What Italy’s Law 132/2025 means for businesses navigating the AI Act

Italy has become one of the first European Union member states to translate the EU AI Act into national legislation. With the publication of Law 132/2025 (Legge 132/2025), Italian lawmakers have created a comprehensive framework that goes beyond mere transposition — it adds sector-specific rules, designates national authorities, and sets out funding mechanisms aimed at helping businesses adopt artificial intelligence responsibly.

For SMBs operating in Italy or across the EU, this law is not just a regulatory formality. It signals the direction that AI governance is heading across Europe and creates both obligations and opportunities that business owners need to understand now.

The EU AI Act and Italy’s national response

The EU AI Act (Regulation 2024/1689) established a risk-based classification system for AI systems across the Union. It categorises AI applications into four tiers — unacceptable risk, high risk, limited risk, and minimal risk — each with corresponding compliance requirements. Member states, however, retain discretion in several key areas: designating competent authorities, setting specific penalty ranges, and adapting rules to national sectors like healthcare, public administration, and labour relations.

Law 132/2025 is Italy’s answer to that mandate. Rather than simply copying the EU text, the Italian government has introduced provisions that reflect national priorities. These include stronger protections for workers affected by automated decision-making, specific guidelines for AI use in journalism and creative industries, and safeguards for minors and vulnerable individuals.

Two agencies share oversight responsibilities under the new law. AgID (Agenzia per l’Italia Digitale) handles technical standards and conformity assessments, while ACN (Agenzia per la Cybersicurezza Nazionale) focuses on security aspects of AI systems. For businesses, this dual-authority structure means understanding which agency governs your specific use case — particularly if you operate high-risk AI systems.

Funding and incentives for SMBs

One of the most relevant aspects of Law 132/2025 for small and medium businesses is the financial support framework. The Italian government has allocated dedicated funds to support AI adoption among SMBs, recognising that compliance costs and the investment needed to integrate AI responsibly can be disproportionately burdensome for smaller companies.

These incentives are channelled through Italy’s broader digital transition strategy, which includes tax credits for AI-related R&D investments, subsidised training programmes for workforce upskilling, and grants for companies developing or deploying AI systems that meet the new regulatory standards. Italy’s National Recovery and Resilience Plan (PNRR) also contributes funding, with billions of euros earmarked for digitalisation projects that now must align with the AI Act’s requirements.

According to recent estimates, over 60% of Italian SMBs have either adopted or are actively exploring AI tools for operations like customer service, inventory management, or financial forecasting. The law’s funding provisions are designed to ensure that regulatory compliance does not become a barrier that forces these businesses to abandon their AI initiatives.

For European SMBs outside Italy, this funding model is worth watching. Several member states are developing similar national incentive programmes, and Italy’s approach may serve as a template — especially for countries in Southern and Central Europe where SMB digitalisation rates have historically lagged behind Northern European peers.

Implementation challenges and critical issues

Despite good intentions, Law 132/2025 faces significant implementation hurdles that directly affect businesses.

Regulatory complexity and overlapping obligations

The most immediate challenge is navigating the interplay between EU-level and national-level requirements. A company deploying a high-risk AI system must comply with the EU AI Act’s technical documentation, conformity assessment, and post-market monitoring obligations — and simultaneously satisfy any additional Italian provisions. For SMBs without dedicated legal or compliance teams, this layered regulatory environment can be overwhelming.

Industry associations, including Confindustria, have raised concerns about the administrative burden. Small business owners report that understanding which rules apply to their specific AI applications remains confusing, particularly when the same system might be classified differently depending on its deployment context.

Workforce and skills gap

Compliance with the AI Act requires technical expertise that many SMBs simply do not have in-house. From conducting risk assessments to maintaining technical documentation and ensuring human oversight of automated decisions, the law demands capabilities that go beyond installing an off-the-shelf software tool.

Italy’s unemployment rate among tech-skilled workers remains extremely low, making it difficult and expensive for smaller companies to recruit the talent they need. The government’s subsidised training programmes address this partially, but building genuine AI governance capacity within an organisation takes time — often more time than the compliance deadlines allow.

Penalties and enforcement uncertainty

Law 132/2025 aligns its penalty structure with the EU AI Act’s tiered approach. Fines for the most serious violations — deploying prohibited AI systems — can reach up to 35 million euros or 7% of global annual turnover, whichever is higher. For high-risk system violations, penalties can reach 15 million euros or 3% of turnover.

While these maximum figures are primarily aimed at large corporations, the law does include proportionality principles for SMBs. However, exact enforcement guidelines are still being developed by AgID and ACN, leaving businesses in a period of uncertainty about how strictly and quickly the rules will be applied.

What European SMBs should do now

Regardless of whether your business is based in Italy or elsewhere in the EU, the direction is clear: AI governance requirements are tightening, and national implementations like Law 132/2025 are making the obligations concrete.

Here are practical steps to consider:

Audit your AI systems. Identify every AI tool or automated decision-making process in your organisation and classify it according to the EU AI Act’s risk categories. Many SMBs are surprised to discover that tools they consider routine — such as automated CV screening or credit scoring algorithms — fall into the high-risk category.
Document everything. The AI Act places heavy emphasis on technical documentation, transparency, and record-keeping. Start building these practices now, even before enforcement begins in earnest.
Explore available funding. If you operate in Italy, investigate the tax credits and grant programmes tied to Law 132/2025 and the PNRR. Other EU countries are launching parallel incentive schemes — check with your national digital agency or chamber of commerce.
Invest in training. Upskilling existing employees is often more cost-effective than hiring new specialists. Several EU-funded programmes offer subsidised AI literacy courses specifically designed for SMB staff.
Monitor national developments. Each EU member state will implement the AI Act slightly differently. Stay informed about your country’s specific provisions, designated authorities, and compliance timelines.

Looking ahead

Italy’s Law 132/2025 represents a significant milestone in European AI regulation. It demonstrates that the EU AI Act is not just a Brussels-level exercise but a framework that will be actively enforced and expanded at the national level.

For SMBs, the key takeaway is that responsible AI adoption is no longer optional — it is becoming a legal requirement with real financial consequences. The businesses that start preparing now, taking advantage of available funding and building internal governance capacity, will be better positioned than those that wait for enforcement actions to force their hand.

The transition period will be challenging, but it also creates a competitive advantage for companies that get it right. In an EU market where trust and compliance increasingly influence purchasing decisions, demonstrating that your AI systems meet the highest standards can be a genuine differentiator.

Need support on this topic? Contact us for a free consultation — let’s assess your company’s situation together.

Stay updated every week on cybersecurity, AI and technology for SMBs: subscribe to our newsletter.