Share This Article
On June 10, 2026, Italy’s Council of Ministers approved two implementing decrees under Law No. 132/2025, making Italy the first EU Member State to operationalize a comprehensive national AI regulatory framework aligned with the EU AI Act (Regulation (EU) 2024/1689).
This article breaks down every key provision — from AI in education and the workplace, to biometric policing, civil liability, and new criminal sanctions — and explains what they mean for businesses, professionals, and citizens.
Overview: Italy and the EU AI Act
Italy’s implementing decrees do not create a parallel regulatory regime. Instead, they transpose and operationalize the European framework within the Italian legal system. Two decrees were approved:
- Powers of national AI authorities; AI in education and professional training; AI in employment relations.
- AI in law enforcement (including biometric surveillance); civil liability for AI-caused harm; new criminal provisions.
The overarching principle throughout is the anthropocentric model of Law No. 132/2025: AI is a tool to support human decision-making, never a replacement for it.
AI in Regulated Professions
For lawyers, doctors, engineers, and other regulated professionals, the decrees introduce mandatory AI literacy in both initial and continuing professional development, covering three dimensions:
- Technical — how AI systems function, their capabilities and limitations.
- Legal — the EU AI Act and applicable national rules.
- Deontological — professional responsibility, disclosure obligations toward clients, and the anthropocentric principle.
Professional orders must update their regulations within six months. Responsibility for AI-assisted work remains with the professional — it does not transfer to the technological tool.
Compensation parameters — including forensic fee schedules — must also be revised within twelve months to reflect the risk classification of the AI system employed, ensuring transparent criteria that protect both professional and client.
AI in the Workplace and Employment
This is one of the most immediately relevant areas for HR teams and employers. The core rule is unambiguous:
Decisions regarding the creation, modification, or termination of an employment relationship — including disciplinary measures and dismissals — cannot be made solely on the basis of automated processing. The final decision must always be reserved to a natural person with decision-making authority. A dismissal issued in violation of this rule is null and void.
Additional employer obligations include:
- Fulfilling all prior disclosure obligations under applicable law before initiating automated processing.
- Providing workers, upon request, with an intelligible explanation of any AI-informed decision affecting them, delivered with the involvement of a natural person.
- Indicating the potential impact of the AI system on the decision and the main parameters considered.
- All existing data access rights remain fully in force.
Italy’s National AI Supervisory Authorities
The decrees establish a multi-authority framework for AI Act compliance in Italy:
| Authority | Role under the AI Act |
|---|---|
| AgID (Agency for Digital Italy) | Notifying authority |
| ACN (National Cybersecurity Agency) | Market surveillance authority; single point of contact with EU institutions |
| Banca d’Italia, CONSOB, IVASS | Supervision of high-risk AI in financial services |
| Garante (Data Protection Authority) | High-risk AI in law enforcement, border management, justice, and democracy |
Sanctions are graduated and proportionate. Italy has exercised the EU AI Act’s option to set maximum penalties below the European ceilings, calibrated to the degree of responsibility of each actor in the AI supply chain. National authorities must submit an annual report to the Presidency of the Council of Ministers.
AI in Law Enforcement and Biometric Surveillance
Italy permits AI to strengthen crime prevention and response, but only within a rigorous legal perimeter. Mass surveillance remains explicitly prohibited.
Real-Time Biometric Identification
Permitted only in conformity with Article 5 of the EU AI Act, and exclusively for:
- Preventing specific and serious threats to public security and order.
- Searching for missing persons or victims of kidnapping, trafficking, or sexual exploitation.
Judicial authorization is mandatory. Each authorization is temporally and geographically limited, specific to identified persons, and may not exceed 15 days (extendable with motivated justification). Matching is only permitted against lawfully compiled databases — databases built through untargeted web scraping are explicitly banned.
Post-Event Facial Recognition
Under Article 26(10) of the EU AI Act, post-event facial recognition using existing video-surveillance systems may be activated only:
- After a crime has been committed (including attempts), to identify suspects from video-photographic evidence.
- Under the data controllership of the Ministry of the Interior.
- Subject to a prior impact assessment and consultation with the Data Protection Authority.
Local data retention is limited to seven days. Non-modifiable logs must be kept for five years. Decisions based solely on AI output are prohibited, as is any untargeted or generalized use.
Civil Liability for AI-Related Harm
The decrees directly address a protection gap created by the European Commission’s withdrawal of the proposed AI Liability Directive. New procedural tools are available to individuals harmed by AI systems, without imposing new substantive obligations on businesses:
- Access to technical documentation of the AI system, enabling the injured party to understand its relevant characteristics.
- A rebuttable presumption of causation, which lightens — but does not eliminate — the evidentiary burden.
- An alternative forum near the injured person’s residence, reducing the cost of judicial protection.
- A direct action against the insurer, as an additional tool to ensure effective compensation.
Existing protections under data protection law and product liability law remain fully in force.
New Criminal Offenses: Article 437-bis of the Italian Criminal Code
The decrees introduce a new criminal provision — Article 437-bis — targeting the most serious failures in high-risk AI safety. It penalizes:
- The failure to adopt required safety measures in high-risk AI systems.
- The alteration of such systems when either act creates a concrete danger to life, public safety, or State security.
Key features of the provision:
- Liability may extend to the legal entity under Italian corporate criminal liability law — responsibility does not rest solely on individuals.
- Punishability requires concrete danger; negligent liability requires gross negligence (colpa grave), avoiding criminalization of every technical deviation or operational error.
The message is clear: whoever develops, deploys, or uses high-risk AI systems must rigorously maintain safety measures throughout the system’s entire lifecycle.
Quick Reference: Key Rules at a Glance
| Area | Key Rule | Deadline / Limit |
|---|---|---|
| Regulated professions | Mandatory AI literacy (technical, legal, deontological) | Orders: 6 months; fee schedules: 12 months |
| Employment & dismissal | Exclusively automated dismissals are null and void | Immediate |
| Real-time biometrics | Judicial authorization required; serious threats only | Max 15 days per authorization |
| Post-event facial recognition | Post-crime only; Ministry of Interior controllership | Data retention: 7 days |
| Civil liability | Presumption of causation; direct insurer action available | Immediate |
| Criminal sanctions (Art. 437-bis) | High-risk AI safety failures; concrete danger required | Immediate |
Frequently Asked Questions
What are Italy’s AI implementing decrees?
They are two legislative decrees approved on June 10, 2026, implementing Law No. 132/2025 — Italy’s national AI framework — and aligning Italian law with the EU AI Act (Regulation (EU) 2024/1689).
Is Italy the first EU country to implement the AI Act nationally?
Yes. With Law No. 132/2025 and these implementing decrees, Italy is the first EU Member State to adopt a comprehensive, sector-specific national AI regulatory framework that fully complements the EU AI Act.
Do the decrees allow mass biometric surveillance?
No. The decrees explicitly prohibit mass or untargeted biometric surveillance and ban the creation of biometric databases through indiscriminate web scraping. Real-time biometric identification is permitted only in exceptional, judicially authorized cases with strict temporal and geographic limits.
Can an employer dismiss an employee based solely on an AI decision?
No. A dismissal made exclusively on the basis of automated processing is null and void. Final employment decisions must always be made by a natural person with decision-making authority.
What new criminal offenses does the decree introduce?
Article 437-bis of the Italian Criminal Code penalizes the failure to adopt safety measures or the alteration of high-risk AI systems when either act creates a concrete danger to life, public safety, or State security. Liability can extend to legal entities, not only individuals.
Which authorities supervise AI compliance in Italy?
AgID serves as notifying authority. ACN is the market surveillance authority and EU single point of contact. Banca d’Italia, CONSOB, and IVASS oversee AI in financial services. The Garante (Data Protection Authority) intervenes on AI used in law enforcement, border management, justice, and democracy.
Do the decrees affect businesses outside Italy?
Any business placing AI systems on the Italian market or using them within Italy — including non-Italian companies — falls within the scope of the EU AI Act and these national implementing measures. Operators with high-risk AI systems should verify compliance with both.
On a similar topic, you can read the article “The Italian Data Protection Authority Issues A Decision on AI Sentiment Analysis in the Workplace“.