A Regulator Reaches for New Tools It May Not Need
On June 17, 2026, AGCOM — Italy's communications authority — published its 2026 Report on Artificial Intelligence, a two-part document combining a technical-economic survey of generative AI with a legal analysis from the Authority's AI Committee. The legal section is the consequential half. It frames "disinformation, deepfake, voice cloning and algorithmic manipulation" as systemic risks to pluralism and public trust, and calls for AGCOM to build out platform-transparency and algorithmic-auditing capacity: content provenance labeling, independent testing protocols, a permanent disinformation observatory, public dashboards, and an internal bench of AI auditors and data scientists.
The steelman here is real. AGCOM's own July 2025 survey of over 7,000 Italians found that one in two respondents had already encountered hate content, hoaxes, or non-consensual imagery online, that 41% didn't know platforms curate content algorithmically at all, and that only one in three Italians routinely verify news sources before sharing them. Generative AI has made synthetic media cheap, personalizable, and — per the report's own language — increasingly "integrable with systems of recommendation and micro-targeting." A regulator watching those numbers has legitimate grounds to worry that self-policing by platforms isn't enough, and that opacity around ranking and moderation algorithms leaves both citizens and enforcers unable to tell manipulation from noise.
The Powers Already Exist
What the report understates is how much regulatory and criminal machinery already sits on top of this problem. Since 2024, AGCOM has been Italy's Digital Services Coordinator under the DSA, with power to investigate platforms, demand risk-assessment data, and fine violators up to 6% of global turnover. The EU AI Act adds its own tiered penalty regime — up to 7% of worldwide turnover (€35 million, whichever is higher) for the most serious violations, such as manipulative or exploitative AI practices banned under Article 5.
And Italy went further than either. Law No. 132/2025, in force since October 10, 2025, added Article 612-quater to the criminal code: distributing AI-altered images, video, or audio capable of deceiving people as to their authenticity, without consent and causing unjust harm, now carries one to five years in prison. That is not a light-touch regime. It is one of the more aggressive deepfake statutes in Europe, layered on top of DSA fines that can already reach 6% of global revenue and AI Act fines that can reach 7%.
Against that backdrop, AGCOM's push for its own auditing infrastructure and a "permanent observatory" reads less like closing a gap and more like a regulator building parallel capacity the law hasn't yet asked it to build. The DSA already gives the European Commission and national coordinators access to platforms' risk-assessment data and algorithmic-transparency reports; a national regulator layering its own independent testing protocols and public dashboards on top risks duplicative demands on the same platforms, inconsistent standards between Brussels and Rome, and — the report's own words — a drift toward "rule of tech" governance where technical bodies set binding practice through soft-law observatories rather than legislation.
Proportionality, Not Absence of Risk, Is the Real Question
None of this means AGCOM should sit still. Algorithmic literacy gaps are real, and Italy's own numbers show most people don't know when they're being shown ranked or personalized content, let alone synthetic content. Tools that help ordinary users identify manipulated media — content provenance standards, clearer labeling — are worth building, and the DSA's own transparency requirements for large platforms give AGCOM real levers to push it without new institutional overhead.
What's harder to justify is the report's framing of "algorithmic manipulation" as an open-ended systemic risk that requires expanding one authority's discretionary reach, rather than an implementation question for laws that already exist. The DSA created EU-wide systemic-risk assessment obligations precisely so that platform auditing wouldn't fragment into 27 separate national regimes. A criminal deepfake law with real prison sentences already targets the most serious individual harms AGCOM's report describes. Before Italy builds a third layer of oversight, AGCOM should have to show the first two are failing — not simply that AI is scary and its remit is broad. Vague "systemic risk" language, applied to a regulator that already holds fining power up to 6% of global turnover, is an invitation to expand jurisdiction by report rather than by law — exactly the kind of unaccountable rulemaking the AI Act and DSA's harmonized structure were designed to prevent.
The report itself warns against a shift from "rule of law" to "rule of tech" — an algorithmic, technocratic mode of governance that displaces democratic contestability. The same caution should apply to expanding a regulator's own toolkit beyond what the law has authorized.
AGCOM is not wrong that synthetic disinformation is a live problem. It is wrong to treat the answer as more discretionary authority for itself, when Italy has already passed one of Europe's toughest criminal responses to the same harm.