What Law 132/2025 means for your business
Italy has become one of the first EU member states to translate the European AI Act into a concrete national framework. With the enactment of Law 132/2025, the country has officially designated two agencies — ACN (Agenzia per la Cybersicurezza Nazionale) and AgID (Agenzia per l’Italia Digitale) — as the pillars of its AI governance structure. For small and medium businesses operating in Italy or across Europe, understanding this law is no longer optional. It is a compliance priority.
The EU AI Act entered into force on 1 August 2024, but it left each member state responsible for building the local enforcement machinery. Law 132/2025 is Italy’s answer. It establishes who enforces what, how penalties work at the national level, and what support structures exist for companies navigating this new regulatory landscape.
If your business uses chatbots, automated decision-making tools, predictive analytics, or any form of machine learning in its operations, this legislation directly affects you.
ACN and AgID: a dual-authority model
Italy chose a two-agency governance approach, splitting responsibilities between enforcement and innovation. This reflects the country’s existing institutional setup and offers businesses two distinct points of reference.
ACN: enforcement and market surveillance
The Agenzia per la Cybersicurezza Nazionale serves as Italy’s primary national competent authority under the EU AI Act. In practical terms, ACN is the body that will conduct inspections, investigate complaints, and issue penalties for non-compliant AI systems. It coordinates directly with the EU AI Office in Brussels and sits on the European AI Board.
For businesses, ACN is the agency you will interact with if your AI systems fall under the high-risk category or if a compliance issue arises. It has the power to request technical documentation, access source code during audits, and order the withdrawal of AI products that fail to meet regulatory standards.
AgID: public sector guidance and digital standards
AgID complements ACN by focusing on AI adoption within public administration. It issues technical guidelines, manages the registry of AI systems used by government bodies, and promotes responsible innovation in public services. While AgID’s mandate is primarily public-sector oriented, its technical standards and best practices serve as a useful reference for private companies looking to align with Italian expectations around AI governance.
The risk-based framework: where does your business stand?
The EU AI Act — and by extension, Italy’s Law 132/2025 — classifies AI systems into four risk tiers. Understanding where your tools and processes fall is the first step toward compliance.
Prohibited practices include social scoring, manipulative AI techniques that exploit vulnerabilities, and most forms of real-time biometric identification in public spaces. These bans have been in effect since February 2025.
High-risk AI systems face the heaviest obligations. If your business uses AI for recruitment screening, credit scoring, worker management, or any application listed in Annex III of the regulation, you must implement a quality management system, maintain thorough technical documentation, ensure human oversight, and register your system in the EU database. Conformity assessments are mandatory.
Limited-risk systems — such as customer-facing chatbots or AI-generated marketing content — must meet transparency obligations. Users need to know they are interacting with an AI, and synthetic content must be clearly labelled.
Minimal-risk AI carries no specific regulatory obligations. Most standard business automation tools, from email sorting to basic analytics dashboards, fall into this category.
According to Eurostat data, roughly 8% of EU enterprises were using AI technologies by 2023, with Italian SMBs estimated at around 5-6%. As adoption accelerates, more companies will find themselves subject to these classifications, whether they realise it or not.
Compliance deadlines you cannot afford to miss
The regulation follows a phased rollout, and several deadlines are already behind us or approaching fast:
- February 2025 — Prohibitions on banned AI practices took effect. AI literacy requirements now apply to all organisations deploying AI.
- August 2025 — Rules on general-purpose AI models apply. National governance structures, including ACN’s full operational mandate, must be in place. Penalty frameworks become enforceable.
- August 2026 — The bulk of the regulation kicks in. High-risk AI system requirements, transparency obligations for limited-risk systems, and full conformity assessment procedures all become mandatory.
- August 2027 — Extended deadlines for high-risk AI embedded in products already covered by existing EU product safety legislation.
For SMBs, the August 2026 deadline is the most critical. If you are developing, deploying, or even reselling AI systems that fall under the high-risk category, your compliance programme should already be underway.
Penalties: proportionate but significant
The fines under the AI Act are substantial. Violations involving prohibited AI practices can result in penalties of up to 35 million euros or 7% of global annual turnover, whichever is higher. Non-compliance with high-risk AI obligations carries fines of up to 15 million euros or 3% of turnover. Providing incorrect information to authorities can cost up to 7.5 million euros or 1% of turnover.
There is an important nuance for smaller companies. The regulation applies proportionality: for SMEs and startups, fines are capped at the lower of the two thresholds. This means a small business will never face the percentage-based calculation if the fixed euro amount is lower. Still, even the reduced caps represent existential sums for most SMBs, making proactive compliance far cheaper than reactive damage control.
What Italian SMBs should do now
The regulatory landscape is set. The agencies are designated. The deadlines are fixed. Here is a practical roadmap for businesses that want to stay ahead.
Audit your AI usage. Map every AI-powered tool in your organisation, from HR screening software to customer service bots. Classify each one according to the risk tiers.
Assess your documentation. High-risk systems require detailed technical documentation, data governance records, and evidence of human oversight mechanisms. Start building these records now, not six months before the deadline.
Leverage the regulatory sandboxes. The EU AI Act mandates that each member state establish at least one AI regulatory sandbox. Italy’s sandbox programme offers SMBs a supervised environment to test and validate AI systems before full market deployment, with reduced fees and simplified procedures.
Monitor ACN and AgID communications. Both agencies will publish guidance, technical standards, and FAQs as the implementation progresses. Staying informed is the simplest form of risk management.
The Italian AI market was valued at approximately 760 million euros in 2023, with year-over-year growth near 50%. That growth is not slowing down. The businesses that treat Law 132/2025 as a strategic opportunity rather than a bureaucratic burden will be the ones best positioned to compete in an increasingly AI-driven European market.