Hi-tech rules

Italy steps up efforts on the AI Act: Europe’s first implementation package

Agid and Acn are at the heart of the system for certification and market oversight. Restrictions are to be introduced on decisions relating to the labour market: the final decision rests with humans; the initial applications of biometrics are to be regulated, with a ban on blanket checks

by P.Sol.


Translated by AI

Italy is the first Member State to adopt a comprehensive framework transposing the European AI Act. The Council of Ministers has given preliminary approval to two legislative decrees setting out the national governance framework, the supervisory authorities, the rules governing employment, public administration and security, and the initial applications of biometrics.

This acceleration, which the government claims as a first, is, however, considered risky by some observers: national legislation may require immediate updates, given that the European Commission has already provided for simplifications and deferrals for high-risk systems under the Digital Omnibus package.

At the heart of the Italian transposition is the definition of the competent authorities. The framework drawn up by the Department for Digital Transformation assigns distinct but complementary roles to the two public agencies already operating within the national digital sector.

The Agency for Digital Italy (Agid) will be the national notification authority, responsible for the assessment, designation and notification of conformity assessment bodies. In practice, Agid is tasked with certifying who is authorised to certify: a crucial role in ensuring that artificial intelligence systems placed on the market comply with the requirements of the European regulation.

The National Cybersecurity Agency (ACN), on the other hand, will act as the general market supervisory authority. The ACN will therefore be responsible for ensuring that AI systems marketed and used in Italy comply with the regulations, and will have powers to carry out inspections and impose sanctions.

However, supervision is not exclusive. For regulated sectors – banking, finance and insurance – responsibility remains with the sector-specific authorities: the Bank of Italy, Consob and Ivass retain oversight of high-risk systems operating within their respective fields. This approach reflects the complexity of the Italian regulatory landscape, but it also creates potential overlaps.

To manage potential conflicts, the package provides for a Co-ordination Committee within the Prime Minister’s Office and a technical working group within the Ministry for Enterprise. These are signs that the difficulty of striking a balance between different administrative bodies has characterised the entire drafting process of the decrees.

The power to impose sanctions is significant. Both Agid and Acn will be able to impose the administrative fines provided for in Article 99 of the AI Act in the event of a breach of the prohibition on unlawful practices.

The maximum amount is in line with the European regulation: up to 35 million euros or, for businesses, up to 7 per cent of the total annual global turnover for the previous financial year, whichever is higher. This threshold means that the penalties are potentially much heavier than those provided for under the GDPR for privacy breaches, and should encourage companies to take compliance seriously.

In the field of employment, the decree introduces specific safeguards for the use of automated decision-making systems. The key principle is that decisions concerning employment relationships – including dismissals – taken solely on the basis of automated processing carried out by artificial intelligence systems are null and void.

The legislation does not prohibit the use of AI in decision-making processes, but requires that the final decision remain a human one. This approach is consistent with the principle of anthropocentrism that runs through the entire regulatory framework: artificial intelligence as a support, not as a substitute for human judgement.

The decree also establishes a dedicated observatory to monitor the impact of AI on worker protection and introduces an obligation to include artificial intelligence systems within the scope of the risk assessment required under the Consolidated Act on Health and Safety at Work.

For professionals, Article 48 enshrines the guarantee of fair remuneration for services involving the use of AI systems, with a surcharge linked to the risk classification under the AI Act. However, this increase is included as an option and is subject to an update, within twelve months, of the decrees setting out the parameters for the payment of professional fees.

The most contentious aspect of the package concerns the use of biometrics by law enforcement agencies. Facial recognition, aided by artificial intelligence, is being introduced in stadiums, at major events and in preventive policing activities.

The decree distinguishes between two scenarios, each with different rules. On the one hand, there is real-time identification in public places for preventive purposes: this is permitted only in exceptional cases, where there is a danger or threat linked to terrorism or other offences of particular public concern, or for the search for missing persons, victims of abduction, trafficking or sexual exploitation. Authorisation from the public prosecutor is required, at the request of the chief of police or provincial commanders.

There is also the case of retrospective recognition: AI-integrated CCTV systems may be installed in venues and at events where public order requirements apply — such as stadiums, large gatherings and venues with controlled access. Biometric access data may be stored locally for seven days. Facial recognition may be triggered following a crime, including an attempted crime, to identify individuals already under suspicion on the basis of video or photographic images. Responsibility lies with the public security officer designated by the Chief of Police.

The Minister of the Interior, Matteo Piantedosi, has made it clear that ‘there is no generalised “Big Brother”’ and that ‘artificial intelligence is a support tool, not an automated police officer. Decisions remain human’. Before being used in actions that could affect people’s rights, automated results must undergo a qualified and traceable human review.

Biometric databases created through indiscriminate web scraping or the use of CCTV cameras remain prohibited.

The package also sets out provisions for regulatory testing environments, known as regulatory sandboxes. It will be possible to carry out testing and validation of AI systems by way of derogation from regulations and authorisation schemes, under controlled conditions and under the supervision of AGID and ACN.

The measure was fine-tuned right up to the last minute to ensure coordination with the fintech pilot scheme overseen by the Ministry of the Economy. This is a sign of the tensions between government departments that have characterised the entire process.

There are also developments in the field of intellectual property. The algorithms used to train AI systems will be eligible for protection as trade secrets, offering businesses a means of safeguarding their investment in research and development.

The decree also incorporates provisions on digital literacy into school and university curricula, and updates copyright legislation to protect human creativity and critical thinking.

The two decrees will now have to be scrutinised by the parliamentary committees and the Unified Conference. Further decrees, particularly on health and justice issues, will be needed to complete the framework.

In a separate Prime Ministerial Decree, the Government has appointed a new group of experts tasked with updating the National Strategy for Artificial Intelligence for the period 2026–2028. The Committee, coordinated by Gianluigi Greco and comprising thirteen members, will operate on a voluntary basis until 31 January 2027.

The new strategy will place greater emphasis on the development of the economic and technological ecosystem than the legislation does. However, the timetable suggests that it will only be finalised towards the end of the parliamentary term: the implementation phase will inevitably fall to the next government.

Meanwhile, the European Commission’s Digital Omnibus package has provided for simplifications and a postponement — between December 2027 and August 2028 — of the application of the rules for high-risk systems, which are referred to in various sections of the Italian decrees. National legislation may therefore need to be updated even before it becomes fully operational.

Italy has chosen to take the lead. Whether this will result in a competitive advantage or a regulatory handicap will depend on the ability to rapidly adapt the national framework to changes in European regulations and on how quickly businesses and public administrations are able to adapt to rules which, for the first time, make artificial intelligence a subject of law.

Copyright reserved ©