GLACIS · EU AI Act series · Italy · Updated April 2026

The EU AI Act in Italy: Law 132/2025 and the August 2026 deadline.

Italy became the first EU member state to enact a national AI law. Law 132/2025 entered into force on 10 October 2025, layering AgID (notifying authority), ACN (market surveillance and EU single point of contact) and the Garante (GDPR remit) on top of the directly applicable EU AI Act. This page is the General Counsel, CCO, CISO and DPO view of how Law 132/2025 fits the EU framework in April 2026 — and where the August 2026 deadline sits under the Digital Omnibus on AI.

  • Feb 2025: Prohibited practices in force
  • Aug 2025: GPAI obligations live; AgID and ACN designated
  • 10 Oct 2025: Law 132/2025 enters into force — first national AI law in the EU
  • Oct 2026: Italy implementing decrees due; high-risk obligations scheduled (Omnibus review)

What changed in April 2026

Italy’s Law 132/2025 (Legge 23 settembre 2025, n. 132) entered into force on 10 October 2025 — the first national AI law in the EU. It complements the EU AI Act with sector-specific provisions for healthcare, employment, public administration and justice, without imposing obligations beyond the EU framework.[1][2][10]

The Digital Omnibus on AI moved into trilogue on 23 March 2026. Both Parliament (IMCO/LIBE) and the Council favour fixed deadlines: 2 December 2027 for stand-alone high-risk systems and 2 August 2028 for systems embedded in regulated products. Until adoption, 2 August 2026 remains the working baseline that AgID and ACN continue to communicate.

Italy’s implementing decrees — providing technical standards and detailed guidance — are due within 12 months of Law 132/2025 entering into force, i.e. by 10 October 2026. The EU AI Act high-risk deadline arrives before this, so Italian operators are building against EU-level requirements first.

Executive summary

Italy is the first EU member state with a national AI law. Law 132/2025 (Legge sull’intelligenza artificiale) was passed by the Senate on 17 September 2025, signed on 23 September 2025, and entered into force on 10 October 2025. The law explicitly relies on EU AI Act definitions and adds sector-specific guidance — healthcare, employment, public administration, justice — rather than new substantive obligations.[1][2]

Italy’s governance model is a triangle: AgID (Agenzia per l’Italia Digitale) is the notifying authority responsible for conformity-assessment-body accreditation; ACN (Agenzia per la Cybersicurezza Nazionale) is the market surveillance authority and EU single point of contact; Garante retains all GDPR oversight over AI-related data processing. Sector regulators — Bank of Italy, CONSOB, IVASS — supervise AI in banking, securities and insurance.[3]

The practical compliance position in April 2026: continue to build against 2 August 2026 as the working baseline; assume the AgID / ACN / Garante triangle for governance; engage Bank of Italy, CONSOB or IVASS where the use case is sectoral; and watch both the Italian implementing decrees (due October 2026) and the Digital Omnibus on AI trilogue.

Italy’s implementation status

Italy is the EU’s leader on national AI legislation. Law No. 132 (Legge 23 settembre 2025, n. 132) was signed on 23 September 2025 after final Senate approval on 17 September 2025. The law entered into force on 10 October 2025, making Italy the first EU member state with comprehensive national AI legislation complementing the EU AI Act.[1][2][10]

Law 132/2025 — key characteristics

| Characteristic | Detail |
| --- | --- |
| Complementary framework | Relies entirely on EU AI Act definitions; does not impose obligations beyond the EU framework. |
| Core principles | Establishes transparency, proportionality, security, data protection and non-discrimination as foundational principles. |
| Human autonomy | Preserves human decision-making autonomy as a central tenet across all AI applications. |
| Sector-specific guidance | Detailed provisions for healthcare, employment, public administration and justice. |
| Implementing decrees | Technical standards and detailed guidance due within 12 months — i.e. by 10 October 2026. |

Regulatory integration

Italy’s approach combines the EU AI Act with GDPR, the NIS2 Directive and existing sector-specific rules. The goal is to translate general European provisions into verifiable operational controls — the kind of evidence-based compliance GLACIS produces.[6]

National competent authorities — AgID, ACN, Garante

Article 20 of Law 132/2025 establishes Italy’s governance triangle: AgID notifying authority, ACN market surveillance, and Garante GDPR remit. Sector regulators (Bank of Italy, CONSOB, IVASS) supervise AI in their domains.[3]

| Authority | Role | Detail |
| --- | --- | --- |
| AgID — Agenzia per l’Italia Digitale | Notifying authority | Promotion of AI development and adoption; notification, assessment and accreditation of conformity-assessment bodies; monitoring accredited notified bodies; national AI standards and guidelines. |
| ACN — Agenzia per la Cybersicurezza Nazionale | Market surveillance and EU liaison | Market surveillance and inspections; EU single point of contact with the AI Office; enforcement and sanctions; cybersecurity oversight for AI systems. |
| Garante — per la protezione dei dati personali | GDPR data protection | Retains all GDPR oversight over AI-related personal-data processing. AI processing personal data faces dual compliance: AI Act (ACN) and GDPR (Garante). |
| Bank of Italy | Banking and payment-systems AI | Sector market surveillance for banking AI. |
| CONSOB | Securities and investment AI | Sector market surveillance for capital-markets AI. |
| IVASS | Insurance-sector AI | Sector market surveillance for insurance AI. |

Independence question

The European Commission’s detailed opinion C(2024)7814 emphasised that national supervising authorities must enjoy full functional and operational independence. Assigning pivotal AI governance to governmental agencies (AgID, ACN) rather than independent administrative authorities has raised institutional-independence questions that may be addressed in the October 2026 implementing decrees.[3]

Implementation timeline and Omnibus framing

Italian organisations track two frameworks: the directly applicable EU AI Act, and Law 132/2025 plus its forthcoming implementing decrees. In April 2026 the picture is dual-framed: the original Act dates remain the working baseline, while the Digital Omnibus on AI proposes new dates that the Council and Parliament are negotiating.[12]

| Date | Milestone | Notes for Italy |
| --- | --- | --- |
| Aug 2024 | EU AI Act entry into force | Directly applicable across the EU. |
| Feb 2025 | Prohibited practices in force | Article 5 prohibitions enforceable by ACN; no public Italian enforcement actions confirmed in April 2026. |
| Aug 2025 | National authorities designated; GPAI obligations live | AgID and ACN established; GPAI Code of Practice signed by ~24 providers. |
| 10 Oct 2025 | Law 132/2025 enters into force | First national AI law in the EU. Sector-specific guidance for healthcare, employment, public administration and justice. |
| Aug 2026 | High-risk obligations — original date | Working baseline. Continue conformity preparation against this date. |
| Oct 2026 | Italy implementing decrees due | Technical standards and detailed guidance under Law 132/2025. |
| Dec 2027 | High-risk obligations — proposed under Omnibus | Stand-alone systems if the Digital Omnibus on AI is adopted. |
| Aug 2028 | High-risk obligations — proposed under Omnibus | Systems embedded in regulated products under Annex I. |

Working baseline

Italy’s implementing decrees are due 10 October 2026. The EU AI Act high-risk deadline (2 August 2026) arrives first, so build against EU-level requirements now and adapt as the decrees emerge. If the Digital Omnibus on AI is adopted, the same artefacts move to 2 December 2027 (stand-alone) or 2 August 2028 (embedded).

Italian national AI strategy

The Strategia Italiana per l’Intelligenza Artificiale 2024–2026 was published by AgID in July 2024, days after the EU AI Act’s publication. A 14-member expert committee developed the strategy as the policy context within which Law 132/2025 operates. It explicitly prioritises anthropocentric and sustainable AI, aligning with the EU AI Act’s fundamental-rights protections and Italy’s emphasis on human decision-making autonomy.[4]

| Pillar | Detail |
| --- | --- |
| Research and innovation | €500 million allocated in 2024 for 150 new AI professorships, AI research infrastructure and public-private research collaboration. |
| Public administration | AI adoption for service-delivery efficiency; national pilot projects with scalability focus; streamlined administrative processes. |
| Enterprise support | SME-focused AI adoption programmes; financial incentives and training; manufacturing and production optimisation. |
| Education and training | AI literacy across educational levels; workforce reskilling; Ministry of Education AI guidelines. |

High-risk AI in Italian markets

Annex III applies uniformly across the EU, but Italy’s economic profile shifts which categories matter most: a manufacturing-led, SME-dominated industrial base; a strong healthcare sector with public-private hybrid delivery; large banks supervised by Bank of Italy, CONSOB and IVASS; and a recognisable fashion and luxury-goods sector.

| Sector | Typical applications |
| --- | --- |
| Manufacturing and industry | High-risk: AI safety components in machinery (Annex I); automated quality control affecting product safety; worker monitoring and performance evaluation (Annex III §4). Minimal risk: predictive maintenance, inventory optimisation, production scheduling. |
| Healthcare (sanità) | Law 132/2025 permits AI as a support tool but bars discriminatory use or AI deciding access to treatment. High-risk: diagnostic AI, treatment-recommendation systems, patient triage; AI medical devices requiring CE marking under MDR. Human clinicians remain responsible for final decisions. |
| Banking and financial services | Supervised by Bank of Italy, CONSOB and IVASS. High-risk: creditworthiness assessment and loan approval (Annex III §5); insurance risk assessment and pricing. Limited risk: customer-service chatbots (transparency obligations only). |
| Fashion and luxury goods | High-risk: algorithmic hiring and workforce scheduling in retail. Limited risk: AI-generated marketing content (deepfake labelling required). Minimal risk: design assistance, trend prediction, supply-chain optimisation. |
| Public administration (pubblica amministrazione) | Law 132/2025 includes specific provisions. High-risk: AI for benefits eligibility, immigration processing, public-service access; justice-sector AI for case research (under judicial authority oversight). National-security exemption applies to AI for defence and security. |

Build the evidence trail

Article 12 logging on demand. The Glacis Agent Runtime Security & Evidence Sprint produces signed evidence receipts mapped to Articles 9–15 — runtime controls run inside your infrastructure with zero sensitive-data egress, ready for ACN inspection and shaped to coordinate with the Garante on personal-data processing.


Article 12 logging requirements

Article 12 mandates automatic event logging across the lifecycle of a high-risk AI system. In Italy this requirement intersects with GDPR and the Garante’s oversight: AI processing personal data must satisfy both frameworks at once.

| Layer | What must be captured |
| --- | --- |
| Traceability | Logging capabilities ensure traceability of AI system functioning across the lifecycle. |
| Appropriate level | Logging depth proportionate to the intended purpose of the high-risk system. |
| Record content | Input-data periods; reference databases consulted; persons involved in verification. |
| Security and retention | Tamper-evident security measures; retention period appropriate to intended purpose. |

Italy-specific logging considerations

  • GDPR integration — log data containing personal information triggers GDPR. Apply data-minimisation; log only what is necessary for traceability.
  • Garante notification — AI-related processing that triggers GDPR Articles 24 (controller responsibility), 25 (privacy by design), 32 (security) or 35 (DPIA) may require notification with a 30-day waiting period.
  • Sector retention — banking (Bank of Italy), insurance (IVASS) and healthcare may impose retention windows beyond the AI Act baseline.
  • ACN access — as market surveillance authority, ACN may request access to logs during inspections; logs must be available and interpretable.
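
The logging points above, combined in one added example (not GLACIS code and not a format prescribed by the AI Act or Law 132/2025): a record carrying the Article 12 record content, with the verifier pseudonymised for data minimisation and an HMAC-SHA-256 hash chain for tamper evidence. The hash-chain design, field names, keys and sample events are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64                     # chain anchor for the first entry
KEY = b"constructed-demo-log-key"      # constructed; a real key belongs in an HSM/KMS
PEPPER = b"constructed-demo-pepper"    # constructed; secret used only for pseudonyms


def pseudonymise(person_id, pepper=PEPPER):
    """Data minimisation: store a keyed reference to the verifier, not the identity."""
    return hmac.new(pepper, person_id.encode(), hashlib.sha256).hexdigest()[:16]


def entry_mac(key, prev_mac, body):
    """MAC over the previous entry's MAC plus the canonical JSON of this entry."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac.encode() + payload, hashlib.sha256).hexdigest()


def append_event(log, *, period_start, period_end, reference_db, verifier_id,
                 outcome, key=KEY):
    """Append one record holding the record content listed in the table above."""
    body = {
        "seq": len(log),
        "period_start": period_start,            # input-data period
        "period_end": period_end,
        "reference_db": reference_db,            # reference database consulted
        "verifier": pseudonymise(verifier_id),   # person involved in verification
        "outcome": outcome,
    }
    prev = log[-1]["mac"] if log else GENESIS
    entry = {**body, "prev": prev, "mac": entry_mac(key, prev, body)}
    log.append(entry)
    return entry


def verify_chain(log, key=KEY, expected_head=None):
    """Return -1 if intact, else the index of the first bad or missing entry.

    expected_head is the last MAC as anchored outside the log store; without
    it a truncated tail cannot be detected.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k not in ("prev", "mac")}
        if entry["seq"] != i or entry["prev"] != prev:
            return i
        if not hmac.compare_digest(entry["mac"], entry_mac(key, prev, body)):
            return i
        prev = entry["mac"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return -1


def build_sample_log():
    """Three constructed events for a hypothetical credit-scoring system."""
    log = []
    for day, verifier, outcome in [("2026-04-01", "analyst-0042", "confirmed"),
                                   ("2026-04-02", "analyst-0042", "overridden"),
                                   ("2026-04-03", "analyst-0107", "confirmed")]:
        append_event(log, period_start=day + "T00:00:00Z",
                     period_end=day + "T23:59:59Z",
                     reference_db="constructed-bureau-db-v3",
                     verifier_id=verifier, outcome=outcome)
    return log
```

Anchoring the latest MAC outside the log store (for example in a separate system or a signed daily digest) is what lets `verify_chain` catch deletion of the most recent entries, which the chain alone cannot reveal.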

Sector-specific requirements

Law 132/2025 provides detailed guidance for AI deployment in healthcare, employment and the protection of minors:

| Sector | Requirements under Law 132/2025 |
| --- | --- |
| Healthcare (sanità) | AI permitted as a support tool for clinical decision-making; AI cannot be used to discriminate or decide access to treatment; human clinicians remain responsible for all final treatment decisions; medical AI devices require CE marking under MDR. |
| Employment (lavoro) | Employers must inform workers about AI systems used in the workplace; appropriate training is required; Article 12 of Law 132/2025 establishes a National Observatory for AI employment-impact monitoring. |
| Minors (minori) | Under 14: parental consent required for AI access and related data processing. Ages 14–18: minors may consent if information is easily accessible and comprehensible. Aligns with GDPR Article 8 and Italian data-protection law. |

Garante coordination

The Garante per la protezione dei dati personali retains all authority over personal-data processing underlying AI activities. Under Law 132/2025 the AI Act framework operates alongside GDPR, not as a replacement.[6]

| Area | Detail |
| --- | --- |
| Prior notification | Certain AI-related processing must be communicated to the Garante (relating to GDPR Articles 24, 25, 32 and 35). Processing may commence 30 days after notification unless the Garante issues a blocking measure. |
| Research processing | Public and private non-profit AI research is classified as significant public interest, allowing personal-data processing without consent — but ethics-committee approval and Garante notification are still required. |
| GDPR principles | Lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, accountability — all apply to AI data processing. |

Dual compliance

AI systems in Italy face dual compliance: EU AI Act (enforced by ACN) and GDPR (enforced by the Garante). Non-compliance with either can result in separate penalties. Article 22 GDPR (automated decision-making) remains particularly relevant for high-risk AI making decisions that affect individuals.

Conformity assessment pathway

AgID is Italy’s notifying authority, responsible for accrediting conformity-assessment bodies. The pathway depends on the system’s classification:

| Pathway | Detail |
| --- | --- |
| Internal control (most high-risk) | Provider self-assessment supported by: technical documentation per Annex IV; quality management system; post-market monitoring plan; EU declaration of conformity; CE marking affixation. Cost is internal resourcing. |
| Notified body assessment | Required for biometric identification systems; medical AI devices under MDR; products under EU harmonisation legislation requiring third-party assessment. Typical timeline 3–12 months; cost €10,000–€100,000. |

AgID is establishing the notified-body accreditation framework. Organisations requiring third-party assessment should monitor AgID announcements; cross-border recognition allows the use of notified bodies accredited in other member states.

Enforcement and penalties

ACN is Italy’s primary enforcement authority for the AI Act. No public Italian enforcement actions for prohibited practices have been confirmed in April 2026 — authorities are completing the institutional set-up before bringing actions. Penalties follow the EU framework, with Garante GDPR fines stacking on top where personal data is involved.

| Violation | Maximum fine | Enforcing authority |
| --- | --- | --- |
| Prohibited AI practices | €35,000,000 or 7% global revenue | ACN |
| High-risk non-compliance | €15,000,000 or 3% global revenue | ACN; sector regulators |
| GPAI model non-compliance | €15,000,000 or 3% global revenue | ACN; EU AI Office |
| Transparency violations | €7,500,000 or 1% global revenue | ACN |
| GDPR violations (AI-related) | €20,000,000 or 4% global revenue | Garante |

Stacking penalties

ACN (AI Act) and Garante (GDPR) penalties can stack. An AI system that processes personal data in violation of both frameworks faces potential fines under each. SME proportionality principles apply, but the ceilings remain substantial.

Compliance roadmap for Italian organisations

The roadmap below builds against 2 August 2026 as the working baseline. If the Digital Omnibus on AI is adopted, the same artefacts move to 2 December 2027 (stand-alone) or 2 August 2028 (embedded), with no rework — only the milestone dates shift. Italy’s implementing decrees (due by 10 October 2026) will then sit alongside the new EU dates.

| Phase | Detail |
| --- | --- |
| 01. AI inventory and Italian context (Month 1) | Catalogue all AI systems across your Italian operations. Classify per Annex III. Identify sector overlays (healthcare, banking, employment). Map systems to ACN, Garante, Bank of Italy, CONSOB, IVASS. Flag any systems with personal-data processing requiring Garante notification. |
| 02. GDPR integration (Month 1–2) | For AI processing personal data: verify GDPR foundations (legal basis, DPIA, privacy by design); prepare Garante notifications; align AI governance with the existing privacy programme; ensure Article 22 GDPR compliance for automated decision-making. |
| 03. Risk management — Article 9 (Month 2–4) | Stand up continuous risk management per Article 9. Identify foreseeable risks in the Italian deployment context. Implement mitigation aligned with Italy’s human-centric principles. Integrate with ISO 42001 or NIST AI RMF where relevant. |
| 04. Article 12 logging (Month 3–6) | Deploy automatic logging across the lifecycle. Configure logging depth appropriate to intended purpose. Capture input-data periods, reference databases and personnel involved. Tamper-evident protection with appropriate retention. Generate cryptographic evidence of control execution. |
| 05. Conformity and documentation (Month 4–7) | Annex IV technical documentation. Article 17 quality management system. Internal-control or notified-body pathway as applicable; engage AgID-accredited or cross-border bodies 6+ months before deadline. EU declaration of conformity; CE marking. |
| 06. Post-market monitoring (Ongoing) | Track performance and incidents. Article 73 serious-incident reporting to ACN within the 15-day deadline. Maintain living documentation. Monitor AgID and ACN announcements for implementing decrees (due October 2026). Coordinate with sector regulators. |

Critical timing insight

Italy’s implementing decrees are due within 12 months of Law 132/2025 entering into force — i.e. by 10 October 2026. The EU AI Act high-risk deadline (2 August 2026) arrives before this. Build against EU-level requirements now and adapt as the Italian decrees emerge.

FAQ

Who is the national competent authority for the EU AI Act in Italy?

Italy has a triangle: AgID (notifying authority for conformity-assessment-body accreditation); ACN (market surveillance authority and EU single point of contact, responsible for enforcement, inspections and sanctions); and Garante (GDPR oversight for AI-related personal-data processing). Sector regulators — Bank of Italy, CONSOB, IVASS — supervise AI in their respective domains.

Does Law 132/2025 create new compliance obligations beyond the EU AI Act?

No. Law 132/2025 was explicitly designed to complement the EU AI Act without imposing additional obligations. It relies entirely on EU AI Act definitions and provides sector-specific guidance (healthcare, employment, public administration, justice) rather than new requirements. The law’s value is in clarifying how EU requirements apply in the Italian context and establishing the national governance structure.

How does the Garante interact with AI Act enforcement?

The Garante retains all GDPR powers over personal-data processing underlying AI activities. AI processing personal data faces dual compliance: AI Act (ACN) and GDPR (Garante). Certain AI-related processing requires Garante notification, with a 30-day waiting period before processing may commence. Violations can result in separate penalties from each authority.

When are Italy’s implementing decrees expected?

Within 12 months of Law 132/2025 entering into force — by 10 October 2026. The decrees will address specifics left undefined in the framework law. The EU AI Act high-risk deadline (2 August 2026) arrives before this, so organisations should proceed using EU-level requirements first.

How does Italy support SMEs with AI compliance?

The AI Strategy 2024–2026 prioritises support for SMEs, which form the backbone of Italian industry. The strategy includes financial incentives, training programmes and collaborative research initiatives. Proportionality principles in enforcement provide some relief for smaller organisations, though compliance obligations remain.

Can I use AI for employment decisions in Italy?

Yes, with significant requirements. AI for recruitment, task allocation, performance monitoring, promotion or termination decisions is high-risk under Annex III §4. Law 132/2025 requires employers to inform workers about AI systems and ensure appropriate training. The National Observatory monitors employment impact. Human oversight per Article 14 is mandatory.

References

  1. Cleary Gottlieb. "Italy Adopts the First National AI Law in Europe Complementing the EU AI Act." October 2025. clearygottlieb.com
  2. A&O Shearman. "Law No. 132: Italy’s Leadership in National AI Regulation." October 2025. aoshearman.com
  3. Linklaters. "Italy — A Pioneering National Framework to Complement the EU AI Act." September 2025. linklaters.com
  4. AgID. "The Italian Strategy for Artificial Intelligence 2024–2026." July 2024. agid.gov.it
  5. European Union. "Regulation (EU) 2024/1689." OJEU, 12 July 2024. EUR-Lex
  6. Hogan Lovells. "Italy’s AI Law: the Good, the Bad… and the Actual Substance." October 2025. hoganlovells.com
  7. Jones Day. "Italy Leads the Way in Shaping National AI Legislation Within the EU." October 2025. jonesday.com
  8. White & Case. "AI Watch: Global Regulatory Tracker — Italy." Updated 2025–2026. whitecase.com
  9. EU Artificial Intelligence Act. "Overview of All AI Act National Implementation Plans." Updated 2026. artificialintelligenceact.eu
  10. IAPP. "Italy Becomes First EU Member State to Pass an AI Law." October 2025. iapp.org
  11. European Parliament. "Artificial Intelligence Act: delayed application, ban on nudifier apps." 23 March 2026. europarl.europa.eu

Ready to make the receipts

EU AI Act compliance in days, not months.

The Glacis Agent Runtime Security & Evidence Sprint produces signed evidence receipts that your AI controls execute correctly — mapped to Articles 9–15, Italian Law 132/2025 principles, GDPR requirements and the AgID / ACN / Garante triangle. Runtime controls run inside your infrastructure with zero sensitive-data egress. Get an audit-ready evidence pack before the August 2026 working baseline (or whatever the Omnibus settles on).
