU AI Act, by specifically:

  • Assessing applicability of Italian provisions to your operations and sector.
  • Providing guidance on copyright and data provenance issues related to AI training and creative workflows.
  • Monitoring the upcoming decrees implementing the law and advising on their practical impact.

Related posts

Lorem ipsum dolor sit amet, consectetur adipiscing elit.

View all
Category
5 min read

Blog title heading will go here

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim...
Read more
Category
5 min read

Blog title heading will go here

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim...
Read more
View all

Your Needs are

Our Priority

We handle every inquiry with confidentiality and discretion.
We look forward to hearing about your case.

Get in touch