The new Italian artificial intelligence law: principles, governance, and compliance
Artificial Intelligence
On October 10, 2025, Law No. 132 of September 23, 2025, titled “Provisions and Delegations to the Government on Artificial Intelligence” (the so-called “AI Law”), will officially come into effect. This is the first comprehensive national legislation on artificial intelligence in Europe, aligning with the AI Act (EU Regulation 2024/1689) and the GDPR (EU Regulation 2016/679). Its adoption represents a strategic step for Italy’s positioning both at the regulatory and technological levels.
So, what are the key points introduced by this new regulation?
The law establishes a set of general principles guided by a clear human-centered approach, with a strong emphasis on transparency, proportionality, safety, and human control. The declared objective is both simple and ambitious: to ensure that artificial intelligence never compromises human decision-making autonomy.
A differentiated approach is adopted for strategic sectors such as healthcare, labor, public administration, and justice. In the justice sector, for example, it is explicitly stated that AI can only be used as an organizational support tool, with an absolute ban on replacing judges in judicial decisions.
The AI Law also amends the criminal code by introducing a new criminal offense: the illegal dissemination of AI-generated or manipulated content (so-called deepfakes), punishable by imprisonment from one to five years.
Furthermore, it strengthens the protection of copyright for works created with the contribution of artificial intelligence, as long as they still involve human intellectual input.
At the institutional level, the AI Law designates two authorities to oversee its implementation: the Agency for Digital Italy (AgID) and the National Cybersecurity Agency (ACN).
The enactment of the law marks a turning point and, at the same time, imposes an urgent need for businesses to comply: understanding sectorial impacts, mapping AI system usage, and updating internal policies and processes will be essential to ensure full compliance.
For more in-depth details and to evaluate the actions to take within your organization, you can read our detailed article by clicking here.
Healthcare dossier: €80,000 fine for a hospital-university company for unauthorized accesses and information shortcomings
Data Protection
With Provision No. 487 of September 11, 2025, the Italian Data Protection Authority imposed an €80,000 fine on a hospital-university company and a €12,000 fine on a private nursing home for violations related to the management of health dossiers. The inspection revealed significant issues, including unauthorized access to clinical data by staff not involved in the care process, a lack of access controls and alert systems, inadequate logging records, and a complete absence of specific patient information about the existence of the dossier.
The Authority took the opportunity to reaffirm several established principles:
- Health dossiers require a distinct and comprehensive information notice, clearly indicating purposes, legal bases, retention periods, and the rights of the data subject.
- The purpose limitation and data minimization principles mandate that access be granted only to professionals directly involved in the specific episode of care.
- The integrity, confidentiality, and security of data require strong authentication, segregation by roles and operational units, immutable logs, alerts for unusual access, and periodic audits.
The provision also highlights the importance of privacy by design and by default, as well as accountability, which translate into restrictive default configurations, explicit patient consent for populating the dossier, and the ability to selectively mask data. It confirms that the processing of health data for care purposes is based on Article 9, Paragraph 2, Letter H of the GDPR, while populating the health dossier requires specific consent from the data subject, as it is optional and distinct from the medical record. Patients must be able to choose whether to populate the dossier and which data to mask, while access must be strictly restricted, tracked, and subject to both prior and post-access controls.
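As an added illustration (not part of the Authority's provision or of the original article), the following Python script applies the post-access control described above to a constructed dossier access log: every access is checked against the care team assigned to that episode of care, and accesses by staff outside that team, or outside a normal working-hours window, are raised as alerts for audit. The roster, user ids, log format and time window are all assumptions.

```python
"""Post-access control for a health dossier (added example, constructed data).

Flags accesses by staff who are not on the care team for the episode being
consulted, and accesses outside a normal working-hours window, so an audit
team can review them. Roster, user ids and hours are assumptions."""
from dataclasses import dataclass
from datetime import datetime

# Constructed roster: (patient_id, episode_id) -> users authorised for that episode
CARE_TEAM = {
    ("P001", "EP-1"): {"dr.rossi", "nurse.bianchi"},
    ("P002", "EP-7"): {"dr.verdi"},
}

# Constructed access log: timestamp|user|patient|episode|action
ACCESS_LOG = """\
2025-09-01T08:02:11|dr.rossi|P001|EP-1|read
2025-09-01T08:05:40|nurse.bianchi|P001|EP-1|read
2025-09-01T09:17:03|admin.neri|P001|EP-1|read
2025-09-01T09:18:20|dr.verdi|P002|EP-7|read
2025-09-01T23:41:55|dr.rossi|P002|EP-7|read
"""

WORK_START, WORK_END = 7, 20  # assumed working-hours window (hour of day)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    patient: str
    reason: str


def audit(log_text: str, care_team: dict) -> list[Alert]:
    """Return one Alert per policy violation found in the log text."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, episode, _action = line.split("|")
        # Staff not involved in this episode of care must not read the dossier
        if user not in care_team.get((patient, episode), set()):
            alerts.append(Alert(ts, user, patient, f"not on care team for {episode}"))
        # Access outside working hours is unusual and warrants review
        hour = datetime.fromisoformat(ts).hour
        if hour < WORK_START or hour >= WORK_END:
            alerts.append(Alert(ts, user, patient, "out-of-hours access"))
    return alerts


if __name__ == "__main__":
    for alert in audit(ACCESS_LOG, CARE_TEAM):
        print(alert)
```

In the constructed log, the administrative user and the night-time read of a patient outside the clinician's own care team are the accesses an auditor would be expected to review.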
NIS2: publication of the “Basic Specifications” by the ACN
Cybersecurity
With the publication of the “Guide to the Basic Specifications,” the National Cybersecurity Agency (ACN) takes a crucial step in implementing the NIS2 Directive, translating cybersecurity obligations for public and private organizations categorized as “essential” or “important” into operational guidance.
This document is not merely technical or bureaucratic; rather, it serves as a concrete orientation tool, accessible even to those facing these new responsibilities under Legislative Decree 138/2024, which has implemented NIS2 into Italian law.
The 10 minimum measures outlined in the document (ranging from identity management and the definition of roles and responsibilities to asset protection and incident management) represent the baseline required to start the adjustment process. However, this will soon need to evolve to cover the 43 controls for essential entities and the 116 accompanying detailed requirements.
The most relevant novelty is cultural, even before being technical: cybersecurity is no longer (just) an IT issue but has become a matter of governance. It’s no longer enough to store some policies or have good technological infrastructure; an integrated, documented approach is required, involving senior management in risk assessment, business continuity planning, and crisis management.
Additionally, the timelines are tight: a pre-notification must be sent to CSIRT Italia within 24 hours of identifying a significant incident, followed by a full notification within 72 hours. Incident categories are clearly defined, with specific requirements for essential entities (including abuse of internal privileges) and for important entities.
In this scenario, moving now is crucial, not just to avoid penalties or non-compliance but to build robust digital resilience, an increasingly central element for business competitiveness and sustainability. The Data & Technology Innovation team at LEXIA supports businesses and public entities in the adjustment process to the NIS2 Directive, integrating legal, strategic, and technical expertise to ensure regulatory compliance, accountability, and operational management of cybersecurity obligations.
European Union and United States: towards a new balance in personal data transfers?
Data Protection
As explored in our recent article, September saw two significant developments regarding personal data transfers between the European Union and the United States.
The first is the ruling by the European Union Court (Case T-553/23, Latombe v. European Commission) on September 3, 2025, confirming the adequacy decision adopted by the European Commission in July 2023 establishing the Data Privacy Framework (DPF). This framework ensures that personal data transfers to the United States offer an adequate level of protection in line with the GDPR. The ruling mainly addressed two issues: the independence of the Data Protection Review Court (DPRC) and the legitimacy of bulk data collection by U.S. intelligence agencies. The Court found that the DPRC provides sufficient independence and impartiality and that bulk data collection without prior authorization is lawful if subject to subsequent judicial review.
The second intervention came from the European Data Protection Supervisor (EDPS), who on September 17, 2025, issued an opinion on the European Commission’s proposal to initiate negotiations for a framework agreement between the EU and the U.S. regarding the exchange of information for border control and visa applications. This agreement is part of the Enhanced Border Security Partnership (EBSP) planned for 2026, which would involve sharing personal data, including biometric data, for border security. While the EDPS welcomed the initiative, it recommended specific safeguards to protect personal data, such as transparency measures, respect for the principle of proportionality, and the establishment of control and appeal mechanisms.
The framework agreement, together with the DPF, could represent a significant step in consolidating the European legal framework for the transfer of personal data to the United States.
The Data & Technology Innovation team at LEXIA is available to support data controllers and processors in evaluating the adequate safeguards required by the GDPR for transferring personal data outside the European Economic Area, including implementing Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and conducting Data Transfer Impact Assessments (DTIAs).