Italy's Law 132/2025 on AI: Work, Health, Liability | TLY

AI Regulation Tracker  /  Legislation in force

Italy's AI Law 132/2025 Advances: Cabinet Clears First Implementing Decrees on Liability and Health Data

Italy's national AI statute is already in force, and the government has now given preliminary approval to the decrees that will fill in workplace notice, health-data, biometrics, and liability rules. Firms operating AI in Italy should map their duties before the delegation expires around October 2026.

Italy's AI Law 132/2025 Advances: Cabinet Clears First Implementing Decrees on Liability and Health Data regulation briefing
The Leveraged Years AI Regulation Tracker

Italy has moved from passing a national AI law to building the machinery that makes it operate. Law No. 132/2025, which was widely reported as Europe's first comprehensive national AI statute aligned to the EU AI Act, set the framework. On June 10, 2026, the Council of Ministers gave preliminary approval to two implementing legislative decrees, the instruments that translate the law's principles into enforceable detail. For firms with any AI exposure in Italy, the shift matters because several duties already bind today, while the harder-edged rules on liability and biometrics are now taking shape.

What the decrees are meant to settle

The June 10 approval was preliminary, which in the Italian process means the texts still move through further review before final adoption and publication. The government's delegation to issue these decrees carries a deadline: it must be exercised by around October 2026. The two decrees are reported to cover new criminal and civil liability provisions and biometrics rules, among other matters. Because the decrees are not yet published in the Gazzetta Ufficiale, their identifying numbers are not confirmed, and readers should treat the June 10 approval as reported through government and secondary coverage until the official text appears.

That caution is not a technicality. Decree numbers, effective dates, and precise wording only become reliable once they run in the Gazzetta Ufficiale. Any firm building a compliance plan around a specific decree should confirm the citation there before relying on it.

The duties that already apply

While the decrees advance, Law 132/2025 imposes obligations that operators must meet now. Two stand out for working professionals.

First, employers must inform employees when AI is used in the workplace. This is a transparency duty aimed at the people whose work is affected by an AI system, and it applies regardless of how far along the decrees are. Firms that have quietly introduced AI tools into hiring, scheduling, monitoring, or evaluation should confirm that staff have been told.

Second, the secondary use of pseudonymized health data triggers a notification to the Garante, Italy's data protection authority, followed by a 30-day standstill. In practice this means a research team or company that wants to reuse pseudonymized health data for a new purpose cannot simply proceed. It must notify the Garante and wait out the standstill period before acting. That fixed waiting window has to be built into project timelines rather than discovered at the last moment. Related health-data guidelines were expected around February 2026, and operators in the sector should check whether that guidance has issued.

What it does not do yet

The June 10 approval does not by itself put the new liability and biometrics rules into force. Those arrive through the decrees, and until the texts are finalized and published, the specific standards, thresholds, and any penalties remain to be confirmed. Firms should prepare for the direction of travel, informed by the law and the reported scope of the decrees, without assuming the final wording. Overreading a preliminary approval as settled law is the mistake to avoid here.

The cross-border angle for US readers

For a US firm, the reach is practical rather than theoretical. If your business operates AI in Italy, whether through an Italian subsidiary, staff on the ground, or health or research activity involving Italian data, the workplace-AI notice duty and the health-data notification duty apply to you. The 30-day Garante standstill in particular can affect product and research schedules that assume data can be reused on demand. Italy also offers a preview of how EU member states are layering national AI rules on top of the EU AI Act, which is worth watching for any company planning European operations.

The near-term action is straightforward. Map where AI sits in your Italian footprint, confirm the employee-notice and health-data steps are handled, and track the Gazzetta Ufficiale for the decrees so that the liability and biometrics rules do not arrive as a surprise.

Frequently Asked Questions

What changed with Italy's AI law?

Law No. 132/2025 is already in force as Italy's national AI statute aligned to the EU AI Act. On June 10, 2026 the Council of Ministers gave preliminary approval to two implementing decrees covering matters including criminal and civil liability and biometrics, with the delegation to be exercised by around October 2026.

Who is affected?

Firms and professionals deploying AI in Italy. That includes employers using AI in the workplace, healthcare and research operators reusing pseudonymized health data, and any operator handling biometric data. US firms operating AI in Italy are covered.

What must an employer do right now?

Inform employees that AI is being used in the workplace. This transparency duty applies today under Law 132/2025, independent of the pending decrees.

What happens before you can reuse pseudonymized health data?

You must notify the Garante and observe a 30-day standstill before proceeding. That waiting period should be built into research and product timelines.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.