Does Law 132/2025 replace the AI Act for businesses in Italy?
In short: no. It is a dual track. An Italian SME must comply with both: the European regulation (directly applicable) and the first comprehensive national law on AI. Law 132/2025 is largely a law of principles and delegations: the implementing decrees are expected by October 2026. Below, the facts verified on Normattiva, then our reading.
The facts · fields 1–10
What the official source says.
01 · Name
Law 23 September 2025, No. 132
"Provisions and legislative delegations to the Government on artificial intelligence". Common acronym: Law 132/2025 — the first comprehensive Italian national law on AI.
Normattiva · urn:nir:stato:legge:2025-09-23;132
02 · Type of source
Ordinary national law, with delegations
A law of the Italian State, also containing legislative delegations to the Government (Art. 76 of the Italian Constitution) for the subsequent adoption of legislative decrees.
Normattiva · Law 132/2025
03 · Nature
Binding, partly principle-setting and delegating
Hard law: a law of the State in force. Part of the provisions, however, is of a principle-setting and delegating nature: it will become fully operative only with the implementing legislative decrees.
Normattiva · Law 132/2025
04 · Subject matter
National principles, in a human-centric dimension
It lays down national principles and rules on the research, experimentation, development, adoption and use of AI systems and models, in a human-centric dimension, and adapts the Italian legal order to Regulation (EU) 2024/1689. It intervenes in specific sectors (healthcare, employment, intellectual professions, public administration, justice), on copyright and on the Criminal Code, and delegates to the Government the completion of the regulatory framework.
Normattiva · Law 132/2025
05 · Who it applies to
National scope, with sector-specific provisions
It concerns public and private entities that develop or use AI on Italian territory, with sector-specific provisions for healthcare professionals, employers, intellectual professionals (use of AI as a mere support tool), public administrations and the judicial system. It builds on the AI Act without altering the latter's European personal scope.
Normattiva · Law 132/2025
06 · Key dates
From publication to the delegating decrees
-
Publication in the Official Gazette (Gazzetta Ufficiale), General Series No. 223.
-
Entry into force (after the ordinary 15-day vacatio legis).
-
Deadline for the legislative delegation to the Government (within 12 months of entry into force) to adopt the implementing legislative decrees and the measures adapting the framework to the AI Act.
Official Gazette No. 223 of 25/09/2025 · Normattiva
07 · Competent authorities
AgID and ACN; the Data Protection Authority (Garante)
- AgID (Agency for Digital Italy) — functions of promotion and development of AI and notifying functions.
- ACN (National Cybersecurity Agency) — functions of supervision, inspection and penalties and security aspects.
- Italian Data Protection Authority (Garante) — remains the competent authority for the processing of personal data.
The designation is made by the law; the article indicated by secondary sources is Art. 20 ⚠️ [to verify] the exact numbering against the Normattiva/Official Gazette text (corroborated by AI Legal Atlas + an independent legal source).
Normattiva · Law 132/2025 (article number to be confirmed)
08 · Status
In force since 10 October 2025, partial implementation
Numerous provisions require the delegated legislative decrees (expected by October 2026) in order to become fully operative. As at the date of this brief, the implementing decrees are pending.
Normattiva · Law 132/2025
09 · Relationship with other rules
It adds to the AI Act; it touches the GDPR and the Criminal Code
- ↔ AI Act (Reg. EU 2024/1689): Law 132/2025 adds to and gives national effect to the AI Act; it does not replace it and cannot derogate from it (primacy of EU law). It designates the Act's national authorities.
- ↔ GDPR: the processing of personal data connected with AI remains subject to the GDPR and to the Italian Data Protection Code, with the Garante as competent authority.
- ↔ Criminal Code: the law amends the Criminal Code by introducing protection against the unlawful dissemination of AI-generated/altered content (deepfakes) — ⚠️ [to verify] the exact number of the new Criminal Code article (sources indicate the insertion of an Art. 612-quater of the Criminal Code).
- ↔ ISO/IEC 42001: voluntary AI management standard, useful as a governance framework in support of compliance; not referenced as a legal obligation.
Normattiva · Law 132/2025 (Criminal Code article number to be confirmed)
10 · Official source
Normattiva — consolidated text in force
Primary source to be cited: Normattiva, consolidated text in force. Publication: Official Gazette of the Italian Republic, General Series No. 223 of 25 September 2025.
Open the official source on Normattiva
Primary source · Normattiva + Official Gazette No. 223/2025
Fields 11–12 · own synthesis
Our reading for an SME.
Synthesis
- Law 132/2025 does not replace the AI Act: it is a dual track. An Italian SME must comply with both — the European Regulation (directly applicable) and the national law.
- It is largely a law of principles and delegation: many detailed rules will arrive with the legislative decrees expected by October 2026. Today it is binding as to principles, authorities and certain specific provisions (e.g. criminal, professions, employment).
- Immediate practical relevance for SMEs: the rules on the use of AI in the intellectual professions (AI as a support tool, with the human element prevailing) and the transparency/information obligations towards workers.
- The framework is human-centric: human oversight and the responsibility of the person remain the centre of gravity.
- Italian reference authorities: AgID (promotion) and ACN (supervision and penalties); for personal data, the Garante remains competent.
Practical obligations for a deployer / SME
- Monitor the implementing decrees (window until October 2026): the detailed rules will bear on concrete obligations and penalties.
- Intellectual professions: if AI is used in professional activity, document that it is a support tool and that the prevalence of human/intellectual work is maintained; ensure information to the client where due.
- Employment: inform workers about the use of AI systems that concern them; coordinate with employment-law obligations and with the AI Act.
- Healthcare (where applicable): comply with the provisions on the use of AI in support of (not replacing) clinical decision-making and on informed consent.
- Transparency on synthetic content: guard against the criminal-law risk associated with deepfakes and the unlawful dissemination of altered content.
- Coordinate the Law 132 controls with those of the AI Act and the GDPR within a single internal governance framework, avoiding duplicated compliance efforts.
Positioning note (NomotecnIA): NomotecnIA provides guidance and readiness support; it is not a notified body and does not issue conformity certifications.
From the rule to your business
How does Law 132 coordinate with the AI Act in your SME?
The AI Entry Assessment unifies the national and European controls into a single governance framework: mapping of systems, gap analysis, prioritised roadmap — with no duplicated compliance.