Last reviewed June 6, 2026: the law's signing date (Sept 23, 2025), entry into force (Oct 10, 2025), dual AgID/ACN/Garante enforcement structure, and Article 9(2)(g) health-data exemption were all confirmed against the Baker McKenzie analysis of the final text. No corrections needed.

TL;DR: Italy's new comprehensive AI Law officially takes effect on October 10, 2025, offering one of the first national frameworks to complement the EU AI Act. The law establishes a dual governance structure for AI oversight while introducing a crucial, pragmatic compromise: authorizing the **secondary use of sensitive, de-identified health data for non-profit scientific AI research without requiring new patient consent**, simplifying a major bottleneck under the General Data Protection Regulation (GDPR).

A Blueprint for EU AI Governance

The Italian AI Law was signed on September 23, 2025, following its final approval by the Italian Senate. With its entry into force on October 10, 2025 [1], Italy becomes one of the first major EU member states to fully codify national legislation designed to interpret and operationalize the sweeping European Union Artificial Intelligence Act (EU AI Act).

The law is intended to complement the broader EU framework by setting specific national principles and targeted sectoral rules. Its structure reveals a clear intent to balance the imperatives of market innovation, cybersecurity resilience, and fundamental data privacy rights under the GDPR.

Dual Enforcement: Separating Technical and Privacy Oversight

To ensure rigorous oversight aligned with the EU AI Act’s risk-based approach, the Italian law confirms the designation of a dual structure of competent national authorities [2, 1]:

  • **The Agency for Digital Italy (AgID):** Designated as the national **Notifying Authority**. AgID will be responsible for defining procedures related to the notification, assessment, accreditation, and monitoring of the technical bodies that conduct conformity assessments of AI systems. [2, 1]
  • **The National Cybersecurity Agency (ACN):** Designated as the national **Market Surveillance Authority**. ACN is entrusted with monitoring, inspection, and enforcement powers over AI systems, with a specific focus on cybersecurity and technical compliance. [2, 1]

Crucially, the Italian Data Protection Authority (known as the Garante) retains its existing, full competence and powers concerning the processing of personal data under the GDPR, despite the establishment of these new specialized AI agencies. [2] This layered approach ensures that fundamental privacy rights are not diluted by the introduction of technical market regulation.

The Health Data Compromise: Speeding AI Research

One of the most significant and potentially transformative provisions of the Italian AI Law addresses a long-standing conflict between the strict consent requirements of GDPR and the practical need for large-scale data to train effective AI systems, particularly in the healthcare sector.

The law authorizes the **secondary use of personal data**, including special categories of health data, for specific, non-profit scientific research purposes related to developing AI systems. [2, 1] This includes uses aimed at the prevention, diagnosis, and treatment of diseases, as well as the development of drugs and therapies. [2]

A GDPR Article 9 Justification

Under this specific framework, data controllers are permitted to use this data **without requiring new consent** from the data subject. This exemption is valid provided the data is stripped of direct identifiers and the processing is justified on the grounds of "substantial public interests," in line with Article 9(2)(g) of GDPR. [2]

For medical and scientific researchers, this legislative compromise provides a necessary simplification, prioritizing rapid innovation in public health. Previously, any shift in the research purpose could necessitate the costly and complex process of re-obtaining patient consent, a significant operational hurdle for longitudinal studies and iterative AI model development.

Mandatory Safeguards and Regulatory Scrutiny

The authorization to use sensitive data without new consent is coupled with mandatory safeguards designed to ensure transparency and retain regulatory oversight. This is intended to prevent misuse while facilitating scientific advancement:

  • **Simplified Transparency:** Data controllers engaging in this secondary use must fulfill their transparency and information obligations to data subjects in a simplified manner, by publishing a dedicated privacy notice on their website. [2, 1]
  • **Garante Pre-Approval Review:** Controllers must formally communicate the processing activities, along with the necessary GDPR documentation (such as a Data Protection Impact Assessment), to the Garante (DPA). [2]
  • **30-Day Blocking Period:** The processing of data may only commence 30 days after this communication is made, giving the Garante a critical window to review the intended activities. If the Garante deems the safeguards insufficient or the processing non-compliant, it may issue a blocking measure to halt the activity. [2]

This 30-day review period is a novel regulatory mechanism designed to provide the DPA with real-time oversight over high-risk data processing activities before they can result in potential privacy harms. It demonstrates Italy’s commitment to an accountability-first model for high-impact AI systems.

Other Sectoral Rules

Beyond health and scientific research, the Italian AI Law also sets sector-specific rules for employment and regulated professions. For example, the law mandates that the use of AI systems by employers must be transparent, and workers must be informed of any AI use before employment commences. [2] Similarly, in regulated professions, AI is restricted to supporting tasks, and practitioners must clearly communicate to clients any AI systems used, to preserve the fiduciary relationship. [2]

Actionable Recommendations for Organizations

Review Data Usage for Public Interest Exemption

Organizations operating in Italy, particularly universities and non-profit research hospitals, should immediately review AI development programs involving health data. Assess whether they qualify for the "substantial public interests" ground, so that the secondary-use authorization for de-identified data applies. [2]

Update Transparency Notices

Any controller planning to use the new health data exemption must immediately update their website privacy notices to reflect these specific processing activities, as this simplified transparency requirement is non-negotiable. [2, 1]

Prepare for Garante Review

Build a 30-day buffer into the timeline of any new AI research project that relies on this exemption. This period must be reserved for the Garante's mandatory review, and all necessary Data Protection Impact Assessment (DPIA) documentation must be prepared and filed with the DPA before the clock starts. [2]

Clarify New Governance Roles (EU-wide)

Multinational companies operating in the EU should track how other member states transpose the EU AI Act. Italy’s separation of technical enforcement (ACN) from privacy enforcement (Garante) is likely to be replicated, requiring businesses to engage with separate national regulators for compliance. [2, 1]

References

  1. Italy Proposes New Artificial Intelligence Law. Inside Privacy (Baker McKenzie).
  2. Italy Adopts Artificial Intelligence Law. Inside Privacy (Baker McKenzie).