Italy Italy AI strategy national framework

Italy's Privacy Regulator Casts AI as Geopolitical Terrain — But the Governance Gap It Cites Is Corporate, Not National

Garante's 2026 report frames AI as sovereignty infrastructure while flagging that only 9% of large Italian firms have structured AI governance despite 71% adoption.

Italy's AI Governance Gap, 2025 People of Internet Research · Italy 71% Large firms with AI project Up from 59% in 2024, per Politecni… 9% Firms with structured AI governance Same large-firm sample; 54% still … €37M+ Garante sanctions collected 2025 Across 506 corrective and punitive… 2,415 Data breach notifications 2025 A 10% increase over 2024. peopleofinternet.com
Italy's AI Governance Gap, 2025 People of Internet Research · Italy 71% Large firms with AI project 9% Firms with structured AI go… €37M+ Garante sanctions collected 2025 2,415 Data breach notifications 20… peopleofinternet.com

Key Takeaways

A cold war framing for a compliance problem

On July 2, 2026, Pasquale Stanzione, president of Italy's data protection authority (Garante per la protezione dei dati personali), delivered the Authority's annual report to the Chamber of Deputies at Palazzo Montecitorio. His framing was unusually geopolitical for a privacy regulator: AI, he said, has become "il terreno primario di competizione geopolitica" — the primary terrain of geopolitical competition — reflecting "a new idea of sovereignty" and, in his words, a "new cold war." He tied this directly to the European Commission's June 3, 2026 Tech Sovereignty Package, arguing that the Chips Act 2.0 and the Cloud and AI Development Act express a legitimate need to remove European technological infrastructure from the veto power of foreign actors — a form of "strategic autonomy" he was careful to distinguish from protectionism.

That's a fair point, and it deserves to be taken on its own terms before any pushback. Europe's dependence on non-EU hyperscalers and foreign chip supply chains is a real vulnerability, not a rhetorical one: the Commission's own package targets a market where non-EU cloud providers control roughly 70% of European share. A regulator whose job is to protect Italians' data has legitimate standing to say that data sovereignty and infrastructure sovereignty are two sides of the same coin — if Italian citizens' data sits on infrastructure a foreign government can compel or seize, no amount of GDPR paperwork fixes that. The Garante's own casework backs this: its emergency limitation on Hangzhou DeepSeek and Beijing DeepSeek's processing of Italian users' data, issued after the two Chinese companies claimed EU law simply didn't apply to them, is a defensible enforcement of existing rules against a company that refused to engage — not an act of protectionism.

The gap the report actually reveals

But the more consequential number in this year's report isn't geopolitical — it's domestic. According to the Politecnico di Milano's Osservatorio Artificial Intelligence, 71% of large Italian companies had launched at least one active AI project in 2025, up sharply from 59% in 2024. Only 9% of those same companies have structured AI governance — clear ownership, risk processes, and alignment with the EU AI Act's obligations. A further 54% are still building such processes, and roughly 9% report no governance effort at all.

That gap is the real story, and it cuts against the geopolitical framing rather than supporting it. Italian firms aren't losing an AI race to foreign infrastructure controllers; they're adopting AI faster than they're building the internal controls to use it responsibly. That's an execution and skills problem, not a sovereignty problem — and treating it as the latter risks pointing Italian policy at the wrong lever. Chips Act-style industrial policy and cloud sovereignty frameworks address supply chains; they do nothing to help a mid-size Italian manufacturer stand up an AI risk committee.

Enforcement without overreach

The Garante's 2025 casework shows a regulator willing to act firmly but selectively. It adopted 506 corrective and sanctioning measures, collecting over €37 million in fines, and fielded 2,415 data breach notifications — a 10% rise on 2024, split between 514 public-sector incidents (municipalities, schools, health facilities) and 1,901 private-sector cases. Two actions stand out as proportionate rather than punitive-for-its-own-sake: suspending Milan Linate airport's facial recognition system after 24,500 passengers' biometric data was improperly retained, and barring Amazon Italia from processing health and union-activity data of 1,800 workers at a single facility. Both targeted specific, demonstrable harms — improperly retained biometrics, sensitive data processed without basis — rather than AI adoption in general.

That distinction matters for how Rome and Brussels should read this report. The Garante is right that AI infrastructure sovereignty is a legitimate strategic concern, and right to keep enforcing GDPR against foreign AI operators who simply refuse to comply. But the 71%/9% gap is the more urgent finding, and it argues for a lighter-touch, capacity-building response: sector-specific AI Act compliance guidance, governance templates for mid-size firms, and enforcement resources aimed at helping the 54% of companies mid-build finish the job — not a heavier sovereignty apparatus modeled on chip fabs and hyperscale data centers. Proportionate regulation means matching the tool to the actual failure mode. Here, the failure mode is under-resourced compliance teams, not foreign veto power over Italian servers.

Italy's AI policy conversation would serve innovation and rights protection better by treating these as two separate problems with two separate fixes, rather than folding a corporate governance shortfall into a geopolitical narrative that, however compelling on its own terms, doesn't actually address it.

Sources & Citations

  1. Garante Privacy — 2025 Activity Report Press Summary
  2. Garante Privacy — DeepSeek Data Processing Limitation Order
  3. European Commission — Strengthening Europe's Tech Sovereignty (Tech Sovereignty Package)
  4. ANSA — Stanzione: 'l'IA terreno di competizione geopolitica, nuova guerra fredda'
  5. Osservatorio Artificial Intelligence, Politecnico di Milano — AI in Italia 2025