
Italy's First AI Decrees Get the Governance Right and the Criminal Law Wrong

Rome's June 10 implementing decrees for Law 132/2025 build sound guardrails for policing AI, but a new tampering offense risks chilling deployment.

[Infographic: Italy's AI Implementing Decrees: The Key Limits (People of Internet Research, Italy). 15 days: real-time biometric ID cap. 7 days: facial-recognition data retention. 1–5 yrs: AI deepfake offense penalty. 2: decrees approved.]

Key Takeaways

On June 10, 2026, Italy's Council of Ministers approved — in preliminary examination — the first two legislative decrees implementing Law No. 132/2025, the national AI statute that took effect on October 10, 2025. According to the official Council of Ministers press release, the package designates two national authorities, sets rules for biometric and predictive policing, lightens the evidentiary burden in AI civil-liability cases, and creates a new criminal offense for tampering with high-risk AI systems. Italy is now the first EU member state to move from a national AI law to operational implementing decrees that sit alongside the EU AI Act (Regulation 2024/1689).

Much of this is genuinely good lawmaking. The parts that worry us are narrower — but they matter.

Clean governance beats institutional sprawl

The most important design choice is the simplest. Rather than inventing a new super-regulator, the decrees split duties between two existing bodies: the Agency for Digital Italy (AgID) becomes the notifying authority, and the National Cybersecurity Agency (ACN) becomes the market-surveillance authority and single point of contact with the EU. Sector regulators — Banca d'Italia, CONSOB, IVASS for finance, and the data-protection Garante for high-risk justice and security uses — keep their existing competences.

This matters for innovation. A fragmented or duplicative authority map is one of the surest ways to raise compliance costs without raising safety. By routing AI oversight through agencies that already understand cybersecurity and digital infrastructure, Italy gives builders a knowable address and avoids the turf wars that have slowed enforcement elsewhere. It is a model other member states should copy as they transpose the AI Act.

Policing rules: proportionality done properly

The second decree governs AI in law enforcement, and here the steelman for tight rules is overwhelming. Real-time biometric identification and predictive policing are the AI use cases most prone to irreversible harm: a false match is not a billing error, it is a wrongful detention. Civil-liberties advocates are right that untargeted facial recognition tends to expand quietly until it becomes ambient surveillance.

The decree answers that concern with structure rather than slogans. Per the legal analysis of the text, real-time biometric identification requires prior judicial authorization, is limited to preventing "specific and serious threats to public security" or locating missing and trafficked persons, cannot exceed 15 days, and must name target individuals. Post-event facial recognition is allowed only after a crime, with raw data retention capped at 7 days and non-modifiable audit logs kept for five years. Mass identification and indiscriminate web-scraping for biometric databases are banned outright.

This is what proportionate regulation looks like: it permits the high-value, time-bound uses (finding a kidnapping victim) while foreclosing the dystopian one (a permanent watchlist of everyone). The judicial gate and the hard retention limits are the right instruments — narrow, auditable, and reversible.

Civil liability: a defensible thumb on the scale

The decree gives injured parties a rebuttable presumption of causation, plus rights to technical documentation, a convenient venue, and direct action against insurers. The case for this is real: when harm flows from an opaque model, an ordinary claimant cannot reconstruct the causal chain, and strict proof requirements would make the right to redress illusory.

We would urge caution but not opposition. Because the presumption is rebuttable and paired with documentation access, it corrects an information asymmetry rather than imposing no-fault liability. The risk to watch in the final text is calibration — if courts treat the presumption as near-irrebuttable, deployers of perfectly safe systems will price in litigation they cannot defend against. Kept genuinely rebuttable, it is a reasonable adaptation of tort law to opaque software.

The criminal offense is the misstep

Our real concern is the new offense — reported as Article 437-bis — penalizing the omission of required safety measures or the alteration of high-risk AI systems where this creates "concrete danger to life, public safety or State security," with liability extending to companies. Italy already added, in the parent law, an aggravating circumstance for AI-assisted crimes and a deepfake offense punishable by one to five years. The strongest argument for criminalizing tampering is that high-risk systems in healthcare, transport, or critical infrastructure can kill, and that corporate actors respond to criminal exposure as they do to nothing else.

Granted. But criminal liability is a blunt instrument for a field defined by constant modification. "Alteration" of an AI system is what responsible engineering is: fine-tuning, patching, red-teaming, rolling back. The draft reportedly requires gross negligence and concrete danger, which helps — yet the chilling effect operates on the margin of uncertainty, not the eventual verdict. Security researchers who probe deployed systems, and engineers who push rapid safety updates, will reasonably fear that a good-faith change later reframed as "alteration creating danger" lands them in a criminal file. The lesson is fresh from elsewhere: Anthropic was forced this month to disable two models over a jailbreak it considered minor and reproducible in rival systems — a reminder of how a single vaguely-scoped safety lever can halt deployment for hundreds of millions of users.

What to fix before final adoption

These are preliminary-examination drafts; the Garante, the Conference of Regions, and parliamentary committees still weigh in. Two precise fixes would preserve the framework's strengths. First, add an explicit safe harbor to Article 437-bis for documented good-faith security research and routine safety maintenance. Second, write into the civil-liability text that the causation presumption is overcome by evidence of conformity with the AI Act's risk-management obligations. Italy has built the EU's most coherent national AI governance architecture. It should not let one over-broad criminal clause undercut the very experimentation the rest of the law is designed to encourage.

Sources & Citations

  1. Council of Ministers press release n. 177 (governo.it)
  2. Council of Ministers agenda n. 177 (governo.it)
  3. Norton Rose Fulbright — Italy enacts Law No. 132/2025
  4. GamingTechLaw — Italy AI Act implementing decrees 2026
  5. The Record — Anthropic forced to disable cyber AI models