Does Law on Artificial Intelligence require Data Governance?

Italy • enforcing

Yes — 1 provision

Requirements at a glance

This regulation imposes 4 specific requirements for Data Governance across 1 provision:

Health Data for AI Research

Obligation: Data Governance • enforcing
Effective: Oct 10, 2025
Risk tier: all
Scope: developers, deployers
sleeper • cross-domain
Italy's secondary-use pathway for health data is a sleeper provision with global reach: any organisation conducting AI research using Italian patient data — including non-Italian researchers accessing Italian health datasets — must satisfy both the GDPR and a 30-day Garante notification before processing. This covers clinical AI model training, drug discovery AI, and public health AI research.

Requirements

| Requirement | Details |
| --- | --- |
| Secondary use permitted | Anonymized or pseudonymized health data may be used for AI research without new patient consent, serving significant public interest |
| Garante notification | 30-day advance notification to the Italian Data Protection Authority (Garante) required before commencing AI research using health data |
| GDPR compliance | All health data processing for AI research must comply with GDPR requirements |
| Anonymization standards | Data must be properly anonymized or pseudonymized before secondary use for AI research |