On 23 April 2024, the Italian Council of Ministers approved the AI Bill (No. 1146), which the Senate adopted on 20 March 2025. This national law complements and exceeds the scope of the EU AI Act, introducing several gold plating measures.
The Bill still needs to be promulgated by the President of the Republic, after which it can enter into force following a publication in the Official Journal.
The Bill aims to strengthen Italy’s technological competitiveness and regulate AI use in key sectors including data governance, national security, healthcare, employment and intellectual property. A national investment fund of €1 billion is foreseen to support AI development.
It is divided into five parts:
- General Principles and Objectives
- Sector-specific Provisions
- National Strategy, Governance, and Promotional Measures
- Provisions on User Protection and Copyright
- Sanctions and Penalties
A few key take-aways are the following:
Governance and oversight
The Bill appoints several authorities as competent authorities under the EU AI Act (art. 70).
- Agency for Digital Italy (AgID) is responsible for promoting innovation, defining procedures, and evaluating and monitoring notified bodies.
- AgID is designated as the notifying authority under article 70.
- National Cybersecurity Agency (ACN) oversees supervision, inspections, and sanctions.
- ACN is designated as a market surveillance authority and single point of contact with EU institutions under article 70.
Regarding Italian market surveillance authorities for financial institutions, the Bill confirms that Banca d’Italia, IVASS (Istituto per la Vigilanza sulle Assicurazioni) and CONSOB (Autorità Italiana per la viglanza dei mercati finanziari) will continue to serve as market supervisory authorities in accordance with Article 74(6) of Regulation (EU) 2024/1689.
A coordination committee, set up at the Presidency of the Council of Ministers, composed of the Directors-General of AgID and ACN and the head of the Department for Digital Transformation of the Presidency of the Council of Ministers, will ensure cooperation among public authorities. Top management representatives of the Banca d’Italia, CONSOB and IVASS will also participate in this committee when dealing with matters of their respective competences.
The Bill does refer to the Garante per la Protezione dei Dati Personali (GPDP), the Italian Data Protection Authority, but it is not appointed as a competent authority under the AI Act, even though the Garante did a plea to do so last year given its experience with dealing with automated decision-making and the close interrelation between AI and data protection. The Bill does explicitly state that the competences, tasks and powers of the GPDP remain unaffected.
Sector-specific provisions
Several take aways:
- National defense: In accordance with Italy’s cybersecurity and defensive strategy, international reliance should be limited. Hence, the public sector shall operate on servers located within Italy to strengthen national security and protect the safety of citizen’s data.
- Healthcare: AI systems in the health sector merely supports processes of prevention, diagnosis, treatment and therapeutic choices, leaving the decision-making process in the hands of the medical personnel. It also provides for a legal basis to process personal data in article 8(3) of the Bill.
- Workplace: Employers must inform employees about the usage of AI in automated decision-making or monitoring systems. Additionally, the bill provides that AI is only permitted for performing ancillary and support activities related to the main activity when it is used in intellectual professions (e.g., lawyers, engineers, etc.), again putting human decision-making first. In addition, all AI employers must clearly and comprehensively inform their clients when they use AI systems.
- Public administration and judiciary field: In the judicial environment, the bill states that AI can only be used to simplify the work of judicial officers and support jurisprudential and doctrinal research. Again, humans remain at the center: the final decision on interpretative and judicial issues must always remain a judge’s prerogative.
Intellectual Property
The Bill goes on to adapt Italian copyright law, by adding that also content that is partially AI-generated can be protected. For this to be the case the AI-generated content must be the result of the intellectual effort of the author. How this will work in practice still remains the question. A previous version of the Bill clarified such an intellectual effort to be when the human contribution is creative, relevant and demonstrable, but this wording has been left out in the version approved by the Senate.
Sanctions
Lastly, the Bill foresees in sanctions for criminal use of AI systems. For example, when AI is used insidiously, hinders public or private defense (although it is not very clear what this refers to), or contributes to aggravating the consequences of a crime this might be considered an aggravating circumstance in criminal law. The bill also states that the unlawful dissemination of content generated or manipulated by AI to mislead as to its genuineness (e.g. deepfakes) is punishable by imprisonment from six months to three years and from one to five years if it causes unjust damage.
Conclusion
The recently approved Italian AI Bill reflects a clear and deliberate choice by the Italian legislator to adopt a protective and cautious approach to the governance of artificial intelligence. By placing strong emphasis on human-centric principles - such as ensuring human oversight - the legislation arguably even goes beyond the requirements of the EU AI Act. This approach could be seen as a form of "gold-plating," where national legislation adds layers of obligations or restrictions beyond what is strictly required at the EU level. While this may enhance legal certainty and ethical safeguards within Italy, it could also raise concerns around regulatory fragmentation and potential burdens on innovation. Nevertheless, the Italian AI Bill offers a notable example of how Member States may seek to shape their national frameworks in line with, or in some cases more strictly than, the overarching European AI governance structure.
