The new Italian AI law: An overview, new developments and considerations

On October 10, 2025, the new Italian law on artificial intelligence entered into force. This is the first national regulatory framework in Europe addressing the development, use, and governance of AI systems in accordance with the European regulatory framework (as provided by the AI Act).  The new AI law expressly provides that it is compatible with European law and that it does not introduce new obligations in addition to those provided under the AI Act.

The body of the law consists of principles and sector-specific rules that promote the use of artificial intelligence systems to improve citizens’ living conditions, while providing risk management solutions based on compliance with constitutional principles and European Union law.

The 28 articles approved promote an anthropocentric, transparent, and responsible use of AI, regulating its use in specific sectors such as healthcare, work, and public administration.

1. PROCESSING OF PERSONAL DATA

Section 4 sets out principles on information and confidentiality of personal data, stating that the use of AI systems in the media must be in accordance with the principles of freedom and pluralism, freedom of expression and the right to objectivity, completeness, impartiality, and fairness of information. After emphasizing the need for information related to processing to be provided in clear and accessible language, the law introduces significant changes in the regulation of the processing of minors’ personal data: access to AI technologies by children under the age of 14 (and consequent processing of their personal data) requires the consent of those exercising parental responsibility, while children under the age of 18 may give their consent independently, in accordance with GDPR. The goal here was to ensure strong protection for minors and the processing of their personal data as vulnerable and high-risk subjects.

However, the wording of the law reveals a critical issue: the potential conflict between this rule and the ones from GDPR. Essentially, the GDPR (Section 8 in combination with Section 2(e) of the Data Protection Code) does not require parental consent for the processing of data of minors under 14, but it does so only if the legal basis for the processing is consent, thus allowing the processing of personal data on the basis of other legal bases. The new AI law seems to require consent for the processing of personal data, as there are no further specifications on the use of other legal bases. In addition, it is not clear, from a practical standpoint, what the law means with “access” to AI technologies and which measures should be implemented to assess the age or the parental relationship with the minor.

2. AI AND HEALTHCARE

In the field of healthcare and scientific research, the use of AI is allowed for the improvement of the healthcare system, providing support in the processes of prevention, diagnosis, and treatment, while leaving the decision-making power to medical professionals. Significant changes have been introduced to facilitate scientific research in the healthcare sector: public and private non-profit research activities are considered to be of significant public interest, with the possibility of processing personal data without consent, subject to the previous communication to the Data Protection Authority. Here the major criticism is that the law choses to derogate the consent requirement under the Data Protection Code only for the public and non-profit research activities, while the majority of the medical research in Italy is privately financed and for profit.

Section 10 on electronic health records, surveillance systems, and digital health governance provides for the establishment of an artificial intelligence platform to support healthcare purposes and local assistance by AGENAS.

3. AI AND EMPLOYMENT

In the world of employment, the use of AI is encouraged to improve working conditions, protect the mental and physical integrity of workers, and increase the quality of work performance and business productivity. The use of AI must be as transparent as possible and cannot be carried out in a way that is contrary to human dignity or violates the confidentiality of personal data. The employer is required to inform the worker of the use of AI in specific cases mentioned by law. With regard to intellectual professions, the AI law lays down regulations aimed at protecting these professions from the misuse of AI, which distorts their function and damages the relationship of trust between client and professional. For this reason, Section 13 establishes that the use of AI systems is permitted as a support and instrumental to activities, with a prevalence of intellectual work.

4. AI AND PUBLIC ADMINISTRATION

The use of AI can be a means of ensuring the full application of the key principles of good performance, efficiency, and impartiality in public administration. For this reason, the AI law promotes the use of AI in order to increase the quality and quantity of services provided to citizens and businesses, while respecting the autonomy and decision-making power of the person who remains solely responsible for the measures taken.

5. GOVERNANCE

The law introduces rules that outline Italian governance on artificial intelligence: the national authorities for AI will be the National Cybersecurity Agency and the Agency for Digital Italy, which will be entrusted with the task of ensuring the application and implementation of EU national legislation on artificial intelligence, without prejudice to the specific competences of the Bank of Italy, Consob, and Ivass. Coordination will also be necessary with independent authorities, from the Data Protection Authority to the Communications Regulatory Authority.

6. CRIMINAL LAW

The legislative intervention also concerns the criminal sector: the new AI law introduces new aggravating circumstances with regard to the use of AI to commit specific crimes and introduces the new crime of deep fake. The new criminal offense punishes the unlawful dissemination of content generated or manipulated by artificial intelligence.

Although ambitious, the Italian AI law does not come without its critics: in addition to the conflict with the GDPR regarding the legal basis for the processing of minors’ personal data, the law is only apparently innovative, as it is legislation that sets out many general principles and lacks specific obligations that could have a real impact on the use and regulation of AI systems. The broad scope and generic nature of the rules leave room for discretionary interpretations by the courts and independent authorities, in contrast to the need for certainty in such an innovative and high-risk sector.