EU AI Act enforcement in Italy: Garante's aggressive posture

Italian competent authorities

Garante (Garante per la protezione dei dati personali) handles AI Act elements overlapping with GDPR, including Article 50 transparency and Article 10 governance. AGID (Agenzia per l'Italia Digitale) handles AI in public administration. ACN (Agenzia per la Cybersicurezza Nazionale) handles cybersecurity AI. Banca d'Italia handles fintech AI. The Italian AI Office is being established to coordinate and represent Italy at the European AI Office.

Italian enforcement history and philosophy

The Garante banned ChatGPT temporarily in March 2023, citing GDPR violations on training data and minor protection. It was the EU's first regulatory action against a major LLM provider. The Garante subsequently issued guidance allowing ChatGPT to operate after compliance changes. For AI Act enforcement, expect Italian authorities to move fast on Article 5 prohibitions (especially emotion recognition in education and workplaces), Article 50 transparency failures on consumer chatbots, and Annex III HR-tech use cases.

Italian national AI law

Italy is debating a national AI law that will complement the EU Regulation. Key expected elements: stricter rules on AI use in education (limits on student profiling), clearer allocation between provider and deployer for AI Act compliance, additional protections for workers against AI-driven decisions, and mandatory Italian-language disclosures for consumer-facing AI. The law is expected to clear Parliament in 2026.

Italian AI strategy

Italy's national AI strategy 2024-2026 emphasizes both innovation and ethics. Italy hosts the G7 Hiroshima AI Process secretariat (Italian G7 presidency in 2024). This positions Italy as a coordinating EU voice on AI governance. For SaaS, the practical impact: Italian enforcement will track closely with European Commission positions but with a faster, more visible enforcement style.

Italian public procurement

Italian public procurement runs through Consip (national) and regional administrations. AGID (Agenzia per l'Italia Digitale) publishes the technical specifications for AI-touching procurement. Since January 2026, AI-related tenders require compliance attestation covering Article 5, Annex III classification, Article 50 implementation, and Article 73 incident reporting. Missing the attestation disqualifies the bid.

Frequently asked questions

Did Italy really ban ChatGPT?

Yes - the Garante temporarily blocked ChatGPT in March 2023 over GDPR concerns on training data and minor protection. The ban lasted about a month, and OpenAI implemented compliance changes to resume Italian operations.

Who enforces the AI Act in Italy?

Garante for GDPR overlap, AGID for public administration AI, ACN for cybersecurity AI, Banca d'Italia for fintech. The Italian AI Office is being established for overall coordination.

Are Italian-language disclosures required?

Likely yes - the draft national AI law is expected to require Italian-language Article 50 disclosures for consumer-facing AI. The Codice del consumo already requires Italian-language consumer information.

How does AGID attestation work?

AGID publishes a compliance template for AI-touching public tenders. Vendors complete and sign the attestation, submit with the bid. The format covers all main AI Act articles plus Italian-specific sectoral rules.

Does Italy have sectoral AI rules?

Yes - particular sensitivity on AI in education, AI in healthcare (Italian Medicines Agency overlay), AI in fintech (Banca d'Italia overlay), and AI in public employment (CNIL-equivalent restrictions on automated worker monitoring).

Sources

• https://www.gpdp.it/
• https://www.agid.gov.it/
• https://www.acn.gov.it/