What is AI regulation in Italy?

Italy's AI rules are set by a national AI law (Legge 132/2025) and by the EU AI Act. The Italian law (in force from Oct 2025) adopts human-centric and transparency principles and covers specific sectors (e.g. health, labour, finance). It sets up a governance structure (AgID and the National Cybersecurity Agency) and mandates risk assessments for high-risk AI. Italy also enforces data privacy on AI: its data-protection authority (Garante) has acted against services like ChatGPT, DeepSeek and Clothoff to address privacy and safety concerns.

What this means

Italy has introduced a comprehensive AI framework. In September 2025, the Italian Parliament passed Law 132/2025 on artificial intelligence. This is the first national AI law in the EU and it was written to align closely with the EU AI Act. The law sets out broad principles - for example, AI must be used in a "human-centric" and transparent way - and applies rules to important areas like healthcare, employment and public services.

Alongside this law, the EU's AI Act (an EU-wide regulation from 2024) applies in Italy, so Italian AI users and providers must meet both national and EU requirements. The Italian framework names specific authorities (AgID and the National Cybersecurity Agency) to manage AI notifications, conformity checks and oversight. The Italian data-protection agency (Garante) also reviews AI tools under privacy law. For example, the Garante temporarily blocked ChatGPT in 2023 and later required OpenAI to add user disclosures and opt-outs. Similar enforcement actions have targeted new generative-AI apps like DeepSeek and Clothoff to protect Italians' data and rights.

Why it matters

AI regulation matters in Italy because any organisation developing or using AI must follow these rules or face penalties. The new law creates legal duties for AI developers and users - such as risk assessments, documentation and user information - especially for high-risk AI (e.g. diagnostic tools or credit scoring). Sectoral regulators (finance, healthcare, labour) can inspect compliance. Italy also criminalises certain AI abuses (like harmful deepfakes). Compliance is a business issue: Italy is backing innovation (a EUR 1bn fund for AI startups), but companies must still build trust by respecting rights and safety.

Separately, under EU and Italian privacy law, AI products that handle personal data must safeguard privacy. The Garante's early actions on ChatGPT and other AI services show that Italian and EU data-protection rules are enforced with AI use in mind. Firms that ignore these rules risk fines, legal action or technology bans.

How it works

National AI Law (Legge 132/2025)

Italy's national AI law (passed 23 Sept 2025) took effect on 10 Oct 2025. It codifies principles for AI (human-centred, transparent, non-discriminatory) and expressly aligns with the EU AI Act. The law covers many domains - from healthcare to labour, public administration, finance and creative industries - and requires safeguards (e.g. human oversight and traceability) in each. It also creates new obligations: for example, providers must label AI-generated content as synthetic, ensure training data respects privacy, and assess risks for high-risk AI systems. Certain acts are criminalised, such as the illicit dissemination of AI-generated "deepfake" images or videos (a new offence in Italy's criminal code).

EU AI Act and Italian Alignment

The EU AI Act (Regulation 2024/1689) is a Europe-wide law that classifies AI systems by risk and sets rules accordingly. It is directly applicable in Italy, and Law 132/2025 explicitly defers to it. Italy's law even states it will not impose obligations beyond those of the EU regulation. In practice, this means Italian high-risk AI systems (as defined by the EU lists) will need to undergo EU-style conformity assessment and registration. Italy can add some sector-specific rules (e.g. thresholds for healthcare AI or credit-scoring tools) via delegated decrees, but these cannot conflict with the EU standards. Italian authorities are preparing these details: for example, regulations will set exact lists of high-risk AI in Italy and penalties for breaches.

Governance and Authorities

The Italian law assigns AI oversight roles to specific agencies. The Digital Italy Agency (AgID) is the designated AI authority for notifications, approvals and innovation promotion. The National Cybersecurity Agency (ACN) serves as market surveillance and inspection authority for AI systems. These bodies coordinate with sectoral regulators (like the Central Bank, CONSOB for markets, IVASS for insurance) on AI issues. A national AI strategy must be drawn up every two years by the Presidency of the Council (Dept. of Digital Affairs) with input from AgID and ACN, and reported annually to Parliament. This governance framework aims to balance promoting AI (including a EUR 1bn fund for AI startups and SMEs) with protecting rights and security.

Data Protection and Privacy Oversight

AI regulation in Italy is closely linked with data-protection law. The Garante (Italy's data-privacy watchdog) treats AI systems like any other data processor: they must have a legal basis, conduct privacy impact assessments, and protect personal data. The Garante has signalled that generative AI raises data privacy risks, and it has used its GDPR powers to act quickly. For instance, in early 2025 the Garante ordered the chatbot DeepSeek blocked in Italy due to inadequate user data protection. It also provisionally banned the Clothoff "deep nude" image app to stop unlawful personal data processing. In 2023-24 the Garante investigated ChatGPT, ultimately requiring OpenAI to implement stronger transparency and opt-out measures (a EUR 15m fine was later annulled by the Court of Rome on 18 March 2026, on jurisdictional grounds rather than on the merits). These actions show that even before the new law's details are all set, existing privacy and consumer rules are being enforced against AI services.

Liability and Enforcement

Under Italy's AI law, violations can trigger administrative and criminal sanctions. Delegated decrees (forthcoming) will set specific fines for breaches (aligned with the EU Act for high-risk non-compliance) and outline inspection procedures. New criminal provisions target AI misuse: for example, fabricating or distributing "deepfake" content that harms individuals now carries a prison term. In parallel, ordinary civil and administrative liability rules apply: companies may be liable for harm caused by unsafe or biased AI. Sector regulators (banking, finance, health) will apply their own enforcement powers to AI in their industries. The EU AI Act also provides for strong penalties (up to millions of euros) for illegal "unacceptable risk" AI. Italy's authorities have already shown willingness to enforce: beyond Garante's data-protection actions, the ACN (cyber agency) will have the power to audit AI system security and suspend risky deployments.

Examples

**Health-tech company:** A startup in Milan developing an AI diagnostic tool must follow Italy's AI law by ensuring doctors make final decisions and data subjects' privacy is safeguarded. For instance, if the AI suggests treatments, the final choice must rest with a human doctor (reflecting the law's "anthropocentric" principle). The system would likely be "high-risk" under EU rules (since it affects health), so the company needs to perform risk assessments, keep detailed logs, and have the AI validated by accredited assessors before use. It must also comply with medical-data rules under GDPR.

**Financial institution:** A bank using AI for loan approvals will treat that AI as a high-risk system. Under EU and Italian rules, the bank must document the AI's design, demonstrate it does not discriminate, and label any automated recommendation to loan officers. If the AI misbehaves (e.g. unfairly rejects applications), the bank could face scrutiny from Italy's banking regulator and penalties for broken obligations. The bank's compliance team will need to follow any ACN inspections or AgID guidelines on AI in finance.

**App developer (generative AI):** A company launching an AI-based image or chatbot service accessible to Italians will watch Garante's guidance closely. It must provide clear privacy notices and allow people to opt out of having their personal data used to train the AI. The app must prevent minors from using adult-oriented AI features (as OpenAI added age checks). If the service generates synthetic content, the developer should label it as AI-generated. These steps ensure compliance with Italian privacy enforcement and transparency expectations. Failure could lead to orders to halt the service (as happened with DeepSeek and Clothoff) or GDPR penalties.

Common misunderstandings

- *"Italy's AI law creates new rules beyond the EU AI Act."* Not really - the law explicitly says it won't add stricter requirements than the EU regulation. Italy's law largely mirrors the EU Act's risk-based approach, though it does add some local rules (e.g. a deepfake offence) and sector guidance.

- *"ChatGPT and similar tools are banned in Italy."* That's a misunderstanding. Italy briefly suspended ChatGPT in 2023 over privacy issues, but it was reopened after OpenAI made changes. The law does not outlaw generative AI; it requires that providers respect privacy, age checks and transparency. So AI tools can operate if they meet legal standards.

- *"AI regulation in Italy is just about data protection or ethics."* No - it covers much more. The new law introduces AI-specific duties (like mandatory impact assessments for high-risk AI, conformity checks, and synthetic content labelling) and even criminalises certain abuses (e.g. harmful deepfakes). These go beyond general data protection or existing tech rules.

- *"Only Italian companies must comply with Italy's AI law."* In practice, any AI system placed on the Italian market or used there must comply, whether the provider is Italian or not. Since the EU AI Act applies to providers serving EU users, foreign AI firms must meet Italy's (and EU's) requirements for Italian users.

- *"The new law is already fully enforceable."* Not yet - Law 132/2025 entered into force in Oct 2025, but many details depend on future executive decrees. Until those are issued, authorities use existing laws (like GDPR) and EU rules to govern AI. Therefore, companies should prepare now but watch for specific implementing rules to come.

Risks and boundaries

The AI law sets a national framework, but it has limits. It does not override the EU AI Act (instead it aligns with it). The EU Act itself is a regulation; Italy cannot opt out of it. Some national aspects remain unsettled: for example, the exact list of high-risk AI systems for Italy will be defined by later decrees. Until then, the EU lists apply. The law delegates many technical rules to the Government (for example on labelling formats and fines), so businesses must stay alert for those details.

In practice, data protection (GDPR) and consumer laws still apply to AI. Any AI system mishandling personal data can trigger GDPR enforcement (as seen with ChatGPT, DeepSeek and Clothoff). However, Italy's AI law is broader - covering safety, transparency, and sector rules - and introduces new criminal liabilities. Some uncertainty remains on how courts will interpret the new provisions (e.g. what counts as "illicit deepfake"). Also, Italy's enforcement of AI rules is still developing: some early cases (OpenAI's fine) were later overturned, showing that legal boundaries are still being tested. Organisations should treat the law as real and prepare, but also watch legal and regulatory developments in 2026.

Finally, it's important to note what the law isn't: it does not require AI firms to share proprietary code or algorithms. It isn't a broad "AI police" in day-to-day operations. It targets specific practices: high-risk applications, data misuse, and sectors like healthcare and finance. So using AI for harmless tasks (like basic chatbots with no personal data) won't usually trigger special rules. The main risk is for AI that affects people's rights or safety.

What to do next

Organisations and AI teams in or serving Italy should start by mapping their AI systems against the new rules. Determine which systems might be "high-risk" (healthcare diagnostics, recruitment tools, financial trading, etc.) and be ready to conduct impact assessments and conformity checks. Assign responsibility internally for AI governance, and liaise with compliance and legal teams about upcoming obligations.

Set up transparency practices now: label any synthetic content, update privacy notices for AI training data, and implement opt-out mechanisms as needed. Establish age verification if your AI could appeal to minors (as Italy requires under-13s to be blocked). Engage with Italy's data-protection authority or legal counsel to ensure GDPR compliance in AI services.

Monitor the implementation process: new rules and fines will be published in the coming months. In the meantime, stay tuned to guidance from AgID, ACN and sector regulators. For example, AgID is expected to issue technical guidelines ("linee guida") on how to document AI processes. Consider joining EU initiatives (like the voluntary AI pact) to align with best practices before formal compliance is required.

Finally, if your organisation operates in multiple EU countries, align your overall AI compliance to meet both EU and Italian expectations simultaneously. Keep an eye on Italy's AI strategy reports and parliamentary reviews, as they will signal enforcement trends. By proactively adapting your AI governance, you can avoid sanctions and benefit from Italy's innovation incentives (like the EUR 1bn fund).

FAQs

What is Italy's Law 132/2025 on AI?

It's a national statute (approved Sept 2025) that establishes Italy's domestic AI framework, setting out AI principles and rules. It came into force on 10 October 2025. The law is meant to fit with the EU AI Act, and it covers areas like healthcare, employment, public services and digital rights.

How does the EU AI Act affect Italy?

The EU AI Act is a binding regulation for all EU states, including Italy. Italy's law expressly conforms to the EU Act, meaning Italian AI rules largely mirror the EU's. High-risk AI systems in Italy will have to comply with the EU criteria (risk assessment, notifications, etc.). Italy's government will fill in local details by decree, but cannot contradict the EU law.

Which authorities enforce AI laws in Italy?

The law designates the Digital Agency (AgID) and National Cybersecurity Agency (ACN) as the national AI authorities. They handle notifications, conformity checking, and inspections. Sector regulators (e.g. Bank of Italy, CONSOB, health authorities) still supervise AI in their fields. For data privacy issues, the Garante (data protection authority) enforces GDPR against AI systems.

Are there specific obligations for generative AI (like ChatGPT) in Italy?

While the law doesn't single out generative AI by name, it requires that AI systems be transparent and safe. In practice, Italy's Garante has required generative tools to let users opt out of data training and ensure age verification. Companies deploying chatbots or image generation in Italy should provide clear notices about data use and check user ages, following the Garante's guidance.

What happens if an AI tool violates Italy's new AI law?

Penalties will depend on the specific violation. Fines and corrective orders are expected under the delegated rules (aligned with EU fines for high-risk AI non-compliance). Criminal penalties apply for certain offences (e.g. illegal deepfakes). Separately, GDPR fines can apply if the AI misuses personal data. Enforcement can come from national authorities (AgID/ACN) or sector supervisors, and violations may require stopping the AI's use until fixed.

Does Italy's AI law replace GDPR?

No. GDPR and data-protection rules still fully apply. The AI law adds AI-specific obligations (like risk documentation and disclosure of synthetic content) on top of existing privacy, consumer, safety and other laws. In fact, the first enforcement cases in Italy involved applying GDPR to AI services (e.g. ChatGPT and DeepSeek).

Are non-Italian AI providers affected by Italy's rules?

Yes, if they offer AI products or services to Italian users. The EU AI Act covers providers outside the EU who market AI in the EU. Likewise, GDPR applies to any company processing EU residents' data. So an AI firm abroad must comply with the AI Act and GDPR requirements to legally serve Italy.

When will companies need to comply?

The national law is effective from 10 Oct 2025, but many details will be set by later decrees (expected within a year of the law's passage). However, the EU AI Act's basic obligations began when it came into force (Aug 2024), with full requirements phasing in (especially for high-risk AI). In the meantime, following GDPR and any published guidelines is essential.
