Italy | Herbert Smith Freehills

Policy

AI regulation

AI-related law and regulation

Case law

11 Mar 2025 Insight

Reports and highlights

Italy currently has no dedicated artificial intelligence regulation. Instead, it adheres to existing European legislation, such as the EU AI Act. However, Italian regulators such as Garante, AGCOM, and the ACN are actively shaping AI guidance and oversight. Italy is also working towards regulating AI through a proposed national law that will implement specific EU AI Act provisions, but also likely set out additional rules. As a civil law country, court rulings do not set binding precedents, but both the Supreme Court and regulatory bodies like the Garante have already considered AI-related legal matters, signalling growing judicial and regulatory engagement with the technology.

Italy's strategy places significant importance on AI. To support and guide the government in the definition of national legislation and policies on AI, a committee of experts developed the "Italian Strategy for Artificial Intelligence 2024-2026". It outlines sector-specific frameworks for regulating AI, with a focus on:

Research, seeking to retain homegrown talent, to attract researchers from abroad, fostering the development of local expertise and encouraging the continuous knowledge exchange to strengthen Italy’s AI ecosystem.
Public administration, outlining guidelines to promote AI, including procurement processes and the development of AI applications. The Strategy proposes the creation of a Department for AI within the National School of Administration to train public sector employees fostering AI competence across the public administration.
Businesses, supporting small and medium-sized enterprises (SMEs) through local facilitators, while helping businesses navigate the compliance costs associated with the EU AI Act, particularly for high-risk AI applications.
Education, focusing on both specialised training and basic education from schools to workplaces, starting with teacher development and programs for citizens.

There is no specific AI regulation currently as Italy implements the EU AI Act (read our guide on AI and EU here), effective from 1 August 2024, which establishes a comprehensive legal framework for AI across all EU member states.

However, the country is working on its own AI Bill, aimed at establishing a national regulatory framework which focuses on five key areas:

National strategy
National authorities
Promotion initiatives
Copyright protection
Criminal sanctions

The proposed law introduces specific requirements for AI-generated content and copyright protection, including:

Any text, image, audiovisual, or radio content created or modified by AI systems must include a visible identifier, such as the acronym "AI". For this purpose, providers must implement tools enabling users to declare AI generated contents. Exceptions apply to content clearly identified as creative, artistic, satirical, or fictional.
Copyright protection is extended to creative works involving human intellectual effort, even when AI tools are used in the creation process. Copyright will apply so long as the final work reflects the author's intellectual contribution.
Reproduction or extraction of copyrighted works for training AI systems is limited to legally accessed content or cases where the author has not explicitly denied consent.

Despite its ambitions, the AI Bill is currently stalled before the Italian Parliament, primarily due to its economic implications (requiring further review by the Budget Committee) and the European Commission's objections, which stress the need for the Bill to align with the EU AI Act and avoid imposing unnecessary national restrictions beyond the EU framework.

From consumer protection law to online safety, AI continues to stretch existing legal frameworks. See the latest updates below.

Garante per la Protezione dei Dati Personali - the Italian Data Protection Authority - has issued sector-specific guidance on AI applications, focusing on key areas such as healthcare, web scraping, and AI regulation:

Healthcare: the Garante has established a set of guidelines for implementing AI-driven healthcare services nationwide. Key requirements include that the legal basis for processing personal data must be rooted in public interest and that data controllers must provide a highly detailed Data Protection Impact Assessment (DPIA), including risk analysis and anti-discrimination measures, closely aligned with the provisions of the EU AI Act.
Web Scraping: the Garante issued guidance to protect personal data published online by public and private entities from web scraping. Where indiscriminate data collection is used to train generative AI models, the Garante issued a number of recommendations, including restricting access to certain website areas (for example, through user registration) to limit data exposure, incorporating anti-scraping clauses in website terms of service, monitoring web traffic to detect unusual data flows, and implementing anti-bot measures using available technological solutions.
AI Bill: the Garante expressed its opinion on the proposed AI Bill and recommended introducing a general cross-sector provision to ensure that personal data processing for AI systems complies with existing data protection regulations, and expanding its regulatory role to oversee AI-driven personal data processing, given the extensive use of personal data in AI systems.

The Garante has been active in interacting with AI products: it temporarily blocked OpenAI’s ChatGPT due to data privacy concerns in April 2023, and it blocked the DeepSeek AI product in Italy in January 2025.

In Italy, the Copyright Law (Law No. 633.1941) states that the copyright protection of literary works extends to computer programs that constitute the author's own intellectual creation. Copyright itself is acquired when the creation of work consists of an expression of "intellectual effort" from a human and is sufficiently original.

Regarding patentability, Article 45 of the Industrial Property Code (IP Code) maintains that software, including AI systems, are not considered inventions and therefore not patentable.

The Autorità per le Garanzie nelle Comunicazioni (AGCOM) – the Italian Communications Regulatory Authority – has not issued any guidance on the use of AI yet. However, in January 2024 it established a Committee on AI in the fields of competence of the authority, tasked with conducting analysis and making proposals to AGCOM. The Committee became operational in January 2025, meaning AI-specific guidelines from AGCOM could be expected during 2025, based on its findings.

The Agenzia per la Cybersicurezza Nazionale (ACN) – the Italian National Cybersecurity Agency – has issued, together with other 23 National agencies in other States, Guidelines for secure AI, suggesting considerations and mitigations that will help reduce the overall risk to an organisational AI system development process.

The guidelines are broken down into four key areas:

Secure design, containing guidelines on risks and threat modelling, and design trade-offs for AI systems.
Secure development, containing guidelines on supply chain security, documentation, and asset management during the AI development process.
Secure deployment, containing guidelines on the deployment stage of the AI system development life cycle, including protecting infrastructure and models from compromise, threat or loss, developing incident management processes, and responsible release.
Secure operation and maintenance, containing guidelines on actions particularly relevant once a system has been deployed, including logging and monitoring, update management, and information sharing.

Explore the latest landmark rulings as AI-related disputes make their way through the courts.

Concluded

Italian Supreme Court, Decision No. 1107 of 9 January 2023. According to the Supreme Court, the unauthorised reproduction of a creative image of a flower constitutes a copyright infringement against the creator of the image, even if AI is involved in the creative process. The use of AI to produce a work of art does not automatically disqualify a work from copyright protection for not being original. However, if an AI system fully replaces human creative input, the final output may not be considered an original work and therefore would not qualify for copyright protection.

Garante v. ChatGPT - OpenAI, Decision No. 755 of 2 November 2024. The Garante found that OpenAI failed to notify the Authority about a data breach in March 2023 and processed users' personal data to train ChatGPT without establishing a proper legal basis. Additionally, the company violated transparency requirements by not providing adequate information to users and did not implement age verification mechanisms, exposing children under 13 to potentially inappropriate responses given their level of development and self-awareness. As a result, OpenAI was sanctioned, ordered to conduct a six-month public awareness campaign, and fined €15 million.

Key contacts

Pietro Pouché

Partner, Milan

Giulia Maienza

Senior Associate (Italy), London

Spartak Kodra

Senior Associate, Milan

Legal Notice

The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.

Stay in the know

We’ll send you the latest insights and briefings tailored to your needs

Subscribe now

Follow us

Follow us