AI Regulation ReferenceLaw on Artificial Intelligence
Obligations Covered
Healthcare AI — Human Oversight #
Italy is the first EU member state to legislate sector-specific AI rules beyond the EU AI Act. For healthcare AI, the law establishes a hard prohibition on AI making autonomous clinical decisions — physicians retain ultimate authority regardless of AI recommendation quality. Any healthcare organisation deploying diagnostic or treatment AI in Italy must build physician-override workflows into every clinical AI deployment.
Requirements
| Requirement | Details |
|---|---|
| Physician authority | AI systems cannot replace human clinical judgment or make fully automated clinical decisions; physicians retain ultimate decision-making authority |
| Patient notification | Patients must be informed of AI use, its benefits, and the logic of AI-assisted decision-making before and during care |
| Support role only | AI may support prevention, diagnosis, and treatment but must be positioned as a decision-support tool, not a decision-maker |
| AGENAS platform | National Agency for Regional Health Services (AGENAS) develops a national AI platform to assist medical staff; outputs are non-binding suggestions |
Employment AI — Transparency and Disclosure #
Italy extends AI transparency duties into employment and child contexts that sit beyond the EU AI Act's direct scope. Employers using AI in recruitment or performance evaluation must disclose AI involvement to workers — creating a specific notification duty for HR technology deployments. The parental consent requirement for under-14s applies to any AI-powered product or service used by children, including education platforms, apps, and consumer AI.
Requirements
| Requirement | Details |
|---|---|
| Worker notification | Employers must disclose to workers when AI is used in recruitment, performance evaluation, or other employment processes |
| AI decision logic disclosure | Employers must explain the logic of AI decision-making where AI is involved in employment decisions |
| Minors consent | Children under 14 require verifiable parental consent before using any AI-powered product or service |
Employment AI — Non-Discrimination #
Requirements
| Requirement | Details |
|---|---|
| Non-discrimination | AI systems used in employment must not discriminate; discriminatory AI applications in recruitment or evaluation are prohibited |
| Data protection compliance | Employers must comply with data protection principles to prevent bias in AI employment systems |
| Human oversight in employment | Employers must ensure human oversight of AI-assisted employment decisions |
Health Data for AI Research #
Italy's secondary-use pathway for health data is a sleeper provision with global reach: any organisation conducting AI research using Italian patient data — including non-Italian researchers accessing Italian health datasets — must satisfy both the GDPR and a 30-day Garante notification before processing. This covers clinical AI model training, drug discovery AI, and public health AI research.
Requirements
| Requirement | Details |
|---|---|
| Secondary use permitted | Anonymized or pseudonymized health data may be used for AI research without new patient consent, serving significant public interest |
| Garante notification | 30-day advance notification to the Italian Data Protection Authority (Garante) required before commencing AI research using health data |
| GDPR compliance | All health data processing for AI research must comply with GDPR requirements |
| Anonymization standards | Data must be properly anonymized or pseudonymized before secondary use for AI research |