Laws/Regulations directly regulating AI (the “AI Regulations”)

Currently, there are no specific laws, statutory rules, or regulations in Italy that directly regulate AI, and Italy is not expected to enact its own general, far-reaching AI regulation. As for all EU Member States, the EU AI Act will likely be Italy’s central general and cross-sectoral AI legislation.

There are currently no sector-specific laws specifically regulating AI in Italy.

Status of the AI Regulations

The EU AI Act is addressed separately here.

As noted above, there are no laws or regulations in Italy that directly regulate AI. However, since 2021, the Italian Data Protection Authority (DPA) has set up a specific organizational unit dedicated to artificial intelligence. In a recent statement of March 25, 2024, the Chairman of the DPA indicated that the authority possesses the necessary competence and independence to implement the European Artificial Intelligence Act, in line with the objective of ensuring a high level of protection on fundamental rights¹. Furthermore, Italian courts and regulators have begun to interpret existing laws with regard to AI.

Other laws affecting AI

There are various laws that do not directly seek to regulate AI, but may affect the development or use of AI in Italy, such as:

• The GDPR and the Italian Data Privacy Code (Legislative Decree no. 196/2003)
• EU and Italian competition law (Articles 101 and 102 TFEU and Law no. 287/1990)
• The Italian Consumer Code (Legislative Decree no. 206/2005)

Intellectual property laws that may also affect several aspects of AI development and use

Definition of “AI”

As noted above, there are currently no specific laws or regulations in Italy that directly regulate AI. Accordingly, no definition of AI is currently recognized through Italian national legislation.

Territorial scope

As noted above, there are currently no specific laws or regulations in Italy that directly regulate AI. Accordingly, there is no specific territorial scope at this stage.

Sectoral scope

As noted above, there are currently no specific laws or regulations in Italy that directly regulate AI. Accordingly, there is no specific sectoral scope at this stage.

The Italian Data Protection Authority has, nevertheless, issued guidance on the use of AI in several fields, such as:

• Data protection when AI is used in healthcare services (the so called “initiative medicine”)²
• Facial recognition for law enforcement purposes^{3 4}
• The tax risks⁵ from the point of view of combating tax evasion
• The reform of Electronic Health Record and the establishment of the Health Data Ecosystem (EHS)
• Most recently with respect to the Decalogue for the Implementation of National Health Services through AI Systems⁶

Finally, the DPA carried out control activities on the so-called gig economy on the topic of deepfakes⁷ and smart assistants⁸.

Compliance roles

As noted above, there are currently no specific laws or regulations in Italy that directly regulate AI. However, according to a 2019 judgment, algorithmic decision-making in administrative procedures must account for:

• Transparency regarding the existence of an automated decision and information on the logic used
• Human involvement in the decision, if the decision produces legal effects concerning or significantly affecting a person
• Ensuring non-discrimination through implementing adequate technical and organizational measures⁹

Core issues that the AI Regulations seek to address

As noted above, there are currently no specific laws or regulations in Italy that directly regulate AI. Nevertheless, Italy’s highest administrative court has sought to address the issues relating to transparency, human oversight and non-discrimination in a 2019 judgement relating to algorithmic decision-making in administrative procedures.¹⁰

The Italian government also released the National AI Strategy (2022-2024), which identifies three areas of action, namely: (i) to strengthen expertise and attract talent in order to develop an AI ecosystem; (ii) to increase funding for advanced research in AI; (iii) to encourage the adoption and the application of AI, both in public administration (PA) and in productive sectors in general.¹¹ The Italian government has also stressed the need to ensure, inter alia, greater clarity with respect to coordination with sector regulations, in particular banking and insurance. It also proposed a system of self-assessment by the companies of AI systems, through guidelines or a repository of examples, and supported the definition of burdens and obligations along the value chain of AI systems, especially for SMEs.

Risk categorization

As noted above, there are currently no specific laws or regulations in Italy that directly regulate AI. Accordingly, there is currently no risk categorization of AI in Italy, except for those that will be introduced by the EU AI Act.

Key compliance requirements

As noted above, there are currently no specific laws or regulations in Italy that directly regulate AI. Nevertheless, and as noted above, Italy’s highest administrative court indicated that key compliance requirements include:

• Ensuring transparency regarding the existence of an automated decision and information on the logic used
• Ensuring human involvement in the decision, if the decision produces legal effects concerning or significantly affecting a person
• Ensuring non-discrimination through implementing adequate technical and organizational measures

Regulators

As noted above, there are currently no specific laws or regulations in Italy that directly regulate AI. As such, the regulation of AI is, for the time being, left to pre-existing regulators. Notably, the Italian Data Protection Authority has already intervened to regulate two AI companies for breaches of data protection regulation.

Enforcement powers and penalties

As noted above, there are currently no specific laws or regulations in Italy that directly regulate AI. The EU AI Act will establish the powers and penalties available to regulators of AI, but that detail is not discussed here.

In the interim, enforcement powers and penalties are set out in pre-existing legislation. The Italian Data Protection Authority, for example, has already used the enforcement powers at its disposal in several cases.

1 Statement of March 25, 2024, of the President of the DPA, who submitted observations to the Presidents of the Italian Senate and Chamber of Deputies and to the Prime Minister after the final approval of EU AI Act.
2 The Garante’s guidance on data protection when AI is used in healthcare.
3 See https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9309458
4 See https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9575877
5 DPA’s opinion no. 452 of December 22, 2021.
6 Decalogue of October 10, 2023.
7 Vademecum on deepfake as of December 2022.
8 DPA’s Advice on Smart Assistants, as of March 2021.
9 See Consiglio di Stato sez. VI, 13/12/2019, decision no. 8472.
10 See Consiglio di Stato sez. VI, 13/12/2019, decision no. 8472.
11 See the National AI Strategy (2022-2024). In terms of AI regulation, the National AI Strategy calls for a radical update in terms of: (i) strengthen the AI research base and associated funding; (ii) promote measures to attract talent; (iii) improve technology transfer process; (iv) increase the adoption of AI among business and PA, fostering the creation of innovative companies. The recent National AI Strategy also aims to align all IA policies related to data processing, aggregation, sharing and exchange, as well as to data security, with the National Cloud Strategy and with ongoing initiatives at the European level, starting with the European Data Strategy and the recent proposals for a Data Governance Act and a regulation on artificial intelligence.