On June 10, 2026, Italy's Council of Ministers approved two implementing decrees under Law No. 132/2025, becoming the first EU member state to operationalize a comprehensive national AI regulatory framework aligned with the EU AI Act (Regulation 2024/1689). The decrees — still subject to parliamentary committee and regional review before final adoption — cover employment protections, biometric surveillance limits, mandatory professional AI literacy, and a new criminal offence for safety failures in high-risk AI systems. With the EU AI Act's full application date arriving on August 2, 2026, Italy's move sets an implementation benchmark that most of its EU peers have not approached.
A Framework Built on Statute
Italy's Law No. 132/2025 — formally titled Disposizioni e deleghe al Governo in materia di intelligenza artificiale — entered into force on October 10, 2025. Its 28 articles across six chapters delegated a 12-month window for implementing decrees covering algorithmic standards, market surveillance powers, and sector-specific rules. The Agency for Digital Italy (AgID) was designated as Italy's notifying authority; the National Cybersecurity Agency (ACN) became market surveillance authority and the country's liaison with the EU. The law's organizing principle is explicitly anthropocentric: AI is a tool to support human decision-making, never a substitute for it. That principle flows through every sector the June 10 decrees touch.
Employment: Algorithmic Dismissals Are Now Void
The employment provisions are among the most immediately enforceable. Any dismissal adopted "solely on the basis of automated processing" is null and void under the decrees. Workers must receive intelligible explanations of AI-informed decisions and retain the right to access underlying data. Final employment determinations — hiring, discipline, and termination — must be made by a natural person with genuine decision-making authority.
The case for these protections is real. Algorithmic management in gig platforms and logistics has produced documented discrimination outcomes across Europe, and relying solely on GDPR Article 22 recourse proved insufficient in practice. The operational challenge is the "solely automated" threshold: when a human manager rubber-stamps an AI-generated score without independent review, the protection may not trigger. Enforcement will depend on how ACN and courts interpret the human oversight requirement, and regulatory guidance will be essential before the provision achieves its intent.
Biometric Surveillance: Stricter Than the EU Baseline
Italy's decrees go meaningfully further than the EU AI Act's biometric provisions. Real-time facial identification in public spaces requires judicial authorization, is capped at 15 days per authorization, and is limited to specific, serious threats — missing persons, trafficking victims, grave public security emergencies. Post-incident facial recognition following crimes carries a seven-day local data retention limit and five-year non-modifiable audit logs, with a mandatory prior consultation with the Data Protection Authority.
Critically, the decrees ban the creation of mass biometric databases through indiscriminate web scraping — a practice deployed commercially outside Italy without direct EU AI Act prohibition at this granularity. Italy is closing a regulatory gap the EU text left open, and doing so before member states face that obligation under the Act's staggered schedule.
Criminal Liability: Bold and Potentially Chilling
The most novel element of the June 10 package is Article 437-bis of the Penal Code — a new criminal offence for omitting safety measures in high-risk AI systems. The penalty structure is steep:
- 1 to 5 years for conduct creating concrete danger to individual safety
- 2 to 8 years when public safety or state security is implicated
- 3 to 10 years for illegal alteration of a high-risk system endangering public safety
Gross negligence reduces sentences by one-third to one-sixth, and the offence requires a showing of "concrete danger" — not mere technical non-compliance with paperwork requirements.
The rationale deserves serious engagement before dismissal. High-risk AI systems deployed in healthcare diagnostics, criminal justice scoring, or critical infrastructure can fail with lethal consequences. Attaching criminal liability to deliberate safety omissions creates accountability that civil fines cannot replicate, particularly for large enterprises that can absorb regulatory penalties as a cost of doing business. The provision is also carefully scoped: it targets omissions and unlawful alterations, not good-faith engineering errors, and the gross-negligence threshold provides a meaningful filter.
That said, the chilling-effect risk is genuine and should not be understated. Italy's AI startup ecosystem — still maturing — may be discouraged from building in the high-risk categories the EU most wants addressed domestically. Prosecutors pursuing edge-case charges against developers of diagnostic healthcare tools would represent a serious regulatory misfire. Whether Article 437-bis functions as a genuine accountability backstop or an innovation deterrent depends entirely on prosecutorial restraint and ACN's willingness to publish clear safe-harbor guidance on what constitutes "technically suitable" safety measures.
AI Literacy: €100 Million and a Six-Month Professional Deadline
The decrees impose mandatory AI literacy across multiple sectors. Schools receive mandatory AI curriculum integration backed by a €100 million fund for teacher training on digital wellbeing. Universities must embed technical, legal, and ethical AI content across disciplines. Healthcare professionals must complete AI-focused continuing medical education through the existing ECM system.
For regulated professions — lawyers, engineers, physicians — the timeline is six months to update deontological codes emphasizing professional responsibility over technological reliance, with fee schedules required to reflect AI risk classifications within 12 months. These are not aspirational commitments: professional orders face a hard regulatory deadline, and failure to update codes constitutes a compliance breach.
The investment side backs the literacy push. Up to €1 billion in venture capital is earmarked for Italy's AI ecosystem, and the SophIA technology hub receives approximately €30 million annually from 2026.
Italy's EU Position: First Mover in a Field of One
The significance of June 10 becomes clearer in EU context. As of June 2026, only nine of 27 EU member states have designated both a market surveillance authority and a notifying authority — the minimum the EU AI Act required by August 2025. Six member states have designated neither. Italy is the only member state to have operationalized a comprehensive national framework that goes beyond baseline designation.
The EU AI Act's full application date of August 2, 2026 is now weeks away, though a May 2026 Omnibus agreement between the Council and Parliament extended high-risk AI system compliance deadlines to December 2027 and August 2028. Italy's decrees create domestic enforceability before those delayed deadlines arrive — giving regulators real tools now rather than holding positions.
The decrees remain in preliminary form: parliamentary committees, the Conference of Regions, and sector authorities must still review before final adoption. But the framework's direction is fixed. For member states still negotiating which agency to designate, Italy's package — employment protections, biometric limits, criminal liability, and a funded literacy program — represents what operationalization actually looks like. The remaining question is whether its criminal liability approach, which no other EU state has yet matched, will prove prescient or cautionary as enforcement begins.