The AI Act, National Authorities and Penalties: What Changes with the First Implementing Decree of Law No. 132/2025
On 10 June 2026, Italy's Council of Ministers gave preliminary approval to two legislative decree schemes implementing Law No. 132 of 23 September 2025 (Legge 132/2025) — Italy's primary domestic law adapting the national legal order to Regulation (EU) 2024/1689 (the AI Act).
More precisely, there are two schemes: the first addresses the powers of the national authorities and the use of artificial intelligence in education and training; the second covers the use of AI systems in policing, and civil and criminal liability.
With these texts, the Italian Government begins to build the national institutional framework for AI regulation, in implementation of the AI Act.
The timeline is broad, because the subject matter itself is broad.
In this first article, we focus on the first scheme, and specifically on its governance structure and penalty regime.
It should be stated upfront that these decree schemes are not yet final. They must still pass through the opinions of the parliamentary committees, the Unified Conference (Conferenza unificata — the body coordinating the State, the Regions and local authorities) and the competent authorities, before final approval and publication in the Official Gazette (Gazzetta Ufficiale).
This is, therefore, a draft that will undoubtedly change. But it already offers a fairly clear picture of what is to come.
Governance: The Roles of ACN and AgID
The institutional core of the decree lies in the division of tasks between Italy's two national AI authorities: AgID and ACN.
Let us start with AgID (the Agency for Digital Italy), which is entrusted with managing the notification system.
Designated as the national notifying authority under Article 70(1) of the Regulation (Article 4 of the decree), AgID will assess, designate and notify conformity assessment bodies. It will also monitor their continued compliance through periodic and ad hoc audits, up to the possible limitation, suspension or withdrawal of designation under Article 36 of the Regulation (Article 13 of the decree). The costs of these checks fall on the bodies themselves.
This is a highly sensitive task, because notified bodies are the “gatekeepers” of conformity. Wherever the Regulation requires third-party assessment — primarily for the biometric systems under Annex III, point 1, and for AI embedded in products already covered by EU harmonisation legislation (medical devices being the clearest example) — it is the notified body that certifies compliance with the requirements, opening the way to CE marking and market access.
If a body lacks competence, is too accommodating, or has a conflict of interest, non-compliant high-risk systems still reach the market: the entire risk-based architecture rests on the reliability of whoever certifies compliance. This is why the correct designation of these bodies, and continuous oversight of them — including the power to suspend or revoke their designation — is the system's first real safeguard. Trust in the AI Act is built here, even before it reaches the enforcement authorities' own procedures.
Turning now to ACN (the National Cybersecurity Agency), which is instead responsible for market surveillance and acts as the single point of contact with the European Commission and other Member States (Articles 5 and 6 of the decree).
ACN will exercise the surveillance and inspection powers set out in the AI Act and in Regulation (EU) 2019/1020 on market surveillance, including inspections — which may be conducted remotely and without prior notice — of real-world testing under Article 60 of the AI Act (Articles 15 and 16 of the decree).
How will inspections and enforcement checks actually work in practice?
The decree builds these powers on several layers: those under the AI Act itself, those under Articles 14 and 16 of Regulation (EU) 2019/1020 (access to documents, data and information; requests for corrective action; withdrawal or recall of non-compliant systems), and those under the related national implementing legislation.
The operational rules for exercising these powers, however, will be set out in a regulation adopted by decree of the President of the Council of Ministers (Article 15(3) of the decree): here too, the detail is left to a later stage.
As for establishing violations and applying penalties, the decree expressly refers to the general framework law, Law No. 689 of 24 November 1981, but excludes the application of its Article 16 (Article 24(9) of the decree). This exclusion deserves attention, because Article 16 is what allows a reduced-amount settlement payment — a mechanism that extinguishes the offence upon payment of a fraction of the fine due. Excluding it means that, for AI Act violations, this reduced settlement option is simply not available.
ACN is also responsible for maintaining the national register of high-risk systems under Annex III, point 2, of the Regulation (Article 14 of the decree), and for receiving complaints under Article 85 of the AI Act (Article 18 of the decree).
The decree scheme introduces a new body: the Coordination Committee, established at the Presidency of the Council of Ministers (Article 12, which refers to Article 20(3) of Law 132/2025).
This is the system's steering body: it brings together the national authorities (ACN and AgID), with the participation of the financial-sector authorities where matters fall within their competence, and without prejudice to the powers of the Garante (the Italian Data Protection Authority) and of AGCOM (the Italian Communications Authority) in its role as Digital Services Coordinator. Its task is to ensure coordination and cooperation among the authorities and other administrations: it can issue unified guidance for entering into agreements and memoranda of understanding and for adopting guidance instruments, and it is where the strategic management of the AI regulatory sandbox is defined. It was established, in essence, because the Italian model is a multi-authority one: without a steering body, a system this fragmented would risk moving in disconnected directions.
Finally, the decree delegates much of the operational framework to subsequent measures: decrees of the President of the Council of Ministers, joint AgID-ACN directorial decrees, authority regulations on penalty procedures, and the decree that will give substance to the Italian AI regulatory sandbox established under Article 57 of the Regulation (Articles 26 et seq. of the decree). The overall regime, in short, is mapped out in its structure but left to future acts for its details: without those acts, the machinery does not move.
Penalties: What Gets Punished
Let us turn to penalties.
First, it should be clarified that the penalty regime applies to the obligations set by the AI Act, not to those under Law 132/2025. Article 19 of the decree ties the entire framework to Article 99 of Regulation (EU) 2024/1689, and each paragraph of Article 23 — the provision setting the amounts — penalises the breach of specific obligations under the Regulation. Law 132/2025, although it contains some direct obligations of its own, is not currently backed by these penalties.
More specifically, Article 23 takes over the three-tier structure of Article 99 of the AI Act and rewrites it at national level.
More precisely:
— the top tier remains unchanged: breach of the prohibited practices under Article 5 of the AI Act is punishable by a fine of up to EUR 35 million or 7% of total worldwide annual turnover, whichever is higher (Article 23(1) of the decree). This is the threshold that, already under the Regulation, exceeds the GDPR's own cap, signalling where the legislator places the greatest disvalue;
— the Regulation's second tier (up to EUR 15 million or 3%) is instead split into a descending scale:
- up to EUR 15 million or 3% for providers' obligations and for reporting serious incidents (Articles 16, 73 and 80(2));
- up to EUR 12 million or 2% for authorised representatives (Article 22(3));
- up to EUR 10 million or 2% for importers (Article 23(4));
- up to EUR 7 million or 1% for distributors (Article 24(5));
- up to EUR 3 million or 1.5% for notified bodies (Articles 31, 33 and 34(7));
- up to EUR 5 million or 1.5% for the transparency obligations under Article 50 (paragraph 8);
- up to EUR 1 million or 0.5% for deployers' obligations, for the fundamental rights impact assessment, and for the right to explainability (Articles 26, 27 and 86(6));
The residual tier under Article 99(5) of the AI Act remains: providing inaccurate, incomplete or misleading information to notified bodies or to the authorities is punishable by up to EUR 7.5 million or 1% (Article 23(9)).
The underlying logic — a sound one — grades exposure by source: the highest liability falls on the provider, who places the system on the market, and decreases progressively for downstream operators.
This framework is supplemented by several mitigating provisions.
For natural persons, the statutory caps are reduced by 50% (Article 23(10) of the decree); for SMEs, micro-enterprises and innovative start-ups, the more favourable criterion under Article 99(6) of the Regulation applies — that is, the lower of the fixed amount and the percentage (paragraph 13); and in setting the amount, the authority takes into account the criteria under Article 99(7) of the Regulation, as well as whether the breached obligation is substantive or merely formal in nature (paragraph 12).
Not everything, finally, needs to be punished with a financial penalty.
Article 22 of the decree introduces two non-pecuniary measures for offences considered to carry limited harm or risk: 1) an order to remedy the infringement and refrain from repeating it, specifying the measures to be taken and the deadline for doing so (paragraph 1(a)); 2) a public statement identifying the violation committed and the responsible party (paragraph 1(b)) — a reputational sanction, a name and shame measure.
If the remediation order is not complied with within the deadline, the financial penalty under Article 23 nonetheless kicks in, increased by up to one third (paragraph 2). This is, in essence, a proportionality valve that — rightly — allows the deterrent to be graded without always resorting to a financial measure.
Having established what is punished, the question remains who punishes: the decree distributes the power to impose penalties among several bodies.
AgID, in exercising its functions as notifying authority, imposes the penalties relating to notified bodies and to inaccurate information provided in that context (Article 20 of the decree, which refers to Article 99(4)(f) and (5) of the Regulation).
All other operator violations are penalised by the national market surveillance authorities (Article 21 of the decree) — of which there is more than one.
More precisely: ACN is the competent authority in general terms (and therefore has enforcement duties wherever no specific authority applies); alongside it operate the Bank of Italy, CONSOB (the Italian securities regulator) and IVASS (the Italian insurance supervisory authority) for high-risk systems in the financial and insurance sectors. Finally, the Garante will be called upon to supervise and impose penalties on the high-risk systems most sensitive for fundamental rights — biometrics, law enforcement, migration and border control, the administration of justice, and democratic processes (Annex III, points 1, 6, 7 and 8) — under Article 74(8) of the Regulation.
Each authority will then apply its own procedures at the enforcement stage: the Bank of Italy under Article 145 of the Consolidated Banking Act, CONSOB under Article 195 of the Consolidated Law on Finance, and IVASS under Articles 311-septies and 324-octies of the Private Insurance Code (Article 24(5), (6) and (7) of the decree); AgID and ACN will, for the rest, set their own procedures through their own regulations (Article 24(2) and (3)).
This raises a question the decree does not, at this stage, resolve: if each authority proceeds under its own rules, do the safeguards available to the party affected — time limits, the right to be heard, rights of appeal — not risk varying by sector? The risk is a real one: protection against the very same AI Act violation could look different depending on whether ACN, a financial authority, or the Garante is the one proceeding. This is an inconsistency that, in the writer's view, will need to be revisited at the implementation stage.
Finally, the rules on publishing penalty decisions deserve attention.
Penalty decisions are published on ACN's institutional website, in anonymised form only where ordinary publication would disproportionately compromise personal data, cybersecurity, or an ongoing investigation (Article 24(4) of the decree).
The rule, therefore, remains publication by name, with anonymity as the reasoned exception.
Points Worth Flagging: The Garante, Fragmentation, Penalties for Deployers, and Resources
A few points still deserve reflection.
The first concerns the Garante. It is true that, on the AI market surveillance side, the decree confines it to the scope of Article 74(8) of the Regulation (Article 5(c) of the decree), which at first glance looks like a very narrow space. But this does nothing to erode the authority's autonomy on its own proper terrain: the Garante does not supervise AI as such, and it should not; it retains, however, full power to check correct application of the GDPR whenever an AI system processes personal data — and AI, by definition, processes a great deal of it.
In other words: limited power over AI as a product, full autonomy over data. The two do not cancel each other out; they coexist. Read this way, the decree's choice is less a marginalisation and more a division of competences.
Then there is the well-known issue of fragmentation, and this is a genuine sticking point. Between the national authorities (ACN and AgID), the financial-sector authorities (Bank of Italy, CONSOB, IVASS), the Garante, and the sectoral supervisory authorities under Legislative Decree No. 157 of 12 October 2022, a great many bodies are involved. The decree tries to hold them together through agreements under Article 15 of Law 241/1990, through the Coordination Committee, and by referring competence conflicts to Article 5(8) of Legislative Decree 157/2022. On paper, it works. In practice, whether the model holds together will depend on the quality of coordination — and on the already-noted inconsistency in procedures. The timelines involved, one can safely bet, will not be trivial.
The third point concerns the figure of the deployer: this was already clear under the Regulation, and the penalty choices confirm it — the deployer is becoming a pivotal figure in the system.
For the first time, a product regulation does not simply impose obligations on the manufacturer and the supply chain — it also imposes precise obligations on whoever uses the product, the deployer, and penalises them when they get it wrong. For anyone familiar with the logic of product legislation (think of the MDR and IVDR for medical devices), this is a paradigm shift. That the user is penalised less severely than the provider is entirely proportionate: deployers answer for different and less pervasive obligations. What matters is something else: that deployers are actually penalised when they get it wrong, just like everyone else in the chain. In our view, this is a genuine revolution.
The fourth sticking point is the “usual” budget-neutrality clause (Article 53), which accompanies the assignment to ACN and AgID of new and far from light tasks: building and maintaining registers, managing notification and complaint procedures, running an AI regulatory sandbox, and investigating and conducting technically complex penalty proceedings. All of this with unchanged resources. The regulatory landscape is unusually complex — it weaves together the AI Act, the market surveillance regulation, sector-specific legislation and penalty codes — and requires specialist technical-legal expertise that cannot be improvised. Is it really conceivable to do all of this without hiring, or at the very least without seriously training, the staff called upon to supervise it? There is a paradox that does not go unnoticed: a decree that devotes entire provisions to AI literacy and training — for teachers, professionals, and public employees — is silent on training for those who will have to control that same AI. Without adequate resources and expertise, even the most elegant architecture remains a design on paper.
Conclusions
A final consideration.
With this scheme, Italy is not merely transposing the Regulation: it is building an enforcement architecture. But the real test will not be the size of the fines — those are, in large part, already fixed by the Regulation itself. The real test will be governance: the authorities' ability to actually make the machine work — registering systems, exercising supervision, carrying out inspections, coordinating with one another — and, above all, making that activity visible.
Because the real deterrent is not the maximum figure written into Article 23, but rather the market's perception that these penalties can actually be applied: that concrete checks exist, and that the probability of being inspected is not merely theoretical. A very high fine that is never imposed deters no one; even a modest fine, made credible by visible and consistent supervisory activity, changes behaviour.
This is where the circle closes with the resources issue raised earlier. Without an authority genuinely equipped to supervise — to acquire expertise, to train it, and to police the market — deterrence remains on paper, and with it the entire architecture. The success of this decree, once it becomes final, will not be measured by the severity of the caps, but by the credibility of those tasked with enforcing them. As this is, at this stage, a text under preliminary review, this too is a hope worth voicing: that the consultation phase strengthens not the severity of the penalties, but the tools that make that severity credible.