Italy Adopts Artificial Intelligence Law: Key Points for Legal Teams
Italy's artificial intelligence law was signed on September 23, 2025 and enters into force on October 10, 2025. It complements the EU Artificial Intelligence Act and should be interpreted in line with the EU Act's rules and definitions (Article 1(2)). Below is a concise briefing for in-house counsel and compliance leaders.
Relationship with the EU AI Act
The Italian AI Law operates as a complement to the EU AI Act. Definitions, obligations, and scope follow the EU framework, so your internal governance should map to EU AI Act terminology first, then layer Italy-specific rules on top.
Reference text: EU AI Act (EUR-Lex).
Competent Authorities
Two national authorities are designated (Article 20):
- Agency for Digital Italy (AgID) as the notifying authority, responsible for procedures around notification, assessment, accreditation, and monitoring of notified bodies.
- National Cybersecurity Agency (ACN) as the market surveillance authority, responsible for supervision and enforcement.
Healthcare and Scientific Research
The law authorizes secondary use of personal data, including special categories of data, stripped of direct identifiers, for public interest and not-for-profit scientific research to develop AI systems for disease prevention, diagnosis, treatment, and drug/therapy development-without obtaining new consent (Article 8).
- Transparency can be satisfied by publishing a privacy notice on the controller's website.
- Controllers must communicate the processing to the Italian data protection authority (Garante), including information relevant to GDPR Articles 24, 25, 32, and 35, and must expressly identify any processors.
- Processing may start 30 days after the communication if the Garante does not issue a blocking measure.
Authority site: Garante (Italian DPA).
Employment
Employers must inform workers about any AI systems and tools used in the workplace and must ensure appropriate employee training (Article 11). Review worker notices, policies, and collective agreements where relevant.
Minors
Parental consent is required for access to AI technologies and related processing for minors under 14. Minors aged 14 to under 18 may consent if information is easily accessible and comprehensible (Article 4(4)). Ensure consent flows and notices reflect these thresholds.
Copyright
Works created with the aid of AI tools can be protected if they result from the author's intellectual contribution. Text and data mining of lawfully accessed online works and databases via AI models, including generative AI, is permitted, subject to copyright rules and rights holders' opt-out (Article 25). Update IP policies and opt-out handling accordingly.
Key Changes Compared to Previous Drafts
- No localization mandate: A prior proposal to require public-sector AI servers to be located in Italy was removed. Instead, public bodies are recommended to prefer solutions that localize and process "strategic" data in Italian data centers when selecting e-procurement suppliers (Article 5(1)(d)).
- No special labeling rule for AI-generated news: The draft provision was omitted. General transparency requirements under the EU AI Act apply.
Delegation of Authority to the Government
Within 12 months of entry into force, the Government is delegated to adopt further measures, including to (i) align the national framework with the EU AI Act; (ii) assign supervisory, inspection, sanctioning, and other administrative powers to AgID/ACN; (iii) define comprehensive rules on data, algorithms, and mathematical methods used to train AI; (iv) set rules for investigative and policing uses of AI; and (v) update civil and criminal penalties.
Action Checklist for Legal and Compliance Teams
- Map obligations across the EU AI Act and the Italian AI Law; update your AI governance register accordingly.
- For research use cases, implement the Article 8 pathway: de-identification, website notice, Garante communication with GDPR Articles 24/25/32/35 details, and a 30-day wait protocol.
- Update employment notices and training programs to cover any AI tooling used with workers.
- Refresh consent flows and age gates to meet the under-14 parental consent rule and the 14-17 informed consent standard.
- Revise IP and data mining policies: define "AI-assisted authorship" review, manage rights holders' opt-outs, and ensure lawful access verification.
- For public-sector engagements, prepare vendor responses on data center location for "strategic" data and document risk justifications.
- Monitor forthcoming Government measures assigning powers to AgID/ACN and setting law enforcement AI rules; adjust compliance playbooks on release.
Key Dates
- September 17, 2025: Final Senate approval.
- September 23, 2025: Law signed.
- October 10, 2025: Entry into force.
- Within 12 months from entry into force: Government to adopt further implementing measures.
Your membership also unlocks:
