National law · source: Normattiva

Does Law 132/2025 replace the AI Act for businesses in Italy?

In short: no. It is a dual track. An Italian SME must comply with both: the European regulation (directly applicable) and the first comprehensive national law on AI. Law 132/2025 is largely a law of principles and delegations: the implementing decrees are expected by October 2026. Below, the facts verified on Normattiva, then our reading.

The facts · fields 1–10

What the official source says.

Verified on Normattiva

01 · Name

Law 23 September 2025, No. 132

"Provisions and legislative delegations to the Government on artificial intelligence". Common acronym: Law 132/2025 — the first comprehensive Italian national law on AI.

Normattiva · urn:nir:stato:legge:2025-09-23;132

02 · Type of source

Ordinary national law, with delegations

A law of the Italian State, also containing legislative delegations to the Government (Art. 76 of the Italian Constitution) for the subsequent adoption of legislative decrees.

Normattiva · Law 132/2025

03 · Nature

Binding, partly principle-setting and delegating

Hard law: a law of the State in force. Part of the provisions, however, is of a principle-setting and delegating nature: it will become fully operative only with the implementing legislative decrees.

Normattiva · Law 132/2025

04 · Subject matter

National principles, in a human-centric dimension

It lays down national principles and rules on the research, experimentation, development, adoption and use of AI systems and models, in a human-centric dimension, and adapts the Italian legal order to Regulation (EU) 2024/1689. It intervenes in specific sectors (healthcare, employment, intellectual professions, public administration, justice), on copyright and on the Criminal Code, and delegates to the Government the completion of the regulatory framework.

Normattiva · Law 132/2025

05 · Who it applies to

National scope, with sector-specific provisions

It concerns public and private entities that develop or use AI on Italian territory, with sector-specific provisions for healthcare professionals, employers, intellectual professionals (use of AI as a mere support tool), public administrations and the judicial system. It builds on the AI Act without altering the latter's European personal scope.

Normattiva · Law 132/2025

06 · Key dates

From publication to the delegating decrees

  1. Publication in the Official Gazette (Gazzetta Ufficiale), General Series No. 223.

  2. Entry into force (after the ordinary 15-day vacatio legis).

  3. Deadline for the legislative delegation to the Government (within 12 months of entry into force) to adopt the implementing legislative decrees and the measures adapting the framework to the AI Act.

Official Gazette No. 223 of 25/09/2025 · Normattiva

07 · Competent authorities

AgID and ACN; the Data Protection Authority (Garante)

  • AgID (Agency for Digital Italy) — functions of promotion and development of AI and notifying functions.
  • ACN (National Cybersecurity Agency) — functions of supervision, inspection and penalties and security aspects.
  • Italian Data Protection Authority (Garante) — remains the competent authority for the processing of personal data.

The designation is made by the law; the article indicated by secondary sources is Art. 20 ⚠️ [to verify] the exact numbering against the Normattiva/Official Gazette text (corroborated by AI Legal Atlas + an independent legal source).

Normattiva · Law 132/2025 (article number to be confirmed)

08 · Status

In force since 10 October 2025, partial implementation

Numerous provisions require the delegated legislative decrees (expected by October 2026) in order to become fully operative. As at the date of this brief, the implementing decrees are pending.

Normattiva · Law 132/2025

09 · Relationship with other rules

It adds to the AI Act; it touches the GDPR and the Criminal Code

  • ↔ AI Act (Reg. EU 2024/1689): Law 132/2025 adds to and gives national effect to the AI Act; it does not replace it and cannot derogate from it (primacy of EU law). It designates the Act's national authorities.
  • ↔ GDPR: the processing of personal data connected with AI remains subject to the GDPR and to the Italian Data Protection Code, with the Garante as competent authority.
  • ↔ Criminal Code: the law amends the Criminal Code by introducing protection against the unlawful dissemination of AI-generated/altered content (deepfakes) — ⚠️ [to verify] the exact number of the new Criminal Code article (sources indicate the insertion of an Art. 612-quater of the Criminal Code).
  • ↔ ISO/IEC 42001: voluntary AI management standard, useful as a governance framework in support of compliance; not referenced as a legal obligation.

Normattiva · Law 132/2025 (Criminal Code article number to be confirmed)

10 · Official source

Normattiva — consolidated text in force

Primary source to be cited: Normattiva, consolidated text in force. Publication: Official Gazette of the Italian Republic, General Series No. 223 of 25 September 2025.

Open the official source on Normattiva

Primary source · Normattiva + Official Gazette No. 223/2025

NomotecnIA reading · interpretation, not source

Fields 11–12 · own synthesis

Our reading for an SME.

Synthesis

  • Law 132/2025 does not replace the AI Act: it is a dual track. An Italian SME must comply with both — the European Regulation (directly applicable) and the national law.
  • It is largely a law of principles and delegation: many detailed rules will arrive with the legislative decrees expected by October 2026. Today it is binding as to principles, authorities and certain specific provisions (e.g. criminal, professions, employment).
  • Immediate practical relevance for SMEs: the rules on the use of AI in the intellectual professions (AI as a support tool, with the human element prevailing) and the transparency/information obligations towards workers.
  • The framework is human-centric: human oversight and the responsibility of the person remain the centre of gravity.
  • Italian reference authorities: AgID (promotion) and ACN (supervision and penalties); for personal data, the Garante remains competent.

Practical obligations for a deployer / SME

  1. Monitor the implementing decrees (window until October 2026): the detailed rules will bear on concrete obligations and penalties.
  2. Intellectual professions: if AI is used in professional activity, document that it is a support tool and that the prevalence of human/intellectual work is maintained; ensure information to the client where due.
  3. Employment: inform workers about the use of AI systems that concern them; coordinate with employment-law obligations and with the AI Act.
  4. Healthcare (where applicable): comply with the provisions on the use of AI in support of (not replacing) clinical decision-making and on informed consent.
  5. Transparency on synthetic content: guard against the criminal-law risk associated with deepfakes and the unlawful dissemination of altered content.
  6. Coordinate the Law 132 controls with those of the AI Act and the GDPR within a single internal governance framework, avoiding duplicated compliance efforts.

Positioning note (NomotecnIA): NomotecnIA provides guidance and readiness support; it is not a notified body and does not issue conformity certifications.

Meta · fields 13–15

Revision, disclaimer and source

Last revision · 2026-07-06

Disclaimer

This content is for general informational and guidance purposes only; it does not constitute legal advice or an attestation of conformity. As this is a law still partly implemented by delegated decrees, for any assessment the official source (Normattiva / Official Gazette) always prevails. NomotecnIA is not a notified body.

  • #Law132_2025
  • #ItalianAILaw
  • #ArtificialIntelligence
  • #LegislativeDelegation
  • #AgID
  • #ACN
  • #GarantePrivacy
  • #AIAct
  • #Deepfake
  • #SME

Official source · Normattiva

From the rule to your business

How does Law 132 coordinate with the AI Act in your SME?

The AI Entry Assessment unifies the national and European controls into a single governance framework: mapping of systems, gap analysis, prioritised roadmap — with no duplicated compliance.