EU AI ACT and Italy as the First Actor:

Author: Negar Modirrousta (Head of Compliance)

Introduction:

Italy has become the first EU member state to pass a comprehensive law governing artificial intelligence, setting penalties for harmful uses of the technology, such as deepfake creation, and restricting access for minors. Prime Minister Giorgia Meloni’s right-wing administration described the new legislation aligned with the EU’s flagship AI Act as a pivotal step in shaping how AI is applied within the country. The law seeks to ensure AI is “human-focused, transparent and safe,” while supporting “innovation, cybersecurity, and privacy protection.”

Under the new rules, anyone found guilty of distributing harmful AI-generated or manipulated content could face between one and five years in prison. Harsher punishments are foreseen for crimes such as fraud or identity theft carried out with AI tools. Transparency and human oversight will also be reinforced in workplaces and across sectors including healthcare, education, justice, and sports.

Children under 14 will require parental consent to use AI systems. On copyright, AI-assisted works will be recognized as protected if they stem from genuine human creativity, while AI-based text and data mining will be limited to non-copyrighted content or research conducted by accredited institutions.

Alessio Butti, undersecretary for digital transformation, said the legislation “places innovation within the boundaries of the public interest, guiding AI toward growth, rights, and full protection of citizens.” Enforcement will fall to the Agency for Digital Italy and the National Cybersecurity Agency, following a year-long parliamentary debate.

Meloni has repeatedly stressed the need for an “Italian path” to developing and regulating AI, calling the technology “the greatest revolution of our time.” However, she insists it can only reach its potential within an ethical framework that safeguards human rights and needs.

The law also earmarks up to €1 billion (£870m) from a state-backed venture capital fund to support AI, cybersecurity, and telecommunications companies though critics note this is modest compared with the massive investments underway in the US and China.

Despite a complex historical backdrop and widespread international resistance to regulation, Italy has become the first EU country to approve a national law complementing the EU Artificial Intelligence Act.

The Senate vote 17 Sept. concluded a process that began 23 April 2024, with the presentation of a bill that then passed through both houses of Parliament on several occasions. The law now consists of 28 articles that address, from a strategic and operational point of view, some of the most critical issues facing the country in the unstoppable rise of AI technologies.

Having defined the framework of general principles, the law devotes specific attention to crucial sectors such as work, health and justice. It also regulates the use of AI by minors and intervenes on the level of sanctions through criminal protection. The ball is now in the court of companies and public bodies that must comply with the provisions of the law.

It is too early to fully assess the effects and scope of this law, especially considering that several implementing measures are expected in the coming months. However, it is possible to reflect on a number of points. Internationally, Italy is in a privileged position as the first country to adopt a national regulatory framework governing the development, adoption and governance of AI systems. The new law aligns with and implements provisions of the AI Act and interacts with the EU General Data Protection Regulation and national regulations on the protection of personal data. 

The Italian law also attempts to introduce forms of simplification and innovation. This is the case, for example, in the health care sector with the scientific research and experimentation provisions in the development of AI systems. This further demonstrates that even with provisions it is possible to support markets, to the detriment of those even those at the highest levels of government like former Prime Minister Mario Draghi who continue to think deregulation or even laissez-faire are the only possible ways to ensure the EU and the country’s development and competitiveness.

Data economy regulations exist not only to protect the fundamental rights and freedoms of citizens but also to support innovative companies and processes. Of course, this requires the accurate and consistent application of the rules. It also demands a decisive investment strategy not only towards companies that must comply with the law, but also in support of those enforcing it.

The authorities starting with the new national authorities designated for AI under the new law, namely the Agency for Digital Italy and the Agency for National Cybersecurity, but also the independent authorities, in particular, the data protection authority, the Garante, which will continue to deal with AI within its remit must now, more than ever, be supported and strengthened.

This is because Italy’s system will be able to reap AI’s greatest human and economic benefits through constructive and collaborative dialogue between businesses and authorities. This dialogue must be built and approached openly, without fear and with courage. This law is not a goal, but a starting point: The ability to transform this technology into a catalyst for collective well-being will now depend on the ability to grasp and support the balance between rules and innovation.

National governance system

The AI law, which is pending formal publication in the Italian Official Gazette, outlines a composite national governance system, introducing new bodies and assigning new powers to certain national authorities.
As in previous versions of the law, the Agency for Digital Italy and the National Cybersecurity Agency were assigned to be the national authorities for AI. The ACN will monitor the adequacy and security of systems and have legal authority over inspections; the AgID will manage notifications and promote safe use cases for citizens and businesses.

The Interministerial Committee for Digital Transition has been tasked with approving the national strategy for AI every two years, prepared and updated by the Presidency of the Council of Ministers responsible for technological innovation and digital transition and in agreement with the national authorities, the Minister for Enterprises and Made in Italy, the Minister of Universities and Research, and the Minister for Defense.

The Observatory on the Adoption of Artificial Intelligence Systems in the World of Work has also been set up at the Ministry of Labor. It is tasked with monitoring the impact of AI on the labor market.

In the health sector, the National Agency for Regional Health Services has been given the power to establish and update guidelines for anonymization procedures and the creation of synthetic data, subject to the opinion of the Garante.

The Garante retains all powers relating to data processing under the GDPR and national laws, which, as is well-known, form the basis of all AI activities.

Server location

The final text of the AI law confirms the possibility of installing AI systems on servers located outside the EU, both for public and private use. This initiative ensures greater flexibility and continuity in the use of cloud infrastructure while upholding highest standards of security and data protection.

However, the provision directing public administration using e-procurement platforms to give preference to AI system and model suppliers that guarantee the localization and processing of strategic data in data centers located in Italy remains in effect. This also applies to suppliers whose disaster recovery and business continuity procedures are implemented within data centers located in Italy.

Workplace 

When using AI to support production, organizational, and management processes, the AI law requires employers and clients to ensure that such technologies are used in a manner that respects the confidentiality and physical and mental integrity of workers and the security of personal data. The AI law requires AI systems to comply with the principles of equal treatment, avoiding all forms of discrimination. It also refers to the requirement to inform workers of the use of AI in the cases and in the manner referred to in Article 1-bis of Legislative Decree No. 152 of 26 May 1997.

Health care sector

With regard to scientific research and experimentation for developing AI systems in the health care sector, the AI law declares that the processing of personal and special categories of data by various public and private entities is of significant public interest. The obligations to inform patients have also been simplified, providing for the possibility of secondary use of data, including health data, without the need to obtain a second consent, for scientific research purposes, provided that de-identification measures are applied.

Furthermore, without prejudice to the obligation to provide information, the AI law legitimizes the reuse of personal and health data to apply anonymization, pseudonymization or synthesis mechanisms. This is permitted provided the processing is done for the aforementioned purposes of scientific research or for the planning, management, control and evaluation of health care.

AI and minors

The AI law introduces specific protections for minors under the age of 14, for whom access to AI systems and the processing of related personal data may only take place with the prior consent of those exercising parental responsibility. In this way, protection is not limited to access to systems but explicitly extends to the processing of personal data associated with the use of AI, requiring companies to obtain formal authorization for both activities.

Criminal profiles

Finally, this law introduces new violations and aggravating circumstances. In particular, the AI Act focuses on transparency obligations for artificially generated content and introduces a prison sentence “for anyone who causes unjust damage to others by sending, delivering, transferring, publishing or disseminating images or videos of people or things generated or altered using artificial intelligence systems, designed to mislead as to their authenticity.”

Next steps

The approval of this important law represents a new dimension that organizations should consider in their AI governance and compliance programs.

It is therefore essential to plan and implement certain strategic measures, particularly in light of the upcoming AI Act deadlines. In this regard, organizations should consider proceeding with the following activities:

• Launch a multi-level training program to fulfill the AI literacy requirement for employees and collaborators, applicable since 2 Feb., in line with the European Commission’s recent guidance.
• Map all AI systems in use and their use cases, including references to relationships with suppliers and any associated risks.
• Conduct an assessment of each system/use case’s compliance with the AI Act and implement the related requirements in line with the deadlines of the European law, taking into account the national regulatory framework.
• Establish and define the internal AI governance structures through a specific policy.
• Implement an AI procurement toolkit to regulate relations with AI system suppliers incorporating particularly in the case of general-purpose AI the recent measures taken by the Commission.
• Develop an AI-use policy governing the use of AI tools by employees and collaborators.

The EU Artificial Intelligence Act (AI Act) is the world’s first comprehensive law to regulate artificial intelligence across the European Union. It entered into force on 1 August 2024, and its provisions will gradually apply in stages. The law aims to ensure that AI respects safety, democracy, and fundamental rights, while also encouraging innovation and trust in AI technologies.

At its core, the Act takes a risk-based approach, classifying AI systems into different categories of risk.

1. Unacceptable risk AI includes systems that seriously violate fundamental rights, such as government-run social scoring, manipulative AI that exploits vulnerable groups, or real-time biometric surveillance in public spaces (with limited exceptions). These uses are strictly banned.
2. High-risk AI covers systems that can significantly affect health, safety, or rights. Examples include AI used in critical infrastructure, medical devices, education, hiring, or law enforcement. These systems must comply with strict requirements: developers and providers must use high-quality and representative data, implement risk management systems, ensure human oversight, document testing, and perform conformity assessments before deployment.
3. AI with specific transparency obligations includes tools like chatbots or AI-generated content. Here the law requires users to be informed that they are interacting with AI, and synthetic or manipulated content must be clearly labelled as such.
4. Minimal-risk AI, such as spam filters or video game AI, falls largely outside the scope of the law, with only voluntary codes of conduct encouraged.

The law imposes obligations not only on AI providers (those who develop and place systems on the market) but also on deployers (those who use AI systems). Providers of general-purpose AI models (like large language models) must supply documentation, summaries of training data, and information for downstream users. If such models present “systemic risks,” additional duties apply, such as large-scale adversarial testing, risk mitigation, and incident reporting. Deployers of high-risk AI must ensure proper oversight, use systems according to instructions, and monitor performance to detect harmful behavior.

Enforcement comes with heavy penalties. The most serious violations, such as deploying banned AI practices or failing to comply with data quality requirements, can result in fines of up to €35 million or 7% of global turnover (whichever is higher). Lesser violations still carry substantial penalties.

The timeline for application is phased. The Act entered into force on 1 August 2024. From 2 February 2025, prohibited AI practices and AI literacy obligations apply. From 2 August 2025, rules for general-purpose AI models become binding. By 2 August 2026, obligations for most high-risk AI systems take effect. Finally, by 2 August 2027, additional rules for high-risk systems embedded in regulated products will apply.

The Act also establishes a governance framework. Each Member State must designate national authorities to supervise compliance and enforce rules, while the European Commission has created an AI Office to oversee general-purpose AI models and coordinate enforcement. An EU-level AI Board and scientific advisory groups will provide guidance and technical expertise.

The regulation has important implications. Companies that develop or use AI will face compliance costs, particularly those involved with high-risk or general-purpose AI systems. Transparency rules may require disclosing how systems were trained or labelling AI outputs, which could raise concerns around intellectual property. The law applies extraterritorially, meaning non-EU companies offering AI in the EU must also comply. And since many obligations rely on technical standards that are still being defined, businesses will need to adapt quickly as guidance and codes of practice are published.

Conclusion:

Italy’s new national AI law complements and implements the EU AI Act it doesn’t replace the EU Regulation (which is directly applicable across member states) but adds national rules, designates Italy’s enforcement authorities, and fills gaps left to Member States (e.g., specific sanctions, sectoral details, child protections, sandboxes). Italy is the first EU Member State to pass such a complementary national AI law.

Quick background, what each instrument is:

• EU AI Act (Regulation (EU) 2024/1689) is an EU regulation: it was published in 2024, entered into force 1 Aug 2024, and contains staged application deadlines (e.g. obligations for general-purpose AI, high-risk systems). As an EU regulation it is directly binding on Member States and businesses across the EU.
• Italy’s AI Law (Law No. 132 of 23 Sept 2025) is a national statute that Italy has adopted to complement the EU AI Act by (a) setting national enforcement architecture, (b) specifying rules in areas where the EU Act allows Member-State detail, and (c) adding national offences, penalties and support measures. Italy’s law is the first example in the EU of a Member State proactively legislating at national level to sit alongside the EU Regulation.

How they relate, the legal & practical interaction:

1. Hierarchy / primacy: the EU AI Act (a regulation) takes legal precedence where it applies. Italian national measures must not conflict with the Regulation; they can only supplement it where the EU text explicitly allows (e.g., designation of national authorities, certain public-interest exceptions, procedural or sanctioning details).
2. Designation of national authorities & enforcement roles: Italy’s law formally assigns the national AI oversight roles (notifying/accrediting authority, market-surveillance/supervisory authority). Reports identify AgID (Agency for Digital Italy) and the National Cybersecurity Agency (ACN) as the main national authorities for different functions (conformity assessment / sandboxing / surveillance / sanctions). Those national authorities will be the counterparts to EU-level coordination bodies and will enforce both EU and national obligations.
3. Filling gaps the EU left to Member States: the EU Act leaves certain matters for national law (e.g., some public-order exceptions, criminal sanctions for particularly harmful AI misuse, age limits/parental consent measures, details on public-procurement rules, and organization of sandboxes). Italy’s law covers many of these areas (deepfake misuse, child protections, IP/data-mining rules, €1bn fund for AI projects, etc.). Where Italy imposes stricter or more specific rules in legally permitted areas, Italian rules will apply within Italy alongside the EU Regulation.
4. Cooperation with GDPR and sectoral regulators: both the EU Act and Italy’s law interact with the GDPR and existing sectoral regulators (finance, telecoms, healthcare). Italy keeps existing bodies (e.g., Bank of Italy, Consob) involved for sectoral oversight; data-protection matters still fall mainly under the Garante and GDPR. The practical effect is a multi-authority enforcement landscape where coordination is essential.

Practical implications (for businesses, public bodies, researchers in Italy)

1. Expect two layers of compliance: EU AI Act requirements + Italy’s national rules in areas the national law covers. Compliance programmes should map obligations to both texts and identify the competent Italian authority for notifications and conformity assessments.
2. Conformity assessment and market surveillance will be managed via national notified/accredited bodies (AgID plays a central role in notifying/accrediting), so product approvals and documentation processes may involve new Italian procedures.
3. Sanctions & criminal provisions: Italy’s law introduces national offences and criminal penalties for certain AI misuse (e.g., harmful deepfakes), so legal risk assessments must include criminal as well as administrative exposure.
4. Sandboxes & innovation support: Article 57 of the EU Act requires Member States to set up at least one AI regulatory sandbox; Italy’s law sets a framework for national sandboxes and a funding commitment to support AI projects – a practical channel for testing under regulatory supervision.

Compliance Checklist: EU AI Act vs. Italy’s AI Law

1. Governance & Authorities

–    EU AI Act

1. Art. 59-63: Member States must designate competent authorities and notify the Commission.
   1. European AI Office created at EU level for coordination.
2. Italy
   1. AgID (Agency for Digital Italy) = notifying authority for conformity assessment.
   1. ACN (National Cybersecurity Agency) = market surveillance & enforcement.
   1. National Coordination Hub for AI oversight created.

2. High-Risk AI Systems

–     EU AI Act

1) Art. 6-51: Risk classification, conformity assessments, CE marking, quality management, data governance, human oversight, transparency.

2) Art. 43: Conformity assessment by notified bodies.

• Italy
  • Italian-accredited bodies under AgID will perform conformity assessments.
  • Mandatory registration of high-risk systems with Italian authority.

3. General-Purpose AI (GPAI) & Foundation Models

–    EU AI Act

1. Arts. 52–55: Transparency duties for GPAI providers (e.g., documentation, model cards).
   1. Extra obligations for GPAI with “systemic risk.”
2. Italy
3. Adds disclosure duties when GPAI is used in public administration.
4. National reporting requirements for training-data sources (to complement EU data obligations).

4. Prohibited Practices

–    EU AI Act

Art. 5: Bans social scoring, exploitative subliminal techniques, real-time remote biometric ID (with narrow exceptions), etc.

• Italy

Adds criminal penalties for malicious deepfakes, harmful biometric misuse, and certain AI uses against minors.

5. Transparency & User Rights

–     EU AI Act

Art. 52: Transparency duties (deepfake disclosure, chatbot disclosure).

• Italy

Mandatory watermarking of deepfakes in Italy. 

Stricter child protection measures (ban on certain AI profiling under 18).

6. Regulatory Sandboxes

–    EU AI Act

Art. 57: Member States must establish at least one sandbox for innovators.

• Italy
  • Establishes national AI sandbox run by AgID & ACN.
  • €1bn fund for AI projects, with preferential access for sandbox participants.

7. Sanctions & Enforcement

–   EU AI Act

Art. 71: EU-level administrative fines (up to €35m or 7% global turnover).

–   Italy

1. Criminal penalties for intentional harmful AI misuse.
   1. National administrative fines (complementing EU fines).

Conclusion: EU AI Act & Italy’s First National AI Law

The EU AI Act establishes the first comprehensive, directly applicable AI regulation at EU level, ensuring uniform rules for risk-based classification, transparency, and enforcement across all Member States.

Italy’s Law No. 132/2025 represents the first national adoption and complement to the EU AI Act. Rather than replacing EU rules, it:

1. Implements the EU Act domestically by designating Italian supervisory authorities (AgID, ACN).
2. Fills gaps where the EU Act leaves discretion to Member States (e.g., enforcement structure, criminal penalties, sandboxes).
3. Adds stricter national safeguards, particularly on deepfakes, minors’ protection, and public administration use.
4. Supports innovation with funding and a national sandbox framework.

Together, the EU AI Act and Italy’s national law create a dual-layer regulatory framework:

1. EU-wide uniform rules (risk classification, high-risk conformity, GPAI transparency).
2. Italy-specific obligations (criminal sanctions, PA requirements, national reporting, deepfake watermarking).

Italy’s move marks a precedent within the EU, showing how Member States may supplement the Regulation with local rules and enforcement. For businesses and public entities operating in Italy, compliance requires integrating both EU and Italian obligations into governance, technical, and legal processes.

Aryatech assists companies in understanding and complying with this framework by providing practical, business-oriented legal support. Our multidisciplinary team combining expertise in technology law, dispute resolution, intellectual property, and regulatory compliance works alongside your business to ensure legal security, operational efficiency, and strategic advantage in this new AI regulatory landscape.

Sources:

1) www.advantlaw.com/news/italy-has-its-law-on-artificial-intelligence
2) www.reuters.com/technology/italy-enacts-ai-law-covering-privacy-oversight-child-access-2025-09-17
3) www.hrpolicy.org/insight-and-research/resources/2025/hr_workforce/public/09/italy-passes-first-national-ai-law-in-the-eu
4) www.digitalinformationworld.com/2025/09/italy-sets-national-ai-rules-first-in.html
5) www.ddg.fr/actualite/italy-adopts-a-national-law-on-artificial-intelligence-law-no-1146-b-2025
6) www.eudigitallaw.com/italy-adopts-comprehensive-ai-law